IRM BULLETIN NO. 2001-002
To: Deputy Secretary
Solicitor
Assistant Secretaries
Inspector General
Heads of Bureaus and Offices
Bureau Chief Information Officers
From: Daryl W. White /s/
Chief Information Officer
Subject: Guidance on Inter-Agency Sharing of Personal Data, and Privacy Protection Measures in System Development and Applications
Purpose
This Information Resources Management Bulletin provides you with guidance issued by the Office of Management and Budget (OMB), in memorandum M-01-05, dated December 20, 2000 (see attached). For an electronic version of this memo, go to http://georgewbush-whitehouse.archives.gov/omb/memoranda/m01-05.html. The purpose of the OMB memorandum is twofold: (1) to remind government agencies of the existing statutory requirements that apply to inter-agency sharing of personal data, and (2) to provide measures to reduce the privacy risks in electronic records.
Background
I. Complying with the Computer Matching and Privacy Protection Act
OMB memorandum M-01-05 instructs government agencies to apply the requirements of the Computer Matching and Privacy Protection Act of 1988 ("Matching Act"), which was an amendment to the Privacy Act of 1974 (5 U.S.C. 552a). The Matching Act applies when agencies plan to use inter-agency data sharing for the purpose of verifying program eligibility or recovering delinquent debt.
Prior to any inter-agency data sharing, it is important that government bureaus/offices review and meet the Privacy Act requirements. For more information on what constitutes an inter-agency matching system and on government requirements, refer to the Departmental Manual on Implementation of the Privacy Act at 383 DM 12 and OMB Circular A-130, Appendix I on "Federal Agency Responsibilities for Maintaining Records About Individuals." A copy of the circular may be found at http://www.whitehouse.gov/omb/circulars/a130/a130trans4.html.
Please consult with your bureau/office Privacy Act Officer on whether the Privacy Act applies to any planned sharing of data with another government agency, and how to implement the requirements.
II. Privacy Protection Measures
The OMB memorandum attachment provides "Additional Guidance" that government employees must use to protect personal information when involved in data sharing. This guidance is also consistent with the new guidelines in the November 2000 revisions to OMB Circular A-130 on information management procedures for protection of personal privacy.
Guidance is as follows:
1. Apply the "minimization" principle. Limit the data shared to what is actually needed for program purposes, in order to minimize the impact on privacy.
2. Add measures to address "accountability." When sharing information, procedures must be in place to ensure that the Privacy Act requirements for handling the information will be adhered to (see 383 DM 1-13, and Department of Interior regulations at 43 CFR Part 2, Subpart D on the Privacy Act).
3. Initiate privacy impact assessments during the design and development of computer systems and applications.
The Federal CIO Council identified and endorsed a "Best Practice" for a privacy impact assessment in February of 2000. Section V of the document identifies questions that help to ensure that the Privacy Act and privacy protections are addressed when
1. designing and developing a new system;
2. modifying a system; and
3. developing an application.
For example, when developing a web site in which information is posted or collected, have you considered certain requirements that will make your web site Privacy Act compliant?
Privacy protection is a value added to your product. In order to accomplish this and comply with statutory requirements, it is important to consult with your bureau/office Privacy Act Officer early in your planning process.
Should you have any questions regarding this OMB guidance, please contact Marilyn Legnini, Departmental Privacy Officer, at (202) 219-0868.
Attachment
bcc: Mlegnini/PIR
Bureau Privacy Act Officers
PIR:IMD:MLegnini:lec:2/20/01:12.20:219-0868 (O:\Privacy\Memo_InteragencyDataSharing.wpd)