|
M-99-05
Attachment B
INSTRUCTIONS FOR COMPLYING WITH THE
PRESIDENT'S MEMORANDUM OF MAY 14, 1998,
"Privacy and Personal Information in Federal Records"
A. WHAT IS THE PURPOSE OF THE REVIEW?
The Privacy Act of 1974 (5 U.S.C. § 552a, the Act) requires agencies to inform the
public of the
existence of systems of records containing personal information, to give individuals access to
records about themselves in a system of records, and to manage those records in a way to ensure
fairness to individuals in agency programs.
For the Privacy Act to work effectively, it is imperative that each agency properly maintain
its
systems of records and ensure that the public is adequately informed about the systems of records
the agency maintains and the uses that are being made of the records in those systems.
Therefore, agencies must periodically review their systems of records and the published notices
that describe them to ensure that they are accurate and complete. OMB Circular A-130,
"Management of Federal Information Resources," (61 Fed. Reg. 6428, Feb. 20, 1996) requires
agencies to conduct periodic reviews, and this memorandum satisfies that requirement for
calendar year FY 1999. Agencies should continue to conduct reviews in accordance with the
schedule in Appendix I of the Circular.
In addition to directing agencies to ensure the accuracy and completeness of their systems of
records, the President also directed agencies to review their data sharing practices with state,
local and tribal governments.
B. WHAT ACTIONS MUST AGENCIES TAKE?
In order to carry out the President's directive, agencies will carry out six specific tasks. They
should immediately designate a Senior Official for Privacy Policy if they have not already done
so. They will review their systems of records, ensure that the notices published in the
Federal
Register describing those systems of records are up-to-date, and publish a notice for any
system
of records previously overlooked. They will also review information sharing practices with
State, local, and tribal governments, and, finally, report to OMB the results of these reviews.
More detailed instructions for each of these tasks follow.
1. Designate a Senior Official for Privacy
Policy.
Each agency head should have already designated a senior official within the agency to assume
primary responsibility for privacy policy, in accordance with the President's Memorandum. This
individual will not necessarily be the same person who is responsible for implementation of the
Privacy Act. For most Cabinet agencies, the appropriate official would probably be a policy
official at the Assistant Secretary level, or equivalent, who in a position within the agency to
consider privacy policy issues on a national level.
Please notify OMB promptly of the name, title, address, phone number, and electronic mail
address of the designated Senior Official for your agency.
2. Review and Improve the Management of
Privacy Act
Systems of Records.
Each agency shall conduct a thorough review of its systems of records, system of records
notices,
and routine uses in accordance with the criteria and guidance below. Because the President
directed agencies to review systems of records, we have provided guidance on a subset of the
Privacy Act's requirements that are particularly relevant to systems of records.
The goal is to focus agency resources on the most probable areas of out-of-date information,
so
that reviews will have the maximum impact in ensuring that system of records notices remain
accurate and complete. An agency may rely on its ongoing reviews under Circular A-130 to help
focus its review. An agency might decide to pay particular attention to identifying those systems
of records that may have been altered by the application of new technology, changes in function,
or changes in organizational structure that have occurred since the agency's last review of its
systems of records. In addition, an agency may find the President's directive provides an
opportunity to strengthen agency procedures to ensure reviews are timely conducted.
a. Information maintained about individuals must be relevant and
necessary.
An important way for an agency to protect individual privacy is to limit the amount of
information that the agency maintains about individuals. Therefore, each agency shall review its
systems of records to ensure that they contain only that information about individuals that is
"relevant and necessary" to accomplish an agency purpose.
The Privacy Act limits agencies to maintaining "only such information about an individual as
is
relevant and necessary to accomplish a purpose of the agency required to be accomplished by
statute or Executive order of the President." 5 U.S.C. § 552a(e)(1). Information that was
relevant and necessary when a system of records was first established may, over time, cease to be
relevant or necessary. This may result, for example, from a change in agency function or
reorganization, or from a change in how the agency operates a program.
If your agency determines that any information about individuals in a system of records is no
longer relevant and necessary, or if your agency determines that the entire system of records
itself is no longer relevant and necessary, then the agency should expunge the records (or system
of records) in accordance with the procedures outlined in the Privacy Act notice(s) and the
prescribed record retention schedule approved by the National Archives and Records
Administration. The system notice should be accordingly revised (or rescinded).
b. Privacy Act records must be protected by appropriate safeguards.
For that information which agencies do maintain, agencies must ensure the information's
security
and confidentiality. Therefore, each agency shall review its systems of records to ensure that the
safeguards in place are appropriate to the types of records and the level of security required.
The Privacy Act requires agencies to "establish appropriate administrative, technical and
physical
safeguards to insure the security and confidentiality of records and to protect against any
anticipated threats or hazards to their security or integrity which could result in substantial harm,
embarrassment, inconvenience, or unfairness to any individual on whom the information is
maintained." 5 U.S.C. § 552a(e)(10). In addition, the Paperwork Reduction Act requires
agencies to "implement and enforce applicable policies, procedures, standards, and guidelines on
privacy, confidentiality, security, disclosure and sharing of information collected or maintained
by or for the agency" and "identify and afford security protections commensurate with the risk
and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or
modification of information collected or maintained by or on behalf of an agency." 44 U.S.C.
§ 3506(g).
Over time, and given changes in how records are used and maintained, safeguards that may
have
been appropriate in the past may no longer be sufficient, or they may no longer be necessary.
For example, safeguards that were appropriate for a system of records maintained in paper form
may no longer be appropriate when the system of records has been converted to electronic form.
If your agency determines that changes to the safeguards should be made, then the agency
should implement the changes and publish a system of records notice that reflects the updated
safeguards. Note that the system of records notice should not state that access is limited to those
who need the information in the course of their duties. Rather, the notice should explain
how access is limited by describing the types of safeguards in place, such as locks,
building access controls, passwords, network authentication, etc.
c. Routine uses must meet the "compatibility" standard.
Non-statutory disclosures created by administrative mechanisms should only be made when
appropriate. Therefore, each agency shall review its "routine uses" to identify any routine uses
that are no longer justified, or which are no longer compatible with the purpose for which the
information was collected.
The Privacy Act authorizes agencies to disclose information about individuals under a
"routine use." A routine use is defined as a disclosure of a record outside of the agency "for a
purpose which is compatible with the purpose for which it was collected." 5 U.S.C. §
552a(a)(7), (b)(3).
The Act requires agencies to include in their systems of records notices a description of the
routine uses for which information in a system of records may be disclosed. 5 U.S.C. §
552a(e)(4)(D).
It may be the case that the circumstances which justified a routine-use disclosure have ceased
to
exist, or that the purpose for which the records are collected has changed over time so that the
routine use no longer makes sense. Agencies should consult the Privacy Act Overview
published
by the Department of Justice each November (and available through the Government Printing
Office) for judicial rulings which may affect the agency's routine uses. Such changes may well
mean that the routine use is no longer justified or that the routine use is no longer compatible
with the purpose for which the information is being collected. Agencies should review each
routine use to ensure that each continues to be appropriate. In addition, agencies should review
the associated system of records notices to ensure that it accurately and completely describes the
routine uses, including the categories of users and the purpose of such use.
If an agency determines that a routine use is no longer appropriate, the agency should
discontinue
the routine-use disclosures and delete the routine use from the system of records notice. If an
agency determines that the system of records notice does not accurately and completely describe
the routine uses, the agency should revise the notice accordingly.
d. Agencies must keep an accounting of disclosures and make it
available.
In order to ensure fairness to individuals they must be able to determine who has seen their
records and when they were seen. Therefore, each agency should review its procedures for
accounting for disclosures to ensure they are working properly.
The Privacy Act requires agencies to "keep an accurate accounting" regarding "each
disclosure of
a record to any person or to another agency, "and to retain the accounting for at least five years or
the life of the record, whichever is longer." 5 U.S.C. § 552a(c). As in the other contexts
discussed above, "changes in technology, function, and organization" may result in accounting
procedures becoming outdated or may result in inadequate implementation of accounting
procedures that remain appropriate. An agency is relieved by the statute of accounting for
disclosures made within the agency on a need-to-know basis or disclosure required by the
Freedom of Information Act. 5 U.S.C. § 552a(c)(1). However, all other disclosures under
5 U.S.C. § 552a(b) must be accounted for, including those made under routine uses, and
those made pursuant to requests from law enforcement agencies (even though the latter may be
exempt from disclosures to the subject individual). While an agency need not keep a running
tabulation of every disclosure at the time it is made, the agency must be able to reconstruct an
accurate and complete accounting of disclosures so as to be able to respond to requests in a
timely fashion.
If an agency determines that changes to the accounting procedures should be made, then the
agency should implement the changes promptly.
e. Systems of records should not be inappropriately combined.
Groups of records which have different purposes, routine uses, or security requirements, or
which are regularly accessed by different members of the agency staff, should be maintained and
managed as separate systems of records to avoid lapses in security. Therefore, agencies shall
ensure that their systems of records do not inappropriately combine groups of records which
should be segregated. This ensures, for example, that routine uses which are appropriate for
certain groups of records do not also apply to other groups of records simply because they have
been placed together in a common system of records.
Over time, changes in agency operations or functions may result in increased differences
among
the records that are contained within a common system of records. Groups of records that once
were appropriately combined into a common system may have become sufficiently different that
they should be divided into separate systems. Accordingly, during the course of the agency's
review of its systems of records under B.2. of these
instructions, and of its
systems notices under B.3. of these instructions, an agency
should identify
instances where a system of records includes groups of records which -- because of their different
purposes, routine uses, or security requirements -- should not be combined together into a
common system of records, but instead should be maintained and managed as separate systems
of records.
In addition, agency systems of records should not duplicate or be combined with those
systems
which have been designated as "government wide systems of records." A government wide
system of records is one for which one agency has regulatory authority over records in the
custody of many different agencies. Usually these are federal personnel or administrative
records. Such government-wide systems ensure that privacy practices with respect to those
records are carried out in accordance with the responsible agency's regulations uniformly across
the federal government. For example, a civilian agency subject to the personnel rules of the
Office of Personnel Management should manage its official personnel folders in accordance with
the government wide notice published by OPM for those records, OPM/GOVT-1. The custodial
agency need not, and should not, publish a system of records which covers the same records. A
list of government-wide systems of records may be found at Attachment C, along with the name
of someone who can answer specific questions about those systems of records.
3. Ensure notices describing systems of records are up-to-date,
accurate and
complete.
In order to exercise their rights, individuals must have access to an up-to-date statement of
what
types of information are maintained and for what reasons. Therefore, each agency shall conduct
a review of its systems of records notices to ensure that they are up-to-date, to conform with any
necessary changes identified during the review under section B.2. of these instructions.
The Privacy Act requires agencies to publish, upon the establishment of a system of records,
a
notice that describes the system. 5 U.S.C. § 552a(e)(4). The core purpose of a system of
records
notice is to inform the public what types of records the agency maintains, who the records are
about, and what uses are made of them. As the President noted in his Memorandum, however,
"changes in technology, function, and organization" may have the effect of making system of
records notices "out of date."
A systems of records notice should accurately and completely describe each category in the
notice to comply with the requirements of 5 U.S.C. § 552a(e)(4) and the Federal
Register
Document Drafting Handbook. (The Handbook can be found at the web page
of National
Archives and Records Administration (NARA), at
http://www.nara.gov/fedreg/draftres.html or by contacting the Office of the Federal Register.) The goal is to provide a
notice helpful to someone who might be a subject of the records. The reviewer should ask, "If this system of
records contained information about my friends or relatives, would this notice allow them to
understand what type of records are kept, who uses them, and why?"
Agencies should take note that the descriptive categories for systems of records notices have
changed over time. For example, the Drafting Handbook now requires that each
system of
records include a Purpose statement. This statement should briefly explain the program purpose
for which the records are collected and which the system of records supports.
While a notice-by-notice review may be appropriate, an agency may also decide to
concentrate
its review by focusing on those notices that are more likely to contain outdated information. An
agency using this targeted approach, for example, could begin its review by identifying changes
in technology, function, and organization -- that is, changes in how the agency operates -- that
would have the potential to make a system of records notice out-of-date. Based on this analysis,
the agency would then identify those systems of records that would most likely have been
affected by these changes in agency operations. Under this approach, an agency should focus its
review on those notices that apply to systems of records that have been automated; that are
operated by an office (or for a program) that has been assigned increased (or decreased)
responsibilities; or that have been involved in an agency reorganization. This is not meant to be
an exhaustive list; an agency should seek to identify other ways in which changing agency
operations may have affected the accuracy and completeness of its systems of records notices.
4. Identify any Unpublished Systems of Records.
In passing the Privacy Act, the Congress made a strong policy statement that in order to
ensure
fairness, there shall be no record keeping systems the very existence of which is secret.
Therefore, each agency shall review its operations to identify any de facto systems of
records for
which no system of records notice has been published.
If the agency identifies any such unpublished systems of records, then the agency should
publish
a system of records notice for the system promptly. Agencies shall implement appropriate
measures (e.g., training) to ensure that system of records are not inadvertently established, but
instead are established in accordance with the notice and other requirements of the Privacy Act.
5. Review Information Sharing Practices with State, Local and Tribal
Governments.
In accordance with the President's May 14, 1998, directive and the Vice President's
announcement on July 31 that the Administration intends to open a dialogue with the States
about information sharing, each agency shall review their practices of sharing personal
information with State, local and tribal governments. This review should include a review of the
agency's systems of records, computer matching programs, and routine uses which provide for
intergovernmental collection or disclosure of information. Agencies should not survey
the States
to collect information, but should use internal sources of information to conduct the review.
Agencies should pay particular attention to the types of information that is being shared; the
purpose(s) for which the information is shared; the frequency with which it is shared; and the
rules (if any) regarding the retention, re-disclosure, and destruction of Federally-supplied
information by the State, local or tribal governments. In conducting this review, agencies shall
evaluate whether each collection or disclosure continues to be appropriate and consider whether
adequate confidentiality and security safeguards apply. In this regard, "changes in technology,
function, and organization" (whether at the Federal level or at the State, local or tribal level) may
render outdated the sharing of certain types of information (or the frequency of sharing), or may
result in applicable safeguards being inadequate (or inadequately implemented).
Based on these reviews, agencies should identify any potential changes to information
sharing
practices that deserve further review. Agencies should address, including through discussions
with their governmental counterparts, whether and how such potential changes should be
made.
6. Report to OMB.
After completing the review outlined above, each agency should summarize its findings in a
report to OMB, as described below.
a. What should the report contain?
Each agency's report should include the following:
a. A certification by the agency's Chief Information Officer and the agency's Senior Official
for
Privacy Policy designated under section B.1. of these
instructions, that the
review was
conducted.
b. A summary of the actions taken as a result of the review, including citations to the
Federal
Register notices of any issuances of, or revisions to, systems of records notices.
c. A summary of future actions that the agency plans to take as a result of the review to
assure
sound privacy practices across the agency, and a schedule of when those actions will be
completed.
d. A summary of the agency's review of its routine uses, including, in particular, the extent
to
which the agency found that its routine uses remain justified and compatible with the purpose for
which the information was collected.
e. A description of the agency's major information sharing practices with State, local and
tribal
governments, including in particular whether the review identified potential changes to sharing
practices that will undergo further review (and if so, a description of such potential changes).
f. Any subjects on which the agency would like further OMB guidance on the Privacy Act,
and
any recommendations regarding such guidance.
b. When is the deadline for reporting?
With the exception of the designation of the Senior Official for Privacy Policy in
B.1., which should be made immediately, the report in
B.6.
should be made to OMB by May 14, 1999.
c. To whom should the report be addressed?
Director
Office of Management and Budget
Attention: Docket Library
Room 10201 NEOB
725 17th Street, NW
Washington, DC 20503
D. WHO CAN ANSWER QUESTIONS ABOUT THIS
MEMORANDUM?
For more information regarding these instructions, contact:
Maya A. Bernstein
Senior Policy Analyst
Information Policy and Technology Branch
Office of Information and Regulatory Affairs
725 17th Street, NW
Washington, DC 20503 |
202/395-3785 (voice)
202/395-5167 (facsimile)
Maya_A._Bernstein@omb.eop.gov
|
Return to M-99-05
The Budget | Legislative Information | Management Reform/GPRA Grants Management Financial Management | Procurement Policy | Information & Regulatory Policy Contact the White House Web Master
Privacy Statement |