OMB Memorandum 03-22 and Privacy


Time: 7 hours 2 minutes
Difficulty: Intermediate
CEU/CPE: 7
Video Transcription
00:00
Hello, everyone. Welcome back to the course. My name is Chris and I'm Cybrary's instructor for the US information privacy course. By now, you know that those statements are true, that I am the privacy gremlin, and I'll keep you up all night if you want to talk about or discuss privacy topics and concepts.

It's in lesson 3.2 that we're going to continue to look at specific OMB guidance documents of the executive branch. In this case, we're going to look at OMB memorandum 03-22, entitled "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002." Specifically, we're talking about Section 208, like we talked about earlier in the course.

We have several learning objectives. We're going to look at OMB memorandum 03-22's purpose and PIA requirements. We're going to talk about its online privacy policy requirements. We're also going to talk about the requirement that federal agencies in the executive branch have for complying with COPPA, the Children's Online Privacy Protection Act of 1988, which also has an accompanying rule that was promulgated in 1990. It has been updated. The Federal Trade Commission is looking at updating it again this year. We're not sure when the final rule will come out.
I'd like to start our discussion by looking at OMB memorandum 03-22's purpose and its PIA requirements. Remember, we talked about the "what" in the E-Government Act of 2002, Section 208: the requirement for privacy impact assessments, the need for doing so, the requirement to post those to the public-facing websites of these agencies, and also the notification requirements, that these executive branch agencies had to notify OMB, and notify the public and Congress, before placing in operation these systems that would be processing personally identifiable information.

Now, when we look at the intent behind this memorandum, we realize, just like we talked about earlier, that we saw such rapid changes in information technology that was being developed and acquired by the federal government, that was used to process personally identifiable information, and as part of privacy programs in the federal government. OMB memorandum 03-22's intent was to help these executive branch agencies understand that if they were using information technologies, information systems, to collect personally identifiable information, or they were buying or developing new systems that were collecting personally identifiable information, they had to have the processes in place to protect that information. Especially, we've talked about the electronic collection of this information, to really assure the American public that their information was being safeguarded throughout the information life cycle.

Now, we've talked about the privacy impact assessment in Section 208 of the E-Government Act, but we're going to continue our discussion here about what those requirements are. It's OMB memorandum 03-22 that requires these agencies to conduct these privacy impact assessments on those federal government information systems that electronically collect information, and to make these PIAs publicly available. It required them to post privacy policies on their agency websites, so that the public can review them as part of transparency. It asks them to translate their privacy policies into machine-readable format, so they could be read and understood online. It required these agencies to report annually to OMB on the number of PIAs that had been produced within a year, and also to make that information known to the public by posting it in the Federal Register for a 30-day period for public comment, and also to provide a narrative letter to OMB and the Congress detailing the purpose of the systems that were collecting PII.
Now, PIAs are important. I shared my story with you about how I learned about the importance of privacy impact assessments. It's OMB memorandum 03-22 that builds upon the E-Government Act of 2002, Section 208 requirements. It said that you have to conduct a PIA before you develop or procure IT systems that collect, maintain, or disseminate personally identifiable information, or when you are initiating, consistent with the Paperwork Reduction Act, a new electronic system that had information on 10 or more persons. Note that it excludes agency employees.

It talks about the updating of these PIAs when required: when you make significant changes to systems, when you have new public access, or new agency uses for that information. Now, it also says that you don't have to publish a PIA when that personally identifiable information pertains to internal government operations, when we're talking about national systems themselves that might be security systems that might have personally identifiable information, or when that information is being collected as part of a computer matching agreement, as defined in the Computer Matching and Privacy Protection Act of 1988.

Now, it also says that these PIAs should describe what information is being collected, why it's being collected, the intended use, whom you're going to share that information with, what the customer preferences are, how an individual can decline to provide information, how you are going to secure it, and whether you're creating a system of records in compliance with the Privacy Act. It emphasizes the importance of ensuring, to include pilots, that before you place that system in operation, you conduct a privacy impact assessment. Some agencies will consider doing a privacy threshold analysis, which is an initial review prior to a PIA to determine whether the system did, or does, or does not collect PII, and the need for a PIA.
We want to talk about, and we have to talk about, those privacy policy requirements. It states that these agencies themselves have to post their privacy notices or policies on their public-facing website to provide the public with insights into what their privacy practices are. The purpose is to inform individuals visiting those websites that the information that's requested is voluntary, how they can give or grant consent, and any instances where the provision of this information is mandatory, outside the scope of the Privacy Act. You also have to, when you're looking at the privacy policy, provide a link to any applicable agency regulations. We also talked about how you have to demonstrate and notify the appropriate agencies of your efforts in trying to make the privacy notices, or privacy policies, machine readable for access by these individuals. OMB encourages these agencies to adopt other privacy-protective tools as, we say, advancements in these capabilities occur.
Many federal government agencies don't believe that they have to be compliant with certain privacy laws, like the Children's Online Privacy Protection Act, COPPA. It really provides guidance and says that web operators and web owners cannot collect information from children under the age of 13. You have to give notice of what those collection activities are. Parents themselves have the right to request access to information when it is collected and when it is being used. They have a right to know how to opt out or deny the right to process that information. You have to have a way of verifying the parental identity, or legal guardian identity, before you provide them with information on information collected from children. There are certain requirements that you have to comply with. Those include using postal mail, accepting or verifying a credit card number in connection with the transaction, or taking calls from parents through a toll-free number staffed by trained individuals. As I said, parents and legal guardians have a right to access that information upon written request.
Now, question one asks a question about conducting PIAs. The appropriate choices are B and C. Question two asks about the requirement to post privacy policies. The appropriate answers are A, B, C, and D. Question three asks about OMB 03-22's COPPA requirements. The appropriate answers are A, B, and C.

In closing, OMB memorandum 03-22 is an important document. It provides guidance to executive branch agencies on how to implement the E-Government Act of 2002's privacy provisions.