This document offers recommendations that can serve as a resource to help agencies meet their privacy obligations as they implement the requirements of the Digital Government Strategy ("Strategy"). This document explains how privacy controls help enable and promote the Strategy's data- and customer-centric approach, and the importance of integrating such controls into the risk management process to ensure that privacy is fully incorporated in the planning and development of digital services and programs.
The document then discusses three key privacy controls: (1) PII Inventory; (2) Privacy Impact Assessment (PIA); and (3) Privacy Notice. These fundamental privacy controls require that agencies identify and consider all PII that may be collected or otherwise exposed through a particular digital technology, analyze the privacy risks through the data life cycle by conducting and updating a PIA (as needed), and provide notice to individuals of when and how their PII will be collected, used, retained, and disclosed.
This document is not a formal guidance document and does not establish or alter official Federal Government policies. It does, however, offer recommendations that can serve as a resource to help agencies meet their privacy obligations as they implement the requirements of the Strategy.
Moreover, this document does not attempt to provide a “one size fits all” approach, as each digital service or program will be different. Instead, it provides tools and best practices, in the form of key considerations and checklists, to standardize and streamline the implementation of the three critical privacy controls noted above, and to educate agency personnel on options for addressing privacy issues in the complex ecosystem inherent in the evolution toward a Digital Government.