Monday, August 13, 2007

Privacy Impact Assessment (PIA) - Aliens have a right for P3P as well


The OMB has written Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (M-03-22). It's a rather long and terse document that even scares junior spec readers like myself. I ran into it when searching for privacy initiatives. In Attachment A - E-Government Act Section 208 Implementation Guidance, section II. Privacy Impact Assessment, subsection A. Definitions, there's a glossary.

Individual - means a citizen of the United States or an alien lawfully admitted for permanent residence. (Agencies may, consistent with individual practice, choose to extend the protections of the Privacy Act and E-Government Act to businesses, sole proprietors, aliens, etc.)

As English is a non-native language to me, this is a great laugh :-). Though the meaning is less spectacular, as can be seen in Wikipedia's entry on the term Alien in U.S. law:

In U.S. law, an alien is a person who owes political allegiance to another country or government and not a native or naturalized citizen of the land where they are found.

The sixth term defines the PIA (my formatting)

Privacy Impact Assessment (PIA) - is an analysis of how information is handled:

  1. to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy,
  2. to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and
  3. to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.

This all sounds fair, though it's a lot of hard work to create and keep up to date. The seventh and last term:

Privacy policy in standardized machine-readable format - means a statement about site privacy practices written in a standard computer language (not English text) that can be read automatically by a web browser.

Here the obvious candidate is P3P. In section IV. Privacy Policies in Machine-Readable Formats the requirements are:

  1. Actions.
    1. Agencies must adopt machine readable technology that alerts users automatically about whether site privacy practices match their personal privacy preferences. Such technology enables users to make an informed choice about whether to conduct business with that site.
    2. OMB encourages agencies to adopt other privacy protective tools that become available as the technology advances.
  2. Reporting Requirement. Agencies must develop a timetable for translating their privacy policies into a standardized machine-readable format. The timetable must include achievable milestones that show the agency’s progress toward implementation over the next year. Agencies must include this timetable in their reports to OMB (see Section VII).

The last mentioned report is not easy-peasy. In section VII. Reporting Requirements it goes:

Agencies are required to submit an annual report on compliance with this guidance to OMB as part of their annual E-Government Act status report. The first reports are due to OMB by December 15, 2003. All agencies that use information technology systems and conduct electronic information collection activities must complete a report on compliance with this guidance, whether or not they submit budgets to OMB.

Reports must address the following four elements:

  1. Information technology systems or information collections for which PIAs were conducted. Include the mechanism by which the PIA was made publicly available (website, Federal Register, other), whether the PIA was made publicly available in full, summary form or not at all (if in summary form or not at all, explain), and, if made available in conjunction with an ICR or SOR, the publication date.
  2. Persistent tracking technology uses. If persistent tracking technology is authorized, include the need that compels use of the technology, the safeguards instituted to protect the information collected, the agency official approving use of the tracking technology, and the actual privacy policy notification of such use.
  3. Agency achievement of goals for machine readability: Include goals for and progress toward achieving compatibility of privacy policies with machine-readable privacy protection technology.
  4. Contact information. Include the individual(s) (name and title) appointed by the head of the Executive Department or agency to serve as the agency’s principal contact(s) for information technology/web matters and the individual (name and title) primarily responsible for privacy policies.

Whouzz, this is done right and with required documentation. When I get the energy and courage I'll go look for such a policy on a U.S. Government website.