�A State of the Union for Privacy: Fall, 2002�

Document Sample
�A State of the Union for Privacy: Fall, 2002� Powered By Docstoc
					   "Embedding Privacy in
Federal Information Systems"
                    Professor Peter P. Swire
                      Ohio State University
       Consultant, Morrison & Foerster LLP
                   MITRE Corp. Workshop
                            March 27, 2003
 Agency privacy before 2001
 E-Government Act of 2002
 Beyond E-Gov
 Total Information Awareness
 Conclusions on security and privacy
I. Government Systems Thru
   Privacy Act of 1974
    –   “System of Records”
    –   Notice, consent, access, reasonable
        administrative and technical measures
    –   OMB Guidance
Limits of the Privacy Act
   Only applies to “systems of records”
    –   Not, e.g., to queries of commercial databases
 Large “routine uses”
 Uneven compliance
1999 Web Policies
   OMB Directive from Jack Lew June, 1999
    –   June 2, 1999, OMB M-99-18
 Available at www.privacy2000.org, under
  “Presidential Privacy Archives”
 Guidance and model language for federal
1999 OMB Policy
 Principal agency web sites
 “Known, major entry points”
 “Substantial collection of personal
2000 OMB Cookies Policy
   Issued June 22, 2000, OMB M-00-13
 Reaction to cookies set for the National
  Office of Drug Control Policy
 Cookies need
    –   Clear and conspicuous notice
    –   Compelling need to gather the data
    –   Publicly disclosed safeguards
    –   Personal approval by the agency head
2000 OMB Guidance
 Agencies should comply with requirements
  of Children’s Online Privacy Protection Act
 Description of privacy practices and steps
  for compliance on cookies incorporated into
  annual submission to OMB for IT budgets
 OMB/OIRA has sent out guidance for
  annual budget submissions
II. E-Government Act of 2002
 Spotlight on Privacy Impact Assessments
 PIAs before the Act
    –   IRS PIA adopted as best practice by Federal
        CIO Council
    –   CIO Council encouraged wider use
    –   Only moderate adoption in the agencies
    –   CIO Council subcommittee on privacy did not
        continue after January, 2001
PIAs under the E-Gov Act
 PIA required where “developing or
  procuring IT that collects, maintains, or
  disseminates information that is in
  identifiable form”
 Also “new collection of information” that
  includes information collected from federal
  reporting requirements affecting 10+ people
  (Paperwork Reduction Act extension)
 Review by agency CIO or equivalent
 “If practicable”, after completion of the
  review, publish the PIA
 That can be waived “for security reasons, or
  to protect classified, sensitive, or private
 Copy to OMB
Contents of the PIA
   OMB to issue guidance
    –   Perhaps this April or May
   PIAs to be commensurate with
    –   size of IT system
    –   sensitivity of information
    –   risk of harm from unauthorized release
Contents of PIA
   PIA should include
    –   what information is to be collected
    –   why information is to be collected
    –   intended use of the information
    –   with whom the information is shared
    –   notice or consent for individuals
    –   how information is secured
    –   whether it is a system of records
Other E-Gov Provisions
   Statutory version of OMB 1999 guidance
    for privacy policies on agency web pages
    –   More detail on notice, choice, access, security
   Privacy policies in machine-readable
    –   OMB guidance
    –   P3P the likely current use
   “Identifiable” permits the identity “to be
    reasonably inferred”, directly or indirectly
III. Beyond E-Gov
   HIPAA and federal agencies
    –   Privacy rule this April 14
    –   Transaction rule this October
    –   Security rule in 2 years, and also by April 14
   What agencies?
    –   VA, DOD, other federal/state health providers
    –   Research on human subjects
    –   Federal/state health insurance
    –   Business associates -- receive data from others
Court Records and Privacy
 OMB/DOJ/Treasury study in Jan. 2001 on
  bankruptcy records and privacy
 SEARCH and criminal records
 PACER and court records as a current
  major debate
IV. Total Information Awareness
 Surveillance after September 11
 Wiretap/surveillance changes in USA-
 Philosophy of “information sharing”
    –   Among agencies
    –   Between federal and state/local
 Does not look like “embedding privacy in
  federal information systems”
 Contrasting trends
    –   Embedding privacy
    –   Increasing surveillance (data gathering) and
        data sharing
 Will need to build federal systems better for
  security and privacy
 They work together on the level of good
  data practices
 They can work against each other with
  surveillance and data sharing proposals
 Not clear how the cross-currents will
  change practices in coming years
Contact information
 Professor Peter Swire
 www.peterswire.net
 peter@peterswire.net
 (240) 994-4142

Shared By: