Internet Privacy: Agencies' Efforts to Implement OMB's Privacy Policy

GGD-00-191 Published: Sep 05, 2000. Publicly Released: Sep 05, 2000.
Highlights

Pursuant to a congressional request, GAO provided information on whether agencies were adhering to the Office of Management and Budget's (OMB) memorandum requiring federal agencies to post privacy policies on their Internet Web sites, focusing on: (1) whether agencies have clearly labeled and easily accessed privacy policies posted on their principal Web sites; (2) whether agencies' privacy policies posted on their principal Web sites inform visitors about what information an agency collects, why the agency collects it, and how the agency will use the information; (3) how selected agencies have interpreted the requirement to post privacy policies at major entry points; and (4) whether selected agencies have posted privacy policies on Web pages where the agency collects substantial personal information or, when applicable, notices that refer to the Privacy Act of 1974.


Recommendations

Recommendations for Executive Action

Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should consider, in consultation as appropriate with parties such as the Chief Information Officer (CIO) Council, how best to help agencies better ensure that individuals are provided clear and adequate notice about how their personal information is treated when they visit federal Web sites. This should include defining what is meant by substantial personal information.
Status: Closed - Implemented
Comments: In September 2003, OMB issued guidance for implementing the privacy provisions of the E-Government Act of 2002. This guidance now directs agencies to post privacy policies at any Web page that collects substantial information in identifiable form. By clarifying that the requirement applies to information in identifiable form, the guidance now addresses questions raised in our report concerning whether information such as social security numbers and credit card numbers would require posting of a privacy policy.

Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should consider, in consultation as appropriate with parties such as the CIO Council, how best to help agencies better ensure that individuals are provided clear and adequate notice about how their personal information is treated when they visit federal Web sites. This should include clarifying other sections of the guidance, including whether agency privacy policies should specifically disclose whether or not they use security and intrusion detection measures.
Status: Closed - Implemented
Comments: In September 2003, OMB issued guidance for implementing the privacy provisions of the E-Government Act of 2002. As we recommended, this guidance clarifies that agency privacy policies should specifically disclose whether or not the agency uses security and intrusion detection measures. Specifically, the guidance states that agencies should post the following information in their privacy policy: (1) in clear language, information about management, operational, and technical controls ensuring the security and confidentiality of personally identifiable records (e.g., access controls, data storage procedures, periodic testing of safeguards); and (2) in general terms, information about any additional safeguards used to identify and prevent unauthorized attempts to access or cause harm to information and systems. (The statement should be at a level that informs the public that their information is being protected while not compromising security.)

Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should consider, in consultation as appropriate with parties such as the CIO Council, how best to help agencies better ensure that individuals are provided clear and adequate notice about how their personal information is treated when they visit federal Web sites. This should include determining whether a distinction should continue to be made between why an agency collects information and how the information will be used; if the distinction is maintained, OMB should provide additional guidance on how agencies should make that distinction.
Status: Closed - Implemented
Comments: On September 26, 2003, OMB issued new guidance for implementing the privacy provisions of the E-Government Act of 2002. The guidance continues to require agencies to disclose both why the information is being collected and its intended use. The guidance, at the point where the terms are first introduced, now provides examples that further clarify the distinction between the two.

Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB, working as appropriate with agencies, Inspectors General, or the CIO Council, should determine whether current oversight strategies are adequate to ensure agencies' adherence to Web site privacy policies and whether the policies will need further revision as Web practices continue to evolve. As part of this oversight, the Director should: (1) ensure that the agencies GAO found had not posted Privacy Act notices where required do so; and (2) determine the extent to which the lack of Privacy Act notices is a problem on federal Web sites.
Status: Closed - Implemented
Comments: In September 2003, OMB issued guidance to implement the privacy provisions of the E-Government Act of 2002. The guidance modified and clarified existing guidance on agency Web site privacy policies and directed agencies to implement it by December 15, 2003. In addition, to improve oversight, the guidance required agencies to report on compliance with it as part of their annual E-Government status reports. In their initial reports, agencies reported, for example, on their progress in putting privacy policies into machine-readable format to facilitate citizen use and understanding of these policies.
