89 FR 20 pgs. 5945-5947 - Request for Information: Privacy Impact Assessments
Type: NOTICE
Volume: 89
Number: 20
Pages: 5945 - 5947
FR document: [FR Doc. 2024-01756 Filed 1-26-24; 8:45 am]
Agency: Management and Budget Office
OFFICE OF MANAGEMENT AND BUDGET
Request for Information: Privacy Impact Assessments
AGENCY:
Office of Management and Budget.
ACTION:
Request for information.
SUMMARY:
Pursuant to the Executive order on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, the Office of Management and Budget (OMB) is requesting public input on how privacy impact assessments (PIAs) may be more effective at mitigating privacy risks, including those that are further exacerbated by artificial intelligence (AI) and other advances in technology and data capabilities.
DATES:
Consideration will be given to written comments received by April 1, 2024.
ADDRESSES:
Please submit comments via https://www.regulations.gov/ and follow the instructions for submitting comments. Public comments are valuable, and they will inform any potential updates to relevant OMB guidance; however, OMB will not respond to individual submissions.
Privacy Act Statement: OMB is issuing this request for information (RFI) pursuant to Executive Order 14110 on Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. 1 Submission of comments in response to this RFI is voluntary. Comments may be used to inform sound decision making on topics related to this RFI, including potential updates to guidance. Please note that submissions received in response to this notice may be posted on https://www.regulations.gov/ or otherwise released in their entirety, including any personal information, business confidential information, or other
Footnotes:
1 E.O. No. 14110, 88 FR 75191 (Nov. 1, 2023).
FOR FURTHER INFORMATION CONTACT:
Alex Goodenough, Office of Management and Budget, via email at MBX.OMB.PIA_RFI_FY24@omb.eop.gov or via phone at 202-395-3039.
SUPPLEMENTARY INFORMATION:
Privacy safeguards are foundational to the Executive Branch's ability to maintain the public's trust, and analysis of privacy risks associated with the various activities of Executive Branch departments and agencies ("agencies") is key to establishment of those safeguards. PIAs are a tool that agencies use to conduct that analysis. Indeed, as described in OMB's Circular No. A-130, Managing Information as a Strategic Resource, "[a] PIA is one of the most valuable tools Federal agencies use to ensure compliance with applicable privacy requirements and manage privacy risks." 2 In addition to being a key analytical tool, PIAs also make available to the public agencies' analysis of privacy risks and safeguards put in place to mitigate those risks.
Footnotes:
2 Off. of Mgmt. & Budget, Exec. Off. of the President, Circular No. A-130, Managing Information as a Strategic Resource app. II, section 5(e) (July 28, 2016), available at https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf.
Requirements exist in statute and in OMB guidance for how agencies conduct and publish PIAs. Section 208 of the E-Government Act establishes minimum requirements for PIAs, and it requires the OMB Director to issue guidance on the required contents of PIAs. 3 OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, requires agencies to "conduct privacy impact assessments for electronic information systems and collections and, in general, make them publicly available." 4 Additionally, it includes requirements related to certain agency contractors. OMB reinforced and built on the requirements in OMB M-03-22 through additional guidance on PIAs in OMB M-10-23, Guidance for Agency Use of Third-Party websites and Applications, 5 and in OMB Circular No. A-130.
Footnotes:
3 E-Government Act of 2002, Public Law 107-347, section 208(b)(2), (3), 116 Stat. 2899, 2921 (codified as amended at 44 U.S.C. 3501 note).
4 Off. of Mgmt. & Budget, Exec. Off. of the President, OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, attach. A, section I.A.a (Sept. 30, 2003), available at https://www.whitehouse.gov/wp-content/uploads/2017/11/203-M-03-22-OMB-Guidance-for-Implementing-the-Privacy-Provisions-of-the-E-Government-Act-of-2002-1.pdf.
5 Off. of Mgmt. & Budget, Exec. Off. of the President, OMB M-10-23, Guidance for Agency Use of Third-Party websites and Applications (June 25, 2010), available at https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2010/m10-23.pdf.
As agency programs and services increasingly rely on rapidly advancing technology and data capabilities (e.g., artificial intelligence), the privacy risk landscape also is evolving. Existing privacy risks are escalating, and new privacy risks are emerging. It is important to hear from the public as OMB considers what updates to PIA guidance may be necessary to ensure that PIAs continue to facilitate robust analysis and transparency about how agencies address these evolving privacy risks.
Seeking Input on Improving the Use of PIAs To Mitigate Privacy Risks
OMB developed this RFI in consultation with the Department of Justice, National Economic Council, and Office of Science and Technology Policy, in accordance with Executive Order 14110. OMB seeks responses to the following questions:
Role of PIAs in Addressing and Mitigating Privacy Risks
1. A wide range of privacy risks are associated with the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of personally identifiable information (PII). What improvements to OMB guidance on PIAs as analytical tools and notices to the public would assist agencies in identifying, addressing, and mitigating these risks, including when an agency:
a. Develops, procures, or uses information technology to handle PII;
b. Initiates, consistent with the Paperwork Reduction Act, a new electronic collection of information that contains PII;
c. Uses a third-party website or application that makes PII available to the agency; or
d. Engages in a relevant cross-agency initiative that involves PII?
2. What other models or best practices for conducting and documenting PIAs or similar analyses could improve agencies' PIAs?
a. Are there approaches to analyzing and documenting how an entity addresses and mitigates privacy risks used by non-federal government entities, specific sectors or industries, academia, or civil society that OMB should consider?
b. Are there similar approaches to analyzing and documenting how an entity addresses and mitigates other risks in information governance (e.g., security risks) that OMB should consider from other federal guidance or frameworks?
3. What guidance should OMB consider providing to agencies to help reduce any duplication that may arise in preparing PIAs along with other assessments focused on managing risks (e.g., security authorization packages or the AI impact assessments proposed in OMB's Draft Memorandum on Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence 6) and to support these assessments' different functions?
Footnotes:
6 OMB released for public comment a draft memorandum on agency use of AI. See Off. of Mgmt. & Budget, Exec. Off. of the President, Draft Memorandum on Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence (Nov. 2023), available at https://ai.gov/wp-content/uploads/2023/11/AI-in-Government-Memo-Public-Comment.pdf.
Role of PIAs in Facilitating Transparency
4. What role do PIAs play in your search for information about how agencies handle PII and address privacy risks? For what purpose(s) do you read agencies' PIAs?
5. What improvements to PIAs would help you better understand agencies' assessment of privacy impacts and risk mitigation strategies?
a. What improvement(s) would you recommend to make it easier to find and access agencies' PIAs?
b. What improvement(s) would you recommend to make it easier to read and understand agencies' PIAs?
6. How can agencies increase awareness of PIAs among stakeholders?
Privacy Risks Associated With Advances in Technology and Data Capabilities, Including AI
7. AI and AI-enabled systems used by agencies can rely on data that include PII, and agencies may develop those systems or procure them from the private sector.
a. What privacy risks specific to the training, evaluation, or use of AI and AI-enabled systems (e.g., related to AI system inputs and outputs, including
b. What guidance updates should OMB consider to improve how agencies address and mitigate the privacy risks that may be associated with their use of AI?
8. What role should PIAs play in how agencies identify and report on their use of commercially available information (CAI) 7 that contains PII?
Footnotes:
7 Section 3(f) of Executive Order 14110 defines "commercially available information" as "any information or data about an individual or group of individuals, including an individual's or group of individuals' device or location, that is made available or obtainable and sold, leased, or licensed to the general public or to governmental or non-governmental entities." 88 FR 75194.
a. What privacy risks specific to CAI should agencies consider when conducting PIAs?
b. OMB M-03-22 requires PIAs "when agencies systematically incorporate into existing information systems databases of information in identifiable form purchased or obtained from commercial or public sources," while noting that "[m]erely querying such a source on an ad hoc basis using existing technology does not trigger the PIA requirement." 8 What guidance updates should OMB consider to improve how agencies address and mitigate the privacy risks that may be associated with their use of CAI that contains PII?
Footnotes:
8 OMB M-03-22, attach. A, section II.B.b.6.
9. What guidance updates should OMB consider to improve how agencies address and mitigate the privacy risks that may be associated with their use of other emerging technology and data capabilities?
Other Considerations
10. What else could help promote greater effectiveness and consistency across agencies in how they approach PIAs?
11. What else should OMB consider when evaluating potential updates to its guidance on PIAs?
Richard L. Revesz,
Administrator, Office of Information and Regulatory Affairs.
[FR Doc. 2024-01756 Filed 1-26-24; 8:45 am]
BILLING CODE 3110-01-P