OMB Memorandum 16-24 and Privacy

Time: 7 hours 2 minutes
Difficulty: Intermediate
CEU/CPE: 7
Video Transcription
Welcome back to the course, everyone. It's Chris again, the privacy gremlin. I'm Cybrary's instructor for its US Information Privacy course. In Lesson 3.3, we're going to continue our discussion on significant OMB circulars and memoranda. In this lesson, we're going to focus on OMB Memorandum 16-24, which talks about the role and designation of a Senior Agency Official for Privacy. We talked about this during our Circular A-130 discussion. But now we're going to provide more depth into that discussion, because a Senior Agency Official for Privacy plays an important role within executive branch agencies.

We have two learning objectives. We're going to talk about the designation of the Senior Agency Officials for Privacy within federal agencies within the executive branch. We're also going to talk about the role of the Senior Agency Officials for Privacy within the executive branch.

Now, we've also talked about Chief Privacy Officers. Depending on the size of an organization, you may have one person that serves both as the SAOP and the CPO. In large organizations, you may have these two roles managed by two different people, the SAOP being the most senior agency official for privacy, supported by the Chief Privacy Officer, who has responsibilities for the day-to-day operational activities of privacy across the agency. It really depends on the agency's focus on privacy as it applies to its mission and business activities.

Let's delve into Memorandum 16-24. It was on February 9th, 2016 that the President issued Executive Order 13719, entitled The Establishment of the Federal Privacy Council, which is an extremely important inter-agency forum where privacy professionals across the executive branch meet periodically to talk about the implementation of privacy practices across the executive branch. Looking at advances in technology and the way that the federal government processed and collected this information and stored it in its federal systems within the executive branch, it was important to provide guidance to these agencies on how they were supposed to manage the information life-cycle anytime that they collected and processed identifiable information, to include the creation, collection, use, processing, storing, maintaining, dissemination, disclosure, and disposal of personally identifiable information.

As I said previously, there's always some inherent risk associated with processing personally identifiable information. These agencies must have the appropriate privacy controls (insert the controls) in place to ensure that we're protecting the personally identifiable information of the American public and also of other individuals like agency employees. In designating the SAOP, that SAOP is responsible for ensuring that privacy interests are protected and that PII is managed end-to-end within the agency.

We look at three requirements when we talk about designating that SAOP position. This SAOP is supposed to be a senior official at the Deputy Assistant Secretary or equivalent level. They're supposed to be the most senior agency official for privacy, where they can work with the agency head to make sure that they're promoting an effective privacy program that is consistent with federal government guidance. They have to have the expertise. That SAOP has to have the necessary skills, knowledge, and expertise to lead and direct the agency's privacy program and also to carry out privacy-related functions. Then they must have the authority. They have to have the necessary authority within that organization (that's why they have to be senior) to lead and direct that agency's privacy program and to comply with OMB privacy-directed policies, circulars, and memoranda.

When we talk about the role and the responsibilities of the SAOP, the SAOP is responsible for policy-making. It's that senior agency official that's responsible for developing the agency's legislative, regulatory, and other policy proposals that have privacy implications. They're responsible for publishing and implementing all agency privacy-related regulations and policies. Compliance. They're the ones that have to be there to drive compliance across the agency. They ensure that the agency is compliant with the Privacy Act of 1974, the Paperwork Reduction Act of 1995, the E-Government Act of 2002, HIPAA (the Health Insurance Portability and Accountability Act of 1996), OMB Circular A-130, and other applicable requirements.

They also play a central role in risk management. When we get to the discussion on this, we'll see that integration of privacy risk management throughout all aspects of an executive branch agency. But that SAOP is responsible for consistently, continually conducting privacy risk assessments by using tools like privacy threshold analyses and privacy impact assessments to assess the risk associated with the processing of personally identifiable information throughout the information life-cycle.

Agency heads have to make sure that the SAOP is sufficiently resourced to be able to achieve and satisfy those privacy-related functions that are required by OMB and other federal laws, rules, and regulations. But there are things that you have to consider as an agency head when you're allocating resources to your privacy programs. You've got to consider the size and structure, including the agency's geographic presence. What is the agency's mission, and the volume, sensitivity, and use of PII that supports the agency mission? What are the privacy risks associated with the creation, the collection, the use, the processing, the storage, the maintenance, the dissemination, disclosure, and the disposal of PII? Then finally, we have to consider the information sources used. We talk about budgetary and planned investments in information technologies that ensure that we're doing those privacy reviews of those systems before they begin to collect, use, disclose, retain, and dispose of information as part of the information life-cycle.

Question 1 asks the question: what requirements govern the designation and role of SAOPs within federal agencies? A, C, and D are the appropriate answers. Question 2 asks: what are the responsibilities of SAOPs within federal agencies? The appropriate answers are A, C, B, and D. Question 3 asks: what factors should federal agency heads consider when assessing a SAOP or privacy program's resource needs? A, B, C, and D are the appropriate answers.

In summary, I hope you've enjoyed Lesson 3.3. I hope you can see the relevance in reviewing OMB Memorandum 16-24, whether you're supporting an agency within the executive branch or you are supporting a private sector entity. Like I said, throughout my career as a privacy professional, I've looked internationally. I've looked at the federal government and also at the state level for those useful tools that I can put in my privacy toolkit to assist agencies in being better stewards of privacy and always showing due diligence and due care every time that they collect, use, disclose, retain, and dispose of personally identifiable information.