As agencies face a Dec. 15 deadline to submit a privacy report based on rules outlined in the E-Government Act of 2002, officials may want to borrow a lesson from the Internal Revenue Service.
The IRS has had procedures in place for years for conducting privacy impact assessments, a requirement under Section 208 of the law. The new requirements are complicating their efforts, but officials have a plan, said Charlene Thomas, IRS deputy privacy advocate.
"We were doing fine until E-Gov came along and brought some new challenges for us," she said, speaking last month at an event sponsored by the Center for Democracy and Technology and the Council for Excellence in Government.
The law requires agencies to conduct privacy impact assessments on new and significantly changed systems and notify users which information is being used and how it's being protected. Agencies' privacy reports are based on guidelines released by the Office of Management and Budget in September.
"There is no reporting requirement per se, but the Web privacy policies should be beefed up to provide these elements by Dec. 15," Kleederman said, also speaking at the event.
OMB officials were unsure how many agencies were on track to meet the deadline but noted that agencies have had guidance or draft guidance for several months.
The IRS requires assessments for all new and changed systems and conducts about 130 assessments each year, Thomas said. Assessments are also mandatory for every milestone of a system, meaning there could be three or four reports for each major system.
To ease the complexity of the process, IRS officials are conducting privacy awareness training to guide systems developers, and officials recently developed an internal memorandum of agreement to ensure that the developers and the privacy advocates are working hand in hand.
"It mandates that the privacy advocate's office is involved in the very early stages of these systems being built," Thomas said.
NEXT STORY: New York MTA expands info online