Citation

Office of Management and Budget, OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications (June 25, 2010) (full-text).

Overview

This Guide requires Federal agencies to take specific steps to protect individual privacy whenever they use third-party websites and applications to engage with the public. The Memorandum builds on the protections and requirements outlined in the Privacy Act of 1974 and the E-Government Act of 2002 and on OMB's existing guidance; it calls for transparent privacy policies, individual notice, and a careful analysis of the privacy implications whenever Federal agencies choose to use third-party technologies to engage with the public.

When using a third-party website or application, agencies are instructed to adhere to the following general requirements:

  1. Third-Party Privacy Policies. Before an agency uses any third-party website or application to engage with the public, the agency should examine the third party's privacy policy to evaluate the risks and determine whether the website or application is appropriate for the agency’s use. In addition, the agency should monitor any changes to the third party's privacy policy and periodically reassess the risks.
  2. External Links. If an agency posts a link that leads to a third-party website or any other location that is not part of an official government domain, the agency should provide an alert to the visitor, such as a statement adjacent to the link or a "pop-up," explaining that visitors are being directed to a non-government website that may have different privacy policies from those of the agency’s official website.
  3. Embedded Applications. If an agency incorporates or embeds a third-party application on its website or any other official government domain, the agency should take the necessary steps to disclose the third party’s involvement and describe the agency’s activities in its Privacy Policy, as specified in this Memorandum.
  4. Agency Branding. In general, when an agency uses a third-party website or application that is not part of an official government domain, the agency should apply appropriate branding to distinguish the agency's activities from those of nongovernment actors. For example, to the extent practicable, an agency should add its seal or emblem to its profile page on a social media website to indicate that it is an official agency presence.
  5. Information Collection. If information is collected through an agency’s use of a third-party website or application, the agency should collect only the information "necessary for the proper performance of agency functions and which has practical utility."[1] If personally identifiable information (PII) is collected, the agency should collect only the minimum necessary to accomplish a purpose required by statute, regulation, or executive order.

Privacy Impact Assessment

This Guide asks agencies to prepare an adapted Privacy Impact Assessment (PIA) that is tailored to address the specific functions of a third-party website or application that is being used. According to the memorandum, the PIA should describe:

An agency may prepare one PIA to cover multiple websites or applications that are functionally comparable, as long as the agency's practices are substantially similar across each website and application. For example, one PIA may be sufficient to cover an agency's use of multiple social media websites where limited PII is made available to the agency, but none is collected, shared, or maintained. However, if an agency's use of a website or application raises distinct privacy risks, the agency should prepare a PIA that is exclusive to that website or application.

References

  1. OMB Circular A-130 (full-text).
