Volume 22 Number 22, December 2, 2002

(Excerpted From Page 3)

In its final week, Congress passed a little-noticed law requiring federal agencies to

conduct privacy impact assessments (PIAs) before developing or procuring information technology or initiating any new collections of personally-identifiable information.

The E-Government Act of 2002, which President Bush is expected to sign into law,

also requires agencies to post privacy notices on their Web sites, detailing agency practices and individual rights. While most agencies already post such notices because of a Clinton administrative order, the new law will further require "machine-readable" notices, such as those specified in the Platform for Privacy Preferences (P3P) standards.

According to Ari Schwarz, of the Center for Democracy and Technology (CDT), only a few federal agency Web sites currently are P3P compliant, including the Federal Trade Commission, the US Postal Service and portions of the Commerce Department.

Originally introduced by Sens. Joe Lieberman (D-CT) and Conrad Burns (R-MT), a privacy impact assessment must address what information is to be collected, why it is being

collected, the intended uses of the information, with whom the information will be shared, what notice would be provided to individuals and how the information will be secured. To the extent

practicable, privacy impact assessments must be published. The Office of Management and Budget (OMB) will issue guidelines for the assessments.

The new law should not be confused with a proposal by Representative Bob Barr (R-GA) which did not pass that would have required PIAs for new agency rules and regulations. That bill passed the House but was never taken up by the Senate. CDT recommended that OMB incorporate standards from the Barr bill into its guidance.

According to a CDT summary, other important provisions in the bill include:

• Creation of an OMB Administrator of the Office of E-Government (a compromise in response to a proposal for a U.S. Chief Information Officer. The compromise basically codifies OMB Associate Director Mark Forman's role, but should increase Congressional oversight. (Sec. 101) develop an online tutorial explaining how to access government information services and information on the Internet. Sec. 213 (f).
• "To the extent practicable," requires agencies to ensure that its Web sites include all information that it is required to publish in the Federal Register, and to accept electronic submissions in rulemaking proceedings. (Sec. 206).

• Authorizes an E-Government Fund with $45 million in fiscal 2003, an amount that would increase to $150 million by fiscal 2006, to fund innovative uses of the Internet and other electronic methods by federal agencies. (Sec. 101)
• Mandates a (1) study panel on standards to enable government data to be searched across agencies. (Sec. 207). (2) A 3-year study of interoperability and the integrated collection and management of data. Sec. 212. A OMB and Interior Dept. effort to develop protocols for acquisition/application of geographic data (GIS). (Sec 216)
• Requires OMB to develop and maintain a repository that fully integrates information about research and development funded by the federal government. (Sec. 207(g))
• Authorizes an IT exchange program under which mid-level information technology managers of the federal government can be detailed to work in the private sector for up to 2 years, and private sector employees can be assigned to work in federal agencies. (Sec. 209)
• Imposes new data security duties on agency heads, increases OMB oversight, mandate annual independent audits of agency computer security practices, and renames the Computer System Security and Privacy Advisory Board (CSSPAB) as the Information Security and Privacy Advisory Board.
• Establishes a very strict rule of confidentiality for federal agency statistical data, which may prove to be especially important as Zip Code and other data that is not strictly personal becomes easier to use for personal profiling purposes. (Sec. 501-513)
• Requires the General Services Administration to establish a framework to allow interoperability among federal agencies when using electronic signatures (Sec. 203)
• Requires each federal court to establish a Web site where the public could get court rules, decisions, docket information and documents filed with the court in electronic format, and, requires the Supreme Court to adopt rules to protect privacy and security concerns relating to the electronic filing and availability of documents. (Sec. 205)

For the text and legislative history, see http://thomas.loc.gov/cgi-bin/bdquery/z?d107:hr2458