GCN Hot Topics:

Serious about privacy

In this report

The basics of a PIA

Postal Service chief privacy officer Zoe Strickland has outlined the five steps to construct a privacy impact assessment.

Develop a questionnaire. Each questionnaire should solicit information about a system under development, addressing plans for privacy and security. It also should capture, assess and drive data practices.

Define the scope. The assessment should cover all systems within a particular program, as well as all technologies being used to collect, create or manage information.

Establish the schedule. The agency should plan when work on the assessment should start and be completed.

Determine roles and accountability. Employees should know what is expected of them and who will sign off on the finished assessment.

Define how the process works. Each objective should be clearly identified and the PIA process, including approach to risk management, should be easily repeatable.

More on this topic

Special Report: Privacy

Agencies using medical data got in the act early

SSA makes protecting privacy a �cornerstone�

Agencies lag in assessing the impact of systems upgrades

Agencies are making strides in e-government, but ensuring the privacy of citizens’ data has proved to be a struggle.

In reviewing agencies’ privacy impact assessments for the fiscal 2005 budget, the Office of Management and Budget found that few agencies have adequately considered how new or upgraded systems could compromise the privacy of citizens who submit personal information.

“When we talk about e-government, citizens really do want it faster, cheaper and now,” said Karen Evans, OMB administrator for e-government and IT. “But they also expect us to secure the data as well. That is balancing we need to do. That is the challenge for us.”

The E-Government Act of 2002 required agencies to conduct privacy assessments. The first round was due last September with agencies’ 2005 budget submissions. In the more than 300 assessments submitted, agencies struggled to integrate privacy efforts with their IT business cases, said an OMB official who requested anonymity.

It’s too soon to determine what effect merely writing the assessments has had on agencies’ efforts to protect privacy, but the process is more than an exercise in paperwork, officials said.

“It shouldn’t just be a check box to OMB to say ‘We’ve done it,’ ” Evans said. Agencies, she said, should think seriously about how they will use citizens’ data and incorporate that thinking as they plan new systems and upgrades.

Agencies also are supposed to take that approach to information security, incorporating it into business cases for major IT projects.

The E-Government Act’s privacy provisions were intended to make systems development a multidisciplinary effort, involving systems owners, IT specialists, and security and privacy experts, the OMB official said.

Eva Kleederman, an OMB policy analyst working on privacy issues, said at a recent conference that an assessment must be a multidisciplinary effort in which privacy officials and IT officials work closely together.

“The PIAs must bring to bear technical, legal and programmatic expertise,” she said at a discussion on privacy hosted by the Council for Excellence in Government. “All of the areas must work hand in glove in doing the PIAs.”

« Previous12 3 Next »


GCN.com	Latest News	FCW.com

Government Computer News