NIST recommends updates to Privacy Act

Last week the Information Security and Privacy Advisory Board (ISPAB) published a report, “Toward A 21st Century Framework for Federal Government Privacy Policy”, recommending a variety of both broad and targeted actions intended to update the privacy provisions of the Privacy Act of 1974 and the privacy portions (section 208) of the E-Government Act of 2002. The recommendations are largely driven by the perceived gap between privacy legislative requirements developed 35 years ago and the technological and operational environments of the modern information age. Key recommendations in this report include:

  • Amendments to the Privacy Act and E-Government Act in order to:
    • Improve government privacy notices.
    • Update the definition of System of Records to cover relational and distributed systems based on government use, not holding, of records.
    • Clearly cover commercial data sources under both the Privacy Act and the E-Government Act.
  • Improve government leadership and governance of privacy:
    • OMB should hire a full-time Chief Privacy Officer with resources.
    • Privacy Act guidance from OMB must be regularly updated.
    • Chief Privacy Officers should be hired at all “CFO agencies.”
    • A Chief Privacy Officers’ Council should be developed.
  • Changes and clarifications in privacy policy:
    • OMB should update the federal government’s cookie policy.
    • OMB should issue privacy guidance on agency use of location information.
    • OMB should work with US-CERT to create interagency information on data loss across the government.
    • There should be public reporting on use of Social Security Numbers.

For privacy practitioners, there is much to like in this report. Of particular interest (especially in light of new federal data breach disclosure notice requirements that apply to some commercial sector organizations as well as the government) is the re-definition of “system of records” to encompass databases and other systems storing personal information that are used by the government, and not limited to those the government actually holds. On a more technical level, the ISPAB recommends a long-overdue reevaluation of the federal policy on the use of cookies (in general, the use of persistent cookies is banned on federal websites), in part to help the government realize some of the benefits of Web 2.0 technologies.