Protecting Privacy and Security
Privacy is a key concern of all. Ensuring that our Personally Identifiable Information (PII) is protected, via strong IT Governance, Risk Management and Security programs, while it is collected, stored, used and finally destroyed or deleted by those we’ve entrusted with it, is a key tenet of modern society. This is true whether the information is in digital form or otherwise. A previous blog discussed this key relationship of privacy, security, risk management and IT Governance in detail. In order to see how privacy protections align with security in a governance framework, it's important to understand the collection of privacy laws and policies that help agencies protect PII. One of the key privacy policies, Office of Management & Budget (OMB) Circular A-130, is currently being updated; its privacy and security provisions will be brought up to date to address new privacy policy around cloud, mobile, internet of things and other technologies, but the basic requirements by which agencies protect the public's information will endure.
Privacy has been a fundamental requirement of Federal agencies, employees, contractors and contractor employees since the Privacy Act was enacted on December 31, 1974 (5 U.S.C. § 552a). The Act’s enduring provisions embody many fundamental tenets of privacy law, including a:
- Code of Fair Information Practice that governs the collection, maintenance, use and dissemination of PII about individuals that is maintained in systems of records by federal agencies. (A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.)
- Requirement that agencies give the public notice of their systems of records by publication in the Federal Register.
- Prohibition of the disclosure of information from a system of records without the written consent of the subject individual, unless the disclosure is pursuant to one of twelve statutory exceptions.
- Provision to individuals of a means by which they can review the agency’s record and request an amendment to correct information in a record pertaining to the individual.
The Act also sets forth various additional record-keeping requirements and requires the agency to have in place an administrative and physical security system to prevent the unauthorized release of personal records.
The Computer Matching and Privacy Protection Act of 1988, P.L. 100-503, amended the Privacy Act of 1974 by adding certain protections to records used in automated matching programs. These protections have been mandated to ensure procedural uniformity in carrying out matching programs, due process for subjects in order to protect their rights, and oversight of matching programs by Data Integrity Boards at each agency engaging in matching to monitor matching activities.
Office of Management and Budget Circular No. A-130, Management of Federal Information Resources -- soon to be updated with a revision that strengthens and clarifies protections for security and privacy -- establishes policy for the management of Federal information resources, and includes procedural and analytic guidelines for implementing specific aspects of these policies as appendices. Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals, describes agency responsibilities for implementing the reporting and publication requirements of the Privacy Act. The Appendix states that the head of each agency is responsible for ensuring that reviews are conducted as often as required and reporting the results of such reviews and the corrective action taken to resolve problems uncovered. This includes Biennial Privacy Act Reports; Biennial Computer Matching Activity Reports; New and Altered System of Records Reports; and New or Altered Computer Matching Program Reports. OMB’s guidance also requires agencies to publish notices or rules in the Federal Register in the following circumstances: when adopting a new or altered system of records, when adopting a routine use, when adopting an exemption for a system of records, or when proposing to carry out a new or altered matching program.
The National Institute of Standards and Technology’s (NIST’s) Framework for Improving Critical Infrastructure Cybersecurity includes a “Methodology to Protect Privacy and Civil Liberties” (Section 3.5), which specifically addresses individual privacy and civil liberties implications that may result from cybersecurity operations. This methodology contains a general set of considerations and processes since privacy and civil liberties implications may differ by sector or over time, and organizations may address these considerations and processes with a range of technical implementations.
The NIST Framework focuses on using business drivers to guide cybersecurity activities, and also stresses that privacy and civil liberties implications may arise when personal information is used, collected, processed, maintained or disclosed in connection with the organization’s cybersecurity activities. To address privacy implications, organizations may consider how, in circumstances where such measures are appropriate, their cybersecurity program might incorporate privacy principles such as:
- data minimization in the collection, disclosure, and retention of personal information material related to a cybersecurity incident;
- use limitations outside of cybersecurity activities on any information collected specifically for cybersecurity activities;
- transparency for certain cybersecurity activities;
- individual consent and redress for adverse impacts arising from use of personal information in cybersecurity activities; and
- data quality, integrity and security and accountability, and auditing.
The framework also discusses the following processes and activities that may be considered as a means to address privacy and civil liberties implications: governance of cybersecurity risk; approaches to identifying and authorizing individuals to access organizational assets and systems; awareness and training measures; anomalous activity detection and system and assets monitoring; and response activities, including information sharing or other mitigation efforts. In addition, Table 2: Framework Core, addresses the issue of privacy and civil liberties under the Governance (ID.GV) Category, Subcategory ID.GV-3 and states: “Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed.”
NIST’s Special Publication (SP) 800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations, provides technology-, process-, policy- and people-specific controls for each of the applicable families of controls outlined in “Appendix J PRIVACY CONTROL CATALOG: PRIVACY CONTROLS, ENHANCEMENTS, AND SUPPLEMENTAL GUIDANCE”. This appendix specifically provides a structured set of controls for protecting privacy and serves as a roadmap for organizations to use in identifying and implementing privacy controls across the entire life cycle of PII, whether in paper or electronic form. NIST SP 800-53r4 was developed by an Interagency Working Group with representatives from the Civilian, Defense, and Intelligence Communities, in an ongoing effort to produce a unified information security framework for the federal government, and is thus applicable to all federal agencies.
NIST SP 800-53r4, Appendix J, states that protecting an individual’s privacy in accordance with the Privacy Act requires a balance of the government’s need to collect information from an individual with a citizen’s right to be notified as to how that information is being used, collected, maintained and disposed of after its use – this balance is a fundamental responsibility of the federal government. Appendix J also notes that privacy protections include the principles of transparency, notice and choice, and provides a structured set of controls which focus on information privacy as a value distinct from, but highly interrelated with, information security. These controls include administrative, technical and physical safeguards employed within organizations to protect and ensure the proper handling of PII. The privacy controls in this Appendix stem from the Fair Information Practice Principles (FIPPs) which are widely accepted in the U.S. and internationally as a general framework for privacy.
Table J-1: Summary of Privacy Controls by Family, contains the eight privacy control families, each aligning with one of the FIPPs: Authority and Purpose; Accountability, Audit, and Risk Management; Data Quality and Integrity; Data Minimization and Retention; Individual Participation and Redress; Security; Transparency; and Use Limitation. The privacy families can be implemented at the organization, department, agency, component, office, program, or information system level. Under the leadership and oversight of the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO) and in coordination with the Chief Information Security Officer, Chief Information Officer, risk executives, program officials, legal counsel, developers/integrators, and others as appropriate, these officials determine how best to incorporate effective privacy protections and practices (i.e., controls) within organizational programs and information systems and the environment in which they operate.
The privacy controls facilitate the organization’s efforts to comply with privacy requirements affecting organizational programs and/or systems that collect, use, maintain, share or dispose of PII or other activities that raise privacy risks. The privacy controls in Appendix J are selected and implemented based on the privacy requirements of organizations and the need to protect PII of individuals in accordance with federal privacy legislation, policies, directives, regulations, guidelines and best practices. Organizations analyze and apply each privacy control with respect to their distinct mission/business and operational needs based on their legal authorities and obligations and as a result their implementation of the privacy controls may vary based upon this analysis (e.g., organizations defined as covered entities per the Health Insurance Portability and Accountability Act (HIPAA) may have additional requirements specified by the Department of Health and Human Services).
Organizations are required to document their agreed upon privacy controls. These privacy controls are documented in Privacy Impact Assessments (PIAs) and System of Record Notices (SORNs). In addition, at the discretion of the implementing organization, privacy controls may be documented in a distinct privacy plan or incorporated into other risk management documents (e.g., system security plans). Organizations also establish appropriate assessment methodologies to determine the extent to which the privacy controls are implemented correctly, operating as intended and producing the desired outcomes with respect to the organization’s privacy requirements. These assessments can be conducted by the SAOP/CPO alone or jointly with the other organizational risk management offices, including the information security office.
The Federal CIO Council also hosts a Privacy Community of Practice. A key reference document produced by this group is Best Practices: Elements of a Federal Privacy Program, issued in 2010. This document serves as a best practices guide to help federal organizations implement and sustain privacy awareness and stewardship. It states that “a strong and multi-faceted privacy program will help ensure that organizations consider privacy protections and controls when first making business decisions involving the collection, use, sharing, retention, disclosure, and destruction of PII, whether in paper or electronic form.” The seven elements described in this document provide the basis for a robust federal privacy program. The elements are leadership, privacy risk management and compliance documentation, information security, incident response, notice and redress for individuals, privacy training and awareness, and accountability. These seven elements can also influence business decisions involving the use of new technologies or other interactions with the public, contractors, or employees that may not involve the collection and use of PII but may nonetheless raise privacy risks or concerns (e.g., the use of surveillance cameras, global positioning systems, or body imaging screening devices).
As a last point of reference, the President signed Executive Order (EO) 13179 establishing The Federal Privacy Council (Privacy Council) on February 9, 2016. This EO designated the Privacy Council as the principal interagency forum to improve the Government privacy practices of agencies and entities acting on their behalf, and to help Senior Agency Officials for Privacy at agencies better coordinate and collaborate, educate the Federal workforce, and exchange best practices. The Chair of the Privacy Council shall be the Deputy Director for Management of the Office of Management and Budget. The Privacy Council was established to:
- develop recommendations for the Office of Management and Budget on Federal Government privacy policies and requirements;
- coordinate and share ideas, best practices, and approaches for protecting privacy and implementing appropriate privacy safeguards;
- assess and recommend how best to address the hiring, training, and professional development needs of the Federal Government with respect to privacy matters; and
- perform other privacy-related functions, consistent with law, as designated by the Chair.
This EO requires each Federal Agency to establish an interagency support structure that:
- builds on existing interagency efforts to protect privacy and provides expertise and assistance to agencies;
- expands the skill and career development opportunities of agency privacy professionals;
- improves the management of agency privacy programs by identifying and sharing lessons learned and best practices; and
- promotes collaboration between and among agency privacy professionals to reduce unnecessary duplication of efforts and to ensure the effective, efficient, and consistent implementation of privacy policy Government-wide.
It also required that the Head of each Agency designate or re-designate a Senior Agency Official for Privacy with the experience and skills necessary to manage an agency-wide privacy program.
Thus, within a secure enterprise, privacy provides specific controls to ensure that only properly designated personnel access information governed under privacy laws, and to protect an individual’s ability to determine how their personal information is collected, used, stored, and disclosed. Information security and IT Governance directly impact the success of a privacy program. Privacy cannot exist without information security, and privacy must be considered in all information security programs.