Overview
The Office of Management and Budget (OMB)[1] is a U.S. Executive Branch agency that assists the President in overseeing the preparation of the federal budget and supervises its administration in Executive Branch agencies. The OMB evaluates the effectiveness of agency programs, policies, and procedures, assesses competing funding demands among agencies, and sets funding priorities. OMB ensures that agency reports, rules, testimony, and proposed legislation are consistent with the President's Budget and with Administration policies.
In addition, OMB oversees and coordinates the Administration's procurement, financial management, information, and regulatory policies. In each of these areas, OMB's role is to help improve administrative management, to develop better performance measures and coordinating mechanisms, and to reduce any unnecessary burdens on the public.
Information security
The Federal Information Security Management Act of 2002 (FISMA) states that the Director of the OMB shall oversee agency information security policies and practices, including:
- developing and overseeing the implementation of policies, principles, standards, and guidelines on information security;
- requiring agencies to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of an agency, or information systems used or operated by an agency, or by a contractor of an agency, or other organization on behalf of an agency;
- overseeing agency compliance with FISMA; and
- reviewing at least annually, and approving or disapproving, agency information security programs.
FISMA also requires OMB to report to Congress no later than March 1 of each year on agency compliance with the requirements of the Act.
Privacy
OMB is tasked with providing guidance to agencies on how to implement the provisions of the Privacy Act of 1974 and the E-Government Act of 2002 and has done so, beginning with guidance on the Privacy Act, issued in 1975. The guidance provides explanations for the various provisions of the law as well as detailed instructions on how to comply. OMB’s guidance on implementing the privacy provisions of the E-Government Act of 2002 identifies circumstances under which agencies must conduct privacy impact assessments (PIAs) and explains how to conduct them.
OMB Privacy Memoranda
A number of OMB memoranda have also addressed the roles and responsibilities of senior privacy officials.
- In 1999, OMB required agencies to designate a senior official to assume primary responsibility for privacy policy.[2]
- OMB later reiterated this requirement in its guidance on compliance with the E-Government Act of 2002, in which it directed agency heads to designate an appropriate senior official with responsibility for the coordination and implementation of OMB Web and privacy policy and to serve as the agency’s principal contact for privacy policies.[3]
- In 2005, OMB directed agencies to designate a senior agency official for privacy (SAOP) with agency-wide responsibility for information privacy issues and with responsibility for specific privacy functions, including ensuring agency compliance with all federal privacy laws, playing a central policy-making role in the development of policy proposals that implicate privacy issues, and ensuring that contractors and employees are provided with adequate privacy training.[4]
OMB Privacy Guidance
Since issuing its 1975 OMB Privacy Act Implementation, Guidelines and Responsibilities, OMB has periodically issued privacy-related guidance addressing specific issues as they have arisen.[5]
Since 2005, OMB has also issued guidance significantly enhancing longstanding requirements for agencies to report on their compliance with privacy laws.[6]
- OMB’s 2005 guidance directed agencies to add a new section addressing privacy to their annual reports under the Federal Information Security Management Act (FISMA).[7] SAOPs were assigned responsibility for completion of this section, in which they were to report on such things as agency policies and procedures for the conduct of PIAs, agency policies for ensuring adequate privacy training, as well as their own involvement in agency regulatory and policy decisions.
- In 2006, OMB issued further guidance requiring agencies to include as part of their FISMA reports a section addressing measures for protecting personally identifiable information. This guidance also required that agencies provide OMB with quarterly privacy updates and report all incidents relating to the loss of or unauthorized access to personally identifiable information.[8]
- Most recently, OMB directed agencies in 2007 to include in their FISMA reports additional items, such as their data breach notification policies, plans to eliminate unnecessary use of Social Security Numbers, and plans for reviewing and reducing their holdings of personally identifiable information.[9]
Senior Official Privacy Responsibilities
These laws and guidance set a variety of requirements for senior officials to carry out specific privacy responsibilities. These responsibilities can be grouped into the following six key functions:
- Conduct of privacy impact assessments (PIAs). A PIA is an analysis of how personal information is collected, stored, shared, and managed in a federal system, and is required before developing or procuring information technology that collects, maintains, or disseminates information that is in a personally identifiable form. Several laws assign privacy officials at covered agencies responsibilities that are met in part by performing PIAs on systems that collect, process, or store personally identifiable information. This includes the requirements for several agencies to ensure that “technologies sustain and do not erode privacy protections.” Furthermore, OMB guidance requires agency SAOPs to ensure compliance with federal laws, regulations, and policies relating to information privacy, such as the E-Government Act of 2002, which spells out agency PIA requirements.
- Privacy Act compliance. The Privacy Act of 1974 sets a variety of requirements for all federal agencies regarding privacy protection. For example, the Act requires that when agencies establish or make changes to a system of records, they must notify the public by a notice in the Federal Register, identifying, among other things, the type of data collected, the types of individuals about whom information is collected, the intended “routine” use of the data, and procedures that individuals can use to review and correct personal information. Several other laws explicitly direct agency privacy officials to ensure that the personal information contained in their Privacy Act systems of records is handled in compliance with fair information practices as set out in the Act. Further, OMB guidance assigns agency SAOPs responsibility for ensuring Privacy Act compliance.
- Policy consultation. Relevant laws direct senior privacy officials to actively participate in the development and evaluation of privacy-sensitive agency policy decisions. Several specifically task the SAOP with evaluating legislative and regulatory proposals or periodically reviewing agency actions affecting privacy. As agencies develop new policies, senior officials responsible for privacy issues play a key role in identifying and mitigating potential privacy risks prior to finalizing a particular policy decision. Moreover, OMB directed agency SAOPs to undertake a central role in the development of policy proposals that implicate privacy issues.
- Privacy reporting. Agency senior privacy officials are often required to prepare periodic reports to ensure transparency about their activities and compliance with the law. Many of the laws reviewed require agencies to produce periodic privacy reports for agency stakeholders and Congress. OMB also requires agency SAOPs to report on their privacy activities as part of their annual FISMA reports, including such measures as their total numbers of systems of records, the number of written privacy complaints they have received, and whether a senior official has responsibility for all privacy-related activities.
- Redress. With regard to federal agencies, the term “redress” generally refers to an agency’s complaint resolution process, whereby individuals may seek resolution of their concerns about an agency action. Specifically, in the privacy context, redress refers to processes for handling privacy inquiries and complaints as well as for allowing citizens who believe that agencies are storing and using incorrect information about them to gain access to and correct that information. The Privacy Act of 1974 requires that all agencies, with certain exceptions, allow individuals access to their records and the ability to have inaccurate information corrected. Several recent laws also direct senior privacy officials at specific agencies to provide redress by ensuring that they have adequate procedures for investigating and addressing privacy complaints by individuals. Several laws also provide for attention to privacy in a broader context of civil liberties protection.
- Privacy training. Privacy training is critical to ensuring that agency employees and contractor personnel follow appropriate procedures and take proper precautions when handling personally identifiable information. For example, the Transportation, Treasury, Independent Agencies and General Appropriations Act of 2005 requires senior privacy officials at covered agencies to ensure that employees have adequate privacy training. OMB also requires agency SAOPs to ensure that employees and contractors receive privacy training.
Beyond these key privacy functions, requirements in the laws include responsibilities to ensure adequate security safeguards to protect against unauthorized access, use, disclosure, and destruction of sensitive personal information. Generally, this is provided through agency information security programs established under FISMA and overseen by agency CIOs and chief information security officers (CISOs). Moreover, OMB has issued guidance instructing agency heads to establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records.
References
- [1] The OMB was known as the "Bureau of the Budget" prior to July 1, 1970.
- [2] Office of Management and Budget, OMB Instructions on Complying with President’s Memorandum of May 14, 1998, “Privacy and Personal Information in Federal Records”, OMB Memorandum M-99-05 (Jan. 7, 1999).
- [3] Office of Management and Budget, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, OMB Memorandum M-03-22 (Sept. 26, 2003).
- [4] Office of Management and Budget, Designation of Senior Agency Officials for Privacy, OMB Memorandum M-05-08 (Feb. 11, 2005).
- [5] Nearly all of this guidance can be found on the OMB website, www.whitehouse.gov/omb, by searching in the “Agency Information” and “Information and Regulatory Affairs” sections of the website.
- [6] Office of Management and Budget, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, OMB Memorandum M-05-15 (June 13, 2005).
- [7] FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec. 17, 2002).
- [8] Office of Management and Budget, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, OMB Memorandum M-06-20 (July 17, 2006).
- [9] Office of Management and Budget, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, OMB Memorandum M-07-19 (July 25, 2007).
See also
- Guidance for Regulation of Artificial Intelligence Applications
- Office of Management and Budget "Breach Notification Policy"
- OMB Circular No. A-16
- OMB Circular No. A-130
- OMB, Guidelines for Ensuring and Maximizing the Quality, Objectivity, Utility, and Integrity of Information Disseminated by Federal Agencies; Republication
- OMB Memoranda
- OMB, Recommendations for Identity Theft Related Data Breach Notification