Protecting Privacy in Federal Information Systems

Data privacy is an important issue for the federal government. There are several federal laws designed to protect data privacy. The two major laws protecting the privacy of data that the government uses in the course of business are:

  • The Privacy Act of 1974[42]
  • The E-Government Act of 2002[43]

The Privacy Act of 1974

Congress passed the Privacy Act of 1974 to protect personal data collected by the federal government. The act applies to records that federal executive-branch agencies create and maintain; it does not apply to state or local governments.

Under the Privacy Act, a record is any item or collection of information about a person that an agency maintains and that is tied to the person’s name or another identifier. It includes a person’s educational, financial, medical, criminal, and employment history information.44 The act requires agencies to keep records that are accurate, relevant, timely, and complete. It also limits what an agency may store: an agency may maintain only the information that is relevant and necessary to accomplish a purpose required by statute or executive order, and it should not store extra or unnecessary data.

Decorative image NOTE

The Privacy Act applies only to data collected about U.S. citizens and permanent residents.

The Privacy Act states the rules that an agency must follow to collect, use, and disclose PII. As a general rule, an agency cannot disclose a person’s records without that person’s written consent. There are 12 exceptions to this rule.45 If a situation falls within an exception, the agency can disclose the record without consent. An agency does not need written consent when the disclosure is:

  • Made to a federal agency employee who needs the record to perform his or her job duties
  • Required under the Freedom of Information Act
  • Made for an agency’s routine use
  • Made to the U.S. Census Bureau to perform a survey
  • Made for statistical research or reporting, and all personally identifiable data has been removed
  • Made to the National Archives and Records Administration because the record has historical value
  • Made in response to a written request from a law enforcement or regulatory agency for civil or criminal law purposes
  • Made to protect a person’s health or safety
  • Made to Congress
  • Made to the U.S. Comptroller General in the course of the performance of the duties of the U.S. Government Accountability Office
  • Made in response to a court order
  • Made to a consumer reporting agency for certain permitted purposes

Under the Privacy Act, a person may ask for a copy of any records that an agency keeps about that person.46 The request covers only records that the agency retrieves by the person’s name, SSN, or another unique identifier. A person also may ask an agency to amend an inaccurate record. If the agency refuses to amend the record, or denies the person access to it, the person may sue the agency in federal court.

Federal agencies must protect the data that they collect. The Privacy Act requires them to implement appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of the records they maintain. They must protect their records against any anticipated threats or hazards to their security or integrity that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual identified in the records.47

The law also requires agencies to give the public notice about their record-keeping systems. This notice is called a system of records notice (SORN). A system of records is a group of records under an agency’s control from which information is retrieved by a person’s name or some other personal identifier. An agency must publish a SORN in the Federal Register for each such system before it begins operating it; a collection of records that is not retrieved by a personal identifier does not require a SORN.48

FYI

Every agency is required to keep a list of its SORNs on its website. You can find the SORNs for the National Aeronautics and Space Administration (NASA) at https://www.nasa.gov/content/nasa-privacy-act-system-of-records-notices-sorns.

An agency that violates the Privacy Act can be subject to civil liability, and its employees to criminal penalties. A person may sue a federal agency for Privacy Act violations, for example when an agency denies the person access to his or her records, refuses to amend a record, or fails to keep accurate records and the person suffers an adverse effect as a result. If the court finds that the agency acted intentionally or willfully, it can award the plaintiff the actual damages suffered because of the violation; a plaintiff who is entitled to recover receives no less than $1,000.49 The court also can order the agency to pay the plaintiff’s attorney fees and costs.

A federal agency employee can be criminally responsible for violating the Privacy Act.50 An employee who willfully discloses a record to someone not entitled to receive it commits a misdemeanor and can be fined up to $5,000. An employee who willfully maintains a system of records without publishing the required SORN faces the same penalty. A person who knowingly and willfully obtains a record from an agency under false pretenses also commits a misdemeanor and can be fined up to $5,000.

The Office of Management and Budget (OMB) oversees Privacy Act compliance. It issues guidance that federal agencies must follow to meet their Privacy Act responsibilities, such as OMB Circular A-108, which covers agency review, reporting, and publication duties, including the preparation and publication of SORNs.

The E-Government Act of 2002

The E-Government Act of 2002 has privacy provisions that complement the Privacy Act. Under the E-Government Act, federal agencies must:

  • Review their IT systems for privacy risks
  • Post privacy policies on their websites
  • Post machine-readable privacy policies on their websites
  • Report privacy activities to the OMB

A privacy impact assessment (PIA) is an agency’s analysis of how an IT system collects, uses, shares, and maintains personal information.51 An agency conducts a PIA to confirm that the system handles personal information in a way that follows the law, to identify the privacy risks that collecting the information creates, and to determine the controls the agency must put in place to reduce those risks.

Decorative image NOTE

A PIA is not the same as a SORN. An agency must perform a PIA whenever it develops or procures an IT system that collects, maintains, or disseminates PII, whether or not the records are retrieved by a personal identifier. It must publish a SORN only when the records are retrieved by a personal identifier. A single system can therefore require a PIA, a SORN, both, or neither.

An agency must conduct a PIA before it develops or procures any IT system that will collect, maintain, or disseminate personal information. It also must perform a new or updated PIA whenever a system changes in a way that introduces new privacy risks, for example when an agency converts paper records to an electronic system, merges databases, or applies a new technology to data it already holds. An agency must also conduct a PIA when it outsources an IT system or function that uses personal data.52

An agency’s PIA must include information about its data collection practices. This information is similar to fair information practice principles. The PIA must contain the following information:

  • What data the agency will collect
  • Why the agency is collecting the data
  • How the agency will use the data
  • How the agency will share the data
  • Whether people have the opportunity to consent to specific uses of the data
  • How the agency will secure the data
  • Whether the data collected will be a system of records defined by the Privacy Act53

FYI

You can read PIAs from the Federal Trade Commission at https://www.ftc.gov/site-information/privacy-policy/privacy-impact-assessments.

An agency must submit its PIAs to the OMB and make them available to the public, for example by posting them on its website. An agency may withhold a PIA, in whole or in part, only when publishing it would reveal classified or sensitive information or compromise the security of an IT system.

The E-Government Act requires agencies to post privacy policies on their websites. A website privacy policy must contain the same types of information as a PIA: it tells the public what information the agency collects from visitors, why it collects that information, how it uses and shares it, and how it secures it.

Agencies must post a link to their privacy policies on their main website home page and write them in language that is easy to understand.

The E-Government Act also requires agencies to adopt machine-readable privacy policies. A machine-readable policy encodes a website’s privacy practices in a standard format that a user’s browser can read and compare against the user’s own privacy preferences, warning the user when the two do not match. The standard adopted for this purpose is the W3C’s Platform for Privacy Preferences (P3P). You can read about it at http://osec.doc.gov/webresources/policies/machine_readable_privcy_policy_statements.html. Note that the W3C has since retired P3P and current browsers no longer evaluate P3P policies, so the practical effect of this requirement today is limited.

Decorative image NOTE

The website for the U.S. Department of Justice is at www.justice.gov. Can you find the agency’s privacy policy link on that page?

OMB Breach Notification Policy

Some states have laws, called breach notification laws or data breach laws, that require businesses and other entities to notify affected individuals when a security breach discloses their personal information. Some of these state laws apply to businesses operating within the state. Some also apply to state governments. These laws are discussed further in Chapter 9.

Some federal laws have breach notification provisions. For instance, the Breach Notification Rule promulgated under the Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to notify affected individuals, the Department of Health and Human Services, and in some cases the media. There is no single government-wide federal breach notification law, although such laws have been proposed from time to time. As of this writing, no such act has passed Congress. A federal breach notification law would reduce the confusion over when data breaches must be reported to the public.

Over the years the OMB has released several memoranda describing breach notification requirements for federal agencies. The most recent, OMB Memorandum M-17-12, was released in 2017.54 It requires each agency to maintain a breach response plan, including a plan for notifying individuals potentially affected by a breach involving the agency’s PII.

The OMB defines a breach as the “loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or similar occurrence” in which a person other than an authorized user accesses, or potentially accesses, PII. It also includes instances where an authorized user accesses PII for a purpose that is not authorized. Under the current guidance, an agency assessing a breach must consider the nature and sensitivity of the PII involved, the number of individuals affected, the likelihood that the PII is accessible to and usable by unauthorized individuals, and the resulting risk of harm to the people whose data was exposed.

An agency has discretion to decide, based on its risk assessment, whether to notify individuals about a breach of their PII. If an agency decides to notify, it must consider:

  • Source of the notification—The highest-ranking agency official should notify people who are affected by the breach.
  • Time for notification—Agencies must notify the people affected by the breach without delay. An agency may delay notice only for law enforcement or national security reasons.
  • Contents of the notice—The notice should include a description of the breach and the type of data disclosed. It should include information on how people can protect themselves from having their data used by unauthorized individuals. It also should describe what the agency is doing to mitigate the breach.
  • Means of providing the notice—The agency must consider how to give notice to the people affected by the breach. Telephone, first-class mail, email, website postings, and release to national media outlets may all be appropriate ways to provide notice. The agency must consider the best method for a given situation. Agencies also must think about how they will give notice to individuals who are visually or hearing impaired.

The OMB memo is clear that agencies must report breaches of both paper and electronic information. You can read it at https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-12_0.pdf.

Import and Export Control Laws

This chapter has discussed the laws that federal agencies must follow to protect the security and privacy of information. This section briefly covers a different set of laws: U.S. export control laws, which limit the export of certain materials, data, and technical information to foreign countries based on U.S. national security and foreign policy interests. These laws are complicated, and only an overview is given here, but anyone who builds or ships security technology should know that they exist.

Export means the shipment of items or the transmission of technology outside the United States. It also includes releasing controlled technology or source code to a foreign national (a person who is not a U.S. citizen or permanent resident) who is inside the United States, which the regulations treat as a deemed export to that person’s home country. Import and export laws are reciprocal: an export from the United States is an import into the destination country, so a person bound by U.S. export controls must also comply with the destination country’s import rules. Much as the United States forbids the export of certain products, some other countries forbid their import.

There are three different types of export control regulations that restrict the export of certain items overseas. They also restrict the transmission of certain types of information to foreign nationals who are living in the United States. The three main regulations are:

  • International Traffic in Arms Regulations (ITAR)
  • Export Administration Regulations (EAR)
  • Regulations from the Office of Foreign Assets Control (OFAC)

The U.S. Department of State issues the ITAR.55 They apply to defense articles, defense services, and related technical data, that is, to military or defense applications and technology that do not have civil (nonmilitary) uses. They are part of the export control laws because of national security concerns. For instance, the United States wants to prevent terrorists and hostile governments from acquiring technologies that could be used to harm the country. Exporting anything covered by ITAR requires an export license issued by the State Department’s Directorate of Defense Trade Controls (DDTC).

FYI

The U.S. Department of State is serious about pursuing ITAR violations. In 2017, a man was sentenced to 15 years in prison and ordered to pay over $4 million in restitution for selling U.S. Army property, including munitions, on eBay.56

Items that are covered by ITAR are listed on the U.S. Munitions List,57 which is published in the Code of Federal Regulations. The list has 21 categories of different items. If an item falls within one of these categories, then it is covered by ITAR. Among the categories are guns and armament, military electronics, spacecraft, and nuclear weapons.

The penalties for violating ITAR are severe. The Department of State determines civil penalties, and civil fines of over $1 million per violation are possible.58 ITAR violators also can face criminal penalties: a person who willfully violates ITAR can be fined up to $1 million per offense and sentenced to up to 20 years in prison. In addition, violators can be debarred, which bars them from exporting defense articles and from selling products to the federal government.59

The U.S. Department of Commerce administers the EAR60 through its Bureau of Industry and Security (BIS). The EAR applies to dual-use items and technologies, which have both commercial and military uses, as well as to purely commercial items that are not controlled under ITAR.

Decorative image NOTE

A munition is a military weapon.

Under the EAR, items and technologies are classified by Export Control Classification Number (ECCN) on the Commerce Control List (CCL). Whether an exporter needs a license depends on the item’s ECCN, the destination country, the end user, and the end use; many CCL items can be shipped to many destinations without a license or under a license exception. In 2018, the BIS approved about 85 percent of the license applications it received.61 The CCL has 10 broad categories, including electronics, computers, telecommunications, and information security. Encryption products fall under Category 5, Part 2, which matters to anyone who ships software: publicly available open-source encryption source code is generally not subject to the EAR once BIS and the NSA have been notified of where it is posted. Some items are listed on the CCL when they are moved off the U.S. Munitions List.

Some items on the CCL cannot be exported even if a person tries to get a license to do so. Usually, this is because another law or regulation prevents it. For example, the United States has a comprehensive trade embargo against Cuba, which is the oldest U.S. embargo. An embargo is a ban against trade with another country. In this case, the government forbids almost all exports to Cuba.62

A person who violates the EAR can be subject to both civil and criminal penalties.63 Civil violators can be fined up to $300,000 per violation or up to twice the value of the transaction, whichever is greater. A person who willfully violates the EAR can be fined up to $1 million per offense and sentenced to up to 20 years in prison.64

FYI

The BIS prepares a report about export control violations. You can read the most recent report and learn more about BIS enforcement activities at https://www.bis.doc.gov/index.php/enforcement.

The Treasury Department also oversees some export-related laws. Its Office of Foreign Assets Control (OFAC) administers and enforces trade sanctions and embargoes in support of U.S. foreign policy and national security goals, and it has the power to forbid transactions based on those goals. You can learn about the OFAC’s sanctions programs at https://www.treasury.gov/resource-center/sanctions/Pages/default.aspx.

OFAC regulations may forbid U.S. persons (U.S. citizens and permanent residents wherever they are located, entities organized under U.S. law, and any person or entity in the United States) from engaging in trade or financial transactions with sanctioned countries. They also prohibit dealings with certain individuals and organizations. For example, the government prohibits trade with known terrorists, weapons proliferators, and drug traffickers.

The OFAC publishes a list of individuals and companies that U.S. persons are generally forbidden from dealing with. The people on this list are called specially designated nationals (SDNs), and any property of theirs that comes under U.S. jurisdiction must be blocked. Organizations that process payments or onboard customers therefore screen names against this list. You can view the OFAC’s SDN list at https://www.treasury.gov/resource-center/sanctions/SDN-List/Pages/default.aspx.

Penalties for violating OFAC regulations are generally the same as for EAR violations.
