WASHINGTON, D. C. 20503 THE DI RECTOR May9,2013 M-13-13 MEMORANDUMFORTHEHEADS OFEXECUTIVEDEPARTMENTSANDAGENCIES FROM: SylviaM. Burwell- b }1/ Director StevenVanRoekel FederalChiefInforma fficer ToddPark /VL-- U.S. v - - ( DominicJ. Mancini ActingAdministrator,0 rce andRegulatoryAffairs SUBJECT: OpenDataPolicy-ManagingInformationasanAsset Information is avaluablenational resourceandastrategicassettothe Federal Government, its partners,and the public. In orderto ensurethattheFederalGovernmentis takingfull advantageofits informationresources,executivedepa11ments and agencies(hereafterreferredtoas"agencies")must manage inf01mationas an assetthroughoutits life cycletopromoteopennessand interoperability, and properlysafeguardsystemsand information. Managinggovernmentinformationas an assetwill increase operationalefficiencies,reducecosts, improveservices,supportmissionneeds,safeguardpersonal information,and increasepublicaccesstovaluablegovernmentinformation. Makinginformationresourcesaccessible, discoverable,and usablebythepubliccanhelpfuel entrepreneurship,innovation,and scientificdiscovery- all ofwhich improveAmericans' livesand contributesignificantlytojobcreation. Forexample,decadesago,theFederalGovernmentmadeboth weatherdataandtheGlobal PositioningSystem(GPS)freely availableto anyone. Sincethen, American entrepreneursand innovatorshaveusedtheseresourcestocreatenavigationsystems,weathernewscasts and warningsystems, location-basedapplications,precision farmingtools,andmuchmore. Pursuantto ExecutiveOrderofMay9,2013,Making Open and Machine Readable the New Default for Government Information, thisMemorandumestablishesaframeworkto helpinstitutionalize theprinciplesofeffectiveinfonnation managementateachstageoftheinformation'slifecycleto promoteinteroperabilityandopenness.Whetherornotparticularinformationcanbe madepublic, agenciescanapplythisframeworktoall inf01mation resourcesto promoteefficiencyandproducevalue. Specifically,thisMemorandum requiresagenciestocollectorcreateinformation in awaythat supportsdownstream informationprocessingand disseminationactivities. Thisincludesusingmachine- readableandopenformats,datastandards,andcommoncoreandextensiblemetadataforall new informationcreationand collectioneff01ts. It also includesagenciesensuring informationstewardship throughtheuseofopen licensesand reviewofinformation for privacy,confidentiality, security, orother restrictionsto release. Additionally, it involvesagencies buildingormodernizinginformationsystems in a waythatmaximizes interoperabilityand informationaccessibility, maintains internal and external data asset inventories,enhances informationsafeguards,and clarifies informationmanagement responsibilities. TheFederalGovernmenthasalreadymadesignificantprogress in improvingits managementof informationresourcesto increase interoperabilityandopenness. ThePresident'sMemorandumon Transparency and Open Government 1 instructed agenciestotakespecificactionsto implementthe principlesoftransparency,patticipation,and collaboration,andtheOfficeofManagementandBudget's (OMB) Open Government Directive 2 required agenciesto expandaccessto information by makingit availableonlinein openformats. OMB has alsodeveloped policiesto helpagencies incorporatesound information practices, includingOMB CircularA-130 3 and OMBMemorandumM-06-02. 4 In addition, theFederal GovernmentlaunchedData.gov,an onlineplatformdesigned to increaseaccesstoFederal datasets. ThepublicationofthousandsofdataassetsthroughData.govhas enabled thedevelopmentof numerous productsand servicesthatbenefitthepublic. Tohelpbuild ontheseeff01ts,thePresidentissued aMemorandumonMay23,2012entitled Building a 21st Century Digital Government 5 thatchargedtheFederalChieflnfonnationOfficer(CIO) withdevelopingand implementingacomprehensivegovernment-widestrategyto deliverbetterdigital servicesto theAmericanpeople. TheresultingDigital Government Strateg/ outlined an information- centricapproachto transform howtheFederalGovernmentbuildsanddeliversdigital services,and requiredOMBto developguidanceto increasethe interoperabilityand opennessofgovernment information. ThisMemorandum is designedto beconsistentwith existingrequirements in thePaperwork Reduction Act, 7 the-GovernmentActof2002, 8 thePrivacyActof1974, 9 theFederal Information SecurityManagementActof2002(FISMA), 10 theConfidentialInformationProtectionand Statistical EfficiencyActof2002(CIPSEA), 11 theFreedomofInformation Act, 12 theInformationQualityAct, 13 the 1 President Barack Obama,MemorandumonTransparencyand Open Government(Jan. 21, 2009),available at http://ww\V.\Vhitehouse.!wv/the press office/TransparencyandOpenGovernment. 2 OMB Memorandum M-10-06, Open Government Directive (Dec. 8,2009),available at http://www.whitehouse.gov/sites/defaul t/files/omb/assets/memoranda 20I0/mI0-06.pdf 3 OMB CircularA- 130,available at http://www.whitehouse.gov/omb/Circul ars a130 a130trans4/ 'OMBMemorandum M-06-02,Improving Public Access to and Dissemination ofGovernment Information and Using the Federal Ente1prise Architecture Data Reference Model (Dec. 16,2005),m1ailable at http://www.whitelJOuse.gov/sit es/defaul t/fi les/omb/memorandalfy2006/m06- 02.pdf 3 President Barack Obama,Memorandum on Buildinga21st Century Digital Government (May23, 2012), available at http://www.whitehouse.gov/sites/defaul t/lil es/upl oads/2012digital mem rei.pdf 6 OfficeofManagementand Budget,Digital Government: Building a 21 51 Centlll)' Platform to Beller Serve the American People (May23,2012), available at htt p: // \VW\V. whitehouse. gov/sites/defaul t/fil es/omb/egov/digi tal -government/elig. ital-government-strategv.pdf 7 44 U.S.C. 350Iet seq. 8 Pub. L. No. 107-347, 116 Stat. 2899(2002)(codifiedas 44 U.S.C. 350lnote). 9 5U.S.C. 552a. 10 44 U.S.C. 3541,et seq. 11 Secti on503(a), Pub.L. No. I07-347, 116 Stat. 2899 (2002)(codifi edas44 U.S.C. 350Inote); see also Impl ementation Guidance for Title Y oftheE-GovernmentAct,Confidential Information Protectionand Stati sti calEfficiency Act of2002(CIPSEA),available at http://www.whitehouse.gov/si tes/default/fil cs/omb/assets/omb/fedreg/2007/061507 cipsea guidance.pdf 12 5USC 552(a)(2). 2 Federal RecordsAct, 14 and existing OMB and OfficeofScienceandTechnologyPolicy(OSTP) guidance. Ifagencieshaveanyquestions regardingthi sMemorandum,pl easedirectthemto OMBat datause@omb.eop.gov. Attachment 13 Pub.L. No. 106-554 (2000) (codifi edat44 U.S.C. 3504(d)(l)and 35 16).See also OMBMemorandum M- 12- 18,Managing Government Records Directive (Aug.24,2012), available at http://www.whitehouse.!!ov/sitcs/defaul t!fi les/omb/memoranda/2012/m- 12-18.pdf. ~ 44 U.S.C. Chapters21,22,29,31,and 33.See also 36CFRSubchapterB - Records Management. 3 Attachment Thisattachmentprovidesdefinitionsand implementationguidanceforM-13-13,OpenData Policy-ManagingInformationasanAsset. I. Definitions: Data: Forthe purposesofthis Memorandum,theterm"data" refers to all structured information, unless otherwisenoted. 15 Dataset: ForthepurposesofthisMemorandum,thetenn"dataset"refers to acollectionofdata presented in tabularor non-tabularform. FairInformationPracticePrinciples: Theterm" FairInformation PracticePrinciples"referstothe eightwidelyaccepted principlesfor identifyingand mitigatingprivacyimpacts in informationsystems, programsand processes,delineated in theNational StrategyforTrusted Identities in Cyberspace. 16 Governmentinformation: As defined in OMBCircularA-130,"governmentinformation"means informationcreated,collected, processed,disseminated,ordisposed of, byorforthe FederalGovernment. Information: As defined in OMBCircularA-130,theterm " information" meansanycommunicationor representation ofknowledgesuchas facts,data, oropinionsin any medium orfmm, includingtextual , numerical, graphic, cartographic, narrative,oraudiovisual forms. Informationlifecycle: Asdefined in OMBCircularA-130,theterm" information lifecycle"meansthe stagesthrough which information passes,typicallycharacterizedas creationorcollection, processing, dissemination, use,storage, and disposition. Personallyidentifiableinformation: As defined in OMBMemorandumM-10-23, 17 "personally identifiable information" (PIT) refersto informationthatcan be used to distinguishortracean individual 's identity, eitheraloneorwhen combinedwithotherpersonal oridentifying informationthatis linkedor linkableto a specificindividual. ThedefinitionofPII is notanchoredto anysinglecategoryof information ortechnology. Rather, it requires acase-by-caseassessmentofthespecificriskthatan individual can be identified. In performingthisassessment, it is importantforan agencytorecognizethat non-PIT can becomePII wheneveradditional information is madepubliclyavailable(in anymediumand from anysource)that,when combinedwithotheravailable information,could be usedto identifyan individual. Mosaiceffect: Themosaiceffectoccurswhen the information in an individual dataset, in isolation, may notposeariskofidentifyingan individual (orthreateningsomeotherimpmtantinterestsuchas security), butwhencombinedwith otheravailable information,could posesuchrisk. Beforedisclosingpotential PIT orotherpotentiallysensitive information,agenciesmustconsiderotherpubliclyavailabledata- in 15 Structuredinformation istobe contrastedwith unstructuredinformation (commonly referred to as "content")such as press releases and fact sheets. As described in theDigitalGovernmentStrategy,content maybe converted toastructuredformatand treatedas data. Forexample, a web-based fact sheetmaybe brokenintothe followingcomponentdata pieces: thetitle, bodytext,images, and relatedlinks. 16 The White House,NationalStrategyfor TrustedIdentities in Cyberspace (April 20II),availableat htt p://www.whitehouse.gov/sites/default/ tiles/rss viewer/NSTICstrategv 0415ll.pdf 17 OMB Memorandum M-10-23,GuidanceforAgencyUse of Third-Party WebsitesandApplications(June 25, 20I0) ,availableat http://www.whitehousc.gov/sites/default/ files/omb/assets/memoranda 20I0/ml0-23.pdf 4 any medium and from anysource- to determinewhethersomecombinationofexistingdataandthedata intendedto be'publiclyreleasedcouldallowforthe identificationofan individual orposeanothersecurity concern. Open data: ForthepurposesofthisMemorandum,theterm "open data" referstopublicly availabledata structured in a waythatenablesthedatato befully discoverableand usable byend users. In general, opendatawill beconsistentwiththefollowing principles: Public. Consistentwith OMB'sOpen Government Directive, agencies mustadopta presumption in favorofopennessto theextentpennitted by lawand subjectto privacy,confidentiality,security,or othervalid restrictions. Accessible. Opendataaremadeavailable in convenient, modifiable,and openfonnats thatcan be retrieved,downloaded,indexed,and searched. Formatsshould bemachine-readable(i .e.,dataare reasonablystructuredto allowautomated processing). Opendatastructuresdo notdiscriminate againstanyperson orgroupofpersonsand should bemadeavailabletothewidestrangeofusersfor thewidest rangeofpurposes,often byprovidingthedata in multipleformatsforconsumption. Tothe extentpermitted by law, theseformats should be non-proprietary, publiclyavailable, and no restrictions should be placed upontheiruse. Described. Opendataaredescribed fully sothatconsumersofthedatahavesufficientinformation to understandtheirstrengths,weaknesses,analytical limitations, securityrequirements,aswell as how to process them. This involvestheuseofrobust,granularmetadata(i.e., fields orelementsthat describedata),thorough documentationofdataelements,datadictionaries,and, ifapplicable, additional descriptionsofthe purposeofthecollection,thepopulationofinterest,thecharacteristics ofthesample,and the method ofdatacollection. Reusable. Opendataare madeavailableunderan open licensethatplacesno restrictionson theiruse. Complete. Opendataare published in primaryforms (i.e., as collectedatthesource),withthefinest possible level ofgranularitythatis practicableandpermitted by lawand otherrequirements. Derived oraggregateopendatashould alsobe published butmustreferencetheprimarydata. Timely. Opendataare madeavailableasquicklyas necessarytopreservethevalueofthedata. Frequencyofreleaseshould accountfor key audiencesanddownstream needs. Managed Post-Release. A pointofcontactmustbedesignatedto assistwithdatauseand to respond to complaintsaboutadherencetotheseopen datarequirements. Project Open Data: "ProjectOpenData,"a newOMBand OSTPresource, is an onlinerepository of tools, bestpractices,and schemato help agenciesadopttheframeworkpresented in this guidance. ProjectOpenDatacan beaccessed athttp://project-open-data.github.io. 18 ProjectOpenDatawill evolve overtimeas acommunityresourcetofacilitateadoptionofopen datapractices. Therepository includes definitions,code,checklists,casestudies, and more,and enablescollaborationacrosstheFederal Government, in partnershipwith publicdevelopers,as applicable. Agenciescan visitProjectOpenData foramorecomprehensiveglossaryoftermsrelatedto open data. 18 Linkstothebest practi ces developedin Proj ectOpen Data referenced in thi smemorandum can befound through thedirectoryon thi smain page. 5 II. Scope: Therequirements in pat1 III, sections 1and 2 ofthisMemorandumapplyto all new information collection,creation,and systemdevelopmenteff011s as well as majormodernization projectsthat update orre-design existinginformationsystems. National SecuritySystems,as defined in 40 U.S. C. 11103,are exemptfrom therequirementsofthis policy. Therequirements in pa11 III,section3 applyto management ofall datasets used in an agency's informationsystems. Agenciesarealso encouragedto improvethe discoverabilityand usabilityofexistingdatasets bymakingthem"open" usingthemethodsoutlined in this Memorandum, prioritizingthosethathavealreadybeen released to the publicorotherwisedeemed high-valueorhigh-demandthroughengagementwith customers(seepartIII,section3.c). Agencies shouldexercisejudgmentbeforepubliclydistributingdata residingin an existingsystem by weighingthe valueofopennessagainstthecostofmakingthosedatapublic. Ill. PolicyRequirements: Agencies managementofinformation resourcesmustbeginattheearlieststagesofthe planningprocess, well before information is collectedorcreated. Earlystrategic planningwill allowtheFederal Governmenttodesign systemsand developprocessesthatunlockthefull valueofthe information,and provideafoundation from which agenciescan continueto manage informationthroughout its life cycle. Agenciesshall takethefollowingactionsto improvethemanagementofinformation resources throughoutthe information' s I ifecycleand reinforcethegovernment ' spresumption in favor ofopenness: 1. Collectorcreateinformationinawaythatsupportsdownstreaminformationprocessingand disseminationactivities- ConsistentwithOMBCircularA-130,agenciesmustconsider,ateach stageof the information lifecycle,theeffectsofdecisionsand actionsonotherstagesofthelifecycle. Accordingly,totheextentpermitted by law,agenciesmustdesignnewinformationcollectionand creationeff011s sothatthe information collectedorcreatedsupportsdownstream interoperabilitybetween informationsystemsand dissemination ofinformationtothepublic, as appropriate,withouttheneed for costlyretrofitting. Thisincludesconsiderationandconsultationofkeytargetaudiencesforthe information when determiningformat,frequency ofupdate,and otherinformationmanagementdecisions. Specifically,agenciesmust incorporatethefollowingrequirements into future information collectionand creationefforts: a. Usemachine-readableandopenformats 19 - Agenciesmustusemachine-readableand open formats for information as it is collectedorcreated. While informationshouldbecollected electronically by default, machine-readableand openformats mustbe used in conjunction with both electronicand telephoneorpaper-based information collectioneffot1s. Additionally, in consultationwiththebestpracticesfound in ProjectOpenDataand tothe extentpermitted by law, agenciesshould prioritizetheuseofopenformats thatarenon- publiclyavailable,and thatplaceno restrictionsupontheiruse. 19 Therequirementsofthi ssubsecti onbuild uponexistingrequirementsin OMBStati sti calPoli cy DirectivesNo. I and No.2,available at http://www.whi tchousc.gov/sit cs/dcfault/l'il es/omb/assets/omb/inforeg/dirccti ve1.!2ill"and http://\VIVW.whitchouse.gov/sitcs/dcfault/ lllcs/omb/assets/omb/inforeg/directive2. pdf. 6 b. Usedatastandards- Consistentwith existingpoliciesrelatingtoFederalagencies' use of standards 20 for informationas it is collectedorcreated,agencies mustusestandards in order to promotedata interoperabilityand openness. c. Ensureinformationstewardshipthroughtheuseofopenlicenses- Agenciesmustapply open licenses, in consultationwiththebestpracticesfound in ProjectOpenData,to informationas it is collectedorcreatedsothat ifdataaremadepublicthereareno restrictions on copying, publishing,distributing,transmitting,adapting, orotherwiseusingthe informationfor non-commercialorfor commercialpurposes ? 1 When information is acquired oraccessed by an agencythrough performanceofacontract,appropriateexistingclauses 22 shall beutilizedto meettheseobjectiveswhilerecognizingthatcontractorsmayhave proprietaryinterests in such information,andthatprotectionofsuch information maybe necessatyto encouragequalifiedcontractorsto participatein and apply innovativeconcepts togovernmentprograms. d. Usecommoncoreandextensiblemetadata- Agenciesmustdescribeinformation using commoncoremetadata, in consultation withthebestpracticesfound in ProjectOpenData,as it is collectedandcreated. Metadatashouldalso include information aboutorigin, linked data,geographiclocation,timeseriescontinuations,dataquality,and otherrelevant indices thatrevealrelationshipsbetweendatasetsandallowthepublicto determine thefitness ofthe datasource. Agencies may expanduponthebasiccommonmetadatabasedonstandards, specifications, orformats developedwithin differentcommunities(e.g.,financial, health, geospatial , lawenforcement). Groupsthatdevelopand promulgatethesemetadata specificationsmustreviewthemforcompliancewiththecommoncoremetadatastandard, specifications,andformats. 2. Buildinformationsystemstosupportinteroperabilityandinformationaccessibility- Through theiracquisitionand technology managementprocesses,agenciesmustbuildormodernize informationsystems in a waythatmaximizes interoperabilityand information accessibility, tothe extent practicableand permitted by law. Tothisend, agenciesshould leverageexistingFederal IT guidance, suchastheCommon Approach to Federal Enterprise Architecture, 23 whendesigning informationsystems. Agenciesmustexerciseforethoughtwhenarchitecting,building,or substantiallymodifying an informationsystemto facilitate publicdistribution,whereappropriate. In addition,theagency'sCIOmustvalidatethatthefollowingminimumrequirements havebeen incorporated intoacquisition planningdocumentsandtechnical design for all newinformation systemsandthose preparingfor modernization,as appropriate: a. Thesystemdes ign mustbe scalable,fl exible,andfacilitate extractionofdata in multiple formats and for a rangeofusesas internal andexternal needschange, including potential uses notaccountedfor in theoriginal des ign. In general,thiswill involvethe useofstandardsand specifications in thesystem des ignthatpromoteindustrybestpracticesfor information 10 See OMB CircularA-119,available at http://www.whitehouse.gov/omb/circulars a119,and OMB Memorandum M- 12-08, Principles for Federal Engagement in Standards Activities to Address National Priorities (Jan 27,2012),available at http://www.whitehouse.gov/sites/default/files/omb/memoranda/2012/m-12-08.pdf 11 lfadatauseraugmentsoralters or iginalinformati onthat is attributed to the FederalGovernment,theuser isresponsible for makingclearthe source and nature ofthat augment ati on. 12 See FederalAcqui siti on Regulation (FAR)Subpart27.4-Rightsin Data and Copyrights,available at https:l/acgui siti on.gov/far/currentlhtmi /Subpa11%2027 4. html 23 OfficeofManagement and Budget,Common ApproachtoFederal EnterpriseArchitecture,available at http:/ /www.whi tehouse.gov/sites/defaultlfiles/om b/assets/egov_docs/common_approach_to_federal _ea. pdf 7 sharing,and separationofdatafrom theapplication layerto maximizedatareuse opportunitiesand incorporationoffutureapplication ortechnologycapabilities, in consultationwiththebestpracticesfound in ProjectOpenData; b. All dataoutputsassociatedwiththesystem mustmeettherequirements described in partIII, sections l.a-eofthisMemorandumand beaccounted for in thedatainventorydescribed in partIII section3.a; and c. Dataschemaand dictionaries havebeen documentedand shared with internal pmtnersand thepublic, as applicable. 3. Strengthendatamanagementand releasepractices- Toensurethatagencydataassetsare managed and maintainedthroughouttheir life cycle, agenciesmustadopteffectivedataassetp01tfolio management approaches. Within six(6) monthsofthedateofthisMemorandum,agenciesand interagencygroups mustreviewand, whereappropriate, reviseexistingpoliciesand proceduresto strengthentheirdata managementand releasepracticestoensureconsistencywiththerequirements in thisMemorandum,and takethefollowingactions: a. Createandmaintainanenterprisedatainventory- Agenciesmustupdatetheirinventory ofagency information resources(as requiredbyOMB CircularA-130) 24 to includean enterprisedata inventory, ifit does notalreadyexist,thataccountsfordatasetsused inthe agency's informationsystems. Theinventorywill be builtoutovertime,withthe ultimate goal ofincludingall agencydatasets,to theextentpracticable. Theinventorywill indicate, as appropriate, iftheagencyhas determinedthatthe individual datasets maybe madepublicly available(i.e., release is permitted by law,subjecttoall privacy, confidentiality, security,and othervalid requirements)and whethertheyarecurrentlyavailabletothepublic. TheSenior AgencyOfficialfor Records Managementshouldbeconsultedon integrationwiththerecords managementprocess. Agenciesshould usetheDataReferenceModelfrom theFederal EnterpriseArchitecture 25 to helpcreateand maintaintheir inventory. Agenciesmustdescribe datasetswithin the inventoryusingthecommoncoreandextensiblemetadata(seepartIII, section l.e). b. Createandmaintaina publicdatalisting- Anydatasets in theagency'senterprisedata inventorythatcan be madepubliclyavailablemustbe listedatwww.[agency].gov/datain a human- and machine-readableformatthatenablesautomaticaggregation by Data.govand otherservices(knownas" harvestablefiles"), totheextentpracticable. Thisshould include datasetsthatcanbemadepubliclyavailable buthave notyetbeen released. Thispublicdata listingshould also include,to theextentpermitted by lawand existingtermsandconditions, datasetsthatwereproducedthrough agency-funded grants,contracts,and cooperative agreements(excludinganydatasubmitted primarilyforthepurposeofcontractmonitoring and administration),and,wherefeasible,beaccompanied bystandardcitation information, preferably in theform ofapersistentidentifier. Thepublicdata listingwill be builtoutover time,with theultimategoal ofincludingall agencydatasetsthatcan be madepublicly available. SeeProjectOpenDataforbestpractices,tools, and schemato implementthe publicdata listingand harvestablefiles. "See OMBCircularA-130,section 8(b)(2)(a). 25 OfficeofManagementand Budget,Federal Enterprise Architecture(FEA) Reference Model s,available at http://www.whitehouse.gov/omb/e- gov/ fea 8 c. Createa processtoengagewithcustomersto helpfacilitateand prioritizedatarelease- Agencies mustcreateaprocessto engagewith customers,through their www.[agency].gov/datapages and othernecessarymeans,to solicithelp in prioritizingthe releaseofdatasetsand determiningthe mostusableand appropriateformats for release? 6 Agenciesshould makedataavailable in multipleformats accordingtotheircustomerneeds. Forexample, high-volumedatasetsofinterestto developersshould bereleased usingbulk downloadsas well asApplication ProgrammingInterfaces(APis). In addition, customer engagementeff01ts should helpagenciesprioritizeeffortsto improvethediscoverabilityand usabilityofdatasetsthathavealreadybeen released tothe publicbutare notyetfully"open" (e.g. ,theyareonlyavailable in closed, inaccessibleformats). SeeProjectOpenDataforbest practicesand toolsthatcanbe used to implementcustomerengagementefforts. d. Clarify rolesand responsibilitiesfor promotingefficientandeffectivedatarelease practices- Agencies mustensurethatroles and responsibilitiesareclearlydesignatedforthe promotionofefficientand effectivedatarelease practicesacrosstheagency, and thatproper authoritieshave been grantedto executeon related responsibilities, including: 1. Communicatingthestrategicvalueofopen datato internal stakeholdersand the public; 11. Ensuringthatdatareleasedto the publicareopen(asdefined in partI),as appropriate,anda pointofcontactis designatedto assistopendatause and to respond to complaintsaboutadherenceto opendatarequirements; 111. Engagingentrepreneurs and innovators in theprivateand nonprofitsectorsto encourageand facilitatethe use ofagencydatato build applicationsand services; IV. Workingwith agencycomponentstoscalebestpracticesfrom bureausand offices thatexcel in open datapracticesacrosstheenterprise; v. Workingwiththeagency' sSeniorAgencyOfficialforPrivacy(SAOP)orother relevantofficialstoensurethatprivacyandconfidentialityarefully protected;and v1. WorkingwiththeChieflnformationSecurityOfficer(CISO)andmissionownersto assessoverall organizational risk,based onthe impactofreleasingpotentially sensitivedata,and makearisk-based determination. 4. Strengthenmeasurestoensurethatprivacyandconfidentialityarefully protectedand thatdata are properlysecured- Agencies must incorporateprivacyanalyses intoeach stageofthe information' s lifecycle. In particular,agencies mustreviewthe information collectedorcreated forvalid restrictionsto releaseto determinewhether it can be madepubliclyavailable,consistentwiththe Open Government Directive's presumption in favorofopenness,and totheextentpermitted by lawand subjectto privacy, confidentialitypledge,security,tradesecret,contractual ,orothervalid restrictionsto release. Ifthe agencydeterminesthatinformationshould notbe madepubliclyavailableononeofthesegrounds,the agencymustdocumentthisdetermination in consultation with its OfficeofGeneral Counselor equivalent. As agenciesconsiderwhetherornotinformation may bedisclosed,theymustalsoaccountforthe "mosaiceffect" ofdataaggregation. Agenciesshould notethatthemosaiceffectdemandsa risk-based 26 OMBStati sti cal Poli cy Directives3and 4describethescheduleand manner in whichdata producedbytheprincipal stati sti cal agenci es will be released.Stati sti cal Poli cy DirectiveNo. 4:Release and Di sseminati onofStati sti cal ProductsProducedbyFederal Stati sti calAgencies, available at http://www.whitehouse.gov/sites/defaul t/fil es/omb/assets/omb/fedreg/2008/030708 directive-4.pdf; Stati sti cal PolicyDirective3: Compilation,Release,and EvaluationofPrincipal FederalEconomi cIndi cators,available at http://www.whitehouse.gov/sites/default!files/omb/assets/omblinforeg/statpoli cy/dir 3 fr 09251985. pdf 9 analysis, often utilizingstatistical methodswhose parameterscan changeovertime,dependingon the natureofthe information,theavailabilityofotherinformation,and thetechnology in placethatcould facilitatethe process ofidentification. Because ofthecop1plexity ofthi sanalysis and thescopeofdata involved,agenciesmaychooseto takeadvantage ofentities in the ExecutiveBranchthat may have relevant expe1tise,includingthe staffofData.gov. Ultimately,it is the responsibilityofeach agencyto perform the necessaryanalysisand complywith all applicable laws,regulations,and policies. In some cases, this assessment mayaffecttheamount,type,form,and detail ofdata releasedbyagencies. As OMB has noted,"Theindividual's rightto privacymust beprotected in Federal Government informationactivities involvingpersonal information." 27 As agenciesconsidersecurity-related restrictionsto release, they should focus on information confidentiality, integrity,and availabilityas part oftheagency'soverall risk managementframework. Theyare required to incorporatetheNational InstituteofStandardsandTechnology(NIST)Federal Information ProcessingStandard (FIPS) Publication 199"Standardsfor SecurityCategorizationofFederal Information and Information Systems," which includes guidanceand definitionsfor confidentiality,integrity,and availability. 28 Agencies should also consultwith the Controll edUnclassified Information (CUI) program to ensurecompliancewith CUI requirements, 29 theNational Strategyfor Information Sharingand Safeguarding/ 0 and the bestpractices found in ProjectOpenData. In additionto complyingwith the PrivacyActof1974,the-Government Actof2002,FISMA, and CIPSEA, agencies should implementinformation policiesbased upon Fair Information PracticePrincipl es and NISTguidanceon Securityand PrivacyControlsfor Federal Information Systemsand Organizations. 31 Forexampl e, agenciesmust: a. Collectorcreateonlythatinformation necessary for the properperformanceofagency functions and which has practical utility; 32 b. Limitthecollectionorcreationofinformationwhich identifiesindividualsto thatwhich is legallyauthorized and necessaryfor the properperformanceofagencyfunctions; 33 c. Limitthesharingofinf01mation thatidentifi es individualsorcontains proprietary informationto thatwhich is legallyauthorized,and imposeappropriateconditionson use whereacontinuingobligation to ensurethe confidentialityoftheinformationexists; 34 d. Ensurethatinformation isprotectedcommensuratewith the ri sk and magnitudeofthe harm thatwould resultfrom the loss,mi suse, or unauthorized accessto ormodificationofsuch information; 35 and e. Takeintoaccountotherpubliclyavailable informationwhen determiningwhetherparticular information should be consideredPII (as defined in pmtIofthis Memorandum). 27 See OMB CircularA-130,availableathttp://www.whitehouse.gov/omb/Circulars al30 a130trans4/ 28 NIST FIPSPublication 199"Standardsfor Securi tyCategorizati onofFederalInformationand Information Systems",availableat http://csrc.ni st.gov/publi cati ons/fips/fips199/FfPS-PUB-199-final.pdf 29 Executi ve Order I3556,Controll ed UnclassifiedInformation,availableathttp://www.whitehouse.gov/the-press-office/20I0/II/04/executive- order- 13556-controlled-unclassilied-informat ion. 30 TheWhite House,NationalStrategyforInformation SharingandSafeguarding (December20II), availableathttp://www.whitehouse.gov/the- press-office/2012/12/19/nati onal-strategy- informati on-sharing-and-safeguarding 31 See NIST Special Publication 800-53 "Securityand PrivacyCont rolsfor FederalInformationSystemsand Organi zations", availableat hltp:l/csrc. nist.gov/pubI icat ions/draft s/800-53-rev4/sp800-53-rev4-ipd. pdf 32 See OMB CircularA-130,section 8(a)(2). 33 See OMB CircularA-130,section 8(a)(9)(b). 3 ' See OMB CircularA-130, secti on8(a)(9)(c). 35 See OMB Circul arA-130,secti on8(a)(9)(a). 10 5. Incorporatenewinteroperabilityandopennessrequirementsintocoreagencyprocesses- Consistentwith44U.S.C. 3506(b)(2), agenciesmustdevelopand maintain an Information Resource Management(IRM)StrategicPlan. IRMStrategicPlansshouldalign withtheagency'sStrategicPlan(as required byOMBCircularA-ll), 36 supporttheattainmentofagencyprioritygoalsas mandated by the GovernmentPerformanceand ResultsModernizationActof2010, 37 provideadescription ofhowIRM activities helpaccomplish agency missions, and ensurethatIRMdecisionsare integratedwith organizational planning,budget, procurement,financial management,human resources management,and program decisions. As partofthe annual PortfolioStatprocess, 38 agenciesmustupdatetheirIRM StrategicPlansto describehowtheyare meetingnewand existing information lifecyclemanagement requirements. Specifically,agenciesmustdescribehowthey have institutionalizedand operationalized the interoperabilityand opennessrequirements in thisMemorandum intotheircoreprocessesacrossall applicableagencyprogramsand stakeholders. IV. Implementation: Asagenciestakestepsto meettherequirements in thisMemorandum, it is importanttoworkstrategically and prioritizethoseelementsthatcanbeaddressed immediately,supp011 mission-critical objectives,and result in moreefficientuseoftaxpayerdollars. Agenciesshouldconsiderthefollowingas they implementtherequirementsofthis Memorandum: 1. RolesandResponsibilities- TheClinger-CohenActof1996assignsagencyCIOsstatutory responsibilityfor promotingtheeffectiveand efficientdesign and operationofall majorIRMprocesses within theiragency. Accordingly,agencyheadsmustensurethatCIOsarepositioned withthe responsibilityand authorityto implementthe requirementsofthisMemorandum in coordinationwiththe agency'sChiefAcquisitionOfficer,ChiefFinancial Officer, ChiefTechnologyOfficer,SeniorAgency Official for Geospatial Information, SeniorAgencyOfficialfor Privacy(SAOP),Chieflnformation SecurityOfficer(CISO), SeniorAgencyOfficialfor RecordsManagement,and ChiefFreedomof InformationAct(FOIA)Officer. TheCIOshouldalso workwiththeagency'spublicaffairsstaff,open governmentstaff, webmanagerordigital strategist, programownersand otherleadership,as applicable. A keycomponentofagencies ' managementofinformation resources involvesworkingcloselywith the agency'sSAOPand otherrelevantofficialsto ensurethateachstageofthe planningprocessincludesa full analysisofprivacy,confidentiality,and securityissues. Agencyheads mustalsoensurethatprivacy and securityofficialsarepositionedwiththeauthorityto identify informationthatmayrequireadditional protectionand agencyactivitiesthatmayrequireadditional safeguards. Consistentwith OMB Memorandum M-05-08, 39 eachagency' s SAOPmusttakeon acentral planningand policy-makingrole in all agency information managementactivities, beginningattheearlieststagesofplanningand continuing throughoutthe life cycleofthe information. In addition, ifan agency'sSAOP is not positioned withinthe officeoftheCIO,theagencyshoulddesignate an officialwithintheofficeoftheCIOto serve asa liaison to helpcoordinatewith the agency'sprivacyoffice. 36 OMB Circul arA-ll ,availableathttp: //www.whitehouse.gov/omb/circulars aII current year aII toe 37 Pub.L. No. 111-352 (2011)(codified as 31USC 11 20 note). 38 In March20 12OMB establi shedPortfolioStat accountabilitysessions,engagingdirectlywith agencyleadership toassess the maturityand effect iveness ofcurrent ITmanagement practi ces and address management opportuniti es and challenges. For FY13OMB PortfolioStatguidance. seeOMB Memorandum M-13-09,Fiscal Year2013 PorifolioStatGuidance:Strengthening FederaliT PorifolioManagement (Mar. 27,2013), availableathttp://www.whitehouse.gov/sites/defaul t/fil es/omb/memoranda/?013/m-13-09.pdf. 39 OMB Memorandum M-05-08, Designation ofSeniorAgencyOfficialsforPrivacy(Feb. II,2005),availableat htt p:1lm. 1vhi teh ouse.govIsites/default/fiIes/omb/assets/ombit11emoranda/fv2005/m05 -08.pdf 11 2. Government-wideCoordination- The Federal CIO will work with the United States Chief Technology Officer (CTO) and the Administrator of the OMB Office of Information and Regulatory Affairs (OIRA) to help improve the interoperability and openness of government information. To this end, the Federal CIO will work to establish an interagency working group supp01ted by the Federal CIO Council. The working group should focus on leveraging government-wide communities of practice to help with the development of tools that support information interoperability and openness through repositories such as Project Open Data. Part of this work should be to share best practices related to interoperability and openness within government (e.g. , Federal , state, local , and tribal). These collaborations shall be subject to statutory limitations and conducted in a way that fully protects privacy, confidentiality, confidential business information, and intellectual property rights. 3. Resources- Policy implementation may require upfront investments depending on the maturity of existing information life cycle management processes at individual agencies. Agencies are encouraged to evaluate current processes and identify implementation opportunities that may result in more efficient use of taxpayer dollars. However, effective implementation should result in downstream cost savings for the enterprise through increased interoperability and accessibility of the agency's information resources. Therefore, these potentialupfront investments should be considered in the context of their future benefits and be funded appropriately through the agency' s capital planning and budget processes. Some of the requirements in this Memorandum may require additional tools and resources. Agencies should make progress commensurate with available tools and resources. In addition, tools, best practices, and schema to help agencies implement the requirements of this Memorandum can be found through the Digital Services Innovation Center and in Project Open Data. 4. AccountabilityMechanisms- Progress on agency implementation of the actions required in this Memorandum will be primarily assessed by OMB and the public through analysis of the agency' s updates to IRM plans (part III, section 5), the completeness of the enterprise data inventory (part III, section 3.a), and the data made available in the agency's public data listing (part III, section 3.b). Nothing in this Memorandum shall be construed to affect existing requirements for review and clearance of pre-decisional information by OMB relating to legislative, budgetary, administrative, and regulatory materials. Moreover, nothing in this Memorandum shall be construed to reduce the protection of information whose release would threaten national security, invade personal privacy, breach confidentiality or contractual terms, violate the Trade Secrets Act, 40 violate other statut01y confidentiality requirements, 41 or damage other compelling interests. This Memorandum is not intended to, and does not, create any right or benefit, substantive or procedural , enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person. 40 18 usc 1905. 41 See 13 U. S.C. 8, 9 and 301(g) and 22 U.S.C. 3104. 12
CIPL Protecting Privacy in A World of Big Data Part 1 Protecting - Privacy - in - A - World - of - Big - Data - Paper - 1 - The - Role - of - Enhanced - Accountability - 21 - October - 2015