Request for Information: Executive Branch Agency Handling of Commercially Available Information Containing Personally Identifiable Information, 83517-83519 [2024-23773]

Agencies

• Management and Budget Office

[Federal Register Volume 89, Number 200 (Wednesday, October 16, 2024)]
[Notices]
[Pages 83517-83519]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-23773]


=======================================================================
-----------------------------------------------------------------------

OFFICE OF MANAGEMENT AND BUDGET


Request for Information: Executive Branch Agency Handling of 
Commercially Available Information Containing Personally Identifiable 
Information

AGENCY: Office of Management and Budget.

ACTION: Notice of request for information.

-----------------------------------------------------------------------

SUMMARY: As part of its implementation of Executive order, Safe, 
Secure, and Trustworthy Development and Use of Artificial Intelligence, 
the Office of Management and Budget (OMB) is requesting public input on 
issues related to Federal agency collection, processing, maintenance, 
use, sharing, dissemination, and disposition of commercially available 
information (CAI) containing personally identifiable information (PII).

DATES: Consideration will be given to written comments received by 
December 16, 2024.

ADDRESSES: Please submit comments via https://www.regulations.gov/ and 
follow the instructions for submitting comments. Public comments are 
valuable, and they will inform any potential updates to relevant OMB 
guidance; however, generally OMB will not respond to or address 
individual submissions.
    Privacy Act Statement: OMB is issuing this request for information 
(RFI) as part of its implementation of Executive Order 14110, Safe, 
Secure, and Trustworthy Development and Use of Artificial 
Intelligence,\1\ pursuant to OMB's statutory authorities to set 
policies for Executive Branch agencies' management of information 
resources, including CAI containing PII.\2\ Submission of comments in 
response to this RFI is voluntary. Comments may be used to inform sound 
decision making on topics related to this RFI, including potential 
updates to guidance. Please note that submissions received in response 
to this notice may be posted on https://www.regulations.gov/ or 
otherwise released in their entirety, including any personal 
information, business confidential information, or other sensitive 
information provided by the commenter. Do not include in your 
submissions any copyrighted material; information of a confidential 
nature, such as personal or proprietary information; or any information 
you would not like to be made publicly available. Comments and 
commenter information are maintained under the OMB Public Input System 
of Records, OMB/INPUT/01; the system of records notice is accessible at 
88 FR 20913 (https://www.federalregister.gov/documents/2023/04/07/2023-07452/privacy-act-of-1974-system-of-records) and includes a list of 
routine uses associated with the collection of this information.
---------------------------------------------------------------------------

    \1\ Exec. Order 14110, 88 FR 75191 (Nov. 1, 2023).
    \2\ See, e.g., 44 U.S.C. 3504(a); 5 U.S.C. 552a(v).

FOR FURTHER INFORMATION CONTACT: Kevin Herms, Office of Management and 
Budget, via email at [email protected] or phone at 202-
---------------------------------------------------------------------------
395-3200.

SUPPLEMENTARY INFORMATION: Commercially available information (CAI) 
takes many forms and, when used responsibly, supports many of the 
missions carried out by Executive Branch departments and agencies 
(``agencies'') on behalf of the American people. Section 3(f) of 
Executive Order 14110 defines CAI as ``any information or data about an 
individual or group of individuals, including an individual's or group 
of individuals' device or location, that is made available or 
obtainable and sold, leased, or licensed to the general public or to 
governmental or non-governmental entities.'' \3\ CAI also may include 
PII, which OMB Circular No. A-130 defines as ``information that can be 
used to distinguish or trace an individual's identity, either alone or 
when combined with other information that is linked or linkable to a 
specific individual.'' CAI may be collected from multiple sources, 
including public records, and licensed,

[[Page 83518]]

sold, or otherwise transferred by companies, including those commonly 
known as data brokers, to a variety of customers, including marketers, 
researchers, and Federal, state, local, and tribal government agencies.
---------------------------------------------------------------------------

    \3\ 88 FR 75194.
---------------------------------------------------------------------------

    While responsible use of CAI may support agency missions, an 
agency's collection, processing, maintenance, use, sharing, 
dissemination, and disposition (hereafter ``handling'') of CAI 
containing PII also can present privacy risks. For example, factors 
including the sensitivity and volume of PII contained in some CAI may 
exacerbate privacy risks and limit the application of key principles 
that are foundational to agency handling of PII, such as data 
minimization, transparency, and individual participation. As discussed 
in OMB Circular A-130, when considering the privacy risks associated 
with their handling of PII, agencies are responsible for evaluating the 
sensitivity of the data elements individually and when grouped 
together, as well as considering the volume of PII. These 
considerations are particularly important for agency handling of CAI, 
as participants in an August 2023 White House roundtable on data broker 
practices ``explained how data brokers purchase or acquire large 
volumes of exceedingly detailed data about people including geolocation 
and health information--often without their knowledge or consent.'' \4\ 
As highlighted in Executive Order 14110, such privacy risks may be 
further exacerbated by artificial intelligence (AI) facilitating the 
collection or use of information about individuals, and the making of 
inferences about individuals. The readout from the White House 
roundtable addresses that concern as well, noting that ``[r]ecent 
advancements in artificial intelligence, attendees cautioned, have 
rapidly expanded data brokers' abilities to draw inferences about 
individuals' lifestyles, desires, and weaknesses, and are incentivizing 
rampant data collection to fuel their development.'' \5\
---------------------------------------------------------------------------

    \4\ Readout of White House Roundtable on Protecting Americans 
from Harmful Data Broker Practices, White House (Aug. 16, 2023), 
https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/16/readout-of-white-house-roundtable-on-protecting-americans-from-harmful-data-broker-practices/.
    \5\ Id.
---------------------------------------------------------------------------

    Executive Order 14110 identified agency practices related to CAI, 
particularly CAI that contains PII and including CAI procured from data 
brokers and CAI procured and processed indirectly through vendors, as 
an area for OMB to evaluate in relation to mitigating privacy risks 
potentially exacerbated by AI. Specifically, section 9(a)(i) and (ii) 
of Executive Order 14110 instructs OMB to ``evaluate and take steps to 
identify [CAI] procured by agencies, particularly CAI that contains 
[PII]'' and ``evaluate . . . agency standards and procedures associated 
with the [handling] of CAI that contains [PII].''
    As part of its implementation of Executive Order 14110, OMB is 
seeking public comment and input for OMB's consideration as it 
evaluates agency policies and procedures associated with the handling 
of CAI containing PII and assesses how agencies may mitigate privacy 
risks specifically arising from their handling of CAI containing PII. 
Per section 9(a)(i) and (ii) of Executive Order 14110, OMB's work in 
this area and therefore the scope of this RFI does not include CAI 
containing PII when it is used for the purposes of national 
security.\6\
---------------------------------------------------------------------------

    \6\ 88 FR 75217. For an example of work addressing this topic in 
the national security context, see the Intelligence Community Policy 
Framework for CAI issued by the Office of the Director of National 
Intelligence, available at https://www.dni.gov/files/ODNI/documents/CAI/Commercially-Available-Information-Framework-May2024.pdf.
---------------------------------------------------------------------------

Seeking Public Input on Agencies' Responsible Handling of CAI 
Containing PII

    OMB seeks responses to the following questions:

General Considerations

    1. How does AI potentially exacerbate privacy risks associated with 
agency handling of CAI containing PII?
    a. What are the key privacy risks associated with agencies' 
handling of CAI containing PII that OMB should consider and why?
    2. What frameworks, models, or best practices should OMB consider 
as it evaluates agency standards and procedures associated with the 
handling of CAI containing PII and considers potential guidance to 
agencies on ways to mitigate privacy risks from agencies' handling of 
CAI containing PII?
    3. What, if any, changes to its current guidance should OMB 
consider to improve how agencies address and mitigate the privacy risks 
that may be associated with their handling of CAI containing PII?
    a. Are there specific policies, standards, or procedures governing 
agencies' handling of CAI containing PII that OMB should include in 
guidance?
    4. What, if any, implementation or other challenges could arise 
with using the definition of CAI in Executive Order 14110 to govern 
agency handling of CAI containing PII?
    a. What, if any, aspects of the definition should OMB seek to 
clarify through guidance to address any such challenges?

Transparency Into Agency Handling of CAI Containing PII

    5. Agencies provide transparency into the handling of PII through 
various means (e.g., policies and directives, Privacy Act statements 
and other privacy notices at the point of collection, Privacy Act 
system of records notices, privacy impact assessments). What, if any, 
improvements would enhance the public's understanding of how agencies 
handle CAI containing PII?
    6. What other approaches to sharing information with the public 
about how agencies handle CAI containing PII would be most useful, for 
example, to ensure data quality and to enhance public trust?
    a. What type of information on this topic should agencies share 
publicly?
    b. When, in what form, and to whom should agencies provide that 
information?
    c. Should agencies disclose to individuals when CAI containing PII 
is used to inform a decision with respect to those individuals (e.g., a 
determination of their eligibility for or receipt of a Federal 
benefit)?
    i. What steps could agencies take to provide individuals with an 
opportunity to seek amendment of the CAI before agencies use it to make 
such decisions?
    ii. What other steps could agencies take to verify accuracy, 
relevance, timeliness, and completeness of the CAI before using it to 
make decisions about individuals?
    7. Should agencies establish and maintain comprehensive inventories 
of CAI containing PII that they handle? Why or why not?
    a. If so, should these agency CAI inventories be publicly 
available? Why or why not?
    i. Are there any categories of CAI containing PII that should not 
be included in a public inventory? If so, what risks support that 
exclusion?
    ii. How would public CAI inventories be useful to stakeholders?
    8. Should agencies create periodic reports on their handling of CAI 
containing PII? Why or why not?
    a. If so, what information should be included in these reports, and 
to whom should OMB direct agencies to send these reports?
    b. If so, should agencies make these reports publicly available and 
by what means (e.g., post them on agency privacy program web pages)?

[[Page 83519]]

Agency Processes for Responsible Handling of CAI Containing PII

    9. Should agencies handle CAI containing PII differently depending 
on the purpose for which it is used? Why or why not?
    a. If so, what should be the criteria for any differences in 
handling CAI with PII, and what should those differences in handling 
be?
    b. What, if any, specific use cases or scenarios are examples of 
where OMB guidance should limit or restrict how agencies handle CAI 
containing PII? What risks justify those limitations or restrictions?
    c. Does agency input of CAI containing PII into an AI system, as 
defined by section 3 of Executive Order 14110, alter privacy risks and 
how?
    i. How should agencies mitigate privacy risks associated with such 
input of CAI in an AI system?
    ii. Does appropriate mitigation of privacy risks vary based on the 
type of AI system into which CAI is input and the purposes of that AI 
system? If so, how should those factors be considered in the mitigation 
of privacy risks?
    10. What, if any, factors should OMB guidance include for agencies' 
consideration in their evaluation of how they can mitigate privacy 
risks associated with their handling of CAI containing PII (e.g., 
source of the data, potential concerns with data quality, purpose of 
its use)?
    a. How should agencies document their evaluation of these factors 
related to the handling of CAI containing PII?
    b. Should agencies' evaluation of these factors related to the 
handling of CAI containing PII be made public and, if so, when and how?
    c. Should a differentiation be made between CAI maintained on 
agency systems and CAI accessed or queried through third parties? What 
factors should OMB consider in guidance in relation to CAI accessed or 
queried through third parties?
    11. What, if any, means of interagency information sharing should 
be considered to allow agencies to report problems with CAI containing 
PII (e.g., recurring concerns with data quality)?
    12. What, if any, guidance should OMB provide to agencies regarding 
how their agreements with third parties address privacy requirements 
for CAI containing PII (e.g., specific compliance language in the 
requirements for contracts, licensing agreements, or other agreements)?
    a. Should such agreements require third-party providers of CAI to 
provide information about the source of data, demonstrate the quality, 
reliability and validity of the data, attest to compliance with 
relevant laws and policies, or comply with certain privacy 
requirements? Why or why not? How might agencies require third-party 
providers to demonstrate the quality, reliability, and validity of the 
CAI?
    b. Should such agreements require third-party providers of CAI to 
adopt policies aimed at allowing individuals access to information 
about them held by the third-party provider, the ability to dispute 
incomplete or inaccurate information held by a third-party provider of 
CAI containing PII, or control over how the information about them is 
used or shared? Why or why not?
    c. Are there other practices to mitigate privacy risks that 
agencies might require within agreements with third parties?

Other Considerations

    13. Should OMB guidance require agencies to manage CAI governance--
including policies, procedures, and oversight of agency use of CAI--
through a uniform mechanism?
    14. What else should OMB consider when evaluating potential 
guidance to agencies on ways to mitigate privacy risks from agencies' 
activities related to CAI containing PII?

Richard L. Revesz,
Administrator, Office of Information and Regulatory Affairs.
[FR Doc. 2024-23773 Filed 10-15-24; 8:45 am]
BILLING CODE 3110-01-P