Administration seeks to fill gaps in privacy protections

The Obama administration has proposed the first-ever privacy safeguards for protecting the personal information of citizens that is handled by federal computing systems.

The National Institute of Standards and Technology specifications fill gaps in existing information security procedures that date back to 2003, such as the need to offer members of the public options in how their data is used. Americans have become increasingly concerned with shielding self-identifying information from hackers because more government transactions now take place online.

The privacy controls are written to foster trust in the government's ability to handle sensitive information, from taxpayer filings to immigration records, according to draft standards released this week.

The requirements will be folded into a revised list of information security controls due out in December. NIST will accept public comment through Sept. 2, but given the novelty of the privacy proposal, it will be released ahead of the other guidelines and may go through a second round of public vetting before final publication, said the draft's author, NIST fellow Ron Ross.

The privacy safeguards are designed to instruct agencies on how to satisfy requirements mandated by Congress and the White House, such as those in the 2002 Federal Information Security Management Act, the 1974 Privacy Act, and various Office of Management and Budget memos.

"We've been focusing on FISMA and the security controls since 2003 -- this is kind of a natural extension," Ross said. "There's been an explosion of information technology and the different pad technologies that are now being produced . . . The more we use the technology -- security and privacy become more and more important every day."

Current security controls cover information confidentiality so there is some overlap between the two sets of standards, he added. But the new list concentrates more on protecting personal information.

The 18 proposed controls include, among other things, directions on issuing privacy notices, keeping the collection of personal information to a minimum, dealing with complaints about privacy practices, and limiting the amount of time data is retained.

"The controls focus on information privacy as a value distinct from, but highly interrelated with, information security," the document states. "Privacy is more than security and confidentiality, and includes the principles of transparency and notice and choice, for example."

As with most NIST standards, federal contractors were not involved in preparing the privacy guidelines, but they will have the opportunity to provide feedback before the plan is finalized, Ross said. The federal Chief Information Officers Council partnered with NIST on the controls, which government officials said are based on international standards and best practices.