Seeking to bring the federal government’s websites to parity with those in the private sector, the Office of Management and Budget today issued new guidelines on the use of widely-used web management and customization technologies.
OMB also issued guidance on privacy policies concerning government use of third-party websites and applications.
Michael Fitzpatrick, associate administrator with OMB’s Office of Information and Regulatory Affairs, said during a conference call that the new guidelines update policies set up ten years ago when things like social networking sites, wikis, etc. had not yet even been imagined.
“We revisited this issue through public comment which began last summer,” he said, “We received thousands of helpful comments from the public, through a series of one-on-ones, and outreach meetings with key stakeholders.”
He adds that a request for comment was also issued through the White House Office of Science and Technology Policy.
As outlined by the OMB memorandum, the new guidelines cover two areas:
Personally identifiable information can only be collected from the use of such technologies through opt in, voluntary consent of the user. Before such consent can be given, however, agencies must undergo a 30-day notice and comment period on their proposed use of the information.
As additional protection, the new policy makes clear that under no circumstances can agencies use web measurement and customization technologies: to track a user’s online activity on other websites outside the government; to share the data gathered through the use of such technologies with other departments or agencies unless the user has consented; to cross-reference, without the user’s explicit consent, any information gathered from such technologies against personally identifiable information to determine an individual’s online activity; to collect, in any fashion, personally identifiable information without the user’s explicit consent.
Lastly, agencies will need to conduct an annual review of their compliance with the new policy and post the results of this review online.
Examining the third party’s privacy policies to evaluate the risks and determine whether the website or application is appropriate for the agency’s use. The third party’s policies should be monitored for changes and the risks should be periodically reassessed.
Performing a Privacy Impact Assessment to evaluate the privacy implications, to identify appropriate safeguards, and to ensure that such safeguards are in place. Generally, these assessments should be posted on the agency’s website.
To the extent practicable, providing a Privacy Notice on the specific website or application that the agency is using. The notice should give people an opportunity to understand the agency’s practices before engaging with the agency.
The new guidelines replace previous OMB guidance on the use of these technologies, says Fitzpatrick, who adds that agencies now have the ability to use them to improve the delivery of services to citizens, while at the same time providing certain privacy protection.
The web guidelines, he says, will help agencies update websites to enbable the use of so-called “persistent cookies”, which private sector sites use to create more personalized user experiences.