GSA updates policy on privacy impact assessments
The General Services Administration has issued an update to the privacy policies and procedures governing GSA IT systems that details the importance of privacy impact assessments and makes Chief Information Officer Sonny Hashmi the agency’s senior privacy official.
Released late last week, the updated policy and procedures document makes privacy impact assessments (PIAs) “the required tool for conducting privacy evaluations.” The document also “defines the privacy issues to be addressed, describes the steps for completing a PIA report, and provides the PIA report format” anytime GSA is “planning, developing, and implementing automated systems” or its “online Web sites and social media venues collect personal information about individuals.”
Privacy impact assessments, required by the E-Government Act of 2002, are nothing new within GSA. The Office of Management and Budget issued a governmentwide memorandum making them mandatory in October 2003.
This policy update, however, replaces one published in September 2011 by then-Chief People Officer Tony Costa. It reflects that GSA’s “Privacy Office is now within the Office of GSA IT,” the document states, a shift that occurred when Administrator Dan Tangherlini consolidated the agency’s IT operations in 2013. With the revision, it also elevates Hashmi to senior agency official for privacy, the ranking GSA official in dealing with PIAs.
“Information security, including privacy of sensitive data, is of utmost importance to GSA. GSA is committed to continuously assessing and enhancing the security of its computer systems, and ensuring the privacy of personal information,” Hashmi wrote in an email to FedScoop. “Recently, I issued an IT integration policy that, among other IT principles, highlights the need to bring cybersecurity to the forefront in developing and enhancing information systems within GSA. The recently released directive on privacy impact assessments helps to further solidify our commitment to ensuring the privacy of sensitive information we manage.”
On GSA’s website, there are several completed PIAs dating as far back as 2011 for systems, websites and social applications that collect personal information when used, including GSA’s own Data.gov and USA.gov, as well as social media sites like Facebook and Twitter. The new policy effectively cancels its predecessor, which called on GSA’s chief people officer to act as senior agency official for privacy and have the final say in the assessments, though most of the procedures remain the same or at least similar.
The bulk of the updated directive is dedicated to delegating responsibilities for the new assessment. According to the document, the system or project manager will be tasked with preparing the assessment. A level up the chain, program managers are required to make sure their systems undergo PIAs by identifying eligible IT systems, coordinating with system managers and developers on potential privacy concerns, and reviewing and approving the assessments before passing them further up the command chain.
“This newly clarified policy and associated procedures, roles and responsibilities, allows GSA to continue fulfilling our commitments to ensure safeguarding of personal and sensitive information,” Hashmi said.