HHS-OCIO Policy for Machine-Readable Privacy Policies
January 28, 2010
Table of Contents
- 1. Purpose
- 2. Background
- 3. Scope
- 4. Policy
- 5. Roles and Responsibilities
- 6. Applicable Privacy Laws / Guidance
  - 6.1 Federal Statutes
    - 6.1.1 The Federal Records Act of 1950 (44 U.S.C. Chapter 31)
    - 6.1.2 The Privacy Act of 1974, as amended
    - 6.1.3 The Paperwork Reduction Act of 1995
    - 6.1.4 The Clinger-Cohen Act of 1996
    - 6.1.5 The Children’s Online Privacy Protection Act of 1998
    - 6.1.6 The Rehabilitation Act of 1998 (Section 508), as amended
    - 6.1.7 NARA Code of Federal Regulations 36 CFR § Subpart B
  - 6.2 OMB Guidance
    - 6.2.1 OMB M-07-20, FY 2007 E-Government Act Reporting Instructions
    - 6.2.2 OMB M-05-04, Policies for Federal Agency Public Websites
    - 6.2.3 OMB M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
    - 6.2.4 OMB M-00-13, Privacy Policies and Data Collection on Federal Websites
    - 6.2.5 OMB M-99-18, Privacy Policies on Federal Websites
- 7. Information and Assistance
- 8. Effective Date/Implementation
- 9. Approved
Implementing machine-readable privacy policies will identify and disclose Website privacy practices to the public. Specifically, machine-readable privacy policies will serve as a platform to:
- • Ensure that Website information collection and use practices conform to applicable legal, regulatory, and policy requirements;
- • Examine and evaluate Website data collection and data use practices to mitigate potential privacy risks; and
- • Ensure that the public is accurately informed of Website data collection and data use practices.
http://intranet.hhs.gov/infosec/docs/education/machine_train/Priv_Machine_Readable_Training.pdf). This Policy also provides a summary of federal legislation, regulations, and guidance related to Website privacy practices.
This Policy familiarizes HHS personnel with the machine-readable privacy requirements set forth in the E-Government Act of 2002 and with the machine-readable privacy specification, P3P (Platform for Privacy Preferences). All HHS public Websites must have machine-readable privacy policies that are maintained regularly.
This Policy is a first issuance, and codifies the Department’s authority to develop, document, implement, and oversee P3P at HHS.
The Federal Government has recognized the public’s increasing concerns about online privacy. Individuals are concerned with what information is collected on Websites, how it is used, and whether or not they have a choice in providing the information.
This document is not a description of privacy policies in general. Public citizens, along with private sector and public sector organizations, interacting with HHS must be informed of Website privacy practices in accordance with the policy located at HHS.gov/webpolicies.
- • Compliance with Section 208 of the E-Government Act of 2002;
- • Automatic access of a Website’s privacy practices;
- • An increase in transparency of data collection and data use processes, thus increasing the level of public trust in the Department;
- • An increase in public confidence through anticipation of privacy concerns; and
- • Improvement in awareness of potential privacy risks, exposures, and liabilities.
As a result, the HHS-OCIO Policy for Machine-Readable Privacy Policies has been developed to ensure users are informed of Website privacy practices and comply with federal laws and guidance.
This Policy applies to all HHS organization components (i.e., Operating Divisions [OPDIVs] and Staff Divisions [STAFFDIVs]) and organizations conducting business for and on behalf of the Department.
Department officials shall apply this Policy to employees, contractor personnel, interns, and other non-government employees. All organizations collecting or maintaining information, or using or operating information systems on behalf of the Department, are also subject to the stipulations of this Policy. The content of and compliance with this Policy shall be incorporated into applicable contract language and grant agreements, as appropriate.
Agencies shall use this Policy or may create a more restrictive OPDIV/STAFFDIV policy, but not one that is less restrictive, less comprehensive than, or less compliant with this document.
5. Roles and Responsibilities
5.1 Department Level
5.1.1 HHS Chief Information Officer (CIO) and Senior Agency Official for Privacy (SAOP)
The HHS Chief Information Officer (CIO), who is also the Senior Agency Official for Privacy (SAOP), is responsible for:
Overseeing the development and implementation of machine-readable privacy policies.
5.1.2 HHS Chief Information Security Officer (CISO)
The HHS Chief Information Security Officer (CISO) is responsible for:
- • Reporting annually to OMB on compliance with Section 208 of the E-Government Act of 2002; and
5.1.3 HHS Web Management Team
The HHS Web Management Team is responsible for:
Working with the HHS CISO, HHS Privacy Act Officer, and the HHS Privacy Advocate to ensure that proper machine-readable privacy policies are published on HHS Web servers.
5.1.4 HHS Privacy Advocate
The HHS Privacy Advocate is responsible for:
- • Serving as a resource for privacy programs and awareness;
- • Serving as Chairman of the HHS Data Council Privacy Subcommittee;
- • Encouraging awareness of potential privacy issues and policies;
- • Coordinating the review of all privacy-related documents;
- • Providing privacy-related guidance as needed;
- • Serving as a liaison for HHS privacy matters to external organizations; and
- • Fostering the working relationships between the offices of the HHS Privacy Advocate, the HHS Privacy Officer, and the HHS CISO.
5.1.5 HHS Privacy Officer
The HHS Privacy Officer is responsible for:
- • Keeping apprised of applicable privacy law;
- • Reviewing HHS Privacy Act System of Records Notices (SORNs) prior to publication;
- • Informing the Department of the Privacy Act requirements and corresponding operating procedures; and
- • Reviewing Website privacy statements for accuracy, appropriateness, and applicability.
5.1.6 HHS Office of the Chief Information Officer (OCIO) Information Collection Clearance Staff
The HHS OCIO Information Collection Clearance Staff are responsible for:
- • Ensuring compliance with OMB directives on the Paperwork Reduction Act of 1995 (PRA); and
- • Providing guidance and assistance for compliance with the PRA.
5.1.7 HHS Records Officer
The HHS Records Officer is responsible for:
- • Ensuring compliance with the Federal Records Act; laws, regulations, and guidance of the National Archives and Records Administration (NARA); OMB directives; and GAO audit requirements;
- • Serving as chairperson of the HHS Records Management Council;
- • Developing HHS records management policies and procedures; and
- • Providing department-wide guidance, training, and assistance for compliance with laws and regulations.
5.2 Operating Division Level
5.2.1 OPDIV Chief Information Officers (CIOs)
OPDIV CIOs are responsible for:
- • Overseeing the development and implementation of machine-readable privacy policies;
- • Ensuring that completed machine-readable privacy policies are implemented on all applicable OPDIV public Websites (both existing and in-development);
- • Ensuring completed machine-readable privacy policies are reviewed annually and attesting that they are adequately and accurately completed; and
- • Ensuring that all machine-readable privacy policies are monitored and maintained.
5.2.2 OPDIV Chief Information Security Officers (CISOs)
OPDIV CISOs are responsible for:
Serving as the key point of contact (POC) to the HHS CISO for OPDIV-specific machine-readable privacy matters.
5.2.3 OPDIV Senior Officials for Privacy (SOP)
OPDIV SOPs are responsible for:
Serving as the key POC to their OPDIV CISO for privacy matters.
5.2.4 OPDIV Information Systems Security Officers (ISSOs)
OPDIV ISSOs are responsible for:
- • Coordinating the completion and implementation of machine-readable privacy policies;
- • Working with Website owners to collect information needed to complete machine-readable privacy policies; and
5.2.5 Website Owners and Website Administrators
Website Owners and Website Administrators are responsible for:
- • Working with ISSOs, CIOs, or other staff to provide information relative to completing machine-readable privacy policies;
- • Identifying any additional resources needed to complete machine-readable privacy policies;
- • Implementing, conducting ongoing testing, and maintaining machine-readable privacy policies on existing Websites and Websites in development;
- • Implementing, conducting ongoing testing, and maintaining machine-readable policy reference files on any Web server that hosts an HHS Website; and
- • Ensuring machine-readable privacy policies are successfully validated. (“Validated” means that it has been proven that the policy can be automatically read by a Web browser; refer to the machine-readable training document for guidance on how to perform this validation.)
5.2.6 OPDIV Privacy Contact
The OPDIV Privacy Contacts are responsible for:
- • Serving as a POC for issues related to the Privacy Act within the OPDIV;
- • Serving as a resource for questions on acceptable Website privacy practices; and
- • Maintaining awareness of privacy laws, regulations, and issues.
A list of OPDIV privacy contacts is available at http://www.hhs.gov/contacts/privacy.html. Specific titles and job descriptions vary by OPDIV.
5.2.7 OPDIV Information Collection Clearance Officer
The OPDIV Information Collection Clearance Officer is responsible for:
- • Ensuring OPDIV compliance with OMB and Departmental directives on the Paperwork Reduction Act of 1995; and
- • Providing guidance and assistance for compliance with the Paperwork Reduction Act of 1995.
5.2.8 OPDIV Records Officer
The OPDIV Records Officer is responsible for:
- • Ensuring compliance with the Federal Records Act and HHS Records Management policy and procedures.
5.2.9 Technical Staff
Staff completing machine-readable privacy policies may need to consult or coordinate with other OPDIV staff or subject matter experts. Specific job titles and job descriptions may vary by OPDIV. In general, technical staff can include: IT specialists; Web masters; Web designers; server administrators; Web content management staff; and other staff with responsibilities related to budgeting for IT, security, and privacy needs.
The responsibilities of technical staff include:
- • Providing guidance and insight on enterprise-wide Web content configuration management practices;
- • Providing guidance on mandatory Website approval processes; and
- • Providing guidance on agency design templates, P3P deployment plan, Website testing procedures, and Section 508 approval.
6. Applicable Privacy Laws / Guidance
6.1 Federal Statutes
6.1.1 The Federal Records Act of 1950 (44 U.S.C. Chapter 31)
The Federal Records Act of 1950 defines a records management framework for all federal agencies to follow. Each agency is required to “make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency’s activities.” Federal agencies must establish and maintain an active, continuing program for the economical and efficient management of the records of the agency. The program, among other things, shall provide for: “(1) effective controls over the creation and over the maintenance and use of records in the conduct of current business; (2) cooperation with the Administrator of General Services and the Archivist in applying standards, procedures, and techniques designed to improve the management of records, promote the maintenance and security of records deemed appropriate for preservation, and facilitate the segregation and disposal of records of temporary value; and (3) compliance with sections 2101-2117, 2501-2507, 2901-2909, and 3101-3107, of this title and the regulations issued under them.”
6.1.2 The Privacy Act of 1974, as amended
The Privacy Act protects the privacy of individuals by establishing “Fair Information Practices” for the collection, maintenance, use, and dissemination of information by federal agencies. For several years the Privacy Act, along with its accompanying case law, was the most significant milestone in the history of the protection of the privacy of personal information held by the Federal Government. In the more recent past, subsequent laws, regulations, and guidance have built upon the principles first articulated in the Privacy Act.
6.1.3 The Paperwork Reduction Act of 1995
PRA focuses on increasing the efficiency of the Federal Government’s information collection practices. PRA specifies that CIOs shall improve protection for the privacy and security of information under their agency’s control. PRA also created the Office of Information and Regulatory Affairs (OIRA) within OMB to provide central oversight of information management activities across the Federal Government. Furthermore, the PRA requires agencies to receive an OMB information collection approval number (also known as an “OMB control number”) for an IT system, prior to using that system to collect information from any person.
6.1.4 The Clinger-Cohen Act of 1996
The Clinger-Cohen Act of 1996 (which includes both the Information Technology Management Reform Act and the Federal Acquisition Reform Act) is intended to improve the productivity, efficiency, and effectiveness of federal programs through the improved acquisition, use, and disposal of IT resources. Among other effects, the Act makes agencies responsible for IT resource acquisition and management under the guidance of the CIO and emphasizes that value shall be maximized and risk shall be minimized in capital planning and budget processes. In effect, the Clinger-Cohen Act places the burden of incorporating privacy controls into IT investments at the agency and CIO levels.
6.1.5 The Children’s Online Privacy Protection Act of 1998
Further discussion of COPPA requirements, compliance, and implementation can be found on the Federal Trade Commission’s COPPA Website at http://www.ftc.gov/privacy/privacyinitiatives/childrens.html.
6.1.6 The Rehabilitation Act of 1998 (Section 508), as amended
The 1998 Amendment to Section 508 of the Rehabilitation Act states that when a federal agency is developing, procuring, maintaining, or using electronic and information technology, the agency is required to ensure that individuals with disabilities (both members of the public and federal employees) have access to the data and the ability to utilize it in a way that is comparable to how an individual without disabilities would access and utilize the data. If this process would cause undue burden to the federal agency, that agency is required to develop a comparable means to provide the access and ability to utilize the data.
6.1.7 NARA Code of Federal Regulations 36 CFR § Subpart B
36 CFR § Part 1236 defines regulations for the electronic transfer of records to NARA. This includes maintaining the integrity of the record(s) during the transfer process (as defined by the agency’s records disposition schedule), contacting NARA to assist with the file transfer process if the agency cannot transfer the record(s) to newer media, and temporarily maintaining a copy of the record until NARA provides official notification that the transfer was successful. Requirements surrounding the creation, maintenance, use, and disposition of electronic records are defined in 36 CFR § Part 1236.
6.2 OMB Guidance
HHS must also comply with OMB guidance on implementing these various legislative acts. This section lists some relevant, though not exhaustive, OMB memoranda regarding privacy and information resource management as it pertains to privacy policies.
6.2.1 OMB M-07-20, FY 2007 E-Government Act Reporting Instructions
OMB M-07-20 provides agencies with instructions for completing the annual E-Government Act report as required by the E-Government Act of 2002 (Pub. L. No. 107-347). The E-Government Act requires the OMB to report to Congress a summary of the information reported by agencies pursuant to Section 202(g) of the Act. New requirements include the following:
- • Providing seven specific pieces of information related to the agency’s e-Government initiatives in Section 1 of the Agency’s Report (Implementation of Electronic Government Initiatives) for this year, as opposed to describing just one internal agency-specific E-Government initiative; and
- • Streamlining the information provided so that only the Website link is included for both previously reported and new information.
6.2.2 OMB M-05-04, Policies for Federal Agency Public Websites
OMB M-05-04, under the requirements of Section 208 of the E-Government Act of 2002, reiterates federal agency responsibilities under existing information resource management law and guidance and establishes several new requirements, including:
Establishing and maintaining information dissemination product inventories, priorities, and schedules;
Establishing and enforcing agency-wide linking policies;
Assuring agency principal and public Websites, and any other major entry points, include a search function; and
Using approved domains only (.gov, .mil, or fed.us) for the sponsorship of information dissemination products, including public Websites.
6.2.3 OMB M-03-22, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002
OMB M-03-22 indicates that PIAs should be conducted and/or updated when an information system that collects, maintains, or disseminates information in identifiable form is developed or procured, as well as when significant changes occur to a system that create new privacy risks.
In addition to the aforementioned requirements related to conducting PIAs, OMB M-03-22 outlines new and previously established requirements for privacy policies on agency Websites. New content requirements outlined in OMB M-03-22 include ensuring Website privacy policies inform Website visitors of their rights under the Privacy Act or other applicable privacy laws, and implementing machine-readable privacy policies on all public Websites.
6.2.4 OMB M-00-13, Privacy Policies and Data Collection on Federal Websites
6.2.5 OMB M-99-18, Privacy Policies on Federal Websites
OMB M-99-18 directs federal agencies to post privacy policies on principal Websites, major entry points, and Websites in which substantial personal information is collected from the public. Agency privacy policies must clearly and concisely inform visitors to the site what information the agency collects about individuals, why the agency collects it, and how the agency will use the information.
7. Information and Assistance
All Department policies and standards are posted on the following Website: http://www.hhs.gov/ocio/policy. Direct questions, comments, suggestions, or requests for further information regarding this Policy to the HHS CISO, (202) 205-9581.
8. Effective Date/Implementation
The effective date of this Policy is the date the policy is approved.
Requirements stated in this Policy are consistent with law, regulations, and other Department policies applicable at the time of its issuance. Actions taken through the implementation of this Policy must comply with the requirements of pertinent laws, rules and regulations, as well as the lawful provisions of applicable negotiated agreements for employees in exclusive bargaining units.
The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the HHS Secretary’s policy statement dated August 7, 1997, as amended, titled Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations. It is HHS policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department’s plans, projects, programs, and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.
/s/                                   January 28, 2010
Michael W. Carleton DATE
HHS Chief Information Officer (CIO)
HHS Senior Agency Official for Privacy (SAOP)
eXtensible Markup Language (XML)— A specification created by the World Wide Web (WWW) Consortium. XML allows designers to create their own customized tags, enabling the definition, transmission, validation, and interpretation of data between applications and between organizations.
Internet— The Internet is a global system of interconnected computer networks that use the standardized Internet Protocol Suite (Transmission Control Protocol [TCP]/Internet Protocol [IP]) and is accessible to the general public.
Intranet— A network based on TCP/IP protocols (an Internet) belonging to an organization, usually a corporation, accessible only by the organization's members, employees, or others with authorization.
Personally Identifiable Information (PII)— Information in an IT system or online collection: (1) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address), or (2) by which an agency intends to identify specific individuals in conjunction with other data elements (i.e., indirect identification). (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.) (Defined in OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 http://www.hhs.gov/ocio/policy/policydocs/20030001.doc).
Platform for Privacy Preferences (P3P)— A specification created by the WWW Consortium. P3P allows users' web browsers to automatically understand Websites’ privacy practices.
Section 508— A section within the Rehabilitation Act of 1973 that requires federal departments and agencies that develop, procure, maintain, or use electronic and information technology to ensure that federal employees and members of the public with disabilities have access to and use of information and data comparable to that of employees and members of the public without disabilities, unless it is an undue burden to do so (Defined in www.Section508.gov).
Website— A collection of interlinked Web pages (on either Internet or Intranet sites) with a related topic, usually under a single domain name, which includes an intended starting file called a “home page.” From the home page, access is gained to all the other pages on the Website.
Web Server— A computer that provides WWW services on the Internet. It includes the hardware, operating system, Web server software, and Web site content (Web pages). If the Web server is used internally and not by the public, it may be known as an “intranet server” (Defined in National Institute of Standards and Technology [NIST] Special Publication 800-44, Guidelines on Securing Public Web Servers).
World Wide Web Consortium (W3C)— A group of more than 500 companies, universities, and nonprofit organizations that work together to develop common protocols that promote the continued evolution and interoperability of the WWW.
- • What information is collected;
- • Why the information is being collected;
- • The intended use of the information by the agency;
- • With whom the information will be intentionally shared;
- • What notice or opportunities for consent are provided to individuals regarding the information that is collected and how that information is shared;
- • How the information is secured; and
- • The rights of the individual under Section 552a of the Privacy Act, and other laws relevant to the protection of the privacy of an individual.
We collect no information about you, other than information automatically collected and stored (see below), when you visit our Web site unless you choose to provide that information to us.
(NOTE: For information on the Medical Privacy Rule, please go to www.hhs.gov/ocr/hipaa/).
Information Automatically Collected and Stored:
When you browse through any Web site, certain personal information about you can be collected. We automatically collect and temporarily store the following information about your visit:
- • Name of the domain you use to access the Internet (for example, aol.com, if you are using an America Online account, or stanford.edu, if you are connecting from Stanford University's domain);
- • Date and time of your visit;
- • Pages you visited; and
- • Address of the Web site you came from when you came to visit.
We use this information for statistical purposes and to help us make our site more useful to visitors. Unless it is specifically stated otherwise, no additional information will be collected about you.
Personally Provided Information:
You do not have to give us personal information to visit our Web sites.
If you choose to provide us with additional information about yourself through an e-mail message, form, survey, etc., we will only maintain the information as long as needed to respond to your question or to fulfill the stated purpose of the communication.
However, all communications addressed to the HHS Secretary or the HHS Webmaster are maintained, as required by law, for historical purposes. These communications are archived on a monthly basis, but are also protected by the Privacy Act which restricts our use of them, yet permits certain disclosures.
HHS does not disclose, give, sell or transfer any personal information about our visitors, unless required for law enforcement or statute.
This site is maintained by the U.S. Government. It is protected by various provisions of Title 18, U.S. Code. Violations of Title 18 are subject to criminal prosecution in federal court.
For site security purposes and to ensure that this service remains available to all users, we employ software programs to monitor traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage. In the event of authorized law enforcement investigations, and pursuant to any required legal process, information from these sources may be used to help identify an individual.
Systems of Records:
Information originally collected in traditional paper systems can be submitted electronically, i.e., electronic commerce transactions and information updates about eligibility benefits. Electronically submitted information is maintained and destroyed pursuant to the Federal Records Act, and in some cases may be subject to the Privacy Act. If information that you submit is to be used in a Privacy Act system of records, there will be a Privacy Act Notice provided.
HHS Data Council's HHS Privacy Committee
For the remainder of this document, the terms “HHS” and “the Department” are used interchangeably.
E-Government Act of 2002, Section 208(c)(2).
OMB Memorandum 03-22, Implementing the Privacy Provisions of the E-Government Act of 2002, Attachment A, Section IV.
E-Government Act of 2002, Section 208(c)(2) reads: “PRIVACY POLICIES IN MACHINE-READABLE FORMATS- The Director shall issue guidance requiring agencies to translate privacy policies into a standardized machine-readable format.” Note also that all websites containing “government information” are required to have a machine-readable policy. “Government information” is defined in OMB Circular A-130 as “information created, collected, processed, disseminated, or disposed of by or for the Federal Government.”
Office of Management and Budget (OMB) Memorandum (M-) 05-04 required compliance with federal website privacy provisions outlined in the E-Government Act of 2002 by December 31, 2005.
Per OMB M-05-08, Designation of Senior Agency Official for Privacy, HHS has designated the HHS CIO as the SAOP. Should this designation change, this Policy will be revised to assign separate roles and responsibilities to both the HHS CIO and SAOP.
“Completed” means the policy can be automatically read by a Web browser, and that all required data elements of the policy are in place; refer to the machine-readable training document for guidance on how to perform these validations: http://intranet.hhs.gov/infosec/docs/education/machine_train/Priv_Machine_Readable_Training.pdf.