NOAA's National Ocean Service
Office of the CIO

Web Application Privacy Policy

The term "NOS OCIO Web Applications" in this policy refers to all web applications hosted and managed by the NOAA National Ocean Service (NOS) Office of the Chief Information Officer (OCIO). The following discloses the information gathering and dissemination practices for NOS OCIO Web Applications.

Most NOS OCIO Web Applications adhere to the NOAA web privacy policy. This document is in place to define policy for those applications and sites which, by virtue of their mission, depart in any way from the NOAA policy.

The NOS OCIO Web Applications primarily collect, store and display data for these basic purposes:

• Administrative functions (replacing a manual process);
• Tracking of some action, information, request, task, or process related to the NOS/NOAA mission;
• Providing a channel of information regarding NOS and NOAA to the general public;
• Response to a direct request initiated by a private individual;
• Point of contact information for participants in and sponsors of programs or events offered by NOS.

The NOS OCIO is committed to protecting the privacy of site visitors and application users as well as any personal information that users may provide.

Links to NOAA/NOS Websites

NOS OCIO Web Applications contain links to other NOAA/NOS websites. The privacy practices of other websites may vary with the purpose of the page. Consult the privacy policy on each site.

Links to External Websites

NOS OCIO Web Applications contain links to other external sites. NOS OCIO office is not responsible for the privacy practices or the content of such websites.

Cookies

A cookie is a text file that lives on the client user's computer. Cookies are either stored in memory (session cookies) or placed on users' hard disk (persistent cookies). A persistent cookie can keep information in the user's browser to a long lifespan until deleted.

Some sites may use cookies to store the unique internal user ID of an authenticated user for the purposes described in the section on Authentication.

NOS OCIO Web Applications only use session cookies. Persistent cookies are prohibited. When an authenticated user logs off, cookies are emptied. Sensitive information, including user credentials, is not stored in cookies.

Users may determine how their browser handles cookies, and may disable cookies being stored. However, by disabling cookies certain web applications' features and functionality may no longer work properly, or function at all.

Session Management

Session information is stored on the server. It is typically stored in web server memory and exists for 20 minutes by default. Sessions work like a token, allowing access and passing information while the user has the browser open. When users close their browsers they also lose their sessions.

A unique session ID is generated for users when they log on to a NOS OCIO Web Application. The session ID is not associated with the user's computer or with the user individually. It is also not related to the unique user ID that may be generated when a user authenticates.

The session ID may be used to track a user's actions in the application. This is used for security and error resolution purposes only.

For applications requiring user credentials, user information stored in session may be used as explained in the section on Authentication.

When an authenticated user logs off, all information stored by a NOS OCIO Web Application in session memory is deleted. The session itself is deleted when a user's browser is closed.

Authentication

Some NOS OCIO Web Applications require user authentication. Authentication may be based on the existence of an entry in the NOAA LDAP directory or on the presence of application-specific credentials stored in a NOS OCIO database. Credentials stored in a database are not related to credentials stored elsewhere and are not used for purposes other than authentication.

The purpose of authentication is to control access to protected data and restrict actions that may be performed. Once a user has been authenticated, a unique internal user ID is stored, usually in session but possibly in cookies (see the sections on Cookies and Session). This ID is stored only as long as the user session is valid. This unique internal user ID is based on internal database record keys and is not related in any way to any other identification owned by or assigned to the user.

The stored internal user ID may be used to track a user's actions while logged in to the application:

• Stored internal user IDs are used to ensure that users only visit data they are allowed to see.
• The internal user ID of an authenticated user may be logged when an error occurs during that user's session.
• The internal user ID of an authenticated user may be logged in a log tracking session activities.
• Other user information, such as name, may also be stored in session to be used as above or to provide a customized user interface.

A user's password is not stored in session or in cookies. Once the user has logged off, all user information stored outside of the authentication source is deleted.

Access & Audit Logs

A user's actions may be logged as follows:

• Some NOS OCIO Web Applications record a users' login name and last access time for auditing purpose.
• If a user is authenticated, the user's name or unique internal user ID along with the user's actions during a session may be logged to an application audit file.
• The server's system and tracking log files may record page hits and errors along with the IP address of the user who performed an action.

Access to log files is restricted to system administrators and application administrators. They may be shared with appropriate IT security officials when necessary.

Private Data Collection

Any information gathered by NOS OCIO Web Applications is limited to that data needed to provide users with accurate and appropriate service. User information is only used for particular project purposes and is not shared outside the Federal government. Accordingly, the privacy and personal information visitors provide is stored in a secure location accessible only by designated staff, and is used only for the purposes for which visitors provide the information.

Personally identifiable information (PII) collected or stored by applications in the NOS OCIO Web Applications is limited to: name, address, phone, e-mail address, organization name, organization address, and position. In some limited-access applications, the PII is collected using some other method (mail, e-mail, fax, business card, etc.) and is entered by authorized NOS staff.

The information is collected from NOAA/NOS staff, NOAA/NOS partners, and members of the general public.

NOS OCIO Web Applications have reasonable security measures in place to protect the loss, misuse, and alteration of the information under our control. These measures include administrative, technical, physical and procedural steps to protect users' data from misuse, unauthorized access or disclosure, loss, alteration, or destruction.

The current Privacy Impact Assessment for NOS OCIO Web Applications, referenced as the National Ocean Service Web Application Subsystem, is reachable from the page linked here: http://www.cio.noaa.gov/Policy_Programs/PIA.html

Rights under the Privacy Act

Your rights under the Privacy Act can be found at the following address: http://www.pueblo.gsa.gov/cic_text/fed_prog/foia/foia.htm

Updates to This Privacy Policy

In case an update to this privacy policy becomes necessary, we will announce both the changed version and its effective date on NOS OCIO Web Applications.

Contact Information

If you have any questions about this privacy policy, please contact nos.webdb@noaa.gov.

---

Reviewed July, 27 2011 | Questions, Comments? Contact Us | Disclaimer | Privacy Policy Web Site Owner: National Ocean Service | National Oceanic and Atmospheric Administration | Department of Commerce | USA.gov