• Text Resize A A A
  • Print Print
  • Share Share on facebook Share on twitter Share

Implementation of OMB M-10-22 and M-10-23

TO: OPDIV Chief Information Officers,
   OPDIV Chief Information Security Officers,
   OPDIV Senior Officials for Privacy

FROM: Michael W. Carleton  /s/
   HHS Chief Information Officer
   and Senior Agency Official for Privacy

SUBJECT: Implementation of OMB M-10-22 and M-10-23

ATTACHMENT: Proposed Use of a Multi-Session Web Measurement
   and Customization Technology that
   Collects Personally Identifiable Information Form

DATE: December 21, 2010

 

On June 25, 2010, the Office of Management and Budget (OMB) issued two memoranda: M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies; and M-10-23, Guidance for Agency Use of Third-Party Websites and Applications. The memoranda established procedures and requirements for use of Web measurement and customization technologies and third-party Websites or applications. The Department issued policy for implementation of the memoranda in the HHS-OCIO Policy for Information Systems Security and Privacy (IS2P), dated September 22, 2010. This memorandum provides procedures for implementing the requirements of M-10-22 and M-10-23. As a result of this OMB guidance, HHS IRM Policy for Usage of Persistent Cookies (Document Number: HHS-IRM-2000-009, dated January 8, 2001) is hereby obsoleted. The HHS-OCIO Web page shall reflect the date of this memorandum as the obsoleting factor. These requirements for implementation of OMB M-10-22 and M-10-23 shall be incorporated into the next revision and issuance of the IS2P.

The Internet is critical to facilitating an open government by creating channels for citizen engagement and transparency. The use of Web measurement and customization technologies[1] and third-party Websites or applications,[2] such as social media networks and Web 2.0 applications, will enable customization and improvements in the delivery of services to the public, promote government transparency, and solicit public participation and collaboration. Accordingly, any government use of these technologies must protect the privacy of individuals.[3]

The Department has created this guidance for all HHS Operating Divisions (OPDIVs), including the Staffing Divisions within the Office of the Secretary, in order to meet the expectations of protecting privacy when using new technologies. Per OMB memoranda M-10-22 and M-10-23, any technologies currently in use and any such technology that was approved and operated prior to the issuance of this memorandum are obligated to meet these requirements. Any means of communicating information to the public, including information about privacy practices, must be in compliance with Section 508 accessibility requirements.

For the purposes of this implementation guidance, each OPDIV Chief Information Officer (CIO) is responsible for ensuring the procedures are implemented, unless otherwise noted in this memorandum. OPDIV CIOs may delegate these responsibilities to others within their organization; however, they should take note that there are privacy roles within the OPDIV (e.g., OPDIV Senior Officials for Privacy [SOP]) that may serve as a natural point of implementation and coordination of activities. In addition, any reference to the HHS Senior Agency Official for Privacy (SAOP) is also a reference to the HHS CIO given that the HHS CIO serves as the SAOP for the Department.

Additional Procedures to Implement OMB M-10-22

  1. Update the OPDIV’s Privacy Policy[4] to provide notice of any use of a Web measurement and customization technology in a clear, conspicuous, and accurate manner.
    1. The OPDIV’s Privacy Policy must include the following:
      1. The purpose of the Web measurement and/or customization technology;
      2. i.      The usage tier (i.e., Tier 1, 2, or 3[5]), session type (whether multi-session or single session[6]), and technology used;
      3. ii.      The nature of the information collected;
      4. v.      The purpose and use of the information;
      5. Whether and to whom the information will be disclosed;
      6. i.      The privacy safeguards applied to the information;
      7. ii.      The data retention policy for the information;
      8. iii.      The name of the Privacy Impact Assessment (PIA) associated with the  use of the Website or application using the Web measurement and customization technology;
      9. x.      The System of Records Notice (SORN) associated with the Website or application using the Web measurement and customization technology (if applicable);
      10. Whether the technology is enabled by default or not and why;
      11. i.      How to opt-out or opt-in[7] to the Web measurement and/or customization technology;
      12. ii.      Statement that opting-out still permits users to access comparable information or services;
      13. iii.      The identities of all third-party vendors involved in the measurement and customization process; and
      14. iv.      Name of the HHS SAOP and date of approval.
    2. Review and approve the content of the OPDIV Privacy Policy. Other stakeholders (e.g., OPDIV SOP, Office of General Counsel, Public Affairs) can be included in the review and approval process at the discretion of the OPDIV.
    3. Update the OPDIV’s machine-readable privacy policy to reflect the content of the OPDIV Privacy Policy.[8]
  2. I.            Ensure that any use of a Web measurement and customization technology provides the Internet user with the ability to opt-out of or opt-in to the use of such technology.
    1. OPDIVs are encouraged to use technologies to enable Internet users to opt-out from the use of a Web measurement or customization technology. Such technologies could include the use of a multi-session Web measurement or customization technology.
    2. If a technology solution is not feasible, OPDIVs must provide instructions on other actions an Internet user can take to opt-out of a Web measurement and customization technology. This information should be included in the OPDIV Privacy Policy as described in I.a. above.
    3. OPDIVs that use a multi-session Web measurement and customization technology to collect personally identifiable information (PII) [9] (hereafter referred to as “Tier 3 multi-session technology”) must have explicit consent from the Internet user and have the user opt-in for the use of the Tier 3 multi-session technology.
      1. For the purposes of this memo, “explicit consent” means that the Internet user has been provided clear and conspicuous notice of the proposed practice and has opted-in via an affirmative consent mechanism (e.g., having the Internet user select a radio button or checkbox) to authorize the practice.
  3. II.            Review and approve in writing any use of a Tier 3 multi-session technology prior to its use and promote the proposed use to the HHS SAOP for review and public comment.
    1. Submissions for approval to the HHS SAOP must include information described above in I.a. i-xiii (see Appendix: Proposed Use of a Multi-Session Web Measurement and Customization Technology that Collects Personally Identifiable Information Form). The information must be written in a clear and concise manner that is acceptable for posting to the public on the Department’s Open Government Webpage (www.hhs.gov/open).
    2. Submit a proposed use to the HHS SAOP by sending the completed Proposed Use of a Multi-Session Web Measurement and Customization Technology that Collects Personally Identifiable Information Form to the HHS Cybersecurity Program ([email protected]).
  4. V.            The HHS SAOP must approve in writing any use of Tier 3 multi-session technology prior to its use.
    1. The HHS SAOP will post for public comment submissions for approval for the use of a Tier 3 multi-session technology on the Department’s Open Government Webpage (www.hhs.gov/open) for 30 days.
      1. The HHS CIO has the authority to exempt the proposed use of a Tier 3 multi-session technology from the public notice and comment process if it is reasonably likely to result in serious harm to the public.
    2. The HHS SAOP will consider comments from the public regarding the proposed use of a Tier 3 multi-session technology.
    3. The HHS SAOP may request modifications to a proposed use of a Tier 3 multi-session technology prior to approval or may deny approval on the use of a Tier 3 multi-session technology.
  5. Review technologies associated with the use of Web measurement or customization technologies and procedures related to the use of Web measurement and customization technologies within their OPDIV and report the findings to the HHS SAOP.
    1. This review will take place in Q2 of the fiscal year.
    2. The HHS SAOP will issue guidance on the performance of the reviews.
    3. The HHS SAOP will consolidate the results into a report that will be posted on the HHS Open Government Website (www.hhs.gov/open).

  6. Additional Procedures to Implement OMB M-10-23

  7. Ensure any use of a third-party Website or application follows content requirements.
    1. Provide an alert[10] to an Internet user before redirecting them via an external hyperlink to a third-party Website or application.
      1. The alert must explain to the Internet user that they are being redirected to a non-governmental Website or application that may have different privacy policies from those of the OPDIV’s official Website.
        1. Sample alert language: This hyperlink will direct you to a non-governmental Website or application.The appearance of external hyperlinks does not constitute endorsement by the United States Department of Health & Human Services (HHS) of the hyperlinked Website or application, or the information, products or services contained therein. Visitors to the hyperlinked Website or application will be subject to the Website or application’s privacy policies. These practices may be different than those of this HHS Website.
    2. Apply appropriate branding when using third-party Websites or applications.
      1. Branding should clearly distinguish the OPDIV’s presence and activity from those of non-government actors. For example, the OPDIV should add a seal or emblem to its profile page on a third-party Website or application.
    3. Update the OPDIV’s Privacy Policy to describe any use of third-party Websites or applications.
      1. The OPDIV’s Privacy Policy must include the following:
        1. The specific purpose of the OPDIV’s use of the third-party Websites or applications;
        2. How the OPDIV will use PII that becomes available through the use of the third-party Websites or applications;
        3. Who at the OPDIV will have access to the PII;
        4. With whom PII will be shared outside of the OPDIV;
        5. Whether and how the OPDIV will maintain PII, and for how long;
        6. How the OPDIV will secure PII that it uses or maintains;
        7. What other privacy risks exist and how the OPDIV will mitigate those risks; and
        8. Include a hyperlink to the relevant privacy policies of the third-party Website or application (when feasible).
      2. i.      Update the OPDIV’s machine-readable privacy policy to reflect the content of the OPDIV Privacy Policy.
    4. Post a Privacy Notice[11] on the third-party Website or application (when feasible).
      1. The Privacy Notice must be written in plain language, clearly labeled, and conspicuously placed on all locations where the public might make PII available[12] to the OPDIV.
      2. i.      The Privacy Notice must include:
        1. An explanation that the Website or application is not a government Website or application, that it is controlled or operated by a third-party, and that the OPDIV’s Privacy Policy does not apply to the third-party;
        2. An indication whether and how the OPDIV will maintain, use, or share PII that becomes available through the use of the third-party Website or application;
        3. An explanation that by using the Website or application to communicate with the OPDIV, individuals may be providing non-government third-parties access to PII;
        4. A link to the official OPDIV Website; and
        5. A link to the OPDIV’s Privacy Policy.
        6. Sample Privacy Notice language:[13]

      3. The United States Department of Health & Human Services (HHS) uses third-party Websites to share information and to encourage collaboration with the public. Third-party Websites are not government-owned or government-operated. They are controlled and operated by a third-party not affiliated with HHS. The HHS Privacy Policy does not apply to third-party Websites or applications.

        Any information that a visitor makes available to HHS via a third-party Website, which could include personally identifiable information (PII), is voluntary. When a visitor makes information available to HHS they will also be making this information available to a third-party not affiliated with HHS. The Department encourages the public to contribute to discussions and provide opinions to HHS via third-party Websites. However, in doing so, visitors to the third-party Website should take steps to protect their privacy. Visitors should not disclose any private information about themselves or others (e.g., Social Security number or health information) on a third-party Website. HHS.gov provides information on how to send official correspondence to HHS.

        HHS uses information that visitors make available on third-party Websites to improve our programs and serve the public (for example, improving our education and outreach materials and activities). HHS does not share information provided through third-party Websites and does not collect personally identifiable information from third-party Websites. To learn more about HHS privacy practices, please visit our Privacy Policy at HHS.gov/privacy.

        HHS does not endorse the comments or opinions provided by visitors to a third-party Website.

  8. I.            Complete a PIA for each use of a third-party Website or application.
  9. The HHS SAOP will review and revise the Department’s PIA methodology and standard operating procedures to accommodate third-party Websites or applications in first quarter of FY11 and will review annually thereafter.

Proposed Use of a Multi-Session Web Measurement and Customization Technology that Collects Personally Identifiable Information Form

Per Office of Management and Budget (OMB) instructions found in Memorandum 10-22 Guidance for Online Use of Web Measurement and Customization Technologies (June 25, 2010), the following information serves as public notice for the proposed use by the United States Department of Health & Human Services of a Tier 3a multi-session Web measurement and customization technology that collects personally identifiable information.

The HHS Senior Agency Official for Privacy (SAOP) will post this notice for public comment on the Department’s Open Government Webpage (www.hhs.gov/open) for 30 days from the date of the posting.

Comments about the proposed use can be submitted electronically or in writing. Electronic comments should be directed to [email protected]. Written comments should be directed to:  HHS Senior Agency Official for Privacy, 200 Independence Ave. S.W., Room 555-G, Washington, D.C. 20201

OPDIV

 

OPDIV Chief Information Officer (CIO)

 

OPDIV CIO Approval Date

MM/DD/YYYY

HHS Senior Agency Official for Privacy

 

Date posted for public comment

MM/DD/YYYY

The purpose of the Web measurement and/or customization technology

 

The usage tier (i.e., Tier 1, 2, or 3)

 

Session Type (multi-session or single session)

 

Information about the technology used

 

Describe the nature of the information collected

 

Describe the purpose and use of the information

 

Describe whether and to whom the information will be disclosed

 

Describe the privacy safeguards applied to the information

 

Describe the data retention policy for the information

 

Name of the Privacy Impact Assessment associated with the Website or application using the Web measurement and/or customization technology

 

Name of the System of Records Notice associated with the Website or application using the Web measurement and/or customization technology (if applicable)

 

Describe whether or not the technology is enabled by default; and if so, why

 

Describe how to opt-out or opt-in to the Web measurement and/or customization technology

 

Describe how a member of the public can access comparable information or services if they choose to opt-out of the Web measurement and/or  customization technology

 

Identities of all third-party vendors involved in the measurement and/or customization process

 

[1] OMB M-10-22 defines Web measurement and customization technologies as technologies that “…are used to remember a user’s online interactions with a Website or online application in order to conduct measurement and analysis of usage or to customize the user’s experience.” The most common mechanism to track user behavior or customize a Website is a cookie.

[2] OMB M-10-23 defines a third-party Websites and applications as “ …Web-based technologies that are not exclusively operated or controlled by a government entity, or Web-based technologies that involve significant participation of a non-government entity. Often these technologies are located on a “.com” Website or other location that is not part of an official government domain. However, third-party applications can also be embedded or incorporated on an agency’s official Website.”

[3] Per Section 1.12 of the IS2P Handbook (September 22, 2010), the use of Web measurement and customization technologies does not apply to: 1) Internet activities that do not face the public (e.g., intranet); 2) activities that are part of authorized law enforcement, national security, or intelligence activities; or 3) third-party Websites and applications that use Web measurement and customization technologies solely for the third-parties’ own purposes and not on behalf of the Department and do not share any personally identifiable information or information collected that could identify an individual with the Department.

[4] OMB M-10-23 defines a Privacy Policy as “…a single, centrally located statement that is accessible from an agency’s official homepage. The Privacy Policy should be a consolidated explanation of the agency’s general privacy-related practices that pertain to its official Website and its other online activities.”

[5] OMB M-10-22 defines Tier 1, Tier 2, and Tier 3 uses. Tier 1 is defined as any use of a single-session Web measurement and customization technology. Tier 2 refers to any use of multi-session Web measurement and customization technology when no PII is collected (including when the agency is unable to identify an individual as a result of its use of such technologies). Tier 3 refers to any use of a multi-session Web measurement and customization technology when PII is collected (including when the agency is able to identify an individual as a result of its use). For the purposes of this memorandum, Web measurement and customization technologies that fall into the Tier 3 category are referred to as “a Tier 3 multi-session technology.”

[6] OMB M-10-22 defines single session technologies and multi-session technologies. Single-session technologies are technologies that remember a user’s online interactions within a single session or visit. Any identifier correlated to a particular user is used only within that session, is not reused, and is deleted immediately after the session ends. Multi-session technologies are technologies that remember a user’s online interactions through multiple sessions. This approach requires the use of a persistent identifier for each user, which lasts across multiple sessions or visits.

[7] Opt-out refers to technologies that assume user inclusion unless users explicitly state a decision to leave or withdraw from services. Opt-in refers to technologies that require a self-selected choice to purposefully accept a situation or condition ahead of participation or receipt of services. 

[8] For additional guidance, refer to HHS-OCIO Policy for Machine-Readable Privacy Policies (Document number: HHS-OCIO-2010-0001 dated January 28, 2010). 

[9] Personally identifiable information is defined in OMB M-07-16 Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007). OMB M-10-22 provides additional commentary on the definition of PII found in OMB M-07-16 by stating “the definition of PII is not anchored to any single category of information or technology. Rather, it demands a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available — in any medium and from any source — that, when combined with other available information, could be used to identify an individual.”

[10] An alert can take the form of a statement, icon, or other label adjacent to the hyperlink or as a “pop-up.” 

[11] A privacy notice is defined by OMB M-10-23 as a “brief description of how the agency’s Privacy Policy will apply in a specific situation. Because the Privacy Notice should serve to notify individuals before they engage with an agency, a Privacy Notice should be provided on the specific Webpage or application where individuals have the opportunity to make PII available to the agency.”

[12] The phrase “make PII available” includes any agency action that causes PII to become available or accessible to the agency, whether or not the agency solicits or collects it. In general, an individual can make PII available to an agency when he or she provides, submits, communicates, links, posts, or associates PII while using the Website or application. “Associate” can include activities commonly referred to as “friend-ing,” “following,” “liking,” “joining a group,” becoming a “fan,” and comparable functions.

[13] This is sample language must be customized to adequately address each use of a third-party Website or application.  

 

Content created by Office of the Chief Information Officer (OCIO)
Content last reviewed on September 8, 2017