5 highlights from CIO Council digital privacy controls strategy

The federal Chief Information Officers Council released new recommendations on Friday for how the government can standardize digital privacy controls.

The strategy, “Recommendations for Standardized Digital Privacy Controls,” recognizes that federal agencies must adopt strong privacy, confidentiality and security safeguards to prevent the improper use of personally identifiable information when developing and delivering digital services and programs.

Below we look at five key points made in the strategy:

1. A secure data-centric approach: Requires that federal agencies move from simply managing documents to a more data-centric approach that emphasizes discrete pieces of open data and content. It also calls for agencies to adopt a more customer-centric approach to digital services by presenting data through many different delivery modes.


With that said, these approaches cannot come at the expense of privacy and security. In order to enable the most open and flexible use of data, federal agencies must identify and address privacy issues and risks at the earliest stages of developing digital services and programs “well before” data about individuals are collected, used, retained or disclosed.

2. Create a digital personal identifiable information inventory: Instead of just having a PII inventory of existing PII holdings, agencies should – as part of the privacy risk management process – create a catalog of prospective PII inventory. Doing so early in the privacy impact assessment process will help agencies avoid unanticipated privacy risks later, the strategy says.

The strategy also says that no PII inventory or catalog can be complete without a sufficiently broad understanding of what personal information should be considered identifiable.

For example, a common misconception is that PII only includes data that can be used to directly identify or contact an individual (e.g., name, e-mail address), or personal data that is especially sensitive (e.g., Social Security number, bank account number). Data elements that may not identify an individual directly (e.g., age, height, birth date) may nonetheless constitute PII if those data elements can be combined, with or without additional data, to identify an individual.

3. Agencies need digital privacy impact assessment plans: A PIA analyzes how information will be handled to ensure such handling conforms to requirements regarding privacy, to determine the risks and effects of disseminating such information and to examine and evaluate protections and alternative processes for handling the information to mitigate potential privacy risks.


The PIA process must be documented and must explain:

  • what PII will be collected, maintained, or disseminated, including the nature and source of the data;
  • why the PII is being collected (i.e., purpose);
  • intended use or uses of the PII;
  • with whom the information will be shared or disclosed;
  • options and methods for individuals to exercise choice or give consent for collection or use;
  • how the PII will be secured; and
  • whether a system of records is being created under the Privacy Act of 1974.

4. Agencies must give notice: Federal agencies are required by law give notice to individuals, when collecting information from them, of the authority, purpose, and uses of PII when such data will be maintained as agency records that will be retrieved by individual name or other identifier.

When agencies use a website to collect or share data, they must post a privacy policy, as required by Section 208 of the E-Gov Act and Office of Management and Budget guidance. Additional privacy notice requirements may apply, depending on other factors such as what digital technology or platform is being used. For example, agencies must give notice when using social media or other third-party sites or applications to communicate with the public if PII will be available to the agency.

5. What agencies can expect: By adopting the recommended best practices outlined in this document, agencies should be better able to:

  • identify and account for such data (i.e., PII inventory);
  • analyze and address the privacy and security risks that may be associated with such data (i.e., PIA); and
  • provide individuals with the knowledge, assurance, and trust that their data will be collected, maintained, used and shared in a manner consistent with their expectations (i.e., privacy notice).

Agencies should always address and resolve these issues early in the planning and design of their digital services and programs. This approach is more likely to achieve the strategy’s goal of a data- and customer-centric approach to digital data and content with greater speed, efficiency and effectiveness.

Latest Podcasts