E-Government Act (2002)


Requirements

  • requires the federal government to use information technologies that protect privacy
  • requires federal agencies to conduct Privacy Impact Assessments (PIAs)
    • review IT systems for privacy risks
  • requires privacy protection measures to secure the data in the systems
  • Federal agencies must post their privacy policies to their websites
    • post machine-readable privacy policies on website
  • Report privacy activities to the OMB

Privacy Impact Assessment

A privacy impact assessment (PIA) is an agency’s review of how its IT systems use personal information.

  • a PIA makes sure that systems:
    • are evaluated for privacy risks
    • use personal information in a way that follows the law
  • helps an agency determine the risks of collecting personal information
  • examines the types of controls that an agency must put in place to reduce privacy risks
  • learn more from FTC

When to Conduct a PIA

  • an agency must conduct a PIA:
    • before it develops or buys any IT system that will collect personal information
    • when its IT systems change in such a way that new privacy risks are introduced
      • e.g., an agency changes from paper to electronic systems
    • when it chooses to outsource an IT system or function that uses personal data

PIA Information

  • agency’s PIA must include information about its data collection practices
  • must contain the following information:
    • What data the agency will collect
    • Why the agency is collecting the data
    • How the agency will use the data
    • How the agency will share the data
    • Whether people have the opportunity to consent to specific uses of the data
    • How the agency will secure the data
    • Whether the data collected will be a system of records defined by the Privacy Act of 1974

Reporting Privacy Activities

  • an agency must submit its PIAs to the OMB
  • must make them available to the public
    • unless doing so might compromise the security of an IT system
  • requires agencies to post privacy policies on their websites
    • must contain the same types of information that are in a PIA
    • make the public aware of how the agency collects information
    • also state how the agency uses that information
    • must post a link to their privacy policies on their main website home page and write them in language that is easy to understand
  • requires agencies to adopt machine-readable privacy policies
    • alert users about the agency’s website privacy practices
    • lets users know if the agency’s privacy practices match the user’s browser privacy preferences
    • the machine-readable privacy policy standard is called P3P (Platform for Privacy Preferences)