OMB wants public input on privacy impact assessments

A forthcoming request for information includes questions about how agencies procure data about Americans from commercial sources.

The Office of Management and Budget wants to know how privacy impact assessments, the analyses that agencies are required to conduct of the government’s use of personal information about individuals, might be improved. A forthcoming request for information is scheduled to be published Tuesday.

The executive order on artificial intelligence issued by the Biden administration last fall required the RFI as a way “to inform potential revisions” to how agencies are directed by OMB to do the assessments.

OMB wants to know how the PIA process might be improved to better protect privacy, especially as artificial intelligence and other technological advancements present new risks. 

The assessments are required from agencies by the E-Government Act of 2002 and associated OMB guidance. Meant to be both an analytical tool and a transparency mechanism for the public, the assessments include details like what information is being collected and why, as well as how it will be shared and secured.

Still, a 2022 Government Accountability Office report found that agencies don’t actually do PIAs early enough to be able to use them in decision-making and that agencies might not be aware of all the systems requiring PIAs, either. 

“We’re glad that it’s being addressed through the AI framework, but this is so long overdue,” Jake Wiener, counsel at the Electronic Privacy Information Center, told Nextgov/FCW. “It needed to be done regardless.”

Among his concerns about PIAs: they’re often pre-decisional, as GAO reported, and can’t force an agency to address identified privacy risks; they can also be incomplete; and they aren’t always made public, he said.

OMB wants insight on how to improve its guidance to agencies on the assessments, what the best practices for PIAs are and other potential improvements.

The request also seeks input on the role PIAs should have in how agencies report their use of commercially available information that contains people’s personal details, such as location data. 

The government’s use of such information is an issue in the news this week, as Sen. Ron Wyden, D-Wash., revealed that the National Security Agency purchases data about Americans’ internet use from data brokers without warrants.

Beyond the PIA, the executive order also included directions for OMB to “evaluate and take steps to identify” the personal information agencies purchase, although it excludes information used for national security purposes, and evaluate the standards associated with that data for potential guidance to agencies.

In terms of PIAs, Wiener noted that they’re “notoriously bad about identifying in sufficient detail the datasets the systems operate on… and identifying specifically where information is coming from.”

The RFI asks about the role the assessments should play in how agencies report their use of this commercial data. It also wants insight into the privacy risks specific to using that information, as well as insight into how OMB might update guidance to improve how agencies address risks in this area. 

Currently, guidance requires agencies to do PIAs when incorporating data into their systems, including data from commercial sources. But PIAs aren’t necessarily required for agencies “[m]erely querying such a source on an ad hoc basis using existing technology,” the RFI notes.

Finally, OMB is also concerned specifically about the intersection of current assessment requirements and AI — which has the potential to automate and supercharge surveillance, sweep up massive amounts of personal data to be built and more, said Wiener. 

OMB is taking comments through March 30.