
"Embedding Privacy in Federal Information Systems" Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP MITRE Corp. Workshop.


1 "Embedding Privacy in Federal Information Systems" Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP MITRE Corp. Workshop March 27, 2003

2 Overview
- Agency privacy before 2001
- E-Government Act of 2002
- Beyond E-Gov
- Total Information Awareness
- Conclusions on security and privacy

3 I. Government Systems Thru 2000
- Privacy Act of 1974
  – System of Records
  – Notice, consent, access, reasonable administrative and technical measures
  – OMB Guidance

4 Limits of the Privacy Act
- Only applies to systems of records
  – Not, e.g., to queries of commercial databases
- Large routine uses
- Uneven compliance

5 1999 Web Policies
- OMB Directive from Jack Lew June, 1999
  – June 2, 1999, OMB M
- Available at under Presidential Privacy Archives
- Guidance and model language for federal sites

6 1999 OMB Policy
- Principal agency web sites
- Known, major entry points
- Substantial collection of personal information

7 2000 OMB Cookies Policy
- Issued June 22, 2000, OMB M
- Reaction to cookies set for the National Office of Drug Control Policy
- Cookies need
  – Clear and conspicuous notice
  – Compelling need to gather the data
  – Publicly disclosed safeguards
  – Personal approval by the agency head

8 2000 OMB Guidance
- Agencies should comply with requirements of Children's Online Privacy Protection Act
- Description of privacy practices and steps for compliance on cookies incorporated into annual submission to OMB for IT budgets
- OMB/OIRA has sent out guidance for annual budget submissions

9 II. E-Government Act of 2002
- Spotlight on Privacy Impact Assessments
- PIAs before the Act
  – IRS PIA adopted as best practice by Federal CIO Council
  – CIO Council encouraged wider use
  – Only moderate adoption in the agencies
  – CIO Council subcommittee on privacy did not continue after January, 2001

10 PIAs under the E-Gov Act
- PIA required where developing or procuring IT that collects, maintains, or disseminates information that is in identifiable form
- Also new collection of information that includes information collected from federal reporting requirements affecting 10+ people (Paperwork Reduction Act extension)

11 PIAs
- Review by agency CIO or equivalent official
- If practicable, after completion of the review, publish the PIA
- That can be waived for security reasons, or to protect classified, sensitive, or private information
- Copy to OMB

12 Contents of the PIA
- OMB to issue guidance
  – Perhaps this April or May
- PIAs to be commensurate with
  – size of IT system
  – sensitivity of information
  – risk of harm from unauthorized release

13 Contents of PIA
- PIA should include
  – what information is to be collected
  – why information is to be collected
  – intended use of the information
  – with whom the information is shared
  – notice or consent for individuals
  – how information is secured
  – whether it is a system of records

14 Other E-Gov Provisions
- Statutory version of OMB 1999 guidance for privacy policies on agency web pages
  – More detail on notice, choice, access, security
- Privacy policies in machine-readable formats
  – OMB guidance
  – P3P the likely current use
- Identifiable permits the identity to be reasonably inferred, directly or indirectly

15 III. Beyond E-Gov
- HIPAA and federal agencies
  – Privacy rule this April 14
  – Transaction rule this October
  – Security rule in 2 years, and also by April 14
- What agencies?
  – VA, DOD, other federal/state health providers
  – Research on human subjects
  – Federal/state health insurance
  – Business associates -- receive data from others

16 Court Records and Privacy
- OMB/DOJ/Treasury study in Jan on bankruptcy records and privacy
- SEARCH and criminal records
- PACER and court records as a current major debate

17 IV. Total Information Awareness
- Surveillance after September 11
- Wiretap/surveillance changes in USA-PATRIOT Act
- Philosophy of information sharing
  – Among agencies
  – Between federal and state/local

18

19 TIA
- Does not look like embedding privacy in federal information systems
- Contrasting trends
  – Embedding privacy
  – Increasing surveillance (data gathering) and data sharing

20 Conclusion
- Will need to build federal systems better for security and privacy
- They work together on the level of good data practices
- They can work against each other with surveillance and data sharing proposals
- Not clear how the cross-currents will change practices in coming years

21 Contact information
- Professor Peter Swire
- (240)

