An introduction to privacy

Understand privacy requirements for agency websites

What is privacy?

Federal agencies must take great care when collecting information from users to protect their privacy, and publish a privacy policy to clearly disclose how that information will be used. The privacy policy should be easy for users to find and understand (written in plain language), and include a link to the agency’s Privacy Program page. Privacy controls prevent the inappropriate disclosure of sensitive information.

Why is privacy important?

As public servants, one of our greatest responsibilities is to ensure that people can trust us to keep their information safe. Protecting the privacy of visitors to federal websites is paramount to improving the public’s trust in government.

How to handle personally identifiable information

Personally identifiable information, commonly known as PII, includes any piece of information that could be used to identify a specific person.

Generally, personally identifiable information is a name or unique identifier, plus one of the following data elements:

  • Family and contact information such as a birthday or address
  • Education, including student records
  • Government-issued identifiers such as a passport or driver’s license number
  • Employment, including performance ratings and personnel records
  • Financial information, including account numbers or credit history
  • Health information, such as medical records
  • Biometrics, including photos or fingerprints
  • Demographic info, including sex or citizenship

If your agency needs to collect personally identifiable information from users (or if users could provide this information even if you don’t ask for it), your agency should publish a Privacy Act Statement that explains the agency’s legal authority for collecting personal data and how that data will be used.

When determining whether and how to collect personally identifiable information, identify a clear business requirement for every piece of information, and collect only the information you need to meet that requirement. Never collect personally identifiable information “just in case.” Apply this same rigor not just to websites, but other methods of information collection such as surveys and customer emails.

To help users understand why you’re asking for their personally identifiable information:

  1. Link to your agency’s Privacy Program page from your website’s “About” page.
  2. Link to the site’s privacy policy from the USWDS Identifier component in your website footer.
  3. Keep all privacy policies and information up-to-date.

To complete your privacy coverage, consult with your agency’s Privacy Office to put strong controls in place to keep user information safe. Discuss whether you need to conduct a Privacy Threshold Assessment (PTA) or Privacy Impact Assessment (PIA), or publish a System of Records Notice (SORN). Also consult with them when considering adoption of third-party websites and applications, to ensure proper privacy protections are in place for users.

What can I do next?

Do you ever wonder how many visitors your agency’s privacy website gets, what they search for, how long they stay, and if they are mobile users? Or does your Senior Agency Official for Privacy ever ask how well your privacy resources are serving your users?

It’s important to understand how visitors use the privacy pages on your agency websites. Watch the 52-minute video, Analyzing web metrics for federal privacy professionals, to understand how you can use data from the Digital Analytics Program to improve the privacy-related pages on your website.