*** Democracies Online Newswire - http://e-democracy.org/do ***
*** ***
*** Up to seven posts a week. To join over 2500 subscribers, ***
*** e-mail <listserv@tc.umn.edu>, in message: sub do-wire ***

---------- Forwarded message ----------
Date: Fri, 22 Nov 2002 12:38:49 -0500
From: Ari Schwartz <ari@cdt.org>
To: clift@PUBLICUS.NET
Subject: Policy Post 8.25: Privacy Impact Assessments for Federal Agencies

CDT POLICY POST Volume 8, Number 25, November 21, 2002

A BRIEFING ON PUBLIC POLICY ISSUES AFFECTING CIVIL LIBERTIES ONLINE
from
THE CENTER FOR DEMOCRACY AND TECHNOLOGY

CONTENTS:
(1) New Law Includes Important Provisions to Promote E-Government
(2) New Law to Require Privacy Impact Assessments for U.S. Agencies
(3) Privacy Notices, Including P3P Statements, Now Required for Agencies

------------------------------------------------------------------------

(1) New Law Includes Important Provisions to Promote E-Government

The E-Government Act of 2002, passed by Congress this week and soon to be
signed into law, includes important provisions that could have an
impact on how the public interacts with the government. Many of
these could have merited free-standing legislation. Most of them
have received little attention.

The legislation was originally introduced by Senators Joe Lieberman
(D-CT) and Conrad Burns (R-MT).

At the risk of an overly-long Policy Post, we list some of them here,
highlighting some of the interesting new privacy provisions; please
see the text of the bill for full details:

* Creates a specific position in OMB for the Administrator of the
Office of Electronic Government. Some Members of Congress had wanted
to create a Chief Information Officer for the federal government, but
the Administration balked. The compromise basically codifies current
practice, under which Associate Director Mark Forman heads up
e-government efforts. The new position does not have a lot of direct
power, but as a statutorily-authorized position it will be subject to
more consistent Congressional oversight. Sec. 101.

* Authorizes an E-Government Fund with million in fiscal 2003, an
amount that would increase to million by fiscal 2006, to fund the
development and implementation of innovative uses of the Internet and
other electronic methods by federal agencies. Sec. 101.

* Requires the General Services Administration to establish a
framework to allow interoperability among federal agencies when using
electronic signatures, including the development of a "Federal bridge
certification authority for digital signature capability." Sec. 203.

* Requires each federal court to establish a Web site where the
public can get court rules, decisions, docket information and
documents filed with the court in electronic form. The
section requires the Supreme Court to adopt rules to protect privacy
and security concerns relating to the electronic filing and
availability of documents. Sec. 205.

* Requires federal regulatory agencies, "to the extent practicable,"
to ensure that a publicly accessible federal government Web site
includes all information that the agency is required to publish in
the Federal Register, and to accept electronic submissions in
rulemaking proceedings. Sec. 206.

* Creates a committee to study the adoption of standards to enable
government information to be searched across agencies. Sec. 207. A
separate section requires a 3 year study of interoperability and the
integrated collection and management of data. Sec. 212. Such
initiatives have positive implications for electronic Freedom of
Information Act requests, but may have negative implications for
privacy, allowing even greater amalgamation of
personally-identifiable information in the hands of disparate
government agencies. A third provision requires OMB and the Interior
Department to develop common protocols for the acquisition and
application of geographic information (GIS), in order to maximize the
degree to which unclassified geographic information from various
sources can be made electronically compatible and accessible,
something that will be of importance on environmental issues. Sec.
216.

* Requires OMB to develop and maintain a repository that fully
integrates information about research and development funded by the
federal government. Sec. 207(g).

* Authorizes an IT exchange program under which mid-level
information technology managers of the federal government can be
detailed to work in the private sector for up to 2 years and private
sector employees can be assigned to work in federal agencies. Sec.
209.

* Requires the Administrator of E-Gov to develop an online tutorial
explaining how to access government information services and
information on the Internet. Sec. 213 (f).

* Requires a National Academy of Sciences study on the digital
divide. Sec. 215.

* At the behest of Chairman Tom Davis (R-VA), includes the "Federal
Information Security Management Act" (FISMA). The provisions impose
certain responsibilities on agency heads, give OMB certain oversight
of agency information security practices, mandate annual independent
audits of agency computer security practices, and require reports to
Congress. The Act also renames the Computer System Security and
Privacy Advisory Board (CSSPAB) as the Information Security and
Privacy Advisory Board, keeping its dual focus on security and
privacy.

* Establishes a very strict rule of confidentiality for information
collected by the federal government for statistical purposes, which
may prove to be especially important as Zip Code and other data that
is not strictly personal becomes easier to use for personal profiling
purposes. Secs. 501-513.

Ironically, the E-Government Act makes no improvements in Congress' own
practices -- failing to address such deficiencies as the lack of a
searchable index of individual Member voting records.

For more information:

CDT Deputy Director Jim Dempsey's testimony on FISMA, May 2, 2002
http://www.cdt.org/testimony/020502dempsey.shtml

CDT's statement on e-government to the Governmental Affairs Committee,
July 11, 2001 http://www.cdt.org/testimony/010711cdt.shtml

CDT press release in support of the E-Government Act, May 1, 2001
http://www.cdt.org/press/010501press.shtml

More on E-Government http://www.cdt.org/righttoknow/


------------------------------------------------------------------------

(2) New Law to Require Privacy Impact Assessments for U.S. Agencies

The E-Government Act of 2002 also includes an innovative and
potentially far-reaching provision requiring federal government
agencies to conduct privacy impact assessments before developing or
procuring information technology or initiating any new collections of
personally-identifiable information. The privacy impact assessment
must address what information is to be collected, why it is being
collected, the intended uses of the information, with whom the
information will be shared, what notice would be provided to
individuals and how the information will be secured. To the extent
practicable, privacy impact assessments must be published. The
Director of the White House's Office of Management and Budget (OMB)
will issue guidelines for the assessments.

The legislation was originally introduced by Senators Joe Lieberman
(D-CT) and Conrad Burns (R-MT).

CDT believes that the law could have a significant positive impact in
three ways:

* The assessments will raise the level of attention to privacy issues
within federal agencies, at the most critical stage: before new
technology is purchased or new collections of data are initiated.

* The assessments will bring greater transparency to the IT
development and procurement process, allowing Congress, citizens and
advocacy groups to better scrutinize the privacy decisions of the
government.

* Using the massive purchasing power of the U.S. government, the
assessments could help to increase the marketplace for technologies
that incorporate privacy "by design."

CDT supported the privacy impact assessment provision.

Related legislation, the Federal Agency Protection of Privacy Act
(HR 4561), introduced by Representative Bob Barr (R-GA), would have
required privacy impact assessments for new agency rules and
regulations. That bill passed the House earlier this year but was
never taken up by the Senate. Rep. Barr, a leader on many privacy
issues, will not be in Congress next year. But his proposal remains
valid and a sound complement to the E-Gov Act. We believe OMB should
require such assessments as best practices despite not being required
in law.

Links to the text and legislative history of the E-Government Act:
http://thomas.loc.gov/cgi-bin/bdquery/z?d107:hr2458:
http://www.cdt.org/legislation/107th/e-gov/

A link to the Barr bill can be found at
http://www.cdt.org/legislation/107th/privacy/

------------------------------------------------------------------------


(3) Privacy Notices, Including P3P Statements, Now Required for Agencies

The E-Government Act also requires agencies to post privacy notices
on their Web sites, detailing agency practices and individual rights.
Most agencies already post written privacy notices, after the Clinton
administration, under the leadership of Chief Privacy Counselor Peter
Swire, required them in an administrative order. The new law will
take the agencies one step further by requiring "machine-readable"
notices, such as those specified in the Platform for Privacy
Preferences (P3P) standards.

Under the P3P framework, Web sites can express their privacy policies in a
standardized format that can be read by Web browsers and other end-user
software tools. These tools can display information about a site's
privacy policy to end-users and take actions based on a user's
preferences. Such tools can notify users when the sites they visit
have privacy policies matching their preferences and provide warnings
when a mismatch occurs.
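To make the P3P mechanism described above concrete, here is an added example (not code from the CDT post or from the P3P project) that parses a constructed P3P 1.0 policy and compares each STATEMENT against a user's preferences, returning the mismatches a browser-side tool would warn about. The policy, the agency.example site and the preference format are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

P3P_NS = "{http://www.w3.org/2002/01/P3Pv1}"

# Constructed sample P3P 1.0 policy for a hypothetical agency site.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="site" discuri="http://agency.example/privacy.html">
  <STATEMENT>
   <PURPOSE><current/><admin/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><contact/></PURPOSE>
   <RECIPIENT><ours/><other-recipient/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>"""
# User preferences: P3P vocabulary tokens the user refuses to accept.
# (The preference format is this example's own, not part of P3P.)
USER_PREFS = {
    "PURPOSE": {"contact", "telemarketing", "other-purpose"},
    "RECIPIENT": {"other-recipient", "unrelated", "public"},
    "RETENTION": {"indefinitely"},
}

def parse_statements(policy_xml):
    """One dict per STATEMENT: element name -> set of vocabulary tokens."""
    statements = []
    for st in ET.fromstring(policy_xml).iter(P3P_NS + "STATEMENT"):
        entry = {"DATA": [d.get("ref") for d in st.iter(P3P_NS + "DATA")]}
        for name in ("PURPOSE", "RECIPIENT", "RETENTION"):
            node = st.find(P3P_NS + name)
            # Child element tags (namespace stripped) are the P3P tokens.
            entry[name] = {c.tag[len(P3P_NS):] for c in node} if node is not None else set()
        statements.append(entry)
    return statements

def check_policy(policy_xml, prefs):
    """Return (data refs, element, offending tokens) per mismatch; [] = OK."""
    mismatches = []
    for st in parse_statements(policy_xml):
        for name, disallowed in prefs.items():
            hit = st[name] & disallowed
            if hit:
                mismatches.append((tuple(st["DATA"]), name, sorted(hit)))
    return mismatches
```

With the sample policy, the clickstream statement passes and the e-mail statement is flagged on all three axes, which is the kind of mismatch warning the paragraph describes.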

Currently, only a few federal agency Web sites are P3P compliant, including the
Federal Trade Commission, the US Postal Service and portions of the Department
of Commerce.

While privacy notices do not in and of themselves guarantee privacy protection,
they offer a basis for public and Congressional scrutiny of agency practices.

For more information about P3P and privacy notices on government Web sites:

* Policy Post 8.09, Privacy Standard Moves Forward, April 26, 2002 --
http://www.cdt.org/publications/pp_8.09.shtml

* P3P Toolbox - http://www.p3ptoolbox.org

* OMB Memorandum M-99-18, Privacy Policies on Government Web sites --
http://www.whitehouse.gov/omb/memoranda/m99-18.html

* Letter from CDT urging posting of privacy policies on federal Web sites,
April 15, 1999 -- http://www.cdt.org/privacy/lettertoswire.html


------------------------------------------------------------------------
Detailed information about online civil liberties issues may be found
at http://www.cdt.org/.

This document may be redistributed freely in full or linked to
http://www.cdt.org/publications/pp_8.25.shtml.

Excerpts may be re-posted with prior permission of ari@cdt.org


--
To subscribe to CDT's Activist Network, sign up at:
http://www.cdt.org/join/

If you ever wish to remove yourself from the list, unsubscribe at:
http://www.cdt.org/action/unsubscribe.shtml

If you just want to change your address, you should unsubscribe
yourself and then sign up again or contact: mclark@cdt.org
--
Michael Clark, Grassroots Webmaster
mclark@cdt.org
PGP Key available on keyservers

Center for Democracy and Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
http://www.cdt.org/
voice: 202-637-9800
fax: 202-637-0968

*** Past Messages, Discussion http://e-democracy.org/do ***
*** To subscribe, e-mail: listserv@tc.umn.edu ***
*** Message body: SUB DO-WIRE ***
*** To UNSUBSCRIBE instead, write: UNSUB DO-WIRE ***

*** Please forward this post to others and encourage ***
*** them to subscribe to the free DO-WIRE service. ***
*** Please send submissions to: clift@publicus.net ***