Agencies receive new guidance, privacy requirements on use of third-party websites

The Office of Management and Budget (OMB) today released a new memo to all heads of executive departments and agencies, “Guidance for Agency Use of Third-Party Websites and Applications,” that lays out a set of general principles for the use of such non-agency sites and resources, and specifically sets new requirements for privacy with respect to these external sites. The memo acknowledges the potential value of social media, interactive online tools, and, by implication, Web 2.0 technologies in general, all of which support the spirit of “transparency, public participation, and collaboration” embodied in the administration’s Open Government Directive.

The new memo applies to all federal agencies and their use of government or contractor third-party websites or applications used to engage with the public. The general message is, agencies may use third-party sites and applications, but when they do so, they must comply with the new privacy requirements in the memo as well as any existing requirements. General guidance is offered in five areas:

  1. Third-Party Privacy Policies. Before an agency uses any third-party website or application to engage with the public, the agency should examine the third party’s privacy policy to evaluate the risks and determine whether the website or application is appropriate for the agency’s use. In addition, the agency should monitor any changes to the third party’s privacy policy and periodically reassess the risks.
  2. External Links. If an agency posts a link that leads to a third-party website or any other location that is not part of an official government domain, the agency should provide an alert to the visitor, such as a statement adjacent to the link or a “pop-up,” explaining that visitors are being directed to a non-government website that may have different privacy policies from those of the agency’s official website.
  3. Embedded Applications. If an agency incorporates or embeds a third-party application on its website or any other official government domain, the agency should take the necessary steps to disclose the third party’s involvement and describe the agency’s activities in its Privacy Policy.
  4. Agency Branding. In general, when an agency uses a third-party website or application that is not part of an official government domain, the agency should apply appropriate branding to distinguish the agency’s activities from those of non-government actors. For example, to the extent practicable, an agency should add its seal or emblem to its profile page on a social media website to indicate that it is an official agency presence.
  5. Information Collection. If information is collected through an agency’s use of a third-party website or application, the agency should collect only the information “necessary for the proper performance of agency functions and which has practical utility.” [Following a government requirement from OMB Circular A-130] If personally identifiable information (PII) is collected, the agency should collect only the minimum necessary to accomplish a purpose required by statute, regulation, or executive order.

From a privacy perspective, the June 25 memo reminds agencies of their continuing obligations under the Privacy Act, and updates previous guidance issued to agencies on federal website privacy policies and on implementing the privacy provisions (largely in Title II, but including some portions of FISMA too) of the E-Government Act of 2002. Among the most significant new requirements is the need for agencies to perform an adapted Privacy Impact Assessment (PIA) for third-party websites; update their privacy policies to make sure they provide information about the use of third-party sites and applications; and post privacy notices on the third-party sites noting the agency’s association with the site, but also clearly stating that the third-party sites is not owned or controlled by the government.