The Federal Trade Commission released its privacy report last month for businesses and policymakers titled “Protecting Consumer Privacy in an Era of Rapid Change” with a set of recommendations for handling consumer data privacy online. Protecting consumers as they use online technologies is important, but new and different challenges emerge as online or cloud solutions become core services for public sector agencies. As governments look to online services or cloud computing to internally and externally host applications and share data, many are considering the adoption of consumer-oriented technologies to make this transition. Yet, as public sector workers use these solutions, are they an ordinary consumer or are they covered by special provisions suited to protecting government, education, healthcare and taxpayer data? Nowhere in the recommendations for consumer privacy is there any mention of what is being done to protect public sector privacy online, especially when the public sector uses consumer online services.
While it is not normally the FTC’s job to set policy for public sector IT, it is worth reviewing the FTC’s consumer Privacy Framework in order to explore how some of these areas impact public sector privacy and data use:
The FTC’s Privacy Framework
- Companies Should Comply with the Framework Unless They Handle Only Limited Amounts of Non-Sensitive Data that is Not Shared with Third Parties.
- The Framework Sets Forth Best Practices and Can Work in Tandem with Existing Privacy and Security Statutes.
- The Framework Applies to Offline As Well As Online Data
- The Framework Applies to Data That is Reasonably Linkable to a Specific Consumer, Computer, or Device
B. Privacy by Design
- The Substantive Principles: Data Security, Reasonable Collection Limits, Sound Retention Practices, and Data Accuracy
- Companies Should Adopt Procedural Protections to Implement the Substantive Principles
C. Simplified Consumer Choice
- Practices That Do Not Require Choice
- For Practices Inconsistent with the Context of their Interaction with Consumers, Companies Should Give Consumers Choices
- Privacy Notices
- Consumer Education
Privacy by Design
Public sector workloads are bound by a very different set of privacy, regulatory and data retention requirements than what might impact a consumer. For example, healthcare organizations are bound by HIPAA. Educational institutions must respect the FERPA regulations. Law enforcement agencies must conform to the FBI’s Criminal Justice Information System (CJIS) standards in order to share information with other agencies. Therefore, as public sector agencies consider the use of cloud computing technology, they need to start with their privacy, regulatory and data retention requirements as the foundation for selecting which cloud services can or cannot be used. Likewise, cloud service providers need to build products from the ground up to meet these unique privacy and regulatory requirements. In some cases, services that were originally designed for consumers may not be appropriate for use by public sector customers.
Simplified Consumer Choice
This section of the framework talks about giving consumers the ability to have greater control over their data when they use online services. For example, it states:
“…the proposed framework called on companies that collect and use consumer data to provide easy-to-use choice mechanisms that allow consumers to control whether their data is collected and how it is used.”
Again, one could argue that for public sector use, there should be no ability for companies to collect user data in any form beyond what is required to provide the service. Since individual users are not able to control how their data is used, the IT organization of the entity should take on the role of ensuring the appropriate controls are in place to prevent inappropriate use of their users’ data. Therefore, it is imperative that the IT organization ensure that all potential privacy and data use concerns are researched and addressed well before any decision is made to deploy a new service. It would be both costly and disruptive to find out after a deployment that users or departments are not satisfied with the security and privacy capabilities of the service.
This section of the privacy report raises three excellent areas for consideration for public sector customers: Privacy Notices, Access and Consumer Education.
Government agencies should disclose the privacy policies that govern the cloud computing services that they use or host. After all, the government should answer to the people and if citizen data is being stored in the cloud, the people have a right to know how that data is being used. For example, the GSA recently stated that their third-party cloud-based solution “is compliant with all federal regulations and requirements, including those regarding privacy and data protection." However, it is not clear exactly which privacy policies are in place for GSA workers, public citizens and companies that interact with GSA. In the spirit of the FTC’s call for transparency, these policies should be made public.
Likewise as public sector workers move from an internal government cloud service with one set of privacy policies to an external consumer service with a different set of policies, there should be very clear notice to the user of the privacy policies change as the user switches context. For example, if the user is bound by one agreement while they use a cloud-based email service but then switches to a more permissive policy as they use the search function embedded in that system, then the user should be notified that their privacy context has changed.
The report also includes following principle in this section the:
“Companies should provide reasonable access to the consumer data they maintain; the extent of access should be proportionate to the sensitivity of the data and the nature of its use.”
The same should apply to cloud service providers that collect data from users of public sector cloud services. Again, collecting user data should be kept to a minimum given that the government entity should judge what is considered sensitive data – not the cloud service provider.
Privacy education is just as important, if not more so, for public sector users of cloud computing technology. Public sector employees must learn the privacy boundaries of their government cloud services and their consumer cloud services in order to maintain the appropriate levels of confidentiality, security and trust for public sector data. If the privacy or data collection policy of a consumer service violates the agency’s rules or compliance requirements, then the consumer cloud service should simply not be used. Public sector employees will not know when they can use various cloud services unless they are trained on their internal privacy requirements and are vigilant about which privacy policies apply to each cloud service.
The fact that the FTC is taking consumer privacy seriously is extremely encouraging. But let’s not stop there. If cloud service providers do not come forward with appropriate privacy and data use policies for public sector users, perhaps the Office of Management and Budget (OMB) and other public sector agencies will need to create their own frameworks and rules to ensure government, education, healthcare and taxpayer data is protected without compromise.