Joshua Bolten, director of the Office of Management and Budget, issued a memorandum Tuesday instructing agency heads "to describe how the government handles information that individuals provide electronically, so that the American public has assurances that personal information is protected." The OMB guidelines, required by the E-Government Act of 2002, apply to information that identifies individuals in a recognizable form, including name, address, telephone number, Social Security number, and E-mail address.
OMB is requiring agencies to conduct new privacy impact assessments before developing IT systems that contain identifiable information or before collecting such data electronically. The assessments must be updated when changes in the way an agency handles personally identifiable information create new privacy risks. Affected agencies also will be required to report on their E-privacy-related activities every year.
Under the rules, agencies will be required to tell visitors to their Web sites when it's voluntary to submit information, how to grant consent for agency use of voluntary personal data, and about their rights under the Privacy Act and other such laws.
Agency Web sites also will be required to disclose the nature of information collected, the purpose and use of such data, whether and with whom such information will be shared, and the privacy safeguards applied to the information collected.
By Dec. 15, agencies must develop firm plans to make their Web sites' privacy policies machine readable--meaning that they automatically provide notification when the site doesn't cover a visitor's privacy preferences.
A copy of the memorandum can be found here.