OMB Circular A-130

Privacy and Information Security

Although this section includes requirements for protecting Federal information resources, this area is covered more fully in the Appendices to this Circular.

  1. Privacy

To ensure proper safeguards, agencies shall:

  1. Designate a senior agency official for privacy (SAOP) who has overall agency-wide responsibility and accountability for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws, regulations, and policies regarding the collection, use, maintenance, dissemination, and disposal of PII by programs and information systems;
  2. Limit the collection of information, such as personally identifiable information, to that which is legally authorized and necessary for the proper performance of agency functions;
  3. Only maintain personally identifiable information that is relevant and necessary to accomplish a legally authorized purpose;
  4. Limit the disclosure of personally identifiable information or proprietary information to that which is legally authorized, and impose appropriate conditions on use where a continuing obligation to ensure the confidentiality of the information exists;
  5. Provide individuals, upon request, access to records about them maintained in Privacy Act systems of records, and permit them to amend such records consistent with the provisions of the Privacy Act;
  6. Comply with all applicable requirements of the Privacy Act and ensure that system of records notices are published, revised, and rescinded, as required;
  7. Ensure that all records with personally identifiable information are maintained in accordance with applicable records retention or disposition schedules approved by the National Archives and Records Administration;
  8. Conduct privacy impact assessments when developing, procuring, or using information technology, in accordance with the E-Government Act, and make the assessments available to the public in accordance with OMB policy; and
  9. Maintain and post privacy policies on all agency websites, in accordance with OMB policy.

  2. Information Security

To ensure proper safeguards, agencies shall:

  1. Ensure the CIO designates a senior agency information security officer to develop and maintain an agency-wide information security program in accordance with the Federal Information Security Modernization Act of 2014;
  2. Ensure that information is protected commensurate with the risk that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of such information;
  3. Implement security policies issued by the Office of Management and Budget (OMB), and related government-wide requirements and procedures issued by the Department of Commerce, Department of Homeland Security, General Services Administration, and the Office of Personnel Management. This includes applying the standards and guidelines contained in the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS), NIST Special Publications (SPs) (e.g., 800 series guidelines), and where appropriate and directed by OMB, NIST Interagency or Internal Reports (NISTIRs).