E-Government Act of 2002, Section 208 and the Consolidated Appropriations Act of 2005, Title V

Time
7 hours 2 minutes
Difficulty
Intermediate
CEU/CPE
7
Video Transcription
00:00
>> Hey there everyone.
00:00
It's Chris again,
00:00
and I'm Cybrary instructor
00:00
for US Information Privacy course.
00:00
I'm going to welcome you back to the course.
00:00
Hopefully you've enjoyed our dialogue up to this point.
00:00
It's in Lesson 2.4,
00:00
we're going to talk about the E-government Act of 2002.
00:00
Specifically looking at its
00:00
privacy provisions that are captured in Section 208.
00:00
We'll be talking about these privacy
00:00
impact assessments in 208b.
00:00
Then we're also going to talk about
00:00
the Consolidated Appropriations Act of 2005.
00:00
Really focusing on Title V's
00:00
general provisions, Section 522,
00:00
which statutorily requires all federal agencies
00:00
in the executive branch to have
00:00
>> a Chief Privacy Officer.
00:00
>> We have several learning objectives.
00:00
We're going to have an overview of
00:00
the E-government Act of 2002.
00:00
We're going to drill down into Section 208b,
00:00
because it is important to us as privacy professionals.
00:00
Whether you're working in the private sector or
00:00
the public sector to where
00:00
its implementation is mandatory,
00:00
but if you are a private sector privacy officer
00:00
or privacy professional, again,
00:00
there are good best practices that you might learn
00:00
and adopt by just reviewing
00:00
the Government Act of 2002 and Section 208b.
00:00
Then we're going to have a brief discussion on
00:00
the Consolidated Appropriations Act of 2005,
00:00
Title V, general provisions,
00:00
Section 522, which statutorily requires
00:00
federal government agencies in
00:00
the executive branch to have a Chief Privacy Officer.
00:00
Let's talk about the E-government Act of 2002.
00:00
We know it amends the Privacy Act of 1974,
00:00
as we stated earlier.
00:00
The passage of the Privacy Act of 1974 was done
00:00
when the federal government had less transparency.
00:00
American citizens had less insights
00:00
into the inner workings of the federal government.
00:00
We were in a paper-based environment.
00:00
It was at the turn of the 21st century
00:00
that the US government decided that it had to
00:00
amend the Privacy Act of 1974 to
00:00
maintain pace with advances
00:00
that have been made in computer technology,
00:00
information technology to provide
00:00
more efficient and effective function
00:00
and services to the American public.
00:00
What they hoped to do was to
00:00
ensure that in making use and
00:00
incorporating these technologies into the way they
00:00
interact with the American public, that again,
00:00
they can provide these information and
00:00
services in a manner consistent
00:00
with those laws regarding
00:00
the protection of personal privacy,
00:00
national security records retention,
00:00
and access to persons with
00:00
disabilities and other relevant laws.
00:00
The E-government Act of 2002
00:00
requires all federal government agencies to implement
00:00
these requirements to be more transparent
00:00
and open in the way they engage with
00:00
>> the American public.
00:00
>> When we get to Section 208
00:00
which is extremely important to us as privacy officers,
00:00
especially if you're supporting
00:00
activities within the executive branch.
00:00
In Section 208,
00:00
it gives us the requirements for
00:00
these agencies to conduct privacy impact assessments.
00:00
I can remember in 2007 when I
00:00
inherited a program in
00:00
the Department of Homeland Security that was failing.
00:00
I was asked to take it over.
00:00
Being a mission-oriented guy,
00:00
I focused on the mission aspects of
00:00
the program and not considering the compliance aspects.
00:00
It wasn't until the US Congress sent an audit team from
00:00
the General Accounting Office to audit
00:00
the program that I learned about
00:00
the importance of privacy impact assessments.
00:00
The senior auditor and his team
00:00
sat across the table from me,
00:00
and they asked me if I understood
00:00
>> the purpose and which I
00:00
>> smile beamingly at them
00:00
and told them that I had everything under control.
00:00
It wasn't until the senior auditor
00:00
asked me why I hadn't done
00:00
a privacy impact assessment
00:00
since there was potential that we
00:00
would be collecting
00:00
personal information from American citizens,
00:00
that I learned that I'd missed
00:00
an important component in restoring
00:00
this program to viability.
00:00
Because it was then when I responded to
00:00
him when asked the question, what is a PIA?
00:00
From there the audit went downhill.
00:00
PIA is especially important to me.
00:00
Section 208 highlights that
00:00
anytime that an agency is considering
00:00
>> to include pilots,
00:00
>> acquiring or developing a system that's going
00:00
to process personal identifiable information,
00:00
if there is a new definition of
00:00
personal identifiable information in rule making,
00:00
if you're considering transporting data across borders,
00:00
data centers abroad,
00:00
if you have modified
00:00
a system that's processing
00:00
personal identifiable information,
00:00
then you should do a privacy impact assessment.
00:00
Which is a sort of
00:00
privacy risk assessment that allows us to
00:00
identify risk associated with
00:00
the processing of personal identifiable information,
00:00
so we can mitigate those risks.
00:00
We do these PIAs
00:00
to ensure that we know what we're collecting,
00:00
using, disclosing, retaining, and disposing of.
00:00
There's a requirement for these agencies to
00:00
annually report their PIAs and to make them
00:00
available on their public websites
00:00
so that individuals can
00:00
see the systems that are
00:00
processing PIA and have some insights.
00:00
Just like we talked about with SORNs,
00:00
these agencies have to
00:00
publicly announce these systems before they
00:00
place in operation for a period of
00:00
30 days in the Federal Register,
00:00
as well as they have to submit a letter
00:00
to the Office of Management and Budget and to
00:00
the Congress over a period of
00:00
10 days or so to which they have to review the letter.
00:00
That's what happened to me.
00:00
It's important that you
00:00
use these PIAs to conform with legal,
00:00
regulatory, and policy requirements for privacy.
00:00
Determine the risk and effects,
00:00
and then evaluate protections in
00:00
alternative processes for
00:00
mitigating potential privacy risk.
00:00
It's the Consolidated Appropriations Act of 2005,
00:00
Title V, general provisions,
00:00
Section 522 that states the requirement that
00:00
every federal agency in
00:00
the executive branch must have a Chief Privacy Officer.
00:00
That Chief Privacy Officer is responsible
00:00
>> for all aspects
00:00
>> of privacy and data protection within those agencies.
00:00
It requires those agencies to establish and
00:00
implement a comprehensive privacy
00:00
and data protection procedure.
00:00
Every time that agency collects,
00:00
uses, shares, discloses, transfers, stores,
00:00
or disposes of personal identifiable information as it
00:00
pertains to employees and the American public.
00:00
They're supposed to conduct
00:00
periodic third-party reviews of
00:00
their processing of PIA procedures and policies.
00:00
I included in your reference section
00:00
to give you some greater insight in this Section
00:00
522 and its impact a letter that was
00:00
written to the Director of
00:00
the Office of Management and Budget.
00:00
In that letter, it was
00:00
the Information Security and Privacy Advisory Board
00:00
that had examined
00:00
Section 522 and its importance for
00:00
executive branch agencies that had privacy programs.
00:00
The board realized the importance of
00:00
having these Chief Privacy Officers.
00:00
They wanted federal government agencies.
00:00
They really focus on having
00:00
effective and efficient privacy programs
00:00
that govern how they would
00:00
process personal identifiable information.
00:00
They highlighted the importance of conducting PIAs.
00:00
They talked about the establishment
00:00
of the Chief Privacy Officer.
00:00
They also made sure that there was a distinction
00:00
between information privacy and information security.
00:00
While complementary, again,
00:00
they have different privacy controls,
00:00
security controls and in some aspects,
00:00
different focuses on protecting
00:00
>> an agency's information.
00:00
>> In this case, personally identifiable information.
00:00
Now, it was the ISPAB that also said that
00:00
the Chief Privacy Officers had to play
00:00
an important role within agencies
00:00
and helping them manage their privacy programs.
00:00
We wanted to make sure that they were
00:00
well-integrated with an agency's CIOs,
00:00
Chief Information Officers,
00:00
>> and other key senior leaders.
00:00
>> Question 1 asks the question,
00:00
what is the E-government Act of 2002's purpose?
00:00
The answers are A,
00:00
B and C. Question 2 asks,
00:00
what are the E-government Act of 2002
00:00
section 208B's privacy requirements?
00:00
The answers are B.
00:00
Question 3 asks about a privacy impact assessment.
00:00
What is it?
00:00
The answers are A, B,
00:00
and C. Question 4
00:00
asks about the Consolidated Appropriations Act of 2005.
00:00
What does it require? The answers are A, B,
00:00
and D. In summary,
00:00
the E-government Act of 2002
00:00
transitions the federal government at
00:00
the beginning of the 21st century
00:00
to be able to achieve digital transformation.
00:00
It's the E-government Act of 2002,
00:00
Section 208 that requires agencies conduct PIAs and
00:00
post those PIAs to
00:00
their public facing websites in most cases,
00:00
and to get the appropriate notification to the public,
00:00
to Congress, and to the OMB.
00:00
It's the Consolidated Appropriations Act of 2005 that
00:00
requires federal agencies statutorily
00:00
to have Chief Privacy Officers.