Information: To Share and Protect, Part 2

Tuesday, January 29th, 2013 - 10:28

Among my New Year’s reading list were two December issuances that impact the world of information and privacy in government: the White House’s National Strategy on Information Sharing, and the Federal CIO Council’s Recommendations for Digital Privacy Controls. The interrelated nature of these issues should not be lost – sharing information requires protection for individuals in order to be sustained and supported over the long term.

To commemorate Data Privacy Day, this blog post addresses the Privacy Controls; the first addressed the Information Sharing Strategy (http://www.businessofgovernment.org/blog/business-government/information...); and a third will discuss the necessary linkages between the two.

Data Privacy Day (http://www.staysafeonline.org/data-privacy-day/about) is, as the National Cybersecurity Alliance describes it, “an effort to empower people to protect their privacy and control their digital footprint and escalate the protection of privacy and data as everyone’s priority.”  As I have written previously, government has a critical role to play in bringing strong privacy protections to the online world, especially where sharing information is key to government missions.  Accordingly, today seems an opportune time to review the Federal CIO Council’s (www.cio.gov) December release on making privacy practices more consistent across agencies, “Recommendations for Standardized Implementation of Digital Privacy Controls” (https://cio.gov/wp-content/uploads/downloads/2012/12/Standardized_Digital_Privacy_Controls.pdf).

This document carries out a key recommendation of the Administration’s “Digital Government Strategy” (http://www.whitehouse.gov/sites/default/files/omb/egov/digital-government/digital-government.html), issued in May 2012, which calls upon the CIO Council to work with the National Institute of Standards and Technology (NIST) (www.nist.gov) and the National Archives and Records Administration (www.nara.gov) on guidelines that help agencies protect privacy online.  The document cites three key controls that agencies can leverage in this regard:

  • Develop an inventory of Digital Personally Identifiable Information (PII).  A PII Inventory is a catalogue of the electronic information an agency holds that can be used to identify an individual.  Knowing what it has lets the agency spot where it collects the same information more than once, and where it can share information internally instead of collecting it again, reducing the burden on the public.
  • Conduct Digital Privacy Impact Assessments (PIAs).  PIAs are required by Section 208 of the E-Government Act (http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/html/PLAW-107publ347.htm) before an agency develops or procures IT that handles PII.  The PIA is an important step to take early in the design of a digital system, especially in an era where “big data” can create new pathways to PII by using analytics to combine separate data sources into linkable streams of identity; the guidance usefully notes that the same linkage risk applies to business confidential information.
  • Publish Digital Privacy Notices.  Ensure that agency online activities that affect PII are accompanied by clear disclosures to users and the public about what the agency intends to do with that information.  The guidance makes reference to “layered notices”: a high-level explanation for the broad public that links to more detailed use-case discussions for those with a greater interest.

The document also notes the importance of considering privacy impacts early as new digital technologies are developed, including the mobile and consumer applications that agencies will increasingly leverage over time.  These technologies provide great benefit to users, and the risk management approach the document cites adapts NIST’s cybersecurity guidance to a privacy setting, so that agencies can properly integrate privacy protections into the design of digital programs that serve the public (NIST has issued a draft privacy-controls appendix to Special Publication 800-53, Revision 4, its primary cybersecurity controls publication, to implement this principle: http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf).

The steps that the CIO Council recommends provide a solid foundation for agencies that use digital technologies across a variety of activities, including those devoted to information sharing.  Stay tuned for part 3, which will address important linkages between the two documents and potential next steps in this arena.
