Hey there, it's Chris Stevens. I am the privacy gremlin. I'm also the InfoSec Institute instructor for its Information Privacy Essentials for Cybersecurity Professionals course. As I always state, [inaudible] InfoSec Institute also was providing this training to any professional that seeks to learn more about information privacy and data protection as it might apply to their specific job functions, roles, and responsibilities. It is my pleasure to be your instructor. I enjoy discussing these topics. In this video we're going to talk about the E-Government Act of 2002 and its Section 208(b), which is important to us from a privacy perspective because it gives specific privacy-related guidance to executive branch agencies. You heard me reference the E-Government Act of 2002 during my discussion of my sad tale of my introduction to the PIA process and not being aware of the E-Government Act of 2002 as a senior manager working over at the Department of Homeland Security's Office of Intelligence and Analysis, and so I learned quickly the importance of this Act. Again, it was the former Obama administration. It was seeking to move the federal government and to digitally transform it, accounting for advances that had been made in computer technologies and others. At the same time it wanted to be more open and transparent with the American government. Congress enacted this Act to be able to provide that type of government support to the American public, to make sure that, again, federal government agencies were being open with their practices, specifically in Section 208(b), which talks about their privacy practices. What are we going to talk about? This is an introduction to the E-Government Act of 2002 and Section 208(b). We're going to talk about the E-Government Act of 2002's privacy guidance. Then we're going to delve into Section 208(b), its purpose, and the agency responsibilities. We're going to talk about Section 208(b)'s background.
It's always important to talk about definitions. We're going to talk about some agency activity requirements. We're going to delve into what it requires from the PIA process. We're going to talk about how it also gives guidance for your privacy notices that are posted to an agency's public-facing website, the contents of that privacy notice, and what has to be posted to that website. Then we're going to talk about, again, the guidance given to the agency directors. Are you ready? Let's go. We're going to talk about the E-Government Act's privacy guidance. It's there to make sure that federal government agencies themselves are protecting the personally identifiable information of Americans and others. It is there to give them guidance on how to conduct a PIA, a privacy impact assessment. It is there to make sure that there is a review process within these agencies, that the PIAs are reviewed and approved by the appropriate senior leadership. It is there to require that you give public notification, that you're posting these PIAs to your public-facing websites, that you're announcing them in the Federal Register for a period of 30 days, and that you're reporting your PIAs at the end of the year pursuant to the Federal Information Security Modernization Act of 2014, along with your system of records notifications and your computer matching agreements. All of those have to be reported to OMB at the end of the year for its review. In a digital age, again, we saw the increased collection and processing of individuals' personally identifiable information. We also saw at the turn of the 21st century more privacy harms and privacy invasions being created by data breaches and security incidents. The E-Government Act of 2002 wants to ensure that if a federal government agency in the executive branch is going to collect personally identifiable information from citizens themselves, legal permanent residents, and others, that information is protected accordingly.
It's also there to make sure that these agencies are doing good privacy risk assessments, that they're using privacy threshold analyses, really a preliminary PIA, and then a full PIA when required, to assess the risk in their processing activities, to identify that risk, to mitigate it, and then to select the appropriate security protocols and administrative, physical, and technical controls to reduce that inherent risk to residual risk. You've got to have someone in the organization that reviews the PIA; that can be your CIO, Chief Information Officer. We're going to talk about this: it's the Office of Management and Budget Memorandum M-16-24 that really mandates that these agencies have to designate a senior agency official for privacy who also will participate in this process. If we are talking about sensitive systems themselves or those that are excluded from the PII reporting process, national security systems and things like that, then you don't have that review by the appropriate agency officials. Then these agencies have to post their privacy impact assessments on their websites and also give notification in the Federal Register. We're going to talk about the E-Government Act of 2002's purpose and agency responsibilities, the requirements for developing or procuring IT that processes PII, and then how to initiate a new collection of PII. It is there to make sure that, in short, these federal government agencies respect the rights and freedoms of these individuals as they collect their personally identifiable information.
Agencies have to conduct PIAs before they implement a new system that's going to collect PII, that's going to process PII for pilot programs, or that's going to initiate any information sharing with other entities; if this information has been collected online and pertains to a specific individual, or if they have questions that they are posing to 10 or more persons, then they have to do a PIA. This doesn't include other agencies or employees of the federal government. Let's talk about the background. Like I said, the former Obama administration and Congress realized that we were using computer-based technologies, databases themselves, to collect information on individuals through use of the Internet, and digital networks to share information that might pertain directly or indirectly to an individual. Again, Congress enacted the E-Government Act of 2002 to make sure that any information that was stored in records or systems of records collected by United States federal government executive branch information systems and technologies was protected at all times. This is Section 208 that mandates the conducting of privacy impact assessments for new systems, for existing systems that undergo a modification, for a new definition of PII, for the introduction of new laws that might change the way that these information systems and technologies collect and process an individual's PII; again, you have to identify the risk associated with those activities. Let's have a look at that information system from the perspective of the information life cycle. We talked about the information life cycle: collection, use, disclosure, retention, and disposal of personally identifiable information.
When I've done this, you will work directly with a system owner, an ISSO, a business owner, and the appropriate parties to conduct these PIAs to make sure that they've implemented the appropriate privacy controls and protections throughout the system development life cycle, from the time that you actually design an information system or technology to the time you replace it, and that those controls are working as intended to protect the PII of the individuals from whom that information is being collected. You've got to make it available when possible. Again, if we're talking about classified information systems, national security systems, then they are exempted from this process. We're going to talk about these definitions: individual, information in identifiable form, information technology, major information systems, national security systems. I worked in the intelligence community and the military and national security for over 35 years. I've worked with many of these national security systems that collect a lot of classified information and that are excluded from this process. We're going to talk about the privacy impact assessment and then machine-readable privacy policy. What does that mean in plain speak? That's information that has been posted to a website, information that can be read or interpreted by a computer. What is an individual? Again, just like we talked about with the Privacy Act of 1974 as amended, the E-Government Act of 2002 extends protection to American citizens and legal permanent residents. Those are the two classes that are protected under this act. Information in identifiable form: that's any information that's contained in an information system, or that can be accessed or posted online, that directly or indirectly relates to an individual.
We've talked about some of these identifiers: your name, address, phone numbers, Social Security numbers, other types of identifying codes, and identifying particulars, which could be a photo, other types of information, or biometric information that can directly or indirectly distinguish or be traced back to an individual. Now, if we're talking about information technology, that's any hardware or software, interconnected technologies, that engage in the automatic processing, collection, disclosure, retention, and disposal of that information, personally identifiable information. If we're talking about major information systems, we're talking about systems of systems, systems that involve a number of systems that are extremely important to that organization's mission and activities. We're talking about systems that, again, I referenced Federal Information Processing Standard 199, you're going to categorize based on sensitivity: high-impact systems, moderate-impact systems, low-impact systems. National security systems are those systems that are operated by certain federal government agencies that process national security information, pertaining to intelligence activities, sensitive signals intelligence collection activities, again, sensitive military information, weapon systems, where, if those systems were compromised, it could pose significant harm to the security of the United States. We talked about the PIA. Again, after my embarrassing interaction with the GAO auditors, they became one of my primary focus areas, and I ensured that not only I understood what the E-Government Act of 2002 Section 208(b) required as it applies to the PIA, but others did too. You should always conduct a PIA when appropriate. It's going to help you determine what risk exists in your processing activities of PII, so you can address it before it becomes a problem.
When we talk about privacy policy in standardized machine-readable format, that's being able to push your privacy notice to your public-facing website so that it can be accessed by a computer and then read by the user. We're going to talk about Section 208's agency activities guidance. Now what Section 208 says is that, hey, agency in the executive branch, you've got to conduct a PIA. You have a process for reviewing it, you've got to have somebody approve it, sign off on it. You've got to notify the public and the Federal Register for 30 days. When appropriate, you have processes for modifying or waiving public notification. Again, we talked about that as it applies to national security systems and other systems. You've got to provide the PIA to the agency director or his designee. Many times that's going to be the SAOP, the senior agency official for privacy, and the CIO. I spend a lot of time on the DHS website because, again, it has a great template for conducting PIAs. It walks you through the PIA process. You can go to any government agency in the executive branch and, in most cases, you'll find their posted PIAs that you can look at, just like the [inaudible]. You can look at them for examples of how to develop an appropriate PIA or a [inaudible]. So again, you've got to conduct these PIAs. This isn't optional; you must do it. If you have an information system that is going to process PII, or it already does that and you're going to modify it, or you have a change in the law, the introduction of new laws, the introduction of new types of PII, then again, you're going to be required to do this privacy risk assessment. You've got to have a review process in place; when appropriate, you've got to post it to the Federal Register; you've got to share and provide that information at [inaudible] at the end of the year, the number of PIAs that your agency has produced.
You've got to have processes in place for exemptions to sharing the PIAs publicly; we talked about some of those when it deals with sensitive, classified information that might be a part of the PIA. Then you have to provide your agencies with a copy of the PIA for every system for which funding is requested. That's why it is a part of the FISMA process. Before now, it used to be under the Federal Information Security Management Act of 2002, I believe, which again was more of a checklist process. When Congress amended FISMA with the Federal Information Security Modernization Act of 2014 it became more of a risk-focused process. Before you can, as an agency, and I was a part of this process as a senior executive in government and a senior manager, before you can request budget or funding for a new IT program, acquisition, or procurement of one of these systems that's going to process PII, then again, you must do a PIA, and that PIA must be part of that process when you submit that request for funding. Then it has to go through the SAOP, who is going to review it and provide comments on it before it's actually approved, and this is a requirement in FISMA also, that the SAOP actively participate in that process. We're going to talk about that later. That acronym breaks out as senior agency official for privacy, and you'll hear me use that more often later in the learning path. What needs to be in that PIA? You can go to any website of a federal government agency in the executive branch. You can look at their PIAs. They're going to be based on Section 208(b)'s guidance. You've got to understand the nature and scope of the PIA.
When you look at the size of the information system that you're going to be assessing, the sensitivity of the information that might be in identifiable form, which means that it's processing PII, you've also got to look at the harm that might be posed if this information is disclosed in an unauthorized manner. So when you conduct that PIA, it's going to talk about what information you collect and why it's being collected, the purpose of the collection, with whom you're going to share that information, what notices you give the individuals for consent, and the determination of whether consent is mandatory or participation is voluntary. What are the security safeguards you're going to use to process that information? Then this is where you're also going to go back and look at those SORNs, because you also have to include information on whether a SORN was conducted on this system. Remember we talked about SORNs, or system of records notices, and when we talk about those, remember, a system of records is a compilation of records that uses your name, some type of identifying number like your Social Security number or some other type of number, or some type of identifying particular, which could be a photograph or some type of biometric information, to retrieve those records from the system of records. If your system has done that, then you've got to report that also; with the PIA, you have to report the system of records. Now let me make a distinction. The PIA is more broadly focused than the system of records process. The system of records process only focuses on those systems of records where you use those types of retrieval methods, a name, an identifying number, or an identifying particular, to retrieve records from a system of records. The PIA is more broadly focused. It focuses on any system, any IT system or technology, that might be processing PII, whether it's contained in a system of records or is processed by the organization and stored in databases and other things that might not be a record.
So what does that agency director have to do? He or she has to make sure they provide guidance on the agency's policies, procedures, and guidance on how they'll conduct PIAs. It's there to make sure that these PIAs are conducted on the applicable activities, systems, and technologies; it's also there to make sure that this process is implemented throughout all levels of his or her agency, and that's what that says there in a nutshell. This is extremely important. Like I said, during my experience, this system had been in place. My predecessors didn't know they had to do a PIA or a civil liberties impact assessment. The agency really didn't. We didn't even know a privacy officer existed at DHS. It was our mistake from a compliance standpoint that we weren't aware of what these requirements were. You have to be aware of what your compliance requirements are, regulatory, legislative, legal, because it's your responsibility as key staff, as a manager and leader, to comply at all times. I failed in this area, and I learned the hard way, but I never repeated that mistake again. What are some of those website privacy protection requirements? Section 208 says that the agency director will ensure that the agency's privacy notice is posted on its public-facing website on any page where information is going to be collected, any web page where personally identifiable information is going to be collected from the public itself, American citizens and legal permanent residents. You should have a link to your notice, and that notice should tell them, as we said, what's being collected, why it's being collected, the purpose of the collection, and how you are going to allow American citizens and legal permanent residents to exercise their right to customer preference, to give consent, grant consent or not.
The impacts of not providing certain information, your security safeguards, the individual rights and freedoms that are granted to individuals under the Privacy Act and the Computer Matching and Privacy Protection Act of 1988, and now under the E-Government Act of 2002. You've got to ensure that you've translated your privacy notices into machine-readable formats. Again, that's being able to display these privacy notices on a website and making them accessible via computer or some other type of computing device. The E-Government Act of 2002 was a game-changer. Like I said, if we look at the three laws that we've talked about, we started in 1974 in a paper-based environment. We saw the advent of wide use of automated databases, using information technology and computing technologies to collect information from the public, American citizens, legal permanent residents. We saw the advent of the 21st century and the former Obama administration trying to move the federal government executive branch into the digital age itself, create opportunities for digital transformation, and be more open and transparent with the government on what the government's practices were. As part of the E-Government Act of 2002, we saw Section 208 that gave explicit guidance on the conducting of PIAs, privacy impact assessments, making your privacy notices available to the public in a machine-readable format, the requirements for notification to the public, the requirement to publish your privacy impact assessments, and to give notification to the public itself and in the Federal Register for a period of 30 days. It gave strict guidelines on when you have to conduct these PIAs: when you're talking about the development of a new system, or activity, or process that's going to collect or process PII during the information life cycle, which, I will state, is the collection, use, disclosure, retention, and disposal of personally identifiable information.
When you have information that might be shared by these new information systems and technologies, when you make modifications to the way that these information systems and technologies are processing PII, when we have a change in the law, when you have the introduction of new types of PII, which is happening all the time, new definitions, if you have any information that's collected online, from a physical and online perspective, that applies directly or indirectly to an individual, or if you have questions that have been posed to individuals, ten or more, that aren't employees of a federal government agency in the executive branch, then you have to conduct the PIA. You can find guidance there; I use it also. This is another one of my source documents, guidance that I keep in my professional toolkit, because again, just because it's mandatory for the federal government doesn't mean you can't take snippets from these different guidances, these laws, to help you mature your privacy program if you don't have these types of guidance documents and practices and procedures in place. It levies on them, again, the agency director, significant responsibilities. They have to ensure that their agencies have a PIA process, that they're conducting PIAs, that there's a review process, and that the organization is making public notification when required. Then also, in the essence of transparency and openness, they have to make sure that their privacy policy and privacy notices are posted to their public-facing website when they're applicable, and when the PIAs don't address sensitive information pertaining to intelligence, certain law enforcement activities, military operations, the development of weapon systems, and other types of sensitive activities that might cause significant harm to the United States government. Hey, everyone, that concludes this course that we've had on several US federal government agencies with privacy implications. Now as always, I enjoyed being your instructor.
Hopefully, up to this point, you're still enjoying the instruction and it is meeting your expectations. That's extremely important to me. I hope you, your family members, and significant others are safe and well, and I look forward to seeing you in the next course. Stay safe and take care. This is Chris Stevens, the privacy gremlin, saying I'll see you in the next video.