"embedding privacy in federal information systems" professor peter p. swire ohio state...
"Embedding Privacy in Federal Information Systems"
Professor Peter P. Swire
Ohio State University
Consultant, Morrison & Foerster LLP
MITRE Corp. Workshop
March 27, 2003
Overview
Agency privacy before 2001
E-Government Act of 2002
Beyond E-Gov
Total Information Awareness
Conclusions on security and privacy
I. Government Systems Thru 2000
Privacy Act of 1974
– “System of Records”
– Notice, consent, access, reasonable administrative and technical measures
– OMB Guidance
Limits of the Privacy Act
Only applies to “systems of records”
– Not, e.g., to queries of commercial databases
Large “routine uses”
Uneven compliance
1999 Web Policies
OMB Directive from Jack Lew June, 1999
– June 2, 1999, OMB M-99-18
Available at www.privacy2000.org, under “Presidential Privacy Archives”
Guidance and model language for federal sites
1999 OMB Policy
Principal agency web sites
“Known, major entry points”
“Substantial collection of personal information”
2000 OMB Cookies Policy
Issued June 22, 2000, OMB M-00-13
Reaction to cookies set for the National Office of Drug Control Policy
Cookies need
– Clear and conspicuous notice
– Compelling need to gather the data
– Publicly disclosed safeguards
– Personal approval by the agency head
2000 OMB Guidance
Agencies should comply with requirements of Children’s Online Privacy Protection Act
Description of privacy practices and steps for compliance on cookies incorporated into annual submission to OMB for IT budgets
OMB/OIRA has sent out guidance for annual budget submissions
II. E-Government Act of 2002
Spotlight on Privacy Impact Assessments
PIAs before the Act
– IRS PIA adopted as best practice by Federal CIO Council
– CIO Council encouraged wider use
– Only moderate adoption in the agencies
– CIO Council subcommittee on privacy did not continue after January, 2001
PIAs under the E-Gov Act
PIA required where “developing or procuring IT that collects, maintains, or disseminates information that is in identifiable form”
Also “new collection of information” that includes information collected from federal reporting requirements affecting 10+ people (Paperwork Reduction Act extension)
PIAs
Review by agency CIO or equivalent official
“If practicable”, after completion of the review, publish the PIA
That can be waived “for security reasons, or to protect classified, sensitive, or private information”
Copy to OMB
Contents of the PIA
OMB to issue guidance
– Perhaps this April or May
PIAs to be commensurate with
– size of IT system
– sensitivity of information
– risk of harm from unauthorized release
Contents of PIA
PIA should include
– what information is to be collected
– why information is to be collected
– intended use of the information
– with whom the information is shared
– notice or consent for individuals
– how information is secured
– whether it is a system of records
Other E-Gov Provisions
Statutory version of OMB 1999 guidance for privacy policies on agency web pages
– More detail on notice, choice, access, security
Privacy policies in machine-readable formats
– OMB guidance
– P3P the likely current use
“Identifiable” permits the identity “to be reasonably inferred”, directly or indirectly
III. Beyond E-Gov
HIPAA and federal agencies
– Privacy rule this April 14
– Transaction rule this October
– Security rule in 2 years, and also by April 14
What agencies?
– VA, DOD, other federal/state health providers
– Research on human subjects
– Federal/state health insurance
– Business associates -- receive data from others
Court Records and Privacy
OMB/DOJ/Treasury study in Jan. 2001 on bankruptcy records and privacy
SEARCH and criminal records
PACER and court records as a current major debate
IV. Total Information Awareness
Surveillance after September 11
Wiretap/surveillance changes in USA-PATRIOT Act
Philosophy of “information sharing”
– Among agencies
– Between federal and state/local
TIA
Does not look like “embedding privacy in federal information systems”
Contrasting trends
– Embedding privacy
– Increasing surveillance (data gathering) and data sharing
Conclusion
Will need to build federal systems better for security and privacy
They work together on the level of good data practices
They can work against each other with surveillance and data sharing proposals
Not clear how the cross-currents will change practices in coming years