The IT Law Wiki

Overview

The Office of Management and Budget (OMB)[1] is a U.S. Executive Branch agency that assists the President in overseeing the preparation of the federal budget and supervises its administration in Executive Branch agencies. The OMB evaluates the effectiveness of agency programs, policies, and procedures, assesses competing funding demands among agencies, and sets funding priorities. OMB ensures that agency reports, rules, testimony, and proposed legislation are consistent with the President's Budget and with Administration policies.

In addition, OMB oversees and coordinates the Administration's procurement, financial management, information, and regulatory policies. In each of these areas, OMB's role is to help improve administrative management, to develop better performance measures and coordinating mechanisms, and to reduce any unnecessary burdens on the public.

Information security

The Federal Information Security Management Act of 2002 (FISMA) states that the Director of the OMB shall oversee agency information security policies and practices, including:

FISMA also requires OMB to report to Congress no later than March 1 of each year on agency compliance with the requirements of the Act.

Privacy

OMB is tasked with providing guidance to agencies on how to implement the provisions of the Privacy Act of 1974 and the E-Government Act of 2002 and has done so, beginning with guidance on the Privacy Act, issued in 1975. The guidance explains the various provisions of the law and gives detailed instructions on how to comply. OMB’s guidance on implementing the privacy provisions of the E-Government Act of 2002 identifies circumstances under which agencies must conduct privacy impact assessments (PIAs) and explains how to conduct them.

OMB Privacy Memoranda

A number of OMB memoranda have also addressed the roles and responsibilities of senior privacy officials.

  • In 1999, OMB required agencies to designate a senior official to assume primary responsibility for privacy policy.[2]
  • OMB later reiterated this requirement in its guidance on compliance with the E-Government Act of 2002, in which it directed agency heads to designate an appropriate senior official with responsibility for the coordination and implementation of OMB Web and privacy policy and to serve as the agency’s principal contact for privacy policies.[3]
  • In 2005, OMB directed agencies to designate a senior agency official for privacy (SAOP) with agency-wide responsibility for information privacy issues and with responsibility for specific privacy functions, including ensuring agency compliance with all federal privacy laws, playing a central policy-making role in the development of policy proposals that implicate privacy issues, and ensuring that contractors and employees are provided with adequate privacy training.[4]

OMB Privacy Guidance

Since its 1975 OMB Privacy Act Implementation, Guidelines and Responsibilities, OMB has periodically issued guidance related to privacy addressing specific issues as they have arisen.[5]

Beginning in 2005, OMB has also issued guidance significantly enhancing longstanding requirements for agencies to report on their compliance with privacy laws.[6]

  • OMB’s 2005 guidance directed agencies to add a new section addressing privacy to their annual reports under the Federal Information Security Management Act (FISMA).[7] SAOPs were assigned responsibility for completion of this section, in which they were to report on such things as agency policies and procedures for the conduct of PIAs, agency policies for ensuring adequate privacy training, as well as their own involvement in agency regulatory and policy decisions.

Senior Office Privacy Responsibilities

These laws and guidance set a variety of requirements for senior officials to carry out specific privacy responsibilities. These responsibilities can be grouped into the following six key functions:

  • Policy consultation. Relevant laws direct senior privacy officials to actively participate in the development and evaluation of privacy-sensitive agency policy decisions. Several specifically task the SAOP with evaluating legislative and regulatory proposals or periodically reviewing agency actions affecting privacy. As agencies develop new policies, senior officials responsible for privacy issues play a key role in identifying and mitigating potential privacy risks prior to finalizing a particular policy decision. Moreover, OMB directed agency SAOPs to undertake a central role in the development of policy proposals that implicate privacy issues.
  • Privacy reporting. Agency senior privacy officials are often required to prepare periodic reports to ensure transparency about their activities and compliance with the law. Many laws reviewed required agencies to produce periodic privacy reports to agency stakeholders and Congress. OMB also requires agency SAOPs to report on their privacy activities as part of their annual FISMA reports, including such measures as their total numbers of systems of records, the number of written privacy complaints they have received, and whether a senior official has responsibility for all privacy-related activities.
  • Redress. With regard to federal agencies, the term “redress” generally refers to an agency’s complaint resolution process, whereby individuals may seek resolution of their concerns about an agency action. Specifically, in the privacy context, redress refers to processes for handling privacy inquiries and complaints as well as for allowing citizens who believe that agencies are storing and using incorrect information about them to gain access to and correct that information. The Privacy Act of 1974 requires that all agencies, with certain exceptions, allow individuals access to their records and the ability to have inaccurate information corrected. Several recent laws also direct senior privacy officials at specific agencies to provide redress by ensuring that they have adequate procedures for investigating and addressing privacy complaints by individuals. Several laws also provide for attention to privacy in a broader context of civil liberties protection.
  • Privacy training. Privacy training is critical to ensuring that agency employees and contractor personnel follow appropriate procedures and take proper precautions when handling personally identifiable information. For example, the Transportation, Treasury, Independent Agencies and General Appropriations Act of 2005 requires senior privacy officials at covered agencies to ensure that employees have adequate privacy training. OMB also requires agency SAOPs to ensure that employees and contractors receive privacy training.

In addition to these key privacy functions, the laws impose responsibilities to ensure adequate security safeguards against unauthorized access, use, disclosure, and destruction of sensitive personal information. Generally, this is provided through agency information security programs established under FISMA and overseen by agency CIOs and chief information security officers (CISOs). Moreover, OMB has issued guidance instructing agency heads to establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records.

References

  1. The OMB was known as the "Bureau of the Budget" prior to July 1, 1970.
  2. Office of Management and Budget, OMB Instructions on Complying with President’s Memorandum of May 14, 1998, “Privacy and Personal Information in Federal Records”, OMB Memorandum M-99-05 (Jan. 7, 1999).
  3. Office of Management and Budget, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, OMB Memorandum M-03-22 (Sept. 26, 2003).
  4. Office of Management and Budget, Designation of Senior Agency Officials for Privacy, OMB Memorandum M-05-08 (Feb. 11, 2005).
  5. Nearly all of this guidance can be found on the OMB website, www.whitehouse.gov/omb, by searching in the “Agency Information” and “Information and Regulatory Affairs” sections of the website.
  6. Office of Management and Budget, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, OMB Memorandum M-05-15 (June 13, 2005).
  7. FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec. 17, 2002).
  8. Office of Management and Budget, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, OMB Memorandum M-06-20 (July 17, 2006).
  9. Office of Management and Budget, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, OMB Memorandum M-07-19 (July 25, 2007).
