There are many interrelated aspect of data governance and management that Federal Agencies are responsible for. Here are a few of the most common policy elements that you may encounter in dealing with IT systems. Key considerations include how data is collected, stored, archived as well as public access to government data

This topic is also a major concern for IT security. Main Cybersecurity Article.

Personally Identifiable Information (PII)

The Privacy Act of 1974 requires that federal agencies protect access to personal information collected about individuals.

The Office of Management and Budget (OMB) defined Personally Identifiable Information (PII) in M-07-16 Safeguarding Against and Responding to the Breach of Personally Identifiable Information:

information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

This memo further requires agencies to only keep the minimum amount of personal information necessary to carry out the agency’s function.

M-10-23 Guidance for Agency Use of Third-Party Websites and Applications extends this guidance to practices for websites, and specifically addresses Privacy Impact Assessments (PIAs)

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

The The Health Insurance Portability and Accountability Act (HIPAA) sets privacy requirements specifically for healthcare-related businesses or organizations dealing with healthcare records of individuals. Under the Privacy Rule, these entities cannot disclose health information without the owner’s explicit consent. There are several exceptions where authorization is not needed, such as in law enforcement and court cases, as well as any “essential government functions,” for instance in preventing a pandemic. Employee information tracked as part of official employment records also are not covered, even if the employer is a covered healthcare entity.

HIPAA also does not cover non-healthcare related entities, for instance health information entered into a mobile app on your phone or given to a DNA testing company.

In short, HIPAA usually does not apply to Federal agencies for most practical purposes.

Family Educational Rights and Privacy Act of 1974 (FERPA)

The Family Educational Rights and Privacy Act of 1974 (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) generally protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. FERPA gives parents certain rights over their children’s education records, which transfer to the student when they reach the age of 18 or attend a school beyond the high school level.

Generally, schools must have written permission from the parent or eligible student in order to release any information from a student’s educational record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under several exceptions.

In short, FERPA usually does not apply to Federal agencies for most practical purposes, but may be a consideration when working with The Department of Education (DOEd).

Confidential Information Protection and Statistical Efficiency Act (CIPSEA)

The Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA) sets requirements on statistical agencies with regard to the confidential handling of data collected for statistical purposes. This is intended to add confidentiality requirements to things like census data. It does, however, allow for some data sharing between the Census Bureau, the Bureau of Labor Statistics, and the Bureau of Economic Analysis.

The Evidence-Based Policymaking Act also expanded this law and directed statistical agencies to assess their usage and disclosure of confidential information. It also makes it a felony for staff to deliberately disclose such info. This act also directs statistical agencies to find opportunities to share information with each other to reduce duplicative actions.

Data Collection & Privacy

There area lots of hurdles to jump when collecting data from the public at a federal agency. The Paperwork Reduction Act of 1995 requires that before agencies collect any data from the public – PII or not – the collection must be reviewed in advance by The Office of Information and Regulatory Affairs (OIRA).

Exceptions to this include:

  • collecting data from less than ten people,
  • collecting data from federal employees as part of their official duties,
  • requests for feedback such as user surveys, and
  • comments and discussions gathered at public hearings or online meeting.

The Privacy Act further requires that a federal agency must file a System of Records Notice (SORN) in the [Federal Register] if personal information is going to be collected about individuals, to notify the public of such collections.

The E-Gov Act also requires the agency to perform a Privacy Impact Assessment (PIA) before creating or purchasing a new information system.

OMB M-22-10 was recently issued directing agencies to reduce the burden on the public to supply data for benefit programs, including the psychological burden on individuals. It also states that agencies should be doing user testing in alignment with Customer Experience (CX) principles, and clarifies the lowered requirements for this testing.

Given the amount of time and hassle involved in these approval and review processes, agencies typically will write the notices/requests broadly, to avoid going through the whole process repeatedly for small changes, system migrations, etc.

In 2016, Executive Order 13719 created Senior Agency Officials for Privacy (SAOP) at federal agencies, responsible for the collection and handling of information gathered about individuals – but responsibility for protection of this information typically remains with Chief Information Officer (CIO)s. OMB M-16-24 gives implementation details for this EO.

Data Classification

There are two primary types of data control classification in government. The first, and most well-known, is Classified National Security Information. When you hear people talk about “Top Secret” documents or clearance, this is what they are referring to. The specific guidance on classification of this nature has changed several times over the years. The most recent guidance released in 2009 in Executive Order 13526 defines three levels:

(1) “Top Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.

(2) “Secret” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.

(3) “Confidential” shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.

Top Secret documents may also be marked for additional controls, commonly referred to as Sensitive Compartmented Information (TS/SCI).

If a federal employee or contractor must deal with these classified documents, they must obtain the matching clearance from their agency, which involves a security investigation and background check. Outside of The Department of Defense (DOD), The Department of Homeland Security (DHS), or specific Cybersecurity roles, these clearances are not common - even most staff at OMB do not possess a clearance, and they usually aren’t needed for day-to-day technology work. Note that for most government roles, employees must at a minimum possess a Public Trust review and approval, but this is not actually considered a security clearance. It can still take weeks - or months - to receive this clearance.

These materials typically must be viewed only within a Sensitive Compartmented Information Facility (SCIF), to ensure that the data is protected. Each main agency office typically has a SCIF. Staff without clearance may enter a SCIF, but specific procedures must be followed - usually they must be escorted. Electronic devices such as agency cellphones are typically not allowed to be brought into a SCIF.

Executive Order 13556 created the designation of Controlled Unclassified Information (CUI), which replaced the older designation of For Official Use Only (FOUO). This is information that does not require the protections of classified information, and thus a security clearance is not required for viewing this information, but special protections are required specifically for storage and dissemination. As such, the designation is important for cybersecurity and records management purposes. Examples of this type of data can include agency-specific internal policy documents or “deliberative” drafts that have not been finalized.

The second type of data control classification is for systems which host any government data. See the main Security Assessment article for more details.

Open Data

For more information on open data, readers should refer to Open Government Data: The Book.

The government has a duty to be transparent to the public in its operations. This is a fundamental tenet of democracy, but is also incorporated in law and policy. One method to provide transparency is through providing Open Data, data which is provided for use by the public without license or restriction.

The most recent official OMB policy on Open Data is M-13-13 issued in 2013. This memo directs agencies to be more proactive in publishing open data sets, and requires them to keep and publish an inventory of these on the agency website at the url /data. Additionally, a catalog of open data provided by the federal government is hosted on In 2010, the OMB Open Government Directive (M-10-06) required Agencies agencies to create a strategic plan for open data, updated every two years, hosted on the agency’s website at the url /open. However, many agencies have not updated their plans in quite some time - notably the The Department of Veterans Affairs (VA) has never updated theirs. Many of the requirements under M-13-13 were made permanent by the Open, Public, Electronic and Necessary (OPEN) Government Data Act in 2017.

Open data laws at the federal, state, and local levels are often referred to as, or explicitly named, “sunshine laws.” An example is the Government in the Sunshine Act of 1976. In addition to procedural information, budget, contracts, and procurement data is also a key area of interest for watchdog groups.

Note that Open Data can refer to things beyond just statistical data & spreadsheets; it often refers to policies and procedures as well. For instance, agencies are required by the GPRA Modernization Act of 2010 to publish strategic plans on how they are achieving their mission requirements, and those plans must be published on the agency’s public website.

Freedom of Information Act (FOIA)

The Freedom Of Information Act (FOIA) requires that all agencies publish publicly their policies and procedures. Moreover, it establishes the right of the public to request any records the agency might possess. There are exceptions to this, for instance agencies do not have to release information if it contains issues of national security, trade secrets, or personal information on individuals. Agencies may charge a reasonable fee for the production of these records, but it may take months - or even years - for these to be returned to the requester. In an agency, these requests are commonly known as FOIA requests.

In general, agencies respond to FOIA requests directly back to the requestor. However, for many years many agencies have been pressured by watchdog groups to adopt a “Release to One, Release to All” policy, in which responses to all FOIA requests are made openly available online for the public to review. Although a limited six-month pilot was performed during the Obama administration in 2015, these were not formalized in most agencies.

Records Management

The Federal Records Act of 1950 established a requirement for federal agencies to keep copies of key records. This was augmented by the Presidential Records Act of 1978, which specifically applies to the records of the president and their political appointees. By these laws, The National Archives and Records Administration (NARA) is responsible for overseeing records management, and agencies also send copies of their records to NARA for preservation.

Records may include policies and procedures, emails, and other information. In general, most records are kept for seven years, except for records of historical importance which may be kept permanently. (Refer to NARA’s records schedule for more details.) OMB M-19-21 requires all agencies to move away from paper-based records, and by the end of calendar year 2022 they must only submit electronic records to NARA.

Title 44 of the U.S. Code deals with records management; specifically chapters 29, 31, and 33 deal with federal records and chapter 22 deals with presidential records.

OMB Circular A-130 Managing Information as a Strategic Resource sets forth agency (and particularly, CIO) policy responsibilities for planning, budgeting, governance, acquisition, and management of Federal information, personnel, equipment, funds, IT resources and supporting infrastructure and services. This document was revised in 2016 to include references to recent changes in law and policy, including the roles of Senior Agency Officials for Privacy (SAOP). Of particular note is Appendix II: Responsibilities for Managing Personally Identifiable Information under The Privacy Act and The Fair Information Practice Principles (FIPPs).

Chief Data Officer (CDO)

Given the large number of data-oriented tasks at an agency, the Foundations for Evidence-Based Policymaking Act created the position of the Chief Data Officer (CDO) at each agency. This role shares some responsibilities for technology management and security with the CIO and Chief Information Security Officer (CISO), though in most cases the CIO retains the primary authority.

However, the CDO may be positioned anywhere in the organization - sometimes reporting to the CIO, but just as often in an arbitrary other office, such as at The Small Business Administration (SBA) they’re part of the CFO’s office. Due to no funding being provided with the Act - and thus no additional staff slots - in many agencies the CDO role was assigned as an additional title for an existing staff member. For instance, at The Department of Justice (DOJ) the CIO is also the CDO.

The creation of the CDO role also tied closely to other presidential initiatives around 2018 under the Federal Data Strategy. Although the strategy was intended to be a 10-year plan with annual updates from agencies, it has received less attention in the current administration.