Privacy Requirements and Best        Practices for Uses ofThird-Party Websites and Applications                June 2011
AgendaWhat is Privacy?What is a Third-Party Website and Application (TPWA)?What Do I Need to Do?6/27/2011           TPW...
What is Privacy?Notice/AwarenessChoice/ConsentAccess/ParticipationIntegrity/SecurityEnforcement/Redress6/27/2011     ...
What is a TPWA? TPWAs are defined as Web-based  technologies that are not exclusively  operated or controlled by a govern...
What is a TPWA?Office of Management and Budget (OMB) Memorandum (M)10-23, Guidance for Agency Use of Third-Party Websites...
What Do I Need to Do?1. Inventory current and proposed uses of TPWAs.2. Review and assess the privacy policy of the TPWA p...
An example of OMB M-10-23 Updates (notcomprehensive)   – Twitter             Apply appropriate              branding.    ...
Each TPWA may require slightly differentimplementation of the requirements – Facebook                                     ...
Complete a TPWA PIA QuestionnaireStep 1: Complete TPWA PIA questionnaireStep 2: Submit completed questionnaire to your S...
Getting StartedStep 1: Coordinate TPWA Privacy Compliance with your OPDIV SOPStep 2: Review TPWA Resources6/27/2011     ...
TPWA Resources on the OCIO Intranethttp://intranet.hhs.gov/it/cybersecurity/privacy/index.htmlTPWA PIA Standard Operating...
Contact Information                      The HHS Cybersecurity Program                        Telephone: (202) 205-9581   ...
Upcoming SlideShare
Loading in …5
×

Third Party Websites and Applications - Kris O'Neil (HHS Cybersecurity)

1,165 views

Published on

Published in: Technology, News & Politics
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,165
On SlideShare
0
From Embeds
0
Number of Embeds
316
Actions
Shares
0
Downloads
5
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Third Party Websites and Applications - Kris O'Neil (HHS Cybersecurity)

  1. 1. Privacy Requirements and Best Practices for Uses ofThird-Party Websites and Applications June 2011
  2. 2. AgendaWhat is Privacy?What is a Third-Party Website and Application (TPWA)?What Do I Need to Do?6/27/2011 TPWA Privacy Requirements Page 2
  3. 3. What is Privacy?Notice/AwarenessChoice/ConsentAccess/ParticipationIntegrity/SecurityEnforcement/Redress6/27/2011 TPWA Privacy Requirements Page 3
  4. 4. What is a TPWA? TPWAs are defined as Web-based technologies that are not exclusively operated or controlled by a government entity, or Web-based technologies that involve significant participation of a nongovernment entity. Often these technologies are located on a ‘.com’ Website or other location that is not part of an official government domain. However, third-party applications can also be embedded or incorporated on an agency’s official Website.6/27/2011 TPWA Privacy Requirements Page 4
  5. 5. What is a TPWA?Office of Management and Budget (OMB) Memorandum (M)10-23, Guidance for Agency Use of Third-Party Websites and Applications, allows the use of TPWAs in support of Open Government principles.The purpose of the Memorandum is to ensure that agency uses of TPWAs protect privacy and are consistent with the law through: – Transparency of privacy policies; – Notification of individuals; and – Careful analysis of the privacy implications whenever Federal agencies choose to use TPWAs to engage the public.6/27/2011 TPWA Privacy Requirements Page 5
  6. 6. What Do I Need to Do?1. Inventory current and proposed uses of TPWAs.2. Review and assess the privacy policy of the TPWA prior to using the third- party’s services.3. Update TPWA Privacy Practices a) Update Operating Division (OPDIV) Privacy Policy and Machine-Readable Privacy Policy to describe the use of a TPWA. b) Post a Privacy Notice on the TPWA (when feasible). c) Implement alerts or statements notifying the public when redirected to a nongovernmental Website that may have different privacy policies. (Sample language on page 5 of HHS Office of the Chief Information (OCIO) Memorandum, Implementation of OMB M-10-22 and M-10-23). d) Apply appropriate branding to distinguish OPDIV activities on a TPWA.4. Conduct a TPWA privacy impact assessment (PIA) on each use of a TPWA using the TPWA PIA form.6/27/2011 TPWA Privacy Requirements Page 6
  7. 7. An example of OMB M-10-23 Updates (notcomprehensive) – Twitter  Apply appropriate branding.  Post a privacy notice, when feasible.  Add a popup alert or disclaimer where the .gov site directs the visitor to the TPWA.6/27/2011 TPWA Privacy Requirements Page 7
  8. 8. Each TPWA may require slightly differentimplementation of the requirements – Facebook – YouTube  Add a tab for the “Privacy Notice”  Within the video information, add a link to the official .gov website and Privacy Notice.6/27/2011 TPWA Privacy Requirements Page 8
  9. 9. Complete a TPWA PIA QuestionnaireStep 1: Complete TPWA PIA questionnaireStep 2: Submit completed questionnaire to your Senior Official for Privacy (SOP) for review and approvalStep 3: Periodically review practices on the TPWA to ensure the TPWA PIA responses are current6/27/2011 TPWA Privacy Requirements Page 9
  10. 10. Getting StartedStep 1: Coordinate TPWA Privacy Compliance with your OPDIV SOPStep 2: Review TPWA Resources6/27/2011 TPWA Privacy Requirements Page 10
  11. 11. TPWA Resources on the OCIO Intranethttp://intranet.hhs.gov/it/cybersecurity/privacy/index.htmlTPWA PIA Standard Operating Procedures – Included a question-by-question guide of the TPWA PIA questionnaire – Includes example TPWA PIAsTWAP PIA Training offered bi-weekly on Fridays at 1pm. Next training on Friday, June 24th. Email hhs.cybersecurity@hhs.gov for information. – Background – Requirements – Process – QuestionnaireTPWA Frequently Asked Questions6/27/2011 TPWA Privacy Requirements Page 11
  12. 12. Contact Information The HHS Cybersecurity Program Telephone: (202) 205-9581 Email: HHS.Cybersecurity@hhs.gov Intranet: http://intranet.hhs.gov/infosec/index.html6/27/2011 TPWA Privacy Requirements Page 12

×