The Office of Information and Regulatory Affairs (OIRA) recently released a model Privacy Impact Assessment (PIA) that federal agencies must use before they employ third-party websites and applications to communicate with the public.  The new rules issued by OIRA, an arm of the White House’s Office of Management and Budget (OMB), build on rules the agency issued in June 2010.

OIRA’s new PIA largely concerns the collection and use of personally identifiable information (PII).  OIRA adopts the same definition of PII that OMB has employed previously, defining PII to mean information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. 

In conducting the PIA, an agency seeking to use a third-party website or application must review and analyze seven issues:

  • The purpose of the agency’s use of the third-party website or application;
  • Whether any PII will become available to the agency through the website or application;
  • The agency’s intended or expected use of the PII;
  • What sharing or disclosure of PII will occur;
  • Whether, when, and how the agency will maintain PII;
  • What privacy risks exist, and how the agency will mitigate them; and
  • Whether the agency’s activities create or modify a “system of records” within the meaning of the Privacy Act.

Companies seeking to offer public-facing online services to federal agencies may wish to review OIRA’s regulations in detail to ensure that an agency conducting a PIA will reach a favorable conclusion.  Additionally, in a privacy “green paper” released in December 2010, the Department of Commerce suggested that companies should undertake their own PIAs and make public the results before introducing new technologies.  Commerce intends to issue a final, revised privacy report that will update its December 2010 release, and it is possible that OIRA’s PIA could serve as a model if Commerce continues to advocate use of PIAs for private companies.