Appendix I to OMB Circular No. A-130

Responsibilities for Management of Personally Identifiable Information

  1. Purpose

This Appendix outlines some of the general responsibilities for Federal agencies managing information resources that involve personally identifiable information (PII). For more specific requirements, agencies should consult specific OMB guidance documents, which are available on the OMB website.

Previous versions of this Appendix included information about the reporting and publication requirements of the Privacy Act of 1974 (“Privacy Act”) and additional OMB guidance. This information has been revised and reconstituted as OMB Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act.

  2. Responsibilities for Protecting PII

The Federal Government necessarily collects, creates, uses, disseminates, and maintains PII to carry out the missions mandated by the Constitution and laws of the United States. The term PII, as defined in the main body of this Circular, refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Because there are many different types of information that can be used to distinguish or trace an individual’s identity, the term PII is necessarily broad. To determine whether information is PII, agencies must perform an assessment of the specific risk that an individual can be identified. In performing this assessment, it is important to recognize that non-identifiable information can become PII whenever additional information becomes available – in any medium and from any source – that would make it possible to identify an individual.

Once the agency determines that an information system contains PII, the agency must conduct an analysis of the information and the information system to determine which privacy requirements may apply. The determination of which privacy controls and safeguards should be applied to an information system will depend on more than an assessment of whether the information system contains PII. Rather, the agency must also consider the sensitivity level of the PII and the potential risk to individual privacy from the collection, creation, use, dissemination, and maintenance of that PII.

Agencies should evaluate the sensitivity of each individual data element that is PII, as well as all of the data elements together. The sensitivity level of the PII will depend on the context, including the purpose for which the PII is collected, used, disseminated, or maintained. For example, the sensitivity level of a list of individuals' names may depend on the source of the information, the other data associated with the list, the intended use of the data, how the data will be processed and shared, and the ability to access the data.

Agencies must begin to consider the effect on individual privacy during the earliest planning and development stages of any actions and policies. Moreover, agencies must continue to account for privacy implications during each stage of the life cycle of PII. On an annual basis, agencies must review their holdings of PII and ensure, to the maximum extent practicable, that such PII is accurate, relevant, timely, and complete, and must reduce their holdings of PII to the minimum necessary for the proper performance of authorized agency functions.

  3. Designation of Senior Agency Official for Privacy

Agencies are required to designate a Senior Agency Official for Privacy (SAOP) who has overall agency-wide responsibility and accountability for ensuring the agency’s implementation of all privacy requirements. The SAOP must have a central policy-making role and must ensure that the agency considers the privacy impact of all agency actions and policies that involve PII. The SAOP’s review of privacy implications should begin at the earliest planning and development stages of agency actions and policies that involve PII, and should continue through the life cycle of the information.

The SAOP must ensure that the agency complies with all applicable privacy requirements in law, regulation, and policy. Relevant authorities include, but are not limited to, the Privacy Act, the Paperwork Reduction Act of 1995, the E-Government Act of 2002, Privacy Act Implementation: Guidelines and Responsibilities, Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988, and OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.

  4. Privacy Impact Assessments

As a general matter, an agency must conduct a privacy impact assessment (PIA) under section 208(b) of the E-Government Act of 2002 when the agency develops, procures, or uses information technology to collect, maintain, or disseminate PII.

A PIA is an analysis of how PII is handled to ensure that handling conforms to all applicable privacy requirements, determine the risks of activities involving PII, and evaluate protections and processes for handling PII to mitigate potential privacy risks.

A PIA is not merely a compliance tool that must be completed before an agency develops a system or begins an activity involving PII. Rather, it is one of the most valuable tools Federal agencies use to ensure that privacy is sufficiently analyzed and addressed. Agencies must conduct and draft a PIA with sufficient clarity and specificity to demonstrate that the agency fully considered privacy and incorporated appropriate privacy protections from the earliest stages of the agency activity and throughout the information life cycle. In order to conduct a meaningful PIA, the agency’s SAOP must work closely with the program managers, system owners, information technology experts, security officials, counsel, and other relevant agency officials.

In addition to serving as an important analytical tool for agencies, a PIA also serves as notice to the public regarding the agency’s practices with respect to privacy and information technology. All PIAs must be drafted in plain language and must be posted on the agency’s website, unless doing so would raise security concerns or reveal classified or sensitive information. Moreover, a PIA is a living document that agencies are required to update whenever changes to the information technology or the agency’s practices substantively alter the privacy risks associated with the use of such information technology. Members of the public should be able to review an up-to-date PIA and understand all of the pertinent information about the privacy implications of the agency’s practices and the safeguards that the agency has put in place to address them.

  5. Responsibilities for Protecting PII Collected for Statistical Purposes under a Pledge of Confidentiality

The Nation relies on the flow of credible statistics to support the decisions of individuals, households, governments, businesses, and other organizations. Any loss of trust in the relevance, accuracy, objectivity, or integrity of the Federal statistical system and its products can foster uncertainty about the validity of measures our Nation uses to monitor and assess performance, progress, and needs.

Given the importance of robust and objective official Federal statistics, agencies and components charged with the production of these statistics are assigned particular responsibility. Specifically, information acquired by an agency or component under a pledge of confidentiality and for exclusively statistical purposes cannot be used for any non-statistical purpose, such as an administrative, enforcement, or regulatory purpose. As defined in the Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA), statistical purpose refers to the description, estimation, or analysis of the characteristics of groups, without identifying the individuals or organizations that compose such groups; it includes the development, implementation, or maintenance of methods, technical or administrative procedures, or information resources that support such purposes. These agencies and components must protect the integrity and confidentiality of this information against unauthorized access, use, modification, or deletion throughout the life cycle of the information. Further, these agencies and components must adhere to legal requirements and follow best practices for protecting the confidentiality of data, including training their employees and agents, and ensuring the physical and information system security of confidential information.

Relevant authorities include, but are not limited to, Title V of the E-Government Act of 2002, the Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA), Implementation Guidance for Title V of the E-Government Act, Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA Implementation Guidance), and Fundamental Responsibilities of Federal Statistical Agencies and Recognized Statistical Units.

  6. Fair Information Practice Principles

In addition to the specific requirements in law, regulation, and policy, agencies should use the Fair Information Practice Principles (FIPPs) when managing information resources that involve PII. The FIPPs are a collection of widely accepted principles that agencies should use when evaluating systems, processes, programs, and activities that affect individual privacy. Rooted in a 1973 Federal Government report from the Department of Health, Education, and Welfare Advisory Committee, “Records, Computers and the Rights of Citizens,” the FIPPs are at the core of the Privacy Act, and are reflected in the laws of many U.S. states and foreign nations, as well as incorporated in the policies of many organizations around the world. Thus, to establish a comprehensive privacy program, agencies should take steps to establish policies and procedures that address all of the FIPPs.

The precise expression of the FIPPs has varied over time and in different contexts. However, the FIPPs retain a consistent set of core principles that are broadly relevant to agencies' information management practices. For purposes of this Circular, the FIPPs are as follows:

  a. Access and Amendment. Agencies should provide individuals with appropriate access to PII and appropriate opportunity to correct or amend PII.

  b. Accountability. Agencies should be accountable for complying with these principles and all applicable privacy requirements, and should appropriately monitor, audit, and document compliance. Agencies should also clearly define the roles and responsibilities with respect to PII for all employees and contractors, and should provide appropriate training to all employees and contractors who have access to PII.

  c. Authority. Agencies should only collect, create, use, disseminate, or maintain PII if they have specific authority to do so, and should identify this authority in the appropriate notice.

  d. Minimization. Agencies should only collect, create, maintain, and use PII that is directly relevant and necessary to accomplish a legally authorized purpose, and should only maintain PII for as long as is necessary to accomplish the purpose.

  e. Quality and Integrity. Agencies should collect, create, use, disseminate, and maintain PII with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual.

  f. Individual Participation. Agencies should involve the individual in the decision-making process regarding the collection, creation, use, dissemination, and maintenance of PII and, to the extent practicable, seek individual consent for these activities.

  g. Purpose Specification and Use Limitation. Agencies should provide notice of the specific purpose for which PII is collected and should only use, disseminate, or maintain PII for a purpose that is explained in the notice and is compatible with the purpose for which the PII was collected.

  h. Redress. Agencies should provide individuals with appropriate opportunity for redress regarding unauthorized use and dissemination of PII, and should establish procedures to receive and address individuals' privacy-related complaints.

  i. Security. Agencies should establish administrative, technical, and physical safeguards to protect PII commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss, destruction, or dissemination.

  j. Transparency. Agencies should be transparent about information policies and practices with respect to PII, and should provide clear and accessible notice regarding collection, creation, use, dissemination, and maintenance of PII.

  7. Privacy Controls for Federal Information Systems and Organizations

It is essential for agencies to take a coordinated approach to identifying and addressing privacy and security requirements. Information security and privacy are independent and separate disciplines; however, a coordinated approach allows agencies to more effectively consider the breadth of privacy and security requirements that may overlap in concept and in implementation within Federal information systems and technology, programs, and organizations.

Agencies are expected to implement the security and privacy controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Federal Information Systems and Organizations.

NIST SP 800-53 establishes privacy controls that are designed to help agencies satisfy statutory privacy requirements and privacy-related OMB policies. The privacy controls are based on the FIPPs and outline the administrative, technical, and physical safeguards that agencies should apply to protect and ensure proper handling of PII. Agencies should implement the privacy controls in a manner that is consistent with their authorities, missions, and operational needs.

The requirement to implement security and privacy controls is described in more detail in Appendix III to this Circular, Responsibilities for Protecting Federal Information Resources. Appendix III clarifies the role of the SAOP with respect to the NIST Risk Management Framework. While agencies should refer to Appendix III for the details and definitions of terms, a brief summary of the SAOP’s responsibilities in this area is provided below.

SAOP Responsibilities in the Risk Management Framework for Federal Information Systems

| SAOP Responsibility | Description | Citation |
| --- | --- | --- |
| Overall agency-wide responsibility for privacy | The SAOP has overall agency-wide responsibility and accountability for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws, regulations, and policies regarding the collection, use, maintenance, dissemination, and disposal of PII by programs and information systems. | Appendix III, § 5(e) |
| Develop and maintain a privacy continuous monitoring strategy | The SAOP shall develop and maintain a privacy continuous monitoring strategy to address privacy risks and requirements across the organizational risk management tiers. | Appendix III, § 5(e)(1) |
| Establish and maintain a privacy continuous monitoring program | The SAOP shall establish and maintain a privacy continuous monitoring program to maintain ongoing awareness of privacy risks and assess privacy controls at a frequency sufficient to ensure compliance with applicable requirements and to adequately protect PII. | Appendix III, § 5(e)(2) |
| Review IT capital investment plans and budgetary requests | The SAOP shall review IT capital investment plans and budgetary requests to ensure that privacy requirements (and associated privacy controls), as well as any associated costs, are explicitly identified and included. | Appendix III, § 5(e)(3) |
| Review and approve the categorization of systems | The SAOP shall review and approve, in accordance with NIST FIPS Publication 199 and Special Publication 800-60, the categorization of information systems that collect, process, store, maintain, or disseminate PII. | Appendix III, § 5(e)(4) |
| Designate privacy controls for systems | The SAOP shall designate system-specific, hybrid, and common privacy controls. | Appendix III, § 5(e)(5) |
| Review and approve the privacy plans for systems | The SAOP shall review and approve the privacy plans for organizational information systems prior to authorization, reauthorization, or ongoing authorization. | Appendix III, § 5(e)(6) |
| Conduct assessments of privacy controls for systems | The SAOP shall conduct privacy control assessments to ensure that privacy controls are implemented correctly, operating as intended, and effective in satisfying privacy requirements. | Appendix III, § 5(e)(7) |
| Review authorization packages for systems | The SAOP shall review authorization packages and determine that all applicable privacy requirements are met and the risk to PII is sufficiently addressed prior to authorizing officials making risk determination and acceptance decisions. | Appendix III, § 5(e)(8) |
| Maintain formal incident response capabilities | The SAOP shall maintain formal privacy incident response capabilities to include breach notification, shall implement formal privacy incident policies, and shall provide adequate training and awareness for employees and contractors on how to report and respond to privacy incidents. | Appendix III, § 5(f)(1)-(3) |
| Develop and maintain agency-wide privacy training | The SAOP shall develop and maintain mandatory agency-wide privacy training for all employees and contractors, including role-based training, and shall establish enforceable rules of behavior. | Appendix III, § 5(g)(1)-(8) |