[Federal Register Volume 89, Number 20 (Tuesday, January 30, 2024)]
[Notices]
[Pages 5945-5947]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-01756]


=======================================================================
-----------------------------------------------------------------------

OFFICE OF MANAGEMENT AND BUDGET


Request for Information: Privacy Impact Assessments

AGENCY: Office of Management and Budget.

ACTION: Request for information.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the Executive order on Safe, Secure, and 
Trustworthy Development and Use of Artificial Intelligence, the Office 
of Management and Budget (OMB) is requesting public input on how 
privacy impact assessments (PIAs) may be more effective at mitigating 
privacy risks, including those that are further exacerbated by 
artificial intelligence (AI) and other advances in technology and data 
capabilities.

DATES: Consideration will be given to written comments received by 
April 1, 2024.

ADDRESSES: Please submit comments via https://www.regulations.gov/ and 
follow the instructions for submitting comments. Public comments are 
valuable, and they will inform any potential updates to relevant OMB 
guidance; however, OMB will not respond to individual submissions.
    Privacy Act Statement: OMB is issuing this request for information 
(RFI) pursuant to Executive Order 14110 on Safe, Secure, and 
Trustworthy Development and Use of Artificial Intelligence.\1\ 
Submission of comments in response to this RFI is voluntary. Comments 
may be used to inform sound decision making on topics related to this 
RFI, including potential updates to guidance. Please note that 
submissions received in response to this notice may be posted on 
https://www.regulations.gov/ or otherwise released in their entirety, 
including any personal information, business confidential information, 
or other sensitive information provided by the commenter. Do not include in your 
submissions any copyrighted material; information of a confidential 
nature, such as personal or proprietary information; or any information 
you would not like to be made publicly available. Comments are 
maintained under the OMB Public Input System of Records, OMB/INPUT/01; 
the system of records notice accessible at 88 FR 20913 (https://www.federalregister.gov/documents/2023/04/07/2023-07452/privacy-act-of-1974-system-of-records) includes a list of routine uses associated with 
the collection of this information.
---------------------------------------------------------------------------

    \1\ E.O. No. 14110, 88 FR 75191 (Nov. 1, 2023).
---------------------------------------------------------------------------

FOR FURTHER INFORMATION CONTACT: Alex Goodenough, Office of Management 
and Budget, via email at [email protected] or via phone at 202-395-3039.

SUPPLEMENTARY INFORMATION: Privacy safeguards are foundational to the 
Executive Branch's ability to maintain the public's trust, and analysis 
of privacy risks associated with the various activities of Executive 
Branch departments and agencies (``agencies'') is key to establishment 
of those safeguards. PIAs are a tool that agencies use to conduct that 
analysis. Indeed, as described in OMB's Circular No. A-130, Managing 
Information as a Strategic Resource, ``[a] PIA is one of the most 
valuable tools Federal agencies use to ensure compliance with 
applicable privacy requirements and manage privacy risks.'' \2\ In 
addition to being a key analytical tool, PIAs also make available to 
the public agencies' analysis of privacy risks and safeguards put in 
place to mitigate those risks.
---------------------------------------------------------------------------

    \2\ Off. of Mgmt. & Budget, Exec. Off. of the President, 
Circular No. A-130, Managing Information as a Strategic Resource 
app. II, section 5(e) (July 28, 2016), available at https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf.
---------------------------------------------------------------------------

    Requirements exist in statute and in OMB guidance for how agencies 
conduct and publish PIAs. Section 208 of the E-Government Act 
establishes minimum requirements for PIAs, and it requires the OMB 
Director to issue guidance on the required contents of PIAs.\3\ OMB 
M-03-22, OMB Guidance for Implementing the Privacy Provisions of the 
E-Government Act of 2002, requires agencies to ``conduct privacy impact 
assessments for electronic information systems and collections and, in 
general, make them publicly available.'' \4\ Additionally, it includes 
requirements related to certain agency contractors. OMB reinforced and 
built on the requirements in OMB M-03-22 through additional guidance on 
PIAs in OMB M-10-23, Guidance for Agency Use of Third-Party websites 
and Applications,\5\ and in OMB Circular No. A-130.
---------------------------------------------------------------------------

    \3\ E-Government Act of 2002, Public Law 107-347, section 
208(b)(2), (3), 116 Stat. 2899, 2921 (codified as amended at 44 
U.S.C. 3501 note).
    \4\ Off. of Mgmt. & Budget, Exec. Off. of the President, OMB 
M-03-22, OMB Guidance for Implementing the Privacy Provisions of the 
E-Government Act of 2002, attach. A, section I.A.a (Sept. 30, 2003), 
available at https://www.whitehouse.gov/wp-content/uploads/2017/11/203-M-03-22-OMB-Guidance-for-Implementing-the-Privacy-Provisions-of-the-E-Government-Act-of-2002-1.pdf.
    \5\ Off. of Mgmt. & Budget, Exec. Off. of the President, OMB 
M-10-23, Guidance for Agency Use of Third-Party websites and 
Applications (June 25, 2010), available at https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2010/m10-23.pdf.
---------------------------------------------------------------------------

    As agency programs and services increasingly rely on rapidly 
advancing technology and data capabilities (e.g., artificial 
intelligence), the privacy risk landscape also is evolving. Existing 
privacy risks are escalating, and new privacy risks are emerging. It is 
important to hear from the public as OMB considers what updates to PIA 
guidance may be necessary to ensure that PIAs continue to facilitate 
robust analysis and transparency about how agencies address these 
evolving privacy risks.

Seeking Input on Improving the Use of PIAs To Mitigate Privacy Risks

    OMB developed this RFI in consultation with the Department of 
Justice, National Economic Council, and Office of Science and 
Technology Policy, in accordance with Executive Order 14110. OMB seeks 
responses to the following questions:

Role of PIAs in Addressing and Mitigating Privacy Risks

    1. A wide range of privacy risks are associated with the creation, 
collection, use, processing, storage, maintenance, dissemination, 
disclosure, and disposal of personally identifiable information (PII). 
What improvements to OMB guidance on PIAs as analytical tools and 
notices to the public would assist agencies in identifying, addressing, 
and mitigating these risks, including when an agency:
    a. Develops, procures, or uses information technology to handle 
PII;
    b. Initiates, consistent with the Paperwork Reduction Act, a new 
electronic collection of information that contains PII;
    c. Uses a third-party website or application that makes PII 
available to the agency; or
    d. Engages in a relevant cross-agency initiative that involves PII?
    2. What other models or best practices for conducting and 
documenting PIAs or similar analyses could improve agencies' PIAs?
    a. Are there approaches to analyzing and documenting how an entity 
addresses and mitigates privacy risks used by non-federal government 
entities, specific sectors or industries, academia, or civil society 
that OMB should consider?
    b. Are there similar approaches to analyzing and documenting how an 
entity addresses and mitigates other risks in information governance 
(e.g., security risks) that OMB should consider from other federal 
guidance or frameworks?
    3. What guidance should OMB consider providing to agencies to help 
reduce any duplication that may arise in preparing PIAs along with 
other assessments focused on managing risks (e.g., security 
authorization packages or the AI impact assessments proposed in OMB's 
Draft Memorandum on Advancing Governance, Innovation, and Risk 
Management for Agency Use of Artificial Intelligence \6\) and to 
support these assessments' different functions?
---------------------------------------------------------------------------

    \6\ OMB released for public comment a draft memorandum on agency 
use of AI. See Off. of Mgmt. & Budget, Exec. Off. of the President, 
Draft Memorandum on Advancing Governance, Innovation, and Risk 
Management for Agency Use of Artificial Intelligence (Nov. 2023), 
available at https://ai.gov/wp-content/uploads/2023/11/AI-in-Government-Memo-Public-Comment.pdf.
---------------------------------------------------------------------------

Role of PIAs in Facilitating Transparency

    4. What role do PIAs play in your search for information about how 
agencies handle PII and address privacy risks? For what purpose(s) do 
you read agencies' PIAs?
    5. What improvements to PIAs would help you better understand 
agencies' assessment of privacy impacts and risk mitigation strategies?
    a. What improvement(s) would you recommend to make it easier to 
find and access agencies' PIAs?
    b. What improvement(s) would you recommend to make it easier to 
read and understand agencies' PIAs?
    6. How can agencies increase awareness of PIAs among stakeholders?

Privacy Risks Associated With Advances in Technology and Data 
Capabilities, Including AI

    7. AI and AI-enabled systems used by agencies can rely on data that 
include PII, and agencies may develop those systems or procure them 
from the private sector.
    a. What privacy risks specific to the training, evaluation, or use 
of AI and AI-enabled systems (e.g., related to AI system inputs and 
outputs, including inferences and assumptions; obtaining consent to use 
the data involved 
in these activities; or AI-facilitated reidentification) should 
agencies consider when conducting PIAs?
    b. What guidance updates should OMB consider to improve how 
agencies address and mitigate the privacy risks that may be associated 
with their use of AI?
    8. What role should PIAs play in how agencies identify and report 
on their use of commercially available information (CAI) \7\ that 
contains PII?
---------------------------------------------------------------------------

    \7\ Section 3(f) of Executive Order 14110 defines ``commercially 
available information'' as ``any information or data about an 
individual or group of individuals, including an individual's or 
group of individuals' device or location, that is made available or 
obtainable and sold, leased, or licensed to the general public or to 
governmental or non-governmental entities.'' 88 FR 75194.
---------------------------------------------------------------------------

    a. What privacy risks specific to CAI should agencies consider when 
conducting PIAs?
    b. OMB M-03-22 requires PIAs ``when agencies systematically 
incorporate into existing information systems databases of information 
in identifiable form purchased or obtained from commercial or public 
sources,'' while noting that ``[m]erely querying such a source on an ad 
hoc basis using existing technology does not trigger the PIA 
requirement.'' \8\ What guidance updates should OMB consider to improve 
how agencies address and mitigate the privacy risks that may be 
associated with their use of CAI that contains PII?
---------------------------------------------------------------------------

    \8\ OMB M-03-22, attach. A, section II.B.b.6.
---------------------------------------------------------------------------

    9. What guidance updates should OMB consider to improve how 
agencies address and mitigate the privacy risks that may be associated 
with their use of other emerging technology and data capabilities?

Other Considerations

    10. What else could help promote greater effectiveness and 
consistency across agencies in how they approach PIAs?
    11. What else should OMB consider when evaluating potential updates 
to its guidance on PIAs?

Richard L. Revesz,
Administrator, Office of Information and Regulatory Affairs.
[FR Doc. 2024-01756 Filed 1-26-24; 8:45 am]
BILLING CODE 3110-01-P