
Privacy Impact Assessment for Open Government Citizen Engagement Tool

This PIA was prepared in January 2010 by the GSA Office of Citizen Services for the agency's citizen engagement tool.

System Assessment

A. Data in the system

Question

Explanation/Instructions

1. Describe all information to be included in the system, including personal data. a. The tool is a Software as a Service (SaaS) vendor offering hosted outside the GSA infrastructure. It will serve multiple agencies by offering dialogs where citizens can provide input for the Agencies’ open government plans. Data will include ideas, comments on ideas, and rankings of ideas. b. Email address submitted by the citizen visiting the site, to be used as a login. c. In addition, last name, first name and zip code - all voluntary.
1. A. What stage of the life cycle is the system currently in? Design/Planning
2. A. What are the sources of the information in the system? Voluntary email submissions, first name, last name and zip code by participants visiting the site.
2. B. What GSA files and databases are used? None
2. C. What Federal agencies are providing data for use in the system? None
2. D. What State and local agencies are providing data for use in the system? None
2. E. What other third party sources will the data be collected from? None
2. F. What information will be collected from the individual whose record is in the system? Email address, first name, last name and zip code - only on a voluntary basis.
3. A. How will the data collected from sources other than Federal agency records or the individual be verified for accuracy?

It is a tool made available for voluntary use. Visiting Citizens will be responsible for accurately submitting their information (email address, first name, last name and zip code).

Email addresses will be verified for complete format only. Before access is permitted a return email will be sent to verify that the email address is a functioning email address.

3. B. How will data be checked for completeness? Emails will be verified for complete format only. Before access is permitted a return email will be sent to verify that the email address is a functioning email address. This is a spam reduction measure.
3. C. Is the data current? How do you know? It is a tool made available for voluntary use. Visiting participants will be responsible for accurately submitting the email address. Before access is permitted a return email will be sent to verify that the email address is a functioning email address. This is a spam reduction measure.
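The gate described in 3.A through 3.C (a format check, then a confirmation email before access is permitted) and the display rule from question 4 (full name if supplied, otherwise the part of the address before the "@") can be implemented as below. This is an added example, not IdeaScale or GSA code; the class and function names are hypothetical, the token lifetime is an assumed value, and the mailer is replaced by an in-memory outbox so the block runs offline.

```python
"""
Email address gate for a dialog tool: a format check, then a single-use,
time-limited confirmation token mailed to the address before access is
granted. Hypothetical example code; names and the 24 h lifetime are assumed.
"""
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Shape check only: the PIA says addresses are verified "for complete format
# only"; the confirmation mail is what proves the mailbox actually works.
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
)
TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed lifetime of a confirmation link


def is_well_formed(email: str) -> bool:
    return len(email) <= 254 and EMAIL_RE.fullmatch(email) is not None


def local_part(email: str) -> str:
    return email.rsplit("@", 1)[0]


def public_handle(email: str, first: str = "", last: str = "") -> str:
    """Identifier shown beside a comment: the full name when both parts were
    entered in the profile, otherwise the part of the address before '@'."""
    first, last = first.strip(), last.strip()
    if first and last:
        return f"{first} {last}"
    return local_part(email)


class VerificationStore:
    """Pending confirmations keyed by an HMAC of the token, so a copy of the
    store (a backup, a log) does not hand out live confirmation links."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending: dict = {}   # token digest -> (email, expires_at)
        self.verified: set = set()
        self.outbox: list = []     # stands in for the outgoing mailer

    def _digest(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def start(self, email: str, now: float) -> str:
        """Record a pending confirmation and 'send' the link. Returns the raw
        token only so the flow can be exercised here; in a real deployment
        it leaves the system solely inside the email."""
        if not is_well_formed(email):
            raise ValueError("malformed email address")
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (email.lower(), now + TOKEN_TTL_SECONDS)
        self.outbox.append((email, f"confirm?token={token}"))
        return token

    def confirm(self, token: str, now: float) -> Optional[str]:
        """Redeem a token once; expired or unknown tokens return None."""
        entry = self._pending.pop(self._digest(token), None)  # single use
        if entry is None:
            return None
        email, expires_at = entry
        if now > expires_at:
            return None
        self.verified.add(email)
        return email

    def may_participate(self, email: str) -> bool:
        return email.lower() in self.verified
```

Because the pending table holds only HMAC digests, an attacker who reads it cannot forge a working link without the server secret, and because `confirm` pops the entry, a link that has been used once cannot be replayed.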
4. Are the data elements described in detail and documented? If yes, what is the name of the document? The privacy policy will display messaging confirming to the visiting user the limited use of the email for login. The privacy policy will also indicate that providing an email address and all other information (first name, last name and zip code) is voluntary (OPT IN) and that, when making comments, unless first name and last name have been entered in the participant’s profile, the front part of the email before the “@” sign will be visible to the public. The information will also be documented in a set of guidelines posted on the tool for review. Furthermore, the policy will clearly state that this is not a Privacy Act system of record (see Question 1).

B. Access to the Data

1. A. Who will have access to the data in the system?

Agency system administrators, moderators and participants will have access to the Ideas and comments submitted, as well as the limited profile information voluntarily submitted by each participant, as this is a public dialogue intended for transparent uses. Moderators can delete inappropriate comments from the dialogue and/or promote off topic comments to another site.

Only GSA System Administrators have access to the file of email addresses, first and last names, and zip codes. Email addresses and names are not to be exported or downloaded for any purpose, but zip codes, where available, may be analyzed to determine from which areas of the United States ideas and comments are being submitted. None will be tied in any way to individual names.

1. B. Is any of the data subject to exclusion from disclosure under the Freedom of Information Act (FOIA)? If yes, explain the policy and rationale supporting this decision. Email addresses, first name, last name and zip code are excluded from disclosure under FOIA.
2. How is access to the data by a user determined? Are criteria, procedures, controls, and responsibilities regarding access documented? System Administrators and developers of code have access to data as appropriate to fulfill their roles.
Vendor Associates’ access to the system is controlled by the vendor and is dictated by duties and requirements of their positions and by the terms of the service agreement.
Moderators, who are Federal employees, have access to the dialogues and can delete inappropriate comments and/or promote off topic comments to another site.
3. Will users have access to all data in the system or will the user's access be restricted? Explain.

Individual Access: The only data collected is provided voluntarily. The email data is transitory and not stored as a privacy database in the government’s infrastructure. The front part of the email address before the “@” sign is visible to the public if a first and last name has not been voluntarily submitted, and this is highlighted in the privacy policy provided to the public on the web site. Ideas and comments are listed with an identifier for the submitter, which when clicked will show the profile information provided by the participant, but this is limited to the first and last name and zip code.

System Administrators and Developers of Code: Only those individuals who have system data administration responsibilities as part of their official job duties and requirements have system-wide access to the email addresses.

Vendor Associates: Only those vendor associates whose duties and responsibilities require access to OCS data have been given the authority for access.

Managers and Supervisors: Management personnel have access only to the technical and statistical data necessary for monitoring system performance.

Moderators, who are Federal employees, have access to the dialogues and can delete inappropriate comments or promote off topic comments to another site.

4. What controls are in place to prevent the misuse (e.g. browsing) of data by those having access? System Administrators, Managers, Supervisors and Moderators are operating under the same rules of behavior for GSA and Federal employees in terms of protecting the privacy of others and not using information in the system for personal gain or to the benefit of others. Passwords, user IDs and segmentation of function provide adequate protections.
5. A. Do other systems share data or have access to data in this system? If yes, explain. No
5. B. Who will be responsible for protecting the privacy rights of the clients and employees affected by the interface? Not applicable
6. A. Will other agencies share data or have access to data in this system (International, Federal, State, Local, And Other)? No
6. B. How will the data be used by the agency?

The information will not be used by the Agency. The service provider’s tool uses email addresses only as a means of identifying a user of the dialog.

Zip codes may be used to aggregate responses for purposes of metrics (such as number of responses from various regions of the country).

6. C. Who is responsible for assuring proper use of the data? The Program Manager
6. D. How will the system ensure that agencies only get the information they are entitled to? Not applicable. Note: All comments are public. Email addresses and first or last name are used only for dialog purposes and are not to be downloaded/exported for any purpose.
7. What is the life expectancy of the data? The dialog tool retains the email addresses permanently, or at least until the dialog is closed and decommissioned. This is done to provide a login mechanism only.
8. How will the data be disposed of when it is no longer needed? The program will retain email addresses, first name, last name, zip code, and comments/responses until the dialog is closed and decommissioned. The system provides for the export of data in XML for purposes of records management. Email address, first and last name will not be downloaded/exported for any purpose.

C. Attributes of the Data

1. Is the use of the data both relevant and necessary to the purpose for which the system is being designed? Email addresses are necessary to identify a user of the dialog tool, to allow users to return and modify their information and ideas, to control number of times a user can vote on an idea, and to discourage frivolous comments. Upon initial log-in, an email is sent back to the email address to confirm the email address is working before allowing participation. This is a spam prevention measure.
2. A. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected? No
2. B. Will the new data be placed in the individual's record (client or employee)? No
2. C. Can the system make determinations about individuals that would not be possible without the new data? No, the information entered is limited to the voluntary input of an email address, first name, last name and zip code.
2. D. How will the new data be verified for accuracy? Emails will be verified for complete format only.
3. A. If the data is being consolidated, what controls are in place to protect the data and prevent unauthorized access? Explain. Data is not being consolidated. Zip codes may be used to aggregate metrics (such as responses from which regions of the country). Only System Administrators have download capabilities and no email address, or first and last name information will be exported.
3. B. If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain. Processes are not being consolidated.
4. How will the data be retrieved? Can it be retrieved by personal identifier? If yes, explain. Data containing email addresses or first and last name will not be retrieved. An XML export will be performed for analysis of ideas and comments and for records management purposes only.
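Sections B.1.A, B.8, C.3.A and C.4 all state the same two rules: the XML export for records management carries ideas and comments but never email addresses or names, and the only participant-derived output is a count of zip codes that is not tied to anyone. The block below shows how an export can enforce those rules mechanically rather than by policy alone. It is an added example with constructed sample data; the element names, the `PARTICIPANTS`/`IDEAS`/`COMMENTS` records and the 3-digit zip prefix are assumptions, not the GSA or IdeaScale export format.

```python
"""
Data-minimising records export for a dialog. Field allow-lists decide what
reaches the XML, author references are dropped so the export cannot be
joined back to the participant table, and the only participant-derived
output is a per-zip-prefix count with optional small-count suppression.
Hypothetical example; sample data is constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample data (no real participants).
PARTICIPANTS = {
    "p1": {"email": "ada@example.gov", "first": "Ada", "last": "Lovelace", "zip": "20405"},
    "p2": {"email": "bob@example.org", "first": "", "last": "", "zip": "20401"},
    "p3": {"email": "cy@example.net", "first": "Cy", "last": "Ng", "zip": "94102"},
}
IDEAS = [
    {"id": "i1", "author": "p1", "title": "Publish data sets",
     "body": "Open the budget data.", "votes": 12},
    {"id": "i2", "author": "p3", "title": "Plain language",
     "body": "Write plans in plain language.", "votes": 4},
]
COMMENTS = [
    {"id": "c1", "idea": "i1", "author": "p2", "body": "Agree, with CSV downloads."},
    {"id": "c2", "idea": "i1", "author": "p3", "body": "And an API."},
]

# Allow-lists: a field not named here never reaches the export, so adding a
# column to the source tables cannot silently leak it.
IDEA_FIELDS = ("title", "body", "votes")
COMMENT_FIELDS = ("body",)


def export_dialog_xml(ideas, comments):
    """Serialise ideas and their comments to XML through the allow-lists.
    Note that 'author' is deliberately not copied."""
    by_idea = {}
    for c in comments:
        by_idea.setdefault(c["idea"], []).append(c)
    root = ET.Element("dialog")
    for idea in ideas:
        node = ET.SubElement(root, "idea", id=idea["id"])
        for field in IDEA_FIELDS:
            ET.SubElement(node, field).text = str(idea[field])
        clist = ET.SubElement(node, "comments")
        for c in by_idea.get(idea["id"], []):
            cnode = ET.SubElement(clist, "comment", id=c["id"])
            for field in COMMENT_FIELDS:
                ET.SubElement(cnode, field).text = str(c[field])
    return ET.tostring(root, encoding="unicode")


def region_counts(participants, min_count=1):
    """Participants per 3-digit zip prefix. Buckets below min_count are
    suppressed so a region with one participant cannot single that person
    out; nothing here carries a name or address."""
    counts = Counter()
    for p in participants.values():
        z = (p.get("zip") or "").strip()
        if len(z) >= 3 and z[:3].isdigit():
            counts[z[:3]] += 1
    return {prefix: n for prefix, n in counts.items() if n >= min_count}


def leaked_identifiers(xml_text, participants):
    """Check an export against the participant table: returns every email,
    first or last name found in it (empty list means the rule held)."""
    found = []
    for p in participants.values():
        for key in ("email", "first", "last"):
            value = p.get(key)
            if value and value in xml_text:
                found.append(value)
    return found
```

The `leaked_identifiers` check is the piece worth keeping in a release pipeline: run it over every export before it is copied to the LAN share, and the "no email or name is exported" statement in this PIA becomes something that is tested rather than asserted.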

5. What are the potential effects on the privacy rights of individuals of:

a. Consolidation and linkage of files and systems;

b. Derivation of data;

c. Accelerated information processing and decision making; and

d. Use of new technologies. How are the effects to be mitigated?

There are no known effects on the due process rights of individuals who avail themselves of the tool. This system is not linked to other files and systems.

Participants will be presented with a clear disclaimer in the Privacy Policy that any submissions of email addresses, first and last name, or zip code are voluntary and that this is not a privacy act system of record.

D. Maintenance of Administrative Controls

1. A. Explain how the system and its use will ensure equitable treatment of individuals. There are no known effects on the due process rights of individuals who avail themselves of the dialog tool. This system is not linked to other files and systems.
1. B. If the system is operated in more than one site, how will consistent use of the system be maintained at all sites? The system is designed to provide separate dialogues for each agency, but a standard account template is developed and applied by GSA to each dialog established.
1. C. Explain any possibility of disparate treatment of individuals or groups. There is no possibility of disparate treatment of individuals.
2. A. What are the retention periods of data in this system? Until the dialog is closed and decommissioned.
2. B. What are the procedures for eliminating the data at the end of the retention period? Where are the procedures documented? Data (dialogue ideas and comments) will be exported to GSA Central Office and stored on the GSA Central Office LAN shared drives. Similar information may be exported for use by the individual agencies. In GSA, the GSA CIO LAN support provides for processes and procedures for deletion of data on centralized servers supporting central office users.
2. C. While the data is retained in the system, what are the requirements for determining if the data is still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations? Since the data retained on the system is only an email address (and, voluntarily, first name, last name and zip code), the individual will ensure that the information is complete, accurate, and up-to-date when they first use the tool by entering an email address.
3. A. Is the system using technologies in ways that Federal agencies have not previously employed (e.g. Caller-ID)?

To an extent, yes. The service is provided by an external host as Software as a Service, so the emails submitted are not stored in any GSA maintained Privacy Act system of record. A disclaimer in the Privacy Policy will ensure that participants are so notified.

Furthermore, IdeaScale (the tool GSA has selected to support Open Government public discussion) uses two optional persistent cookies to recognize returning participants so they do not have to log in each time they visit the site.

• IdeaScale uses persistent cookies to save user login information (the user’s login ID) between sessions. The user is given a choice (an “opt in” approach) to check a box to stay signed in. This is an optional convenience so the user does not have to remember the login information each time they visit the site.
• IdeaScale also uses a persistent cookie to support the use of external login IDs (e.g., Google, AOL, Yahoo, and Wordpress). This allows the user to interact with IdeaScale without having to create a new login ID for use with the site if they already have one with these other partners.

3. B. How does the use of this technology affect individuals’ privacy?

No effect on individual privacy. The only impact is the storage of an email address and voluntarily provided first name, last name and zip code. The email address is posted voluntarily by the owner of the email address after appropriate notices are provided on the web site.

In addition, no personal information is saved in either of the cookies used by IdeaScale, nor can they be used to track user activities across other websites.

For purposes of encouraging participation in these dialogs and the convenience of the public, the General Services Administration has approved a specific waiver of the federal policy prohibiting the use of persistent cookies. This waiver can be viewed at http://www.usa.gov/webcontent/CookiesMemo.pdf.

4. A. Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain. No
4. B. Will this system provide the capability to identify, locate, and monitor groups of people? If yes, explain. No
4. C. What controls will be used to prevent unauthorized monitoring? System information is only accessible by vendor staff or government System Administrators under secure login.
5. A. Under which Privacy Act System of Records notice (SOR) does the system operate? Provide number and name. This citizen engagement tool is not a System of Record. The sole purpose is to establish a mechanism for citizens to provide feedback on Agency open government plans.
5. B. If the system is being modified, will the SOR require amendment or revision? Explain. Not applicable; new system.