Privacy Policy Guidance

A memorandum issued by OMB on September 26, 2003 provides detailed instructions to Agencies in preparing "privacy impact assessments" (PIA) and web site privacy notices.

There are a few things you should be aware of, so we will give you the highlights in plain English.

Privacy Impact Assessments

PIAs must be performed, and updated as necessary, where a system change creates new privacy risks. More specifically, assessments must be conducted before developing IT systems that collect, maintain or disseminate identifiable information, or when initiating a new information collection involving 10 or more people.

No PIA is required where information relates to internal government operations, has been previously assessed under an evaluation similar to a PIA, or where privacy issues are unchanged.

To the extent practicable, privacy impact assessments must be published.

Web Site Privacy Policy

To promote clarity to the public, agencies are now required to refer to their general web site notices explaining agency information handling practices as the "Privacy Policy."

Agency privacy policies must continue to address the following requirements:

  • Nature, purpose, use and sharing of information collected
  • Security of the information

Agencies must now ensure that their privacy policies:

  • inform visitors when requested information is voluntary.
  • inform visitors how to grant consent for use of voluntarily-provided information.
  • inform visitors how to grant consent to use mandatorily-provided information for other than statutorily-mandated uses or authorized routine uses under the Privacy Act.

Agencies must now also notify web site visitors of their rights under the Privacy Act or other privacy-protecting laws that may primarily apply to specific agencies in at least one of three ways:

  • in the body of the web privacy policy
  • via link to the applicable agency regulation; or
  • via link to other official summary of statutory rights.

Agencies must also develop a plan to make their Web site privacy policies machine-readable, using standards such as the Platform for Privacy Preferences (P3P).

At its most basic level, P3P is a standardized set of multiple-choice questions covering all the major aspects of a Web site's privacy policies. Taken together, the answers present a clear snapshot of how a site handles personal information about its users. P3P-enabled Web sites make this information available in a standard, machine-readable format. P3P-enabled browsers can "read" this snapshot automatically and compare it to the consumer's own set of privacy preferences. (pulled from www.w3.org)
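As an added example (not code from this page or from USAID's own P3P files), here is a toy P3P 1.0 "user agent" in Python: it parses a policy file written in the P3P vocabulary, pulls out each STATEMENT's data, PURPOSE, RECIPIENT and RETENTION answers, and flags the ones that conflict with a user's preferences, which is the comparison a P3P-enabled browser performs. The sample policy, the preference set and the element values in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET
NS = "{http://www.w3.org/2002/01/P3Pv1}"  # P3P 1.0 XML namespace

# Constructed sample policy in the P3P 1.0 vocabulary (NOT USAID's real policy.xml).
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="site" discuri="http://www.example.gov/privacy.html">
    <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Agency</DATA></DATA-GROUP></ENTITY>
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/><admin/><develop/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/><DATA ref="#dynamic.http"/></DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><contact/><telemarketing/></PURPOSE>
      <RECIPIENT><ours/><unrelated/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP><DATA ref="#user.home-info.online.email"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>"""

# The user's preferences (constructed): P3P vocabulary values the agent refuses, per category.
DEFAULT_PREFS = {
    "PURPOSE": {"telemarketing", "individual-analysis", "individual-decision"},
    "RECIPIENT": {"unrelated", "public"},
    "RETENTION": {"indefinitely"},
}

def parse_statements(policy_xml):
    """One dict per <STATEMENT>: data refs collected, plus PURPOSE/RECIPIENT/RETENTION value sets."""
    out = []
    for st in ET.fromstring(policy_xml).iter(NS + "STATEMENT"):
        entry = {"data": [d.get("ref") for d in st.iter(NS + "DATA")]}
        for tag in ("PURPOSE", "RECIPIENT", "RETENTION"):
            node = st.find(NS + tag)  # the child element names are the vocabulary values
            entry[tag] = set() if node is None else {c.tag[len(NS):] for c in node}
        out.append(entry)
    return out

def check_policy(policy_xml, prefs=DEFAULT_PREFS):
    """Compare every statement with the preferences; return (data refs, category, refused values)."""
    conflicts = []
    for st in parse_statements(policy_xml):
        for category, refused in prefs.items():
            hit = sorted(st[category] & refused)
            if hit:
                conflicts.append((tuple(st["data"]), category, hit))
    return conflicts
```

Run against the sample, the clickstream statement passes and the e-mail statement is flagged three times (telemarketing purpose, unrelated recipient, indefinite retention), which is exactly the kind of mismatch a browser would surface to the visitor.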

Agencies must develop a timetable for translating their privacy policies into a standardized machine-readable format. The timetable must include achievable milestones that show the agency's progress toward implementation over the next year. Agencies must include this timetable in their reports to OMB.

Each agency is now required to have a designated point person on privacy issues. Agencies must report to OMB the identities of the senior official(s) primarily responsible for implementing and coordinating information technology/web policies and privacy policies.

The date we have given OMB for all usaid.gov sites to come into compliance with the machine-readable requirement is February 6, 2003. Please begin work on compliance as soon as possible to assure we meet the deadline.

As of November 25, 2003, www.usaid.gov -- including all mission sites hosted on www.usaid.gov -- is in compliance with all OMB eGov guidance. Scott is a smart cookie. It only took him two days to figure out the P3P XML standard and to bring usaid.gov into compliance. You can see our P3P policy files at www.usaid.gov/w3c/p3p.xml and www.usaid.gov/w3c/policy.xml.

Here are some helpful P3P sites:

  • www.w3.org/P3P/ - This is the World Wide Web Consortium's P3P project. This is a great place to begin your P3P education.
  • p3pbook.com - Examples and links that are quite useful.
  • http://fs.pics.enc.or.jp/p3pwiz/ - a free P3P XML code generator. Scott did not use this generator, and we cannot endorse its use. The generator does, however, give great plain English definitions of the elements required. Just click on the field names…
  • www.w3.org/P3P/validator.html - When all is said and done, you must run your site through this validator to assure P3P compliance.
