Office of the Chief Information Officer &
High Performance Computing and Communications

Privacy-Related Statutes and Memoranda

The Privacy Act of 1974 (5 USC 552a) regulates the Federal Government's collection, use, maintenance, and dissemination of information about individuals.  The Act establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual. The Privacy Act requires that agencies give the public notice of their systems of records by publication in the Federal Register. The Privacy Act prohibits the disclosure of information from a system of records absent the written consent of the subject individual, unless the disclosure is pursuant to one of twelve statutory exceptions. The Act also provides individuals with a means by which to seek access to and amendment of their records, and sets forth various agency record-keeping requirements.

1. Section 208 of the E-Government Act of 2002 (the Act is at 44 USC 3601 et seq.; Section 208 itself is codified at 44 USC 3501 note) establishes procedures to ensure the privacy of personal information in electronic records, including the requirement that agencies conduct privacy impact assessments and post privacy policies on their public websites. OMB guidance for implementing Section 208 is listed in item 6 below.

2. The Paperwork Reduction Act (PRA) of 1995 (44 USC 3501 et seq.) is designed to reduce the public's burden of answering unnecessary, duplicative, and burdensome government surveys.

3. The Trade Secrets Act (18 USC 1905) provides criminal penalties for federal officers and employees who disclose, without authorization, trade secrets and other confidential business information that comes to them in the course of their official duties.

4. The Children's Online Privacy Protection Act of 1998 (15 USC 6501-06) regulates the online collection and use of personal information provided by and relating to children under the age of 13.

5. OMB Circular A-130, "Management of Federal Information Resources" (substantially revised in 2016 and retitled "Managing Information as a Strategic Resource"), establishes government-wide policy for the management of Federal information resources, including automated information systems.

6. OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003, provides specific guidance to agencies for implementing Section 208 of the E-Government Act.

7. OMB Memorandum M-06-16, Protection of Sensitive Agency Information, provides guidance on encrypting sensitive data on mobile computers and devices; allowing remote access only with two-factor authentication; using a time-out function for remote access; and logging all computer-readable data extracts from databases holding sensitive information and verifying that each extract containing sensitive data has been erased within 90 days or that its use is still required.

8. OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, requires that agencies review their policies and processes, and take corrective action as appropriate, to ensure adequate safeguards against the intentional or negligent misuse of, or unauthorized access to, personally identifiable information.

9. OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. As part of the work of the Identity Theft Task Force, this memorandum required agencies to develop and implement a breach notification policy within 120 days. The attachments to the memorandum outline the framework within which agencies must develop that policy while ensuring proper safeguards are in place to protect the information. (M-07-16 has since been rescinded and replaced by M-17-12, item 13 below.)

10. OMB Memorandum M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government. The Federal Government is bringing significant resources to bear to ensure cybersecurity remains a top priority. This includes strengthening government-wide processes for developing, implementing, and institutionalizing best practices; developing and retaining the cybersecurity workforce; and working with public and private sector research and development communities to leverage the best of existing, new, and emerging technology.

11. OMB Memorandum M-17-05, Fiscal Year 2016-2017 Guidance on Federal Information Security and Privacy Management Requirements. This memorandum establishes current Administration information security priorities and provides agencies with Fiscal Year (FY) 2016 Federal Information Security Modernization Act (FISMA) and privacy management reporting guidance and deadlines. In many cases it establishes new guidance to address discrete challenges identified over the preceding fiscal year. It is also designed to complement the specific requirements of the Cybersecurity Strategy and Implementation Plan for the Federal Civilian Government (CSIP).

12. OMB Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital Services. Federal agency public websites and digital services are defined here as online information resources or services maintained in whole or in part by the departments and agencies of the Executive Branch of the U.S. Federal Government that are operated by an agency, contractor, or other organization on behalf of the agency. They provide government information or services to the public or a specific user group across a variety of delivery platforms and devices, and support the proper performance of an agency function.

13. OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information. This memorandum sets forth the policy for Federal agencies to prepare for and respond to a breach of personally identifiable information (PII). It includes a framework for assessing and mitigating the risk of harm to individuals potentially affected by a breach, as well as guidance on whether and how to provide notification and services to those individuals. The memorandum is intended to promote consistency in the way agencies prepare for and respond to a breach by requiring common standards and processes. While promoting consistency, it also gives agencies the flexibility to tailor their response based upon the specific facts and circumstances of each breach and the analysis of the risk of harm to potentially affected individuals.

NOAA Employees and Contractors: Please also refer to the six DOC and NOAA memoranda labeled 'Privacy and PII', located on the NOAA OCIO Intranet, IT Governance page.