Request for Information: Privacy Impact Assessments, 5945-5947 [2024-01756]
Federal Register / Vol. 89, No. 20 / Tuesday, January 30, 2024 / Notices
that is created to carry out its statutory
responsibilities.55
2. Indicia of Endorsement and Support
The Office requests information from
the Digital Licensee Coordinator
regarding whether it continues to be
‘‘endorsed by and enjoy[] substantial
support from digital music providers
and significant nonblanket licensees
that together represent the greatest
percentage of the licensee market for
uses of musical works in covered
activities, as measured over the
preceding 3 calendar years.’’ 56
3. Administrative Capabilities and
Governance
The DLC must have the
administrative capabilities to perform
its statutory functions.57 The Office
requests a detailed description of the
Digital Licensee Coordinator’s
administrative capabilities and its
performance of the following functions:
i. Governance
The Office requests a copy of the
Digital Licensee Coordinator’s current
bylaws, including a summary of changes
made, if any, from its initial bylaws. To
the extent not addressed by its bylaws,
the Office also requests a summary of its
governance structure, criteria for
membership, and dues paid by its
members. Lastly, the Office requests a
list of the Digital Licensee Coordinator’s
current members, and a description of
its efforts to grow its membership to
other DMPs, and any challenges related
to such efforts.
ii. Notice and Payment Obligations
The Office requests information
addressing the Digital Licensee
Coordinator’s efforts to enforce notice
and payment obligations with respect to
the administrative assessment,
including: (1) how it is coordinating
such efforts with the Mechanical
Licensing Collective; and (2) the extent
to which it is disclosing information to,
and receiving information from, the
Mechanical Licensing Collective on this
topic.
iii. Participation in Proceedings Before
the Copyright Office and Copyright
Royalty Judges
The Office requests a summary of the
Digital Licensee Coordinator’s
participation in Office or Copyright
Royalty Judge proceedings, including:
(1) participating in proceedings before
the Copyright Royalty Judges to
establish the administrative assessment;
(2) gathering and providing
documentation for use in proceedings
before the Copyright Royalty Judges to
set rates and terms under the
mechanical license; and (3)
participating in proceedings before the
Office with respect to activities
regarding the blanket license.58
55 17 U.S.C. 115(d)(5)(A)(i).
56 Id. at 115(d)(5)(A)(ii).
57 Id. at 115(d)(5)(A)(iii).
iv. Maintaining Records of the Digital
Licensee Coordinator’s Activities
The Office requests a description of
how the Digital Licensee Coordinator is
maintaining records of its activities,
including efforts to ensure that
confidential, private, proprietary, or
privileged information contained in its
records is not improperly disclosed or
used.59
v. Assistance With Publicity for
Unclaimed Royalties
The MMA directs the DLC to ‘‘make
reasonable, good-faith efforts to assist
the mechanical licensing collective . . .
by encouraging digital music providers
to publicize the existence of the
collective and the ability of copyright
owners to claim unclaimed accrued
royalties.’’ 60 The Office requests a
detailed description of the steps that the
Digital Licensee Coordinator has taken
to fulfill this requirement, including
whether all its members have posted the
MLC’s contact information in a
prominent location on their websites
and applications.61 The Office also
requests a summary of the Digital
Licensee Coordinator’s in-person
outreach activities with songwriters.62
The Digital Licensee Coordinator is
encouraged to provide any other
information that it believes is relevant to
demonstrate it continues to meet the
statutory designation criteria.
IV. Public Participation
Interested members of the public are
encouraged to comment on the topics
addressed in the designees’ submissions
or raised by the Office in this
notification of inquiry.63 Commenters
may also address any topics relevant to
this periodic review of the MLC and
DLC designations. Without prejudice to
its review of the current designations,
the Office hopes that this proceeding
will serve as an opportunity for any
songwriter, publisher, or DMP who
wishes to express concerns, satisfaction,
or priorities with respect to the
administration of the MMA’s blanket
licensing regime to do so, and that any
designated MLC or DLC will use that
feedback to continually improve its
services.
58 Id. at 115(d)(5)(C)(i)(III)–(V).
59 Id. at 115(d)(5)(C)(i)(VI), (d)(12)(C).
60 See id. at 115(d)(5)(C)(iii).
61 Id. at 115(d)(5)(C)(iii)(I).
62 Id. at 115(d)(5)(C)(iii)(II).
63 Submissions by the Mechanical Licensing
Collective and Digital Licensee Coordinator will be
found on the Office’s website at
https://www.copyright.gov/rulemaking/mma-designations/2024
approximately sixty days after the publication
of this Notification of Inquiry.
Dated: January 25, 2024.
Suzanne V. Wilson,
General Counsel and Associate Register of
Copyrights.
[FR Doc. 2024–01781 Filed 1–29–24; 8:45 am]
BILLING CODE 1410–30–P
NATIONAL SCIENCE FOUNDATION
Sunshine Act Meetings
FEDERAL REGISTER CITATION OF PREVIOUS ANNOUNCEMENT: The meeting was
noticed on January 25, 2024, at 89 FR 4998.
PREVIOUSLY ANNOUNCED TIME AND DATE OF THE MEETING: Monday, January 26, 2024,
from 3:00–5:00 p.m. Eastern.
CHANGE IN THE MEETING: The correct date
for the meeting is Monday, January 29,
2024. The time remains the same.
CONTACT PERSON FOR MORE INFORMATION:
Point of contact for this meeting is:
Chris Blair, cblair@nsf.gov, 703/292–7000.
Christopher Blair,
Executive Assistant to the National Science
Board Office.
[FR Doc. 2024–01851 Filed 1–26–24; 11:15 am]
BILLING CODE 7555–01–P
OFFICE OF PERSONNEL MANAGEMENT
Submission for Review: 3206–0201,
Federal Employees Health Benefits
(FEHB) Open Season Express
Interactive Voice Response (IVR)
System and Open Season Website
AGENCY: Office of Personnel Management.
ACTION: 30-Day notice and request for
comments.
SUMMARY: The Office of Personnel
Management (OPM), Retirement
Services, offers the general public and
other Federal agencies the opportunity
to comment on an expiring information
collection request (ICR), with change:
3206–0201, Federal Employees Health
Benefits (FEHB) Open Season Express
Interactive Voice Response (IVR) System
and the Open Season website, Open
Season Online.
DATES: Comments are encouraged and
will be accepted until February 29,
2024.
ADDRESSES: Interested persons are
invited to submit written comments on
the proposed information collection to
the Office of Information and Regulatory
Affairs, Office of Management and
Budget, 725 17th Street NW,
Washington, DC 20503, Attention: Desk
Officer for the Office of Personnel
Management or sent via electronic mail
to oira_submission@omb.eop.gov or
faxed to (202) 395–6974.
FOR FURTHER INFORMATION CONTACT: A
copy of this ICR, with applicable
supporting documentation, may be
obtained by contacting the Retirement
Services Publications Team, Office of
Personnel Management, 1900 E Street
NW, Room 3316–L, Washington, DC
20415, Attention: Cyrus S. Benson, or
sent via electronic mail to
RSPublicationsTeam@opm.gov or faxed
to (202) 606–0910 or via telephone at
(202) 936–0403.
SUPPLEMENTARY INFORMATION: As
required by the Paperwork Reduction
Act of 1995 (Pub. L. 104–13, 44 U.S.C.
chapter 35), as amended by the Clinger-Cohen Act (Pub. L. 104–106), OPM is
soliciting comments for this collection.
This information collection (OMB No.
3206–0201) was previously published in
the Federal Register on November 14,
2023, at 88 FR 78069, allowing for a 60-day public comment period. No
comments were received for this
collection. The purpose of this notice is
to allow an additional 30 days for public
comments. The Office of Management
and Budget is particularly interested in
comments that:
1. Evaluate whether the proposed
collection of information is necessary
for the proper performance of the
functions of the agency, including
whether the information will have
practical utility;
2. Evaluate the accuracy of the
agency’s estimate of the burden of the
proposed collection of information,
including the validity of the
methodology and assumptions used;
3. Enhance the quality, utility, and
clarity of the information to be
collected; and
4. Minimize the burden of the
collection of information on those who
are to respond, including through the
use of appropriate automated,
electronic, mechanical, or other
technological collection techniques or
other forms of information technology,
e.g., permitting electronic submissions
of responses.
Federal Employees Health Benefits
(FEHB) Open Season Express Interactive
Voice Response (IVR) System, and the
Open Season website, Open Season
Online, are used by retirees and
survivors. They collect information for
changing FEHB enrollments, collecting
dependent and other insurance
information for self and family
enrollments, requesting plan brochures,
requesting a change of address,
requesting cancellation or suspension of
FEHB benefits, asking to make payment
to the Office of Personnel Management
when the FEHB payment is greater than
the monthly annuity amount, or for
requesting FEHB plan accreditation and
Customer Satisfaction Survey
information.
The revisions are as follows: The
Open Season enrollment dates have
been updated to reflect the upcoming
benefits year of 2024 and enrollment
period of November 13, 2023 through
December 11, 2023. The Public Burden
[Federal Register Volume 89, Number 20 (Tuesday, January 30, 2024)]
[Notices]
[Pages 5945-5947]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-01756]
=======================================================================
-----------------------------------------------------------------------
OFFICE OF MANAGEMENT AND BUDGET
Request for Information: Privacy Impact Assessments
AGENCY: Office of Management and Budget.
ACTION: Request for information.
-----------------------------------------------------------------------
SUMMARY: Pursuant to the Executive order on Safe, Secure, and
Trustworthy Development and Use of Artificial Intelligence, the Office
of Management and Budget (OMB) is requesting public input on how
privacy impact assessments (PIAs) may be more effective at mitigating
privacy risks, including those that are further exacerbated by
artificial intelligence (AI) and other advances in technology and data
capabilities.
DATES: Consideration will be given to written comments received by
April 1, 2024.
ADDRESSES: Please submit comments via https://www.regulations.gov/ and
follow the instructions for submitting comments. Public comments are
valuable, and they will inform any potential updates to relevant OMB
guidance; however, OMB will not respond to individual submissions.
Privacy Act Statement: OMB is issuing this request for information
(RFI) pursuant to Executive Order 14110 on Safe, Secure, and
Trustworthy Development and Use of Artificial Intelligence.\1\
Submission of comments in response to this RFI is voluntary. Comments
may be used to inform sound decision making on topics related to this
RFI, including potential updates to guidance. Please note that
submissions received in response to this notice may be posted on
https://www.regulations.gov/ or otherwise released in their entirety,
including any personal information, business confidential information,
or other
sensitive information provided by the commenter. Do not include in your
submissions any copyrighted material; information of a confidential
nature, such as personal or proprietary information; or any information
you would not like to be made publicly available. Comments are
maintained under the OMB Public Input System of Records, OMB/INPUT/01;
the system of records notice accessible at 88 FR 20913 (https://www.federalregister.gov/documents/2023/04/07/2023-07452/privacy-act-of-1974-system-of-records) includes a list of routine uses associated with
the collection of this information.
---------------------------------------------------------------------------
\1\ E.O. No. 14110, 88 FR 75191 (Nov. 1, 2023).
---------------------------------------------------------------------------
FOR FURTHER INFORMATION CONTACT: Alex Goodenough, Office of Management
and Budget, via email at MBX.OMB.PIA_RFI_FY24@omb.eop.gov or via phone
at 202-395-3039.
SUPPLEMENTARY INFORMATION: Privacy safeguards are foundational to the
Executive Branch's ability to maintain the public's trust, and analysis
of privacy risks associated with the various activities of Executive
Branch departments and agencies (``agencies'') is key to establishment
of those safeguards. PIAs are a tool that agencies use to conduct that
analysis. Indeed, as described in OMB's Circular No. A-130, Managing
Information as a Strategic Resource, ``[a] PIA is one of the most
valuable tools Federal agencies use to ensure compliance with
applicable privacy requirements and manage privacy risks.'' \2\ In
addition to being a key analytical tool, PIAs also make available to
the public agencies' analysis of privacy risks and safeguards put in
place to mitigate those risks.
---------------------------------------------------------------------------
\2\ Off. of Mgmt. & Budget, Exec. Off. of the President,
Circular No. A-130, Managing Information as a Strategic Resource
app. II, section 5(e) (July 28, 2016), available at https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf.
---------------------------------------------------------------------------
Requirements exist in statute and in OMB guidance for how agencies
conduct and publish PIAs. Section 208 of the E-Government Act
establishes minimum requirements for PIAs, and it requires the OMB
Director to issue guidance on the required contents of PIAs.\3\ OMB
M-03-22, OMB Guidance for Implementing the Privacy Provisions of the
E-Government Act of 2002, requires agencies to ``conduct privacy impact
assessments for electronic information systems and collections and, in
general, make them publicly available.'' \4\ Additionally, it includes
requirements related to certain agency contractors. OMB reinforced and
built on the requirements in OMB M-03-22 through additional guidance on
PIAs in OMB M-10-23, Guidance for Agency Use of Third-Party websites
and Applications,\5\ and in OMB Circular No. A-130.
---------------------------------------------------------------------------
\3\ E-Government Act of 2002, Public Law 107-347, section
208(b)(2), (3), 116 Stat. 2899, 2921 (codified as amended at 44
U.S.C. 3501 note).
\4\ Off. of Mgmt. & Budget, Exec. Off. of the President, OMB
M-03-22, OMB Guidance for Implementing the Privacy Provisions of the
E-Government Act of 2002, attach. A, section I.A.a (Sept. 30, 2003),
available at https://www.whitehouse.gov/wp-content/uploads/2017/11/203-M-03-22-OMB-Guidance-for-Implementing-the-Privacy-Provisions-of-the-E-Government-Act-of-2002-1.pdf.
\5\ Off. of Mgmt. & Budget, Exec. Off. of the President, OMB
M-10-23, Guidance for Agency Use of Third-Party websites and
Applications (June 25, 2010), available at https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2010/m10-23.pdf.
---------------------------------------------------------------------------
As agency programs and services increasingly rely on rapidly
advancing technology and data capabilities (e.g., artificial
intelligence), the privacy risk landscape also is evolving. Existing
privacy risks are escalating, and new privacy risks are emerging. It is
important to hear from the public as OMB considers what updates to PIA
guidance may be necessary to ensure that PIAs continue to facilitate
robust analysis and transparency about how agencies address these
evolving privacy risks.
Seeking Input on Improving the Use of PIAs To Mitigate Privacy Risks
OMB developed this RFI in consultation with the Department of
Justice, National Economic Council, and Office of Science and
Technology Policy, in accordance with Executive Order 14110. OMB seeks
responses to the following questions:
Role of PIAs in Addressing and Mitigating Privacy Risks
1. A wide range of privacy risks are associated with the creation,
collection, use, processing, storage, maintenance, dissemination,
disclosure, and disposal of personally identifiable information (PII).
What improvements to OMB guidance on PIAs as analytical tools and
notices to the public would assist agencies in identifying, addressing,
and mitigating these risks, including when an agency:
a. Develops, procures, or uses information technology to handle
PII;
b. Initiates, consistent with the Paperwork Reduction Act, a new
electronic collection of information that contains PII;
c. Uses a third-party website or application that makes PII
available to the agency; or
d. Engages in a relevant cross-agency initiative that involves PII?
2. What other models or best practices for conducting and
documenting PIAs or similar analyses could improve agencies' PIAs?
a. Are there approaches to analyzing and documenting how an entity
addresses and mitigates privacy risks used by non-federal government
entities, specific sectors or industries, academia, or civil society
that OMB should consider?
b. Are there similar approaches to analyzing and documenting how an
entity addresses and mitigates other risks in information governance
(e.g., security risks) that OMB should consider from other federal
guidance or frameworks?
3. What guidance should OMB consider providing to agencies to help
reduce any duplication that may arise in preparing PIAs along with
other assessments focused on managing risks (e.g., security
authorization packages or the AI impact assessments proposed in OMB's
Draft Memorandum on Advancing Governance, Innovation, and Risk
Management for Agency Use of Artificial Intelligence \6\) and to
support these assessments' different functions?
---------------------------------------------------------------------------
\6\ OMB released for public comment a draft memorandum on agency
use of AI. See Off. of Mgmt. & Budget, Exec. Off. of the President,
Draft Memorandum on Advancing Governance, Innovation, and Risk
Management for Agency Use of Artificial Intelligence (Nov. 2023),
available at https://ai.gov/wp-content/uploads/2023/11/AI-in-Government-Memo-Public-Comment.pdf.
---------------------------------------------------------------------------
Role of PIAs in Facilitating Transparency
4. What role do PIAs play in your search for information about how
agencies handle PII and address privacy risks? For what purpose(s) do
you read agencies' PIAs?
5. What improvements to PIAs would help you better understand
agencies' assessment of privacy impacts and risk mitigation strategies?
a. What improvement(s) would you recommend to make it easier to
find and access agencies' PIAs?
b. What improvement(s) would you recommend to make it easier to
read and understand agencies' PIAs?
6. How can agencies increase awareness of PIAs among stakeholders?
Privacy Risks Associated With Advances in Technology and Data
Capabilities, Including AI
7. AI and AI-enabled systems used by agencies can rely on data that
include PII, and agencies may develop those systems or procure them
from the private sector.
a. What privacy risks specific to the training, evaluation, or use
of AI and AI-enabled systems (e.g., related to AI system inputs and
outputs, including
inferences and assumptions; obtaining consent to use the data involved
in these activities; or AI-facilitated reidentification) should
agencies consider when conducting PIAs?
b. What guidance updates should OMB consider to improve how
agencies address and mitigate the privacy risks that may be associated
with their use of AI?
8. What role should PIAs play in how agencies identify and report
on their use of commercially available information (CAI) \7\ that
contains PII?
---------------------------------------------------------------------------
\7\ Section 3(f) of Executive Order 14110 defines ``commercially
available information'' as ``any information or data about an
individual or group of individuals, including an individual's or
group of individuals' device or location, that is made available or
obtainable and sold, leased, or licensed to the general public or to
governmental or non-governmental entities.'' 88 FR 75194.
---------------------------------------------------------------------------
a. What privacy risks specific to CAI should agencies consider when
conducting PIAs?
b. OMB M-03-22 requires PIAs ``when agencies systematically
incorporate into existing information systems databases of information
in identifiable form purchased or obtained from commercial or public
sources,'' while noting that ``[m]erely querying such a source on an ad
hoc basis using existing technology does not trigger the PIA
requirement.'' \8\ What guidance updates should OMB consider to improve
how agencies address and mitigate the privacy risks that may be
associated with their use of CAI that contains PII?
---------------------------------------------------------------------------
\8\ OMB M-03-22, attach. A, section II.B.b.6.
---------------------------------------------------------------------------
9. What guidance updates should OMB consider to improve how
agencies address and mitigate the privacy risks that may be associated
with their use of other emerging technology and data capabilities?
Other Considerations
10. What else could help promote greater effectiveness and
consistency across agencies in how they approach PIAs?
11. What else should OMB consider when evaluating potential updates
to its guidance on PIAs?
Richard L. Revesz,
Administrator, Office of Information and Regulatory Affairs.
[FR Doc. 2024-01756 Filed 1-26-24; 8:45 am]
BILLING CODE 3110-01-P