New Privacy Rules Under the E-Government Act of 2002
March 4, 2003
In December 2002, President Bush signed “The E-Government
Act of 2002”[1] (the Act) with the goal of bringing the government more fully into
the electronic age and improving public access to e-government services. While
the majority of the Act serves as the federal government’s blueprint for ushering
in a new era of e-government, several of its provisions create significant new
rules for federal agencies that are designed to protect the privacy of citizens
using e-government services. The new rules will not only affect the way federal
agencies interact with the public online but also will significantly impact the
way in which federal agencies transact with companies that sell certain
information technology to federal agencies or perform certain statistical
activities for those agencies.
Although the Act’s privacy implications are the focus of
this article, it is important to note that the Act contains a host of important
new measures including:
• the establishment of a Chief Information Officer
within the Office of Management and Budget (OMB) to promote e-government and
implement government-wide information policy
• the establishment of a Chief Information
Officers Council as the principal interagency forum for improving the use of
government information resources
• the authorization of $345 million over a
four-year period for an e-government fund to support interagency projects and
innovative uses of information technology
• improving upon the federal government’s online
portal
• establishing an online directory of Federal Web
sites and indexes of resources
• requiring federal courts to post opinions online
• funding a federal training center to recruit and
train information technology professionals
Turning to the specific privacy provisions under the Act,
any agency, which includes any executive department, military department,
government corporation, government-controlled corporation,[2] or other
establishment in the executive branch of the government (including the Executive
Office of the President), or any independent regulatory agency,[3] must post
machine-readable privacy policies on its Web site explaining that agency’s
information collection, use and disclosure practices and conduct “privacy
assessments” before developing or procuring information technology that
collects, maintains, or disseminates information that is in an identifiable
form, i.e., in a form that permits the identity of an individual to whom the
information applies to be reasonably inferred by either direct or indirect
means. The Act also prohibits any agency contractor from using or disclosing
confidential information obtained for “statistical purposes” for any reason
other than the statistical purpose for which it was obtained and imposes
significant fines and penalties for unauthorized disclosures.
Agency Privacy Policies
Under Section 208 (c) of the Act, agencies will be required
to post privacy policies pursuant to a guidance developed by the Director of the
OMB. The Act does not impose a deadline for the issuance of that guidance, so it
is unclear just when agencies must comply with the privacy policy requirement.
Any guidance issued must require, however, that an agency
privacy policy explain:
• what information is to be collected
• why the information is being collected
• the intended use of the information
• with whom the information will be shared
• what notice or opportunities for consent would
be provided to individuals regarding what information is collected and how that
information is shared
• how the information will be secured, and
• the rights of the individual under the Privacy
Act[4] and other laws relevant to the protection of the privacy of an individual
Agency Privacy Assessments
Under Section 208 (a)-(b) of the Act, agencies will be
required to conduct privacy assessments before developing or procuring
information technology[5] that collects, maintains, or disseminates information
that is in an identifiable form. The agency privacy assessments are subject to
review by the Chief Information Officer of the agency procuring the technology
or the equivalent official, as determined by the head of the agency.
Exactly what information must be reviewed during a privacy
assessment remains to be seen and is to be determined by the Director of the OMB
in the form of a guidance. As with agency privacy policies, the Act does not
impose a deadline for the issuance of that guidance. Any guidance by the
director must ensure, however, that a privacy impact assessment is commensurate
with the size of the information system being assessed, the sensitivity of
information that is in an identifiable form in that system, and the risk of harm
from unauthorized release of that information. The privacy impact assessment
also must address:
• what information is to be collected
• why the information is being collected
• the agency’s intended use of the
information
• with whom the information will be shared
• what notice or opportunities for consent would
be provided to individuals regarding what information is collected and how that
information is shared
• how the information will be secured
• whether a system of records is being created
under the Privacy Act
After the completion of the review, if practicable,
agencies are required to make the privacy impact assessment publicly available
through the agency Web site, publication in the Federal Register, or other
means. The disclosure requirement may be modified or waived for security
reasons, or to protect classified, sensitive or private information contained in
an assessment. Notably, however, any complete waiver of the disclosure
requirement seems to be impossible because it would contradict the requirements
for agency Web site privacy policies. Much of the content that must be included
in a privacy assessment is identical to the content that must be included in an
agency Web site privacy policy.
Non-Disclosure of Information Obtained Exclusively for
Statistical Purposes
Sections 501-526 of the Act, also known as the “Confidential
Information Protection and Statistical Efficiency Act of 2002,” create
stringent fees and penalties for companies that obtain any data or information
acquired by an agency under a pledge of confidentiality and for exclusively
statistical purposes[6] and disclose that information in any manner to a person or
agency not entitled to receive it. Violators will be guilty of a class E felony
and imprisoned for not more than 5 years, or fined not more than $250,000, or
both.
What You Should Do If You’re Doing Business with the
Federal Government
The E-Government Act of 2002 is an important piece of
legislation for companies doing business with the federal government. Privacy
professionals will want to evaluate whether their company does or will do
business with an entity that qualifies as an “agency” under the Act, and, if so,
the nature of that business.
Companies performing activities for agencies that involve
the use of information obtained by an agency for “statistical purposes” will
want to carefully consider their internal operations and whether measures should
be taken to minimize potential liability under the Act through, for example,
internal training and a review of internal policies and procedures.
To the extent “information technology” is being sold to any “agency,” where
all or potentially any part of that technology can be deemed to “collect,
maintain or disseminate information that is in an identifiable form,” privacy
professionals and their colleagues handling government contracts will want to
carefully consider the variety of potential implications that the Act may have
on their business. For example, companies will want to ensure, through
closer coordination between company representatives and government procurement
officers, that any sensitive or confidential information concerning information
technology that is proprietary to the company, or licensed by a third party to
the company, is protected from disclosure, whether through an agency web site
privacy policy or any other medium. In addition, companies should expect
further delays in the procurement process and should factor those delays into
the procurement timetable and procurement costs.
For more information, contact Edward Naughton, toll free, at
1-888-688-8500.
_____________________
[1] The E-Government Act of 2002, Pub. L. No. 107-347.
[2] Under the Government Corporation Control Act (GCCA), 31
U.S.C. §§ 9101-10, a “government corporation” means “a mixed-ownership
government corporation or a wholly owned government corporation.” Examples of a
“government corporation” are the Central Bank for Cooperatives; the Federal
Deposit Insurance Corporation; the Federal Home Loan Banks; the Federal
Intermediate Credit Banks; the Federal Land Banks; the National Credit Union
Administration Central Liquidity Facility; the Regional Banks for Cooperatives;
the Financing Corporation; the Resolution Trust Corporation; the Resolution
Funding Corporation; the Commodity Credit Corporation; the Community Development
Financial Institutions Fund; the Export-Import Bank of the United States; the
Federal Crop Insurance Corporation; Federal Prison Industries, Incorporated; the
Corporation for National and Community Service; the Government National Mortgage
Association; the Overseas Private Investment Corporation; the Tennessee Valley
Authority; and the Panama Canal Commission.
[3] Under the Act, the term “agency” does not include the
General Accounting Office; Federal Election Commission; the governments of the
District of Columbia and of the territories and possessions of the United
States, and their various subdivisions; or Government-owned contractor-operated
facilities, including laboratories engaged in national defense research and
production activities.
[4] 15 U.S.C. § 552.
[5] Under 40 U.S.C. § 1401, the term “information
technology” means any equipment or interconnected system or subsystem of
equipment, that is used in the automatic acquisition, storage, manipulation,
management, movement, control, display, switching, interchange, transmission, or
reception of data or information by the agency. Equipment is used by an agency
if the equipment is used by the agency directly or is used by a contractor under
a contract with the agency which (i) requires the use of such equipment, or (ii)
requires the use, to a significant extent, of such equipment in the performance
of a service or the furnishing of a product. (B) The term “information
technology” includes computers, ancillary equipment, software, firmware and
similar procedures, services (including support services), and related
resources. (C) Notwithstanding subparagraphs (A) and (B), the term “information
technology” does not include any equipment that is acquired by a Federal
contractor incidental to a Federal contract. “Information Technology” does not
include national security systems as defined in 40 U.S.C. § 1452.
[6] Under Section 502 of the Act, “statistical purpose” (a)
means the description, estimation, or analysis of the characteristics of groups,
without identifying the individuals or organizations that comprise such groups;
and (b) includes the development, implementation, or maintenance of methods,
technical or administrative procedures, or information resources that support
the purposes described in subparagraph (a).