6. Protect Privacy

The Federal Government necessarily creates, collects, uses, processes, stores, maintains, disseminates, discloses, and disposes of personally identifiable information (PII) to carry out missions mandated by Federal statute. The review of privacy risks should begin at the earliest planning and development stages of agency actions and policies that involve PII, and should continue throughout the life cycle of the information.

Agencies must be transparent about policies and practices with respect to PII, and must provide clear and accessible notice regarding the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII. This includes maintaining an up-to-date Privacy Program Page on an agency’s principal website, posting plain language privacy policies on an agency’s websites, mobile applications, and other digital services, providing Privacy Act statements where required by the Privacy Act of 1974, and providing privacy notices for online collections of information where feasible.

A. Privacy Program Page

Each agency must maintain a central resource page dedicated to its privacy program on the agency’s principal website. The agency’s Privacy Program Page must serve as a central source for information about the agency’s practices with respect to PII. The agency’s Privacy Program Page must be located at www.[agency].gov/privacy and must be accessible through the agency’s “About” page.

1. At a minimum, agencies must include the following on their Privacy Program Page:

a. System of records notices (SORNs). An agency must list and provide links to complete, up-to-date versions of all agency SORNs. This requires agencies to provide the following:

  • A list of all of the agency’s systems of records;
  • Citations and links to all Federal Register notices that comprise the SORN for each system of records; and
  • For any SORNs that are comprised of multiple Federal Register notices, an unofficial consolidated version of the SORN that describes the current system of records and allows members of the public to view the SORN in its entirety in a single location.

Agencies must come into full compliance with this requirement as soon as practicable, but no later than 18 months from the issuance of this Memorandum. The requirement to provide links to complete, up-to-date versions of SORNs on the agency’s Privacy Program Page does not replace the Privacy Act’s statutory requirement to publish SORNs in the Federal Register.

b. Privacy impact assessments (PIAs). Agencies must list and provide links to PIAs. However, agencies may determine not to include a link to a PIA if doing so would raise security concerns or reveal classified or sensitive information (sensitive information may include information that is potentially damaging to a national interest, law enforcement effort, or competitive business interest).

Agencies must have a specific, compelling justification in order to decline to post a link to a PIA. If deciding not to post a link to a PIA, agencies should produce a summary or a modified version of the PIA that is suitable for posting.

c. Matching notices and agreements. Agencies must list and provide links to up-to-date matching notices and agreements for all active matching programs in which the agency participates.

d. Exemptions to the Privacy Act. Agencies must provide citations and links to the final rules published in the Federal Register that promulgate each Privacy Act exemption claimed for their systems of records.

e. Privacy Act implementation rules. Agencies must list and provide links to all Privacy Act implementation rules promulgated pursuant to 5 U.S.C. § 552a(f).

f. Publicly available agency policies on privacy. Agencies must list and provide links to all publicly available agency policies on privacy, including any directives, instructions, handbooks, manuals, or other guidance.

g. Publicly available agency reports on privacy. Agencies must list and provide links to all publicly available agency reports on privacy.[14] These reports need not include agencies’ Federal Information Security Modernization Act of 2014 (FISMA) reports or reports provided to OMB and Congress pursuant to 5 U.S.C. § 552a(r).

h. Instructions for submitting a Privacy Act request. Agencies must provide instructions in clear and plain language for individuals who wish to request access to or amendment of their records pursuant to 5 U.S.C. § 552a(d).

i. Contact information for submitting a privacy question or complaint. Agencies must provide appropriate agency contact information for individuals who wish to submit a privacy-related question or complaint.

j. Contact information for the SAOP. Agencies must identify their Senior Agency Official for Privacy (SAOP) and provide contact information for his or her office. Agencies may also identify and provide contact information for any component privacy officials.

2. At the discretion of the SAOP, sub-agencies, components, and programs may maintain a sub-agency-, component-, or program-specific privacy program page. If an agency sub-agency, component, or program uses a domain that is different from the agency’s domain, the sub-agency-, component-, or program-specific privacy program page must be accessible through www.[sub-agency, component, or program domain].gov/privacy.

In circumstances where the sub-agency, component, or program uses a domain that is the same as the agency’s domain, the sub-agency-, component-, or program-specific privacy program page must be accessible from the sub-agency’s, component’s, or program’s primary webpage. Agencies may include on a sub-agency-, component-, or program-specific privacy program page any of the same resources posted on the agency’s central Privacy Program Page. However, doing so does not relieve the agency of the requirement to provide the required resources on the agency’s central Privacy Program Page.


B. Privacy Policies on Agency Websites

Agencies must post Privacy Policies on their principal, sub-agency, component, and program websites, mobile applications, and other digital services. For each website, agencies must post a link to that website’s Privacy Policy on any known, major entry points to the website as well as any webpage that collects PII. This requirement does not apply to internal agency activities (such as on intranets or online interactions that do not involve the public).

  1. A Privacy Policy must:

    a. be written in plain language and organized in a way that is easy to understand and navigate;

    b. provide useful information that the public would need to make an informed decision about whether and how to interact with the agency;[15]

    c. be updated whenever the agency makes a substantive change to the practices it describes;

    d. include a time/date stamp to inform users of the last time the agency made a substantive change to the practices the privacy policy describes;

    e. adhere to all other applicable OMB requirements; and

    f. include a link to the agency’s Privacy Program Page.

  2. If agencies provide content to children under the age of 13 and collect, maintain, or disclose children’s PII, they may be required to comply with the requirements in the Children’s Online Privacy Protection Act. Among other things, these requirements include adding a section in the agency’s Privacy Policy that pertains to these activities.[16]


C. Privacy Act Statements for Online Collections of Information

A Privacy Act statement is required by law whenever an agency asks individuals to supply information that will become part of a system of records under the Privacy Act.[17] The requirements for a Privacy Act statement are described in the Privacy Act and in OMB guidance.[18] When agencies collect information using an online interface, the agency may need to provide a Privacy Act statement.

A privacy notice must be provided, whenever feasible, where a Privacy Act statement is not required but members of the public could nonetheless provide PII to the agency using an online interface. The privacy notice should include a brief description of the agency’s practices with respect to the PII that the agency is collecting, maintaining, using, or disseminating.


Footnotes

[14]: Examples of privacy reports include, but are not limited to, annual matching activity reports submitted pursuant to the Privacy Act and reports submitted pursuant to Section 552 of the Consolidated Appropriations Act of 2005, Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007, and the Federal Agency Data Mining Reporting Act of 2007.

[15]: https://www.whitehouse.gov/omb/memoranda_m99-18/

[16]: http://www.business.ftc.gov/privacy-and-security/childrens-privacy

[17]: 5 U.S.C. § 552a(e)(3)

[18]: https://www.whitehouse.gov/sites/default/files/omb/assets/omb/inforeg/implementation_guidelines.pdf