Privacy Act Laws, Policies and Resources
On this page, you will find information on:
- Laws and Guidance
- EPA Policies and Procedures
- EPA Forms
- Office of Management and Budget Memorandum
- Related Resources
Laws and Guidance
United States Code
- The Privacy Act of 1974, 5 U.S.C. § 552a, as amended
- The Freedom of Information Act, 5 U.S.C. § 552, as amended
- Children's Online Privacy Protection Act of 1998 (PDF)(2 pp, 125 K), 15 U.S.C. § 6501, et seq.
- Computer Matching and Privacy Protection Act of 1988, 11.3.39, as amended
- E-Government Act of 2002
- Federal Information Security Modernization Act (FISMA) of 2014 (PDF)(16 pp, 62 K)
- Department of Justice - Overview of the Privacy Act of 1974
Code of Federal Regulations
- EPA Privacy Act Regulations (PDF)(10 pp, 207 K), Federal Register: January 4, 2006 (Volume 71, Number 2)
FISMA Reporting Guidance
- M-16-03, Fiscal Year 2015-2016 Guidance on Federal Information Security and Privacy Management Requirements (October 30, 2015)
- M-15-01, Fiscal Year 2014-2015 Guidance on Improving Federal Information Security and Privacy Management Practices (October 3, 2014)
- M-14-04, Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (November 18, 2013)
- M-12-20, FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (September 27, 2012)
- M-11-33, FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (September 14, 2011)
- M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (April 21, 2010)
- M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (August 20, 2009)
- M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 14, 2008)
- M-08-09, New FISMA Privacy Reporting Requirements for FY 2008 (January 18, 2008)
- M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (July 25, 2007)
- Management of Federal Information Resources, OMB Circular No. A-130
- Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy, OMB Memorandum M-01-05
- OMB Memorandum, Recommendations for Identity Theft Related Data Breach Notifications (September 20, 2006)
- M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 26, 2003)
Office of Management and Budget Memorandum
- M-16-24, Role and Designation of Senior Agency Officials for Privacy (Sep 15, 2016)
- M-16-04, Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government (October 30, 2015)
- M-15-13, Policy to Require Secure Connections across Federal Websites and Web Services (June 8, 2015)
- M-14-03, Enhancing the Security of Federal Information and Information Systems (November 18, 2013)
- M-13-20, Protecting Privacy while Reducing Improper Payments with the Do Not Pay Initiative (August 16, 2013)
- M-12-11, Reducing Improper Payments through the "Do Not Pay List" (April 12, 2012)
- M-11-27, Implementing the Telework Enhancement Act of 2010: Security Guidelines (July 15, 2011)
- M-11-20, Implementing Telework Enhancement Act of 2010 IT Purchasing Requirements (April 28, 2011)
- M-11-02, FY 2010 Sharing Data While Protecting Privacy (November 3, 2010)
- M-10-23, FY 2010 Guidance for Agency Use of Third-Party Websites and Application (June 25, 2010)
- M-10-22, FY 2010 Guidance for Online Use of Web Measurement and Customization Technologies (June 25, 2010)
- M-08-01, HSPD-12 Implementation Status (October 23, 2007)
- M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007)
- M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments (July 12, 2006)
- M-06-16, Protection of Sensitive Agency Information (June 23, 2006)
- M-06-15, Safeguarding Personally Identifiable Information (May 22, 2006)
- M-05-08, Designation of Senior Agency Officials for Privacy (February 11, 2005)
- M-01-05, Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy (December 20, 2000)
- M-00-13, Privacy Policies and Data Collection of Federal Web Sites (June 22, 2000)
- M-99-18, Privacy Policies on Federal Web Sites (June 2, 1999)
EPA Policies and Procedures
Policies
- Social Media Policy CIO 2184.0 (6 pp, 68 K), June 2011
- Mobile Computing Policy CIO 2150.4 (PDF)(5 pp, 192 K), December 2013
- Privacy Policy CIO 2151.1 (PDF), September 2015 (11 pp, 108 K)
- Agency Network Security Policy (PDF) (12 pp, 101 K)
- System Life Cycle Management Policy (PDF) (9 pp, 181 K)
Procedures
- Records Management Policy, August 2018
- Web Measurement and Customization Technologies (Cookies) CIO 2180-P-01.0, April 2011
- Children's Privacy and Copyright Issues CIO 2182.0, October 2007
- Computer Matching Agreement Procedure
- Conducting Privacy On-Site Reviews (PDF) (5 pp, 73 K)
- EPA Information Security – National Rules of Behavior Procedure
- Procedures for Preparing Privacy Impact Assessments (PDF)(5 pp, 90 K)
  Privacy issues must be addressed when systems are being developed, and privacy protections must be integrated into the development life cycle of automated systems.
- Procedures for Preparing Privacy Act Statements (PDF)(4 pp, 90 K)
  Forms that collect Personally Identifiable Information directly from individuals must include a Privacy Act statement.
- Procedures for Preparing and Publishing Privacy Act Systems of Records Notices (PDF)(5 pp, 90 K)
  Prior to creating a new System of Records or significantly altering an existing system, the Agency must publish a notice in the Federal Register.
- Processing Privacy Act Requests Procedure (PDF) (5 pp, 90 K)
- Interim Procedure for Responding to Breaches of Personally Identifiable Information (PII) Issued by the EPA Chief Information Officer (PDF)
- How Contractors Will Respond to a Suspected or Confirmed PII Breach (DOC) (1 pp, 48 K)
- Protecting Sensitive Personally Identifiable Information (SPII) Procedure (PDF)
EPA Forms
Office of Management and Budget (OMB) Directives
The directives listed below may be found on the OMB Memoranda webpage.
- M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (January 3, 2017)
- M-16-24, Role and Designation of Senior Agency Officials for Privacy (Sep 15, 2016) (PDF) (5 pp, 288 K)
- M-15-13, Policy to Require Secure Connections across Federal Websites and Web Services (June 8, 2015) (PDF) (5 pp, 259 K)
- M-14-03, Enhancing the Security of Federal Information and Information Systems (November 18, 2013) (PDF) (15 pp, 869 K)
- M-13-20, Protecting Privacy while Reducing Improper Payments with the Do Not Pay Initiative (August 16, 2013) (PDF) (18 pp, 9 MB)
Related Resources
Federal Acquisition Regulations (FAR) Clauses and EPA Acquisition Regulation (EPAAR)
- Protection of Individual Privacy, Federal Acquisition Regulation - Subpart 24.1
- Protection of Individual Privacy, EPA Acquisition Regulation - 48 CFR Subpart 1524.1
Other Resources
- Federal Trade Commission: Information about Consumer Privacy
- Federal Register Privacy Act Issuances for Systems of Records Notice (National Archives and Records Administration)
- A Citizen's Guide on Using the Freedom of Information Act and Privacy Act of 1974 to Request Government Records
- Frequently Asked Questions about the Children's Online Privacy Protection Act (from FTC Bureau of Consumer Protection)