CIO Council proposes digital privacy measures
Critical personal information needs protection as agencies put the Digital Government Strategy into motion. Today's thieves don't need gloves or access to your wallet. (Stock image)
As agencies put the Digital Government Strategy in motion in their offices, the government is addressing the hot-button issue of privacy with the release of recommendations from the CIO Council’s Privacy Committee. In a blog post dated Dec. 14, the council linked to a document with the recommendations, which can help agencies prepare for protecting private information as they implement the strategy.
“In helping to create a government for the 21st century, the strategy recognizes that federal agencies, as good data stewards, must adopt strong privacy, confidentiality and security safeguards to prevent the improper collection, use, retention or disclosure of personally identifiable information (PII) when developing and delivering such digital services and programs,” the document states.
It focuses on three central privacy controls for digital information: PII inventories, privacy impact assessments and privacy notices.
For PII inventories, the council includes a checklist of PII that is commonly collected and used in the digital environment, including the obvious — Social Security, credit card and driver’s license numbers, and government identification information — and the more obscure, such as biometric data and computer log and tracking data. However, the document also says agencies should account for information they will collect in the future, not just what they already store and use.
The document includes informal guidance for privacy impact assessments and directs agencies to establish processes for documenting and explaining what information is used, why it is collected, its intended uses and how the data will be secured. A list of suggested questions can help agencies better assess disclosure risks, plan for potential data breaches and manage how digital information is collected.
Additionally, the CIO Council outlines the basics of a strong privacy notice. Variations in context make it impossible to provide one notice that all agencies could use, so a checklist for key privacy notice elements is included in the document. The council says agencies will need to adjust their notices according to the specifics of their particular missions and as their use of data changes.
That flexibility is important. “Over time, agencies, digital developers, and data users may also create, discover, or propose new and innovative ways to combine, share or otherwise leverage the power of the digital data and content collected or disseminated by their digital services or programs,” the recommendations states.
Amber Corrin is a staff writer covering defense and national security. Connect with her on Twitter: @AmberInsideDOD.