OMB has told agencies to assess the “management, structure, and operation” of their privacy programs within 60 days.
The assessment is to address issues including the financial, personnel and infrastructure resources they need to carry out their privacy-related responsibilities, taking into account factors such as their size and geographic structure; their mission; the volume, sensitivity and uses of personally identifiable information; the privacy risks associated with such information; and the IT resources needed, including planned investments.
The memo follows an executive order issued in February that, among other things, created the Federal Privacy Council to oversee policies on creating, collecting, using, storing and disclosing personally identifiable information.
Memo M-16-24 says there have been “significant changes in law, policy and technology” since OMB’s most recent guidance of a decade ago. “Agencies’ use of these technologies presents complex questions and has led to new challenges when protecting privacy,” it says.
The memo further specifies the level, expertise and authority that each agency’s senior privacy official should have, adding that “agencies should recognize that privacy and security are independent and separate disciplines” that often require different expertise and different approaches. It also lays out the responsibilities for policy making, compliance and risk management.