Cybersecurity & Standards, Privacy & Data
CDT Submits Comments on the Value of and Potential Improvements to Privacy Impact Assessments (PIAs) From Federal Government Agencies
The Center for Democracy & Technology (CDT) is pleased to submit this comment on the value of and potential improvements to Privacy Impact Assessments (PIAs) from federal government agencies. CDT is a nonprofit 501(c)(3) organization that works to advance civil rights and civil liberties in the digital age, including privacy. CDT is supportive of PIAs, both as an analytical tool for risk management and mitigation and as a transparency mechanism for agencies’ use of technologies.
However, PIAs should be improved and expanded to meet the needs of a more expansive technology ecosystem. For instance, taking a data minimization approach to collection and storage where possible can help to mitigate privacy threats, and OMB guidance should include analysis of an agency’s data minimization procedures as part of a PIA. In addition, the categories of data currently required to be reviewed as part of a PIA are not sufficiently robust given the inferential and reidentification capabilities of technology. Seemingly non-identifying data points may be combined to identify individuals in some cases, and PIAs should account for this possibility. Additionally, the utility of a PIA as a transparency tool outlasts the lifespan of the system itself, but many agencies do not maintain historical PIAs for public access. Doing so would strengthen the transparency function of PIAs (and may also provide a library of risks and mitigations that would be useful to other agencies and system deployers).
Beyond improvements to PIAs themselves, OMB could make improvements to the broader transparency and risk mitigation frameworks that PIAs are part of. Given their longevity in supporting transparency around federal data and technology efforts, PIAs offer a relatively consistent and well-used framework by which agencies assess and publicize their technology use cases. However, there is no centralized repository or standard format for PIAs, which makes it difficult to compare PIAs across agencies or to conduct a robust search for particular categories of technology (e.g., cybersecurity, AI, digital identity management) in use across the federal government as a whole.
This ecosystem will be further expanded and complicated by the addition of the federal inventory of AI uses (which are even less consistent and thorough than PIAs) and related analyses like Algorithmic Impact Assessments (AIAs). Therefore, OMB should focus on building a framework and providing guidance that creates a cohesive system of assessments and analyses of government systems, allowing for holistic analysis and easily accessible documentation of the government’s use of data and technology.
Read the full comments here.