IRS leading the pack in privacy

As agencies face a Dec. 15 deadline to submit a privacy report based on rules outlined in the E-Government Act of 2002, officials may want to borrow a lesson from the Internal Revenue Service.

The IRS has had procedures in place for years for conducting privacy impact assessments, a requirement under Section 208 of the law. The new requirements are complicating the agency's efforts, but officials have a plan, said Charlene Thomas, IRS deputy privacy advocate.

"We were doing fine until E-Gov came along and brought some new challenges for us," she said, speaking last month at an event sponsored by the Center for Democracy and Technology and the Council for Excellence in Government.

The law requires agencies to conduct privacy impact assessments on new and significantly changed systems and to notify users of which information is being used and how it's being protected. Agencies' privacy reports are based on guidelines released by the Office of Management and Budget in September.

The E-Government Act added two new elements to privacy reporting, said Eva Kleederman, an OMB privacy policy analyst. First, agencies must identify which information is submitted voluntarily and how a user can consent to allowing the agency to use that information. Agencies must also explain how the personal information is maintained in a system of records.

"There is no reporting requirement per se, but the Web privacy policies should be beefed up to provide these elements by Dec. 15," Kleederman said, also speaking at the event.

OMB officials were unsure how many agencies were on track to meet the deadline but noted that agencies have had guidance or draft guidance for several months.

The IRS requires assessments for all new and changed systems and conducts about 130 assessments each year, Thomas said. Assessments are also mandatory for every milestone of a system, meaning there could be three or four reports for each major system.

To ease the complexity of the process, IRS officials are conducting privacy awareness training to guide systems developers, and officials recently developed an internal memorandum of agreement to ensure that the developers and the privacy advocates are working hand in hand.

"It mandates that the privacy advocate's office is involved in the very early stages of these systems being built," Thomas said.
