Internet Privacy:

Agencies' Efforts to Implement OMB's Privacy Policy

GGD-00-191: Published: Sep 5, 2000. Publicly Released: Sep 5, 2000.

Contact:

Linda D. Koontz
(202) 512-3000
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO provided information on whether agencies were adhering to the Office of Management and Budget's (OMB) memorandum requiring federal agencies to post privacy policies on their Internet Web sites, focusing on: (1) whether agencies have clearly labeled and easily accessed privacy policies posted on their principal Web sites; (2) whether agencies' privacy policies posted on their principal Web sites inform visitors about what information an agency collects, why the agency collects it, and how the agency will use the information; (3) how selected agencies have interpreted the requirement to post privacy policies at major entry points; and (4) whether selected agencies have posted privacy policies on Web pages where the agency collects substantial personal information or, where applicable, notices that refer to the Privacy Act of 1974.

GAO noted that: (1) of the 70 agencies' principal Web sites that GAO reviewed on April 14, 2000, 69 had privacy policies posted on their principal Web sites, and 1 did not; (2) in addition, of the 69 agency Web sites, 2 had privacy policies that GAO determined were not clearly labeled and easily accessed; (3) thus, 67 of the 70 agency principal Web sites GAO reviewed had privacy policies that were clearly labeled and easily accessed; (4) this appears to be considerable progress from a 1999 survey of selected federal home pages by a public interest group; (5) of the 70 agencies' principal Web sites GAO reviewed, 63 had privacy policies that addressed the automatic collection of information, and 46 of those agencies generally followed all 3 elements of the OMB memorandum's requirement for the agencies to disclose in their privacy policies what information they were automatically collecting, why they were collecting it, and how they planned to use it; (6) although OMB requires agencies to post privacy policies at major entry points to their Web sites, the privacy policy guidance does not define major entry point; (7) however, using a sample of six agencies that had a large number of Web sites or frequent contact with the public, GAO found that these agencies generally used similar criteria to determine the major entry points to their Web sites; (8) the OMB memorandum requires agencies to post privacy policies on pages where they collect substantial personal information, but the guidance does not define substantial personal information; (9) therefore, to assess OMB's requirement, GAO developed its own criteria defining personal information and reviewed the Web sites of 31 high-impact agencies for Web pages that collected any personal information; (10) GAO defined personal information to include an individual's name, e-mail address, postal address, telephone number, Social Security number, or credit card number; (11) most high-impact agencies did not post privacy policies on all pages that GAO identified as collecting personal information; and (12) in comparing the OMB memorandum and guidance to the Privacy Act and fair information principles, the OMB memorandum is narrower in scope than the Privacy Act and the fair information principles, and the act and principles also differ in some respects.

Status Legend:

  • Review Pending - GAO has not yet assessed implementation status.
  • Open - Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented - Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented - While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

Recommendations for Executive Action

Recommendation: The Director of OMB should consider, in consultation as appropriate with parties such as the Chief Information Officer (CIO) Council, how best to help agencies better ensure that individuals are provided clear and adequate notice about how their personal information is treated when they visit federal Web sites. This should include defining what is meant by substantial personal information.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Closed - Implemented

Comments: In September 2003, OMB issued guidance for implementing the privacy provisions of the E-Government Act of 2002. This guidance now directs agencies to post privacy policies at any Web page that collects substantial information in identifiable form. By clarifying that the requirement applies to information in identifiable form, the guidance now addresses questions raised in our report concerning whether information such as Social Security numbers and credit card numbers would require posting of a privacy policy.

Recommendation: The Director of OMB should consider, in consultation as appropriate with parties such as the Chief Information Officer Council, how best to help agencies better ensure that individuals are provided clear and adequate notice about how their personal information is treated when they visit federal Web sites. This should include clarifying other sections of the guidance, including whether agency privacy policies should specifically disclose whether or not they use security and intrusion detection measures.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Closed - Implemented

Comments: In September 2003, OMB issued guidance for implementing the privacy provisions of the E-Government Act of 2002. As we recommended, this guidance clarifies that agency privacy policies should specifically disclose whether or not the agency uses security and intrusion detection measures. Specifically, the guidance states that agencies should post the following information in their privacy policy: (1) in clear language, information about management, operational, and technical controls ensuring the security and confidentiality of personally identifiable records (e.g., access controls, data storage procedures, periodic testing of safeguards); and (2) in general terms, information about any additional safeguards used to identify and prevent unauthorized attempts to access or cause harm to information and systems. (The statement should be at a level that informs the public that their information is being protected while not compromising security.)

Recommendation: The Director of OMB should consider, in consultation as appropriate with parties such as the Chief Information Officer Council, how best to help agencies better ensure that individuals are provided clear and adequate notice about how their personal information is treated when they visit federal Web sites. This should include determining whether a distinction should continue to be made between why an agency collects information and how the information will be used; if the distinction is maintained, OMB should provide additional guidance on how agencies should make that distinction.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Closed - Implemented

Comments: On September 26, 2003, OMB issued new guidance for implementing the privacy provisions of the E-Government Act of 2002. The guidance continues to require agencies to disclose both why the information is being collected and its intended use. The guidance, at the point where the terms are first introduced, now provides examples that further clarify the distinction between the two.

Recommendation: The Director of OMB, working as appropriate with agencies, Inspectors General, or the CIO Council, should determine whether current oversight strategies are adequate to ensure agencies' adherence to Web site privacy policies and whether the policies will need further revision as Web practices continue to evolve. As part of this oversight, the Director should: (1) ensure that the agencies GAO found had not posted Privacy Act notices where required do so; and (2) determine the extent to which the lack of Privacy Act notices is a problem on federal Web sites.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Closed - Implemented

Comments: In September 2003, OMB issued guidance to implement the privacy provisions of the E-Government Act of 2002. The guidance modified and clarified existing guidance on agency Web site privacy policies and directed agencies to implement the guidance by December 15, 2003. In addition, to improve oversight, the guidance required agencies to report on compliance with the guidance as part of their annual E-Government status reports. Specifically, in their initial reports, agencies reported, for example, on their progress in putting privacy policies into machine-readable format to facilitate citizen use and understanding of these policies.
