GSA: Protect Web users' privacy

The General Services Administration last week signed off on a governmentwide memo urging agencies to place a high priority on protecting the public's privacy on federal World Wide Web sites.

The July 9 memo from Joan Steyaert, GSA's deputy associate administrator for information technology, outlines eight privacy principles that agency officials should apply to the operation of their Web sites. The memo urges agency officials to notify the public with a privacy notice whenever collecting data via the Internet and to use the information only for the purpose for which it was gathered as disclosed in the privacy notice.

GSA wrote the memo to alert agencies that while Web site security and privacy concerns are often lumped together, officials need to pay close attention to protecting privacy when designing Web sites, said Rich Kellett, division director of GSA's Emerging Information Technologies Policies Division.

Many federal agencies in the past two years have come to realize they should craft privacy policies and post privacy notices for Web sites to cover issues such as logs of people who visit the site, the e-mails users send to the Webmaster and other site-specific issues, Kellett said.

For example, the Defense Technical Information Center (DTIC), which manages more than 90 Defense sites, last summer created a privacy policy that requires the sites' managers to destroy all Web logs after 60 days. DTIC developed the policy in response to an increasing number of Freedom of Information Act requests for the logs. The logs record personal data that can be used to identify the user, how the user arrived at the site and the files or services the user requested.

Few agencies, however, realize the need for privacy notices when collecting information directly from the public, Kellett said. The most common examples, he said, are when agencies collect information from the public via surveys posted on a site without also posting a privacy notice detailing how the agency will use the data or when officials use the data for some purpose other than that which is outlined in the privacy notice.

Robert Stephens, Webmaster at the National Cancer Institute, said privacy has been a principal concern for officials during the institute's ongoing redesign of its Web site. Officials plan to post a link to a privacy notice and to fully disclose what data they will gather about users and how they plan to use it. As part of the institute's Web site overhaul, officials will begin using software that will collect information about users via browser "cookies," which allow the Web site to identify the individual accessing their site, and will allow users to opt for automated updates when new information is posted.

However, while these functions provide advanced features that users may be interested in, privacy concerns must be balanced as well, Stephens said. For example, a person newly diagnosed with cancer wants to receive all the information the site can provide without necessarily revealing specifics about his medical status.

"More than most Web sites, we have to take the utmost [privacy] precautions," Stephens said. "The privacy issues are paramount here; on the other hand, people want personalized help. We're trying to balance the natural curiosity of the patients with their need for privacy."

Ari Schwartz, a policy analyst with the Washington, D.C.-based Center for Democracy and Technology, said federal agencies need the privacy guidance contained in the GSA memo, especially in the absence of Web privacy policy or guidance from the Office of Management and Budget.

OMB officials have been planning to release guidelines for federal use of the since late 1996, but none have been published.