Agencies eye Web privacy

OMB Memo on Privacy Provisions of the E-Gov Act

Agencies are meticulously examining their Web pages for weaknesses in privacy protections, as Office of Management and Budget officials call their attention to Section 208 of the E-Government Act of 2002.

Section 208 lays out rules and guidelines agencies must follow to protect the privacy of citizens using government Web sites. OMB officials issued a memorandum offering specific guidance on implementing the privacy provisions in late September. Agencies must begin submitting annual reports on their compliance with the privacy rules, and the first report is due Dec. 15.

The agencies are moving into high gear now, said David Grant, director of accessibility solutions at Watchfire Corp., a company that makes software tools including products for automating the privacy validation process.

"Privacy was always a 'nice-to-have,' but there was never something like this to enforce it," he said. "Agencies and departments are all concerned."

Both Section 208 and OMB's September memo spell out clear rules that agencies have to follow. The problem is that most agencies have Web pages that predate those rules, sometimes by years, Grant said. Now they are under orders to examine their older pages and bring them into compliance.

The rules include some fairly standard practices that almost any Web site will offer. Agencies must post privacy policies on Web sites used by the public, for example, and must spell out in the policies what information the site collects and how it is used. The policies must inform users when they reveal information voluntarily.

However, the rules also define some limits on what federal sites can do that agencies might have done in the past.

For example, agencies cannot use persistent cookies to track visitors. Persistent cookies are small files that the site transfers to a user's computer to identify visitors when they return to the site. But agencies can use session cookies, which track a visitor's clicks through the site and can temporarily personalize the site, but expire as soon as the visitor leaves.

Agencies also have to submit privacy impact assessments to OMB — and make them publicly available when purchasing new information technology equipment — when making changes to their Web sites that could affect privacy.

Sorting through all of the rules and ensuring compliance are daunting tasks, but agencies are tackling them. Commerce Department officials are working on updating all of their sites in time to meet the deadline, said Tom Pyke, the department's chief information officer.

"The department's chief privacy officer is working with CIOs across the department who are responsible for the privacy statements on Commerce Web sites, to guide them as they update the privacy statements and make any other changes that may be required by this guidance," he said. "Commerce expects to be able to report to OMB in December 2003 that these actions have been completed."

The Securities and Exchange Commission is undertaking a similar effort, said spokesman John Nester. SEC staff members are developing plans for reviewing the SEC site for policy statements and evaluating the information technology systems that work with Web interfaces to determine what information they collect.

The Fed 100

Read the profiles of all this year's winners.


  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group