Feds to Undergo Privacy Training Under OMB’s New IT Guidance
Everyone who touches data must execute best practices to curb risk, advocate says.
White House guidance for streamlining information technology management will impose important new privacy training requirements on employees across government, a privacy expert tells Government Executive. Administration officials expect to finalize the guidelines in December.
On Oct. 21, the Office of Management and Budget released for public comment the first revisions in 15 years to OMB Circular No. A-130 aimed at improving management of IT investments, tightening information security practices and streamlining governmentwide acquisition of new technology.
Some unnamed sources in agencies and the IT industry have expressed concerns about adding new layers of approval for cloud access certification to protect both personally identifiable information as well as overall system security. But Trevor Hughes, president and CEO of the International Association of Privacy Professionals, welcomes the coming requirement as a “sophisticated reflection on how privacy has evolved and arrived in today’s modern organization.”
The circular’s revised Appendix I on managing and protecting personally identifiable information provides what Hughes considers “best practices” to retain confidentiality in line with privacy controls outlined by the National Institute of Standards and Technology. The revisions to A-130—the first in 15 years—also will include a requirement that agencies designate a senior agency official for privacy (called a SAOP) to conduct regular privacy impact statements.
“The guidance will establish enforceable rules of behavior for employees and contractors, including role-based training,” which is a notable development, Hughes said on Friday. Benchmarks for such standards and practices have been evolving since the 1970s, so this “is an appropriate and right step for the federal government.”
Appointing a senior agency official for privacy is important for providing “leadership of a robust team of professionals,” Hughes said.
Best practices require that anyone touching the organization’s data “needs to understand enough about data management to not make a stupid decision,” Hughes said. “Everyone who touches data is a risk factor with regard to privacy.” That means don’t leave files open on desks, talk about someone’s tax records in the elevator, or snoop around health records, he said.
The training can be role-based, Hughes added. “One size will not fit all.”
The comment period for revisions ends Nov. 20.