Edit this page

Privacy Considerations

All federal agencies and programs that collect, retain, or use personally identifiable information (PII) are required to complete and maintain program documents to support these activities.

“Federal information is a strategic asset subject to risks that must be managed to minimize harm; Protecting an individual’s privacy is of utmost importance. The Federal Government shall consider and protect an individual’s privacy throughout the information life cycle; While security and privacy are independent and separate disciplines, they are closely related, and it is essential for agencies to take a coordinated approach to identifying and managing security and privacy risks and complying with applicable requirements.” - OMB Circular A-130

OMB Circular A-130 – Appendices I and II, establish requirements and guide agencies on how to coordinate information security and privacy programs to interact cohesively and describe responsibilities for protecting federal information resources and managing PII, giving agency heads the ultimate responsibility of meeting the requirements in this circular. Agency Identity, Credential, and Access Management (ICAM) leaders should coordinate with their Senior Agency Official for Privacy (SAOP) and privacy office to review and implement privacy principles, procedures, and guidelines. To learn more about the processes you should complete so your agency can meet key privacy requirements, please view OMB Circular A-130.

Apply Fair Information Practice Principles

ICAM programs collect, store, share, and maintain PII. As such, your agency must actively support privacy protections and the widely-recognized Fair Information Practice Principles (FIPPs). Under the Privacy Act of 1974, based on FIPPs, your agency must have processes and procedures governing the use of PII. When you implement your ICAM program, determine whether you must adjust processes and procedures due to a new use of PII.

Privacy Tip

We encourage you to provide redress mechanisms even when the Privacy Act doesn't require them. Promote confidence in your users' interactions with the government by allowing them to provide feedback and rectify issues with their PII.

The table below describes each of the FIPPs and gives practical implementation considerations for applying them within an ICAM program.

FIPPS Implementation Considerations

FIPPS
Description
ICAM Considerations
Access and Amendment Provide individuals with appropriate access to PII and opportunity to correct or update PII. Make it simple to access individual PII.

Provide Privacy Act-compliant procedures to:

• Report and correct information that is inaccurate, lost, or compromised.

• Mitigate damages resulting from incorrect authentication or unauthorized access.

Redress mechanisms enhance confidence in the program and promote individual participation.
Accountability Comply with these principles and properly train employees and contractors who use PII.

Monitor, audit, and document the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.
Establish accountability measures to appropriately apply FIPPs to protect users’ privacy effectively. These can include ICAM program audits and reviews by agency privacy and security officials.

Address accountability for specific requirements, such as the M-07-16 requirement for annual certification of training for employees who handle PII. Clear accountability promotes confidence in ICAM programs.
Authority Create, collect, use, process, store, maintain, disseminate, or disclose only the PII that your agency has the authority to do so. Identify this authority in the appropriate notice. Identify a specific authority to create, collect, use, process, store, maintain, disseminate, or disclose PII.
Minimization Collect only PII that is directly relevant and necessary to accomplish the specified purpose(s) and retain PII only for as long as is necessary to fulfill the specified purpose(s). Collect only the information required to carry out ICAM business functions. Wherever possible, use assertions of an individual’s identity in lieu of identifying data elements. For example, if an application has an age limit, the program should ask for proof of age rather than the exact birth date.

Determine how long your agency will retain specific categories of information and implement procedures to destroy the information at the end of the retention period.
Data Quality & Integrity Ensure that PII is accurate, relevant, timely, and complete. Identify and implement means to ensure that PII is accurate, relevant, timely, and complete, including allowing individuals to correct inaccuracies in their information.
Individual Participation Involve the individual in the process of using PII. When possible, seek individual consent to collect, use, disseminate, and maintain PII. Your agency should also provide mechanisms for appropriate access, correction, and redress regarding use of PII. If your agency interacts with the public face-to-face or engages by paper or telephone, some people will not feel comfortable adopting technological processes. Your agency should continue to offer physical alternatives for procedures that are not inherently technology-based.

Provide Privacy Act-compliant procedures to:

• Report and correct information that is inaccurate, lost, or compromised.

• Mitigate damages resulting from incorrect authentication or unauthorized access.

Redress mechanisms enhance confidence in the program and promote individual participation.
Purpose Specification and Use Limitation Use PII solely for the purpose(s) specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected. The Privacy Act generally requires that once a person consents to the collection of his information for a specific, stated purpose, that information can only be used for that purpose. This is important to remember when sharing information between programs. If the programs have different purposes, you likely shouldn’t share information without additional consent from the user. Consider this limitation when you create your agency’s privacy ICAM program notices.
Security Protect PII through safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure. Your agency must ensure the security of information at all stages (collection, transmission, storage, destruction) in accordance with various legal and policy requirements, such as FISMA and OMB M-07-16. Examples of techniques for securing data include:

• Encryption.

• Strong authentication procedures.

• Time-out functionality.

• Minimum security controls to make information unusable by unauthorized individuals.
Transparency Be transparent about the information your agency collects and shares, and notify the individual regarding collection, use, dissemination, and maintenance of PII. A foundational principle in federal privacy law is that people have the right to know what information the government collects and retains about them and, to a great extent, the right to control how that information is used. Consider this principle and ensure the following before each occurrence of information collection or transmission:

• Inform the user about which information elements you’ll collect.

• Inform the user who will receive the information.

• Inform the user about how you’ll use the information.

• Allow the user to affirmatively choose to participate before you transmit any information.