HHS Machine-Readable Privacy Policy Guide - Substance Abuse ...
HHS Machine-Readable Privacy Policy Guide - Substance Abuse ...
HHS Machine-Readable Privacy Policy Guide - Substance Abuse ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Machine</strong>-<strong>Readable</strong> <strong>Privacy</strong> <strong>Policy</strong> <strong>Guide</strong><br />
US Department of Health and Human Services<br />
2.2.5 OMB Memorandum M-03-22<br />
OMB has provided federal agencies with M-03-22, Guidance for Implementing the<br />
<strong>Privacy</strong> Provisions of the E-Government Act of 2002, September 2003. This guidance<br />
directs agencies to conduct reviews of how they use technology to collect new<br />
information and when they buy or develop new IT systems to handle collecting IIF as<br />
well as website privacy policy content.<br />
M-03-22 indicates that PIAs should be conducted if any of the following nine<br />
circumstances occur:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Conversions. When converting paper-based methods to electronic systems.<br />
Anonymous to Non-Anonymous. When the system’s function, as applied to<br />
an existing information collection, changes anonymous information into IIF.<br />
Significant System Management Changes. When new uses of an existing<br />
IT system, including application of new technologies, significantly change how<br />
information in identifiable form is managed in the system.<br />
Significant Merging. When agencies adopt or alter business processes so<br />
that government databases holding IIF are merged, centralized, matched with<br />
other databases, or otherwise significantly manipulated.<br />
New Public Access. When user-authenticating technology (e.g., password,<br />
digital certificate, biometric) is newly applied to an electronic information<br />
system that members of the public can access.<br />
Commercial Sources. When agencies systematically incorporate into<br />
existing information systems databases of IIF purchased or obtained from<br />
commercial or public sources.<br />
New Interagency Uses. When agencies work together on shared functions<br />
involving significant new uses or exchanges of IIF.<br />
Internal Flow or Collection. When alteration of a business process results<br />
in significant new uses or disclosures of information or incorporation into the<br />
system of additional IIF.<br />
Alteration in Character of Data. When new IIF added to a collection raises<br />
the risks to personal privacy, such as the addition of health or privacy<br />
information.<br />
In addition to the PIA requirements, M-03-22 outlines new and previously<br />
established requirements for privacy policies on agency websites. New content<br />
requirements outlined in M-03-22 include ensuring website privacy policies inform<br />
website visitors of their rights under the <strong>Privacy</strong> Act or other applicable privacy laws<br />
and implementing machine-readable privacy policies on all public websites.<br />
2.2.6 OMB Memorandum 01-05<br />
OMB M-01-05 provides guidance on implementing the Computer Matching and<br />
<strong>Privacy</strong> Protection Act of 1988. M-01-05 states that agencies must “prior to any data<br />
sharing...review and meet the <strong>Privacy</strong> Act requirements for computer matching,<br />
including developing a computer matching agreement and publishing notice of the<br />
Page 13