The Office of Management and Budget has been quietly ramping up its privacy requirements. Since the security scare of having a Veteran Affairs laptop containing the personal information of 26.5 million veteran and active-duty military stolen was resolved, OMB has offered no less than six memos related to privacy:
M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 25, 2007) (43 pages, 251 kb);
M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007) (22 pages, 228 kb);
Recommendations for Identity Theft Related Data Breach Notification (September 20, 2006) (12 pages, 1,903 kb);
M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 17, 2006) (42 pages, 301 kb);
M-06-19, Reporting Incidents Involving Personally Identifiable Information Incorporating the Cost for Security in Agency Information Technology Investments (July 12, 2006) (2 pages, 41 kb);
M-06-15, Safeguarding Personally Identifiable Information (May 22, 2006) (2 pages, 50 kb).
And on Friday they issued an eighth memo:
M-08-09, New FISMA Privacy Reporting Requirements for FY 2008 (January 18, 2008). Among other things, this guidance requires agencies to report on privacy issues including those that are not covered by the Privacy Act.
While this is a positive step and shows that OMB is indeed beginning to show real leadership on privacy issues (in contrast to GAO’s June 2003 report entitled Privacy Act: OMB Leadership Needed to Improve Agency Compliance), CDT is still urging OMB to move forward, including efforts toward best practices for privacy impact assessments (PIAs) as we explained in our recent testimony on E-Government Act Reauthorization in front of the Senate Homeland Security and Government Affairs Committee. OMB has been supportive of the passage of this legislation, but could move forward with best practices even without it.