2024-23773. Request for Information: Executive Branch Agency Handling of Commercially Available Information Containing Personally Identifiable Information
-
AGENCY:
Office of Management and Budget.
ACTION:
Notice of request for information.
SUMMARY:
As part of its implementation of Executive order, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, the Office of Management and Budget (OMB) is requesting public input on issues related to Federal agency collection, processing, maintenance, use, sharing, dissemination, and disposition of commercially available information (CAI) containing personally identifiable information (PII).
DATES:
Consideration will be given to written comments received by December 16, 2024.
ADDRESSES:
Please submit comments via https://www.regulations.gov/ and follow the instructions for submitting comments. Public comments are valuable, and they will inform any potential updates to relevant OMB guidance; however, generally OMB will not respond to or address individual submissions.
Privacy Act Statement: OMB is issuing this request for information (RFI) as part of its implementation of Executive Order 14110, Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence,[1] pursuant to OMB's statutory authorities to set policies for Executive Branch agencies' management of information resources, including CAI containing PII.[2] Submission of comments in response to this RFI is voluntary. Comments may be used to inform sound decision making on topics related to this RFI, including potential updates to guidance. Please note that submissions received in response to this notice may be posted on https://www.regulations.gov/ or otherwise released in their entirety, including any personal information, business confidential information, or other sensitive information provided by the commenter. Do not include in your submissions any copyrighted material; information of a confidential nature, such as personal or proprietary information; or any information you would not like to be made publicly available. Comments and commenter information are maintained under the OMB Public Input System of Records, OMB/INPUT/01; the system of records notice is accessible at 88 FR 20913 ( https://www.federalregister.gov/documents/2023/04/07/2023-07452/privacy-act-of-1974-system-of-records) and includes a list of routine uses associated with the collection of this information.
FOR FURTHER INFORMATION CONTACT:
Kevin Herms, Office of Management and Budget, via email at MBX.OMB.CAI_RFI_FY24@omb.eop.gov or phone at 202-395-3200.
SUPPLEMENTARY INFORMATION:
Commercially available information (CAI) takes many forms and, when used responsibly, supports many of the missions carried out by Executive Branch departments and agencies (“agencies”) on behalf of the American people. Section 3(f) of Executive Order 14110 defines CAI as “any information or data about an individual or group of individuals, including an individual's or group of individuals' device or location, that is made available or obtainable and sold, leased, or licensed to the general public or to governmental or non-governmental entities.” [3] CAI also may include PII, which OMB Circular No. A-130 defines as “information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.” CAI may be collected from multiple sources, including public records, and licensed, ( print page 83518) sold, or otherwise transferred by companies, including those commonly known as data brokers, to a variety of customers, including marketers, researchers, and Federal, state, local, and tribal government agencies.
While responsible use of CAI may support agency missions, an agency's collection, processing, maintenance, use, sharing, dissemination, and disposition (hereafter “handling”) of CAI containing PII also can present privacy risks. For example, factors including the sensitivity and volume of PII contained in some CAI may exacerbate privacy risks and limit the application of key principles that are foundational to agency handling of PII, such as data minimization, transparency, and individual participation. As discussed in OMB Circular A-130, when considering the privacy risks associated with their handling of PII, agencies are responsible for evaluating the sensitivity of the data elements individually and when grouped together, as well as considering the volume of PII. These considerations are particularly important for agency handling of CAI, as participants in an August 2023 White House roundtable on data broker practices “explained how data brokers purchase or acquire large volumes of exceedingly detailed data about people including geolocation and health information—often without their knowledge or consent.” [4] As highlighted in Executive Order 14110, such privacy risks may be further exacerbated by artificial intelligence (AI) facilitating the collection or use of information about individuals, and the making of inferences about individuals. The readout from the White House roundtable addresses that concern as well, noting that “[r]ecent advancements in artificial intelligence, attendees cautioned, have rapidly expanded data brokers' abilities to draw inferences about individuals' lifestyles, desires, and weaknesses, and are incentivizing rampant data collection to fuel their development.” [5]
Executive Order 14110 identified agency practices related to CAI, particularly CAI that contains PII and including CAI procured from data brokers and CAI procured and processed indirectly through vendors, as an area for OMB to evaluate in relation to mitigating privacy risks potentially exacerbated by AI. Specifically, section 9(a)(i) and (ii) of Executive Order 14110 instructs OMB to “evaluate and take steps to identify [CAI] procured by agencies, particularly CAI that contains [PII]” and “evaluate . . . agency standards and procedures associated with the [handling] of CAI that contains [PII].”
As part of its implementation of Executive Order 14110, OMB is seeking public comment and input for OMB's consideration as it evaluates agency policies and procedures associated with the handling of CAI containing PII and assesses how agencies may mitigate privacy risks specifically arising from their handling of CAI containing PII. Per section 9(a)(i) and (ii) of Executive Order 14110, OMB's work in this area and therefore the scope of this RFI does not include CAI containing PII when it is used for the purposes of national security.[6]
Seeking Public Input on Agencies' Responsible Handling of CAI Containing PII
OMB seeks responses to the following questions:
General Considerations
1. How does AI potentially exacerbate privacy risks associated with agency handling of CAI containing PII?
a. What are the key privacy risks associated with agencies' handling of CAI containing PII that OMB should consider and why?
2. What frameworks, models, or best practices should OMB consider as it evaluates agency standards and procedures associated with the handling of CAI containing PII and considers potential guidance to agencies on ways to mitigate privacy risks from agencies' handling of CAI containing PII?
3. What, if any, changes to its current guidance should OMB consider to improve how agencies address and mitigate the privacy risks that may be associated with their handling of CAI containing PII?
a. Are there specific policies, standards, or procedures governing agencies' handling of CAI containing PII that OMB should include in guidance?
4. What, if any, implementation or other challenges could arise with using the definition of CAI in Executive Order 14110 to govern agency handling of CAI containing PII?
a. What, if any, aspects of the definition should OMB seek to clarify through guidance to address any such challenges?
Transparency Into Agency Handling of CAI Containing PII
5. Agencies provide transparency into the handling of PII through various means ( e.g., policies and directives, Privacy Act statements and other privacy notices at the point of collection, Privacy Act system of records notices, privacy impact assessments). What, if any, improvements would enhance the public's understanding of how agencies handle CAI containing PII?
6. What other approaches to sharing information with the public about how agencies handle CAI containing PII would be most useful, for example, to ensure data quality and to enhance public trust?
a. What type of information on this topic should agencies share publicly?
b. When, in what form, and to whom should agencies provide that information?
c. Should agencies disclose to individuals when CAI containing PII is used to inform a decision with respect to those individuals ( e.g., a determination of their eligibility for or receipt of a Federal benefit)?
i. What steps could agencies take to provide individuals with an opportunity to seek amendment of the CAI before agencies use it to make such decisions?
ii. What other steps could agencies take to verify accuracy, relevance, timeliness, and completeness of the CAI before using it to make decisions about individuals?
7. Should agencies establish and maintain comprehensive inventories of CAI containing PII that they handle? Why or why not?
a. If so, should these agency CAI inventories be publicly available? Why or why not?
i. Are there any categories of CAI containing PII that should not be included in a public inventory? If so, what risks support that exclusion?
ii. How would public CAI inventories be useful to stakeholders?
8. Should agencies create periodic reports on their handling of CAI containing PII? Why or why not?
a. If so, what information should be included in these reports, and to whom should OMB direct agencies to send these reports?
b. If so, should agencies make these reports publicly available and by what means ( e.g., post them on agency privacy program web pages)? ( print page 83519)
Agency Processes for Responsible Handling of CAI Containing PII
9. Should agencies handle CAI containing PII differently depending on the purpose for which it is used? Why or why not?
a. If so, what should be the criteria for any differences in handling CAI with PII, and what should those differences in handling be?
b. What, if any, specific use cases or scenarios are examples of where OMB guidance should limit or restrict how agencies handle CAI containing PII? What risks justify those limitations or restrictions?
c. Does agency input of CAI containing PII into an AI system, as defined by section 3 of Executive Order 14110, alter privacy risks and how?
i. How should agencies mitigate privacy risks associated with such input of CAI in an AI system?
ii. Does appropriate mitigation of privacy risks vary based on the type of AI system into which CAI is input and the purposes of that AI system? If so, how should those factors be considered in the mitigation of privacy risks?
10. What, if any, factors should OMB guidance include for agencies' consideration in their evaluation of how they can mitigate privacy risks associated with their handling of CAI containing PII ( e.g., source of the data, potential concerns with data quality, purpose of its use)?
a. How should agencies document their evaluation of these factors related to the handling of CAI containing PII?
b. Should agencies' evaluation of these factors related to the handling of CAI containing PII be made public and, if so, when and how?
c. Should a differentiation be made between CAI maintained on agency systems and CAI accessed or queried through third parties? What factors should OMB consider in guidance in relation to CAI accessed or queried through third parties?
11. What, if any, means of interagency information sharing should be considered to allow agencies to report problems with CAI containing PII ( e.g., recurring concerns with data quality)?
12. What, if any, guidance should OMB provide to agencies regarding how their agreements with third parties address privacy requirements for CAI containing PII ( e.g., specific compliance language in the requirements for contracts, licensing agreements, or other agreements)?
a. Should such agreements require third-party providers of CAI to provide information about the source of data, demonstrate the quality, reliability and validity of the data, attest to compliance with relevant laws and policies, or comply with certain privacy requirements? Why or why not? How might agencies require third-party providers to demonstrate the quality, reliability, and validity of the CAI?
b. Should such agreements require third-party providers of CAI to adopt policies aimed at allowing individuals access to information about them held by the third-party provider, the ability to dispute incomplete or inaccurate information held by a third-party provider of CAI containing PII, or control over how the information about them is used or shared? Why or why not?
c. Are there other practices to mitigate privacy risks that agencies might require within agreements with third parties?
Other Considerations
13. Should OMB guidance require agencies to manage CAI governance—including policies, procedures, and oversight of agency use of CAI—through a uniform mechanism?
14. What else should OMB consider when evaluating potential guidance to agencies on ways to mitigate privacy risks from agencies' activities related to CAI containing PII?
Richard L. Revesz,
Administrator, Office of Information and Regulatory Affairs.
Footnotes
1. Exec. Order 14110, 88 FR 75191 (Nov. 1, 2023).
Back to Citation2. See, e.g.,44 U.S.C. 3504(a); 5 U.S.C. 552a(v).
Back to Citation4. Readout of White House Roundtable on Protecting Americans from Harmful Data Broker Practices, White House (Aug. 16, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/08/16/readout-of-white-house-roundtable-on-protecting-americans-from-harmful-data-broker-practices/.
Back to Citation5. Id.
Back to Citation6. 88 FR 75217. For an example of work addressing this topic in the national security context, see the Intelligence Community Policy Framework for CAI issued by the Office of the Director of National Intelligence, available at https://www.dni.gov/files/ODNI/documents/CAI/Commercially-Available-Information-Framework-May2024.pdf.
Back to Citation[FR Doc. 2024-23773 Filed 10-15-24; 8:45 am]
BILLING CODE 3110-01-P
Document Information
- Published:
- 10/16/2024
- Department:
- Management and Budget Office
- Entry Type:
- Notice
- Action:
- Notice of request for information.
- Document Number:
- 2024-23773
- Dates:
- Consideration will be given to written comments received by December 16, 2024.
- Pages:
- 83517-83519 (3 pages)
- PDF File:
- 2024-23773.pdf