OMB orders feds to post privacy notice

The Office of Management and Budget last week directed agencies and departments to post clear privacy policies on the home pages of their World Wide Web sites by Sept. 1.

The policies must inform visitors to federal Web sites what information the agency collects, why it is collected and how the agency plans to use it, OMB Director Jacob Lew wrote in a memo to the heads of departments and agencies last week.

Lew also set Dec. 1 as a deadline for agencies to add privacy policies on other government sites that link to their home pages.

Only about 50 Web sites, those of Cabinet-level departments and the major agencies, must comply with the first deadline, but the Dec. 1 deadline affects thousands of government sites and Web pages in which agencies collect substantial amounts of information.

The General Services Administration issued a governmentwide memo last summer offering guidance on protecting the public's privacy on federal Web sites and urging officials to post privacy policies, but last week was the first time a requirement was issued.

Lew's memo stressed that posting a privacy policy helps ensure that individuals are notified and have a choice about how their personal information is handled. Lew also noted that new laws, particularly the Government Paperwork Elimination Act, will increase the number of times the public accesses agencies' Web sites.

In addition to the directive, Lew's memo included guidance designed to help agencies write or rewrite their Web privacy policies. The guidance was developed by a steering committee formed after Peter Swire was appointed in March as chief counselor for privacy, a new position within OMB.

"This is the kind of document we were hoping would be created," said Ari Schwartz, a policy analyst with the Center for Democracy and Technology, an advocacy group that follows information technology issues in Washington, D.C.

In April, the CDT issued a report that found that of 46 executive branch agencies studied, nearly half had not posted a discernible privacy policy, and eight had policies that were difficult to find. Ruth Doerflein, Internet/intranet program manager at the Department of Health and Human Services, said OMB's directive means technicians will have to implement many revisions at the more than 500 sites run by HHS and the numerous agencies and offices within the department.

"We do have to come up with something better for our hhs.gov site," said Doerflein, who was a member of the steering committee. HHS added a privacy policy notice to its site the same day the CDT issued its report.

Beyond that, there will have to be customization at other sites, and the boilerplates provided in the guidance will help with that task, Doerflein said. But she also pointed out that every page that includes a form or an e-mail address or that offers users a chance to submit any information - their opinion, their e-mail address, a credit card number - will have to have a separate privacy policy.

"That's why this is such a big deal. The agencies will have to look at each one of the technical impacts," Doerflein said.

Schwartz called the guidance "quite good. We'll have to see what happens in September, but certainly for getting agencies to understand how important privacy is, this document lays that out very clearly."

Roger Baker, chief information officer at the Commerce Department, said Commerce's home page privacy policy probably will be revised based on the OMB guidance, adding that more than a thousand sites within the agency will have to be reviewed. Some sites will require simple statements telling users no information is collected, but the policies of other sites, such as the one run by the National Ocean Service, which collects credit card numbers and other information from customers who buy information and services, will need more retooling.

Baker said it is important that federal agencies, especially Commerce, which oversees much of the activity of the business world, lead by example on Web privacy matters.

"We are the agency that's really driving the need for privacy policies in the private sector, so it's really important for us to have them on our Web sites," Baker said.

Lew's memo reminded agency heads that under the 1974 Privacy Act, federal agencies must notify individuals whenever it collects information from them and must protect their right to privacy.

But legislators could not anticipate the development of the Internet, and therefore the Privacy Act does not explicitly require privacy notices on Web sites, said Frank Reeder, one of the authors of the Privacy Act and now a consultant on technology and public policy issues in Arlington, Va.

"What OMB is now doing, and I think quite properly, is encouraging agencies to adopt a sound practice, and that is to let people know the extent to which information being gathered is being used," Reeder said.