
6. ICAM Implementation Planning

6.3. Privacy Considerations

ICAM programs have significant privacy implications for federal agencies and must be treated accordingly. Agencies must consider these implications carefully in order to mitigate privacy risks while still providing the security the identity management system (IDMS) is intended to deliver. Privacy should therefore be treated as a core component and a mission-critical objective of every ICAM implementation, and agency implementers should understand and integrate privacy principles into ICAM programs early, in the design stage. This section introduces the Fair Information Practice Principles (FIPPs) and discusses how they can be appropriately integrated into an agency's ICAM program.

6.3.1. Applying the FIPPs

Since ICAM programs involve collecting, storing, sharing, and maintaining personally identifiable information (PII), federal agencies must implement solutions that actively support privacy protections and the widely recognized FIPPs. Under the Privacy Act, which is based on the FIPPs, agencies are required to have certain processes and procedures governing their use of PII in place. Agencies should first assess those processes and procedures and determine whether the implementation of an ICAM program constitutes a new use of PII that requires adjustment of existing processes and procedures. The following figure describes each of the FIPPs and discusses practical implementation considerations for applying them within an ICAM program.

Fair Information Practice Principle: Individual Participation

Description: Agencies should involve the individual in the process of using PII and, to the extent practicable, seek individual consent for the collection, use, dissemination, and maintenance of PII. Organizations should also provide mechanisms for appropriate access, correction, and redress regarding use of PII.

ICAM Implementation Considerations: Agencies that currently interact with the public in a face-to-face context and/or engage in paper or telephone transactions must recognize that there will continue to be individuals who will not feel comfortable adopting technological processes. They should continue to offer physical alternatives for processes that are not inherently technology-based. Agencies should also provide redress mechanisms in accordance with the Privacy Act that allow individuals to report and correct information that is inaccurate, lost, or compromised, and to seek remedy for damages resulting from incorrect authentication or unauthorized access. Redress mechanisms help enhance confidence in the program and promote individual participation.

Fair Information Practice Principle: Transparency

Description: Agencies should be transparent with respect to the information they collect and share, and provide notice to the individual regarding collection, use, dissemination, and maintenance of PII.

ICAM Implementation Considerations: A foundational principle in federal privacy law is that an individual has the right to know what information the government collects and retains about him and, to a great extent, the right to control how that information is used. When building ICAM programs, agencies should, first and foremost, consider this principle and ensure the following prior to each occurrence of information collection and/or transmission:

- The user is clearly informed what information elements will be collected
- The user understands who will receive the information
- The user is clearly informed of how the information will be used
- The user must affirmatively choose to participate before any information is transmitted

Fair Information Practice Principle: Purpose Specification

Description: Agencies should specifically articulate the authority that permits the collection of PII and specifically articulate the purpose or purposes for which the PII is intended to be used.

Fair Information Practice Principle: Data Minimization

Description: Agencies should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).

ICAM Implementation Considerations: Agencies should only collect the information necessary to carry out ICAM business functions. Wherever possible, agencies should use assertions about an individual's identity in lieu of the underlying identifying data elements. For example, if an application has an age limitation, the program should ask for proof of age rather than the exact birth date. Agencies should also determine how long specific categories of information associated with ICAM processes will be retained and implement procedures for destruction of the information at the end of the retention period.

Fair Information Practice Principle: Use Limitation

Description: Agencies should use PII solely for the purpose(s) specified in the notice. Sharing PII should be for a purpose compatible with the purpose for which the PII was collected.

ICAM Implementation Considerations: The Privacy Act generally requires that once an individual consents to the collection of his information for a specific, stated purpose, that information can only be used for that purpose. This is particularly important to remember when considering the sharing of information between programs. If the programs have different purposes, such sharing will likely not be permissible without additional consent from the user. Agencies should carefully consider this limitation when crafting their privacy notices for ICAM programs.

Fair Information Practice Principle: Security

Description: Agencies should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure.

ICAM Implementation Considerations: Agencies must ensure the security of information at all stages (collection, transmission, storage, and destruction) in accordance with applicable legal and policy requirements (e.g., FISMA and OMB M-07-16). Examples of techniques for securing data are encryption, strong authentication procedures, session time-out functionality, and minimum security controls that render information unusable to unauthorized individuals.

Fair Information Practice Principle: Data Quality and Integrity

Description: Agencies should, to the extent practicable, ensure that PII is accurate, relevant, timely, and complete.

ICAM Implementation Considerations: Agencies should identify and implement means to ensure that PII is accurate, relevant, timely, and complete, including providing mechanisms for individuals to correct inaccuracies in their information.

Fair Information Practice Principle: Accountability and Auditing

Description: Agencies should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.

ICAM Implementation Considerations: ICAM implementers should establish accountability measures to ensure that each of the other FIPPs is appropriately applied and effectively protects users' privacy. Such measures can include ICAM program audits and reviews by agency privacy and security officials. Agencies should address accountability for specific requirements, such as the OMB M-07-16 requirement for annual certification of training for employees who handle PII. Clear accountability will promote confidence in ICAM programs.

Figure 12: Applying the FIPPs to ICAM
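The Data Minimization row above recommends asserting a derived fact ("proof of age") instead of releasing the raw data element (the birth date), and the Use Limitation and Security rows ask that the purpose be bound to the data and that the data be protected in transit. The following is an added illustration of that pattern in code; it is not from the FICAM guidance or any agency system. The identity record, the relying-party name "benefits-portal", the purpose label "age-gate", the HMAC key, and all function names are constructed for the example. A real deployment would use the agency's federation protocol (e.g., a signed SAML assertion) rather than this hand-rolled HMAC envelope; the point is what the relying party does and does not receive.

```python
"""Minimal-disclosure age assertion.

The identity provider (IdP) keeps the date of birth and hands the relying
party (RP) only a signed yes/no claim scoped to one audience and purpose.
Added example for the data-minimization principle; every value below is
constructed for illustration and is not taken from any agency system.
"""
import hashlib
import hmac
import json
from datetime import date

# Constructed sample identity record held by the IdP. The RP never sees it.
IDP_RECORD = {
    "subject_id": "user-0001",
    "name": "Jane Example",
    "dob": "2005-03-15",
    "ssn": "000-00-0000",  # placeholder value, never released
}

# Hypothetical shared key between IdP and RP (a real system would use
# asymmetric signatures so the RP cannot mint assertions itself).
IDP_KEY = b"example-hmac-key-not-for-production"


def is_at_least_age(dob: date, min_age: int, today: date) -> bool:
    """Derive the predicate the RP needs from the DOB the RP must not receive."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return age >= min_age


def _canonical(claims: dict) -> bytes:
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_age_assertion(record, min_age, key, today_iso, issued_at, ttl_seconds=300):
    """IdP side: emit a signed assertion carrying only the derived predicate.

    Purpose specification and use limitation are written into the claim set
    ("aud" and "purpose"); the short lifetime ("exp") limits retention and replay.
    """
    dob = date.fromisoformat(record["dob"])
    today = date.fromisoformat(today_iso)
    claims = {
        "sub": record["subject_id"],
        "aud": "benefits-portal",   # hypothetical relying party
        "purpose": "age-gate",      # the one use the assertion is consented for
        "over_age": min_age,
        "result": is_at_least_age(dob, min_age, today),
        "iat": issued_at,           # epoch seconds, supplied by caller
        "exp": issued_at + ttl_seconds,
    }
    sig = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def verify_age_assertion(assertion, key, now, expected_aud="benefits-portal"):
    """RP side: return the age result only if the assertion is intact,
    unexpired and addressed to this RP; otherwise return None."""
    claims, sig = assertion["claims"], assertion["sig"]
    expected = hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None                      # tampered or forged
    if claims.get("aud") != expected_aud:
        return None                      # issued for a different purpose/RP
    if claims["exp"] < now:
        return None                      # stale; retention window passed
    return bool(claims["result"])


def released_fields(assertion) -> set:
    """Everything the RP learns, for checking that no raw PII element leaked."""
    return set(assertion["claims"])


if __name__ == "__main__":
    a = issue_age_assertion(IDP_RECORD, 18, IDP_KEY, "2023-03-15", issued_at=1000)
    print(a["claims"])                           # result=True, no dob/ssn/name
    print(verify_age_assertion(a, IDP_KEY, now=1010))
```

The relying party receives `sub`, `aud`, `purpose`, `over_age`, `result`, `iat` and `exp` and nothing else, so a breach on the RP side exposes no birth date. Because the audience and purpose are inside the signed payload, an assertion minted for the age gate cannot be replayed to a program with a different purpose without the IdP issuing a new one, which is where the additional consent called for under Use Limitation would be collected.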

Adopting the FIPPs to support privacy-protecting ICAM solutions requires deliberate effort. One example of such an effort is the development of the privacy requirements of the Trust Framework Provider Adoption Process (TFPAP), which aims to enable the Federal Government to leverage industry-based credentials that citizens already have for other purposes. In order for an external entity to be certified to provide credentials for use by the Federal Government, it must demonstrate compliance with a rigorous set of privacy requirements built around the FIPPs. This topic is discussed in greater detail in Chapter 12.

6.3.2. Programmatic Support

All programs that collect, retain, or use personal information are required to complete and maintain program documents to support these activities. Such processes for determining the policies and rules around collection and use of information ensure that agencies are not creating an unnecessary burden on individuals, and that they are not collecting or using information for purposes inconsistent with the intent of the program. Agencies should be extremely clear and thorough when developing the documentation to support the collection, use, and retention of personal information. Below are processes that agencies must complete in order to meet key privacy requirements:

System of Records Notice (SORN). A notice published by an agency in the Federal Register to notify the public of a system of records: a group of any records under the control of any agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifier assigned to the individual. The SORN includes basic information about the system, including the system name, the categories of individuals covered by the system, and the categories of records in the system, and addresses the policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system.

Privacy Impact Assessment (PIA). The process used to evaluate the potential ramifications for the protection of privacy within IT systems. The resulting document includes information related to the data in the system, access to the data, attributes of the data, and maintenance of administrative controls for protecting it. An agency must complete a PIA whenever a new system is being introduced or an existing system is substantially modified.

Establishment of redress procedures. Procedures to allow an individual to review his record in an IT system upon request and permit the individual to request amendment of a record pertaining to him. In addition to enabling an agency to meet the requirements of the Privacy Act of 1974, redress procedures also help enhance transparency, raise the awareness of the mission, and promote user confidence.

Privacy Tip

It is encouraged that ICAM implementers provide redress mechanisms even when not required by the Privacy Act. Enabling users to file complaints and comments regarding an ICAM program and rectify this if their information is inaccurate, lost, or compromised

7. Initiative 5: Streamline Collection and Sharing of Digital