Agencies tackle privacy policy

More than half of the 60 agencies reporting to OMB said they have or plan to have machine-readable privacy policies on their Web sites.

More than half of the 60 agencies reporting to Office of Management and Budget officials said that they have or plan to soon have machine-readable privacy policies as mandated under the E-Government Act of 2002.

The E-Gov Act requires agencies to inform officials about the progress of their implementation of privacy provisions, such as machine-readable policies, privacy impact assessments for new or changed technology systems, use of tracking technology and designation of a single privacy official at the agency.

The agencies that complied with that part of the mandate have identified Web site privacy policies that have been or will be translated into a standard computer language readable by the browser, according to OMB's E-Government Act report released to Congress this month. With the machine-readable policies, the browser automatically notifies the user if the site is in line with the user's privacy preferences.

"Other agencies were 'undecided,' [and] indicated they were either examining the field or they were awaiting a recommendation from OMB on what standard to use," the report states.

Although OMB does not endorse one standard, there is only one way to become compliant: use the Platform for Privacy Preferences Project (P3P) developed by the World Wide Web Consortium.

Agency officials are improving their understanding of privacy impact assessments (PIAs), and many plan to post the assessments on their Web sites, according to the report.

OMB officials said agencies should involve program owners and experts in information technology, security, privacy and policy in the crafting of the PIAs. Agency officials indicated they will post the PIAs on the Web sites, unless it would raise security concerns, according to the report.

Of the 60 agencies reporting to OMB, most said they did not use tracking technology, such as persistent cookies, to monitor a Web site visitor's activities. In most cases, this tracking technology is not allowed, unless agencies get permission.

Agencies also had to identify the main officials responsible for privacy issues, and agencies generally designated one official as the point of contact for IT and Web site issues and a second person for policy issues, the report states. Some agencies had three separate officials while others gave all areas of responsibility to a single person.

"OMB is in the process of communicating with the listed individuals to supplement the information provided and develop a contact roster," the report states. "By communicating with all three principals, OMB can ensure that agency privacy officials are part of the agency's capital planning and investment process."
