Information Technology (IT) Privacy is the protection of personally identifiable or business identifiable information that is collected from respondents through information collection activities or from other sources and that is maintained by the Department of Commerce in its IT systems. For purposes of this policy, this information is termed "identifiable information." Office of Management and Budget (OMB) guidance, consistent with the E-Government Act of 2002, protects personally identifiable information (PII). Commerce, through this policy, is extending the same protection to business identifiable information (BII). Rapid advancements in computer technology make it possible to store and retrieve vast amounts of data of all kinds quickly and efficiently. These advancements have raised concerns about the impact of IT systems on the privacy of individuals and businesses.

What are the federal laws and guidance that relate to the protection of privacy for individuals and businesses?
The Privacy Act of 1974 (5 U.S.C. 552a), as amended, regulates the Federal Government’s collection, use, maintenance, and dissemination of information about individuals.
Section 208 of the E-Government Act of 2002 (44 U.S.C. 3601 et seq.) establishes procedures to ensure the privacy of personal information in electronic records.
The Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501 et seq.) is designed to reduce the public’s burden of answering unnecessary, duplicative, and burdensome government surveys.
The Trade Secrets Act (18 U.S.C. 1905) provides criminal penalties for the unauthorized disclosure by Federal officers and employees of trade secrets and other confidential business information obtained in the course of their duties.
The Children's Online Privacy Protection Act of 1998 (15 U.S.C. 6501-06) regulates the online collection and use of personal information provided by and relating to children under the age of 13.
OMB Circular A-130, “Management of Federal Information Resources,” establishes a policy for the management of Federal information resources, including automated information systems.
OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003, provides specific guidance to agencies for implementing Section 208 of the E-Government Act.
OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, establishes requirements to review and reduce the volume of PII; eliminate the unnecessary use of social security numbers (SSN); and log all computer-readable data extracts from databases holding sensitive information and verify each extract, including whether sensitive data has been erased within 90 days or its use is still required (pages 6-8).
OMB Memorandum M-06-16, Protection of Agency Sensitive Information, provides guidance for encrypting sensitive data on mobile computers and devices; allowing remote access only with two-factor authentication; using a time-out function for remote access; and logging all computer-readable data extracts from databases holding sensitive information and verifying each extract, including whether sensitive data has been erased within 90 days or its use is still required.
OMB Memorandum M-06-15, Safeguarding Personally Identifiable Information, requires that agencies conduct a review of their policies and processes, and take corrective action as appropriate to ensure adequate safeguards to prevent the intentional or negligent misuse of, or unauthorized access to, personally identifiable information.
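As an added illustration (not part of the policy text, the OMB memoranda, or any Commerce system), the following Python sketch shows how the extract-log verification called for in M-06-16 and M-07-16 could be checked mechanically: each logged computer-readable extract of sensitive data is classified as erased, still inside the 90-day window, retained with a recorded justification, or overdue for verification. The log format, the field names, the sample records and the status labels are all assumptions made for the example.

```python
"""Extract-log review for the 90-day verification control (added example).

Assumptions not taken from the page: the pipe-delimited log layout, the
field names, the sample records and the status labels are hypothetical.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RETENTION = timedelta(days=90)  # verification window named in the memoranda

# Constructed sample log, one line per extract:
# extract_id|extracted_on|requested_by|sensitive|erased_on|still_required
SAMPLE_LOG = """\
X-1001|2024-01-10|analyst.a|yes|2024-02-01|no
X-1002|2024-01-15|analyst.b|yes||yes
X-1003|2024-01-20|analyst.c|yes||no
X-1004|2024-05-02|analyst.a|yes||no
X-1005|2024-01-05|analyst.d|no||no
"""


@dataclass
class Extract:
    extract_id: str
    extracted_on: date
    requested_by: str
    sensitive: bool
    erased_on: Optional[date]
    still_required: bool


def parse_log(text: str) -> list[Extract]:
    """Parse the hypothetical pipe-delimited extract log into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        eid, extracted, who, sensitive, erased, required = line.split("|")
        records.append(Extract(
            extract_id=eid,
            extracted_on=date.fromisoformat(extracted),
            requested_by=who,
            sensitive=sensitive == "yes",
            erased_on=date.fromisoformat(erased) if erased else None,
            still_required=required == "yes",
        ))
    return records


def classify(e: Extract, today: date) -> str:
    """Apply the 90-day rule to one extract as of `today`."""
    if not e.sensitive:
        return "not-sensitive"          # outside the control's scope
    if e.erased_on is not None:
        # Erased, but record whether erasure happened inside the window.
        late = (e.erased_on - e.extracted_on) > RETENTION
        return "erased-late" if late else "erased"
    if today - e.extracted_on <= RETENTION:
        return "within-window"          # no verification due yet
    if e.still_required:
        return "retained-justified"     # continued use documented
    return "OVERDUE"                    # neither erased nor justified


def review(text: str, today: date) -> dict[str, str]:
    """Map every extract id in the log to its status as of `today`."""
    return {e.extract_id: classify(e, today) for e in parse_log(text)}


def overdue_extracts(text: str, today: date) -> list[str]:
    """Ids that need follow-up: past 90 days, not erased, no justification."""
    return [eid for eid, status in review(text, today).items()
            if status == "OVERDUE"]


if __name__ == "__main__":
    as_of = date(2024, 6, 1)
    for eid, status in review(SAMPLE_LOG, as_of).items():
        print(f"{eid}: {status}")
    print("follow-up needed:", overdue_extracts(SAMPLE_LOG, as_of))
```

The review date is passed in explicitly rather than read from the clock so the same log can be re-checked against a fixed date during an audit; an extract marked "still required" is not closed out, only moved to a status that the reviewer should re-verify on the next cycle.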