Agencies eye Web privacy

OMB Memo on Privacy Provisions of the E-Gov Act

Agencies are meticulously examining their Web pages for weaknesses in privacy protections, as Office of Management and Budget officials call their attention to Section 208 of the E-Government Act of 2002.

Section 208 lays out rules and guidelines agencies must follow to protect the privacy of citizens using government Web sites. OMB officials issued a memorandum offering specific guidance on implementing the privacy provisions in late September. Agencies must begin submitting annual reports on their compliance with the privacy rules, and the first report is due Dec. 15.

The agencies are moving into high gear now, said David Grant, director of accessibility solutions at Watchfire Corp., a company that makes software tools including products for automating the privacy validation process.

"Privacy was always a 'nice-to-have,' but there was never something like this to enforce it," he said. "Agencies and departments are all concerned."

Both Section 208 and OMB's September memo spell out clear rules that agencies have to follow. The problem is that most agencies have Web pages that predate those rules, sometimes by years, Grant said. Now they are under orders to examine their older pages and bring them into compliance.

The rules include some fairly standard practices that almost any Web site will offer. Agencies must post privacy policies on Web sites used by the public, for example, and must spell out in the policies what information the site collects and how it is used. The policies must inform users when they reveal information voluntarily.

However, the rules also define some limits on what federal sites can do that agencies might have done in the past.

For example, agencies cannot use persistent cookies to track visitors. Persistent cookies are small files that the site transfers to a user's computer to identify visitors when they return to the site. But agencies can use session cookies, which track a visitor's clicks through the site and can temporarily personalize the site, but expire as soon as the visitor leaves.

Agencies also have to submit privacy impact assessments to OMB — and make them publicly available when purchasing new information technology equipment — when making changes to their Web sites that could affect privacy.

Sorting through all of the rules and ensuring compliance are daunting tasks, but agencies are tackling them. Commerce Department officials are working on updating all of their sites in time to meet the deadline, said Tom Pyke, the department's chief information officer.

"The department's chief privacy officer is working with CIOs across the department who are responsible for the privacy statements on Commerce Web sites, to guide them as they update the privacy statements and make any other changes that may be required by this guidance," he said. "Commerce expects to be able to report to OMB in December 2003 that these actions have been completed."

The Securities and Exchange Commission is undertaking a similar effort, said spokesman John Nester. SEC staff members are developing plans for reviewing the SEC site for policy statements and evaluating the information technology systems that work with Web interfaces to determine what information they collect.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.