Privacy Program

The U.S. Government Publishing Office (GPO) places a high priority on protecting information in identifiable form that is collected, used, maintained, and disseminated by the Agency. In so doing, the Agency's policies for the protection of such information are responsive to numerous statutory requirements and oversight guidance provided by the Office of Management and Budget (OMB) memoranda and circulars. Note that, as a Legislative branch agency, GPO is not required by law to adhere to the requirements and oversight guidance, but the Agency has recognized the requirements and oversight guidance as a best practice. Review Awareness and Best Practices.

Purpose

The GPO Privacy Program establishes a framework for the protection of personally identifiable information (PII) at the U.S. Government Publishing Office. Appropriate measures are established to protect PII from unauthorized use, access, disclosure, or sharing and to protect related information systems from unauthorized access, modification, disruption, or destruction. Review the Privacy Incident Reporting Process.

Authority

GPO Directive 825.41A: Privacy Program: Protection of Personally Identifiable Information (PII) establishes the GPO Privacy Program in compliance with Federal regulations (as best practices), and other GPO policies that provide direction and guidance concerning security planning. References to various laws, regulations, directives, and other policy and procedure guidance applicable to privacy and IT security are provided below as informative (non-required) references.

References

GPO Directive 825.41A Privacy Program: Protection of Personally Identifiable Information (PII) incorporates by reference all the provisions of GPO Directive 825.33B, Information Technology (IT) Security Program Statement of Policy, and its appendices, dated May 24, 2011

OMB Memorandum 07-16 Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated May 22, 2007

National Institute of Standards and Technology Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (Final), dated April 2013

NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations - Appendix J, Privacy Control Catalog, dated April 30, 2013

GPO Directive 840.7A GPO Comprehensive Records Schedule 2014, issued September 2, 2014

Policy

The U.S. Government Publishing Office (GPO) will protect the confidentiality of PII consistent with best practices to ensure that it is not subject to unauthorized use, access, disclosure, or sharing. These efforts extend to related information systems so that they also will not be subject to unauthorized access, modification, disruption, or destruction. Individuals may, in the regular course of agency activities, disclose employee names, work telephone numbers, work email addresses, other business-related identifying information, and other PII that is otherwise permitted to be made public by law or regulation. Information Security establishes requirements for the maintenance and security of personally identifiable information (PII) maintained on agency information technology (IT) systems. The Information Security Division provides guidance and resources to help users understand these requirements and how they are implemented in the U.S. Government Publishing Office (GPO) business units.

The Privacy Compliance Documentation (PTA and PIA)

The privacy compliance documents, the Privacy Threshold Analysis (PTA) and the Privacy Impact Assessment (PIA), embody the collaboration of program, technical, legal, security, and privacy teams across the agency. PIAs are appropriately published to the public-facing website in order to foster transparency and individual participation regarding how GPO uses personally identifiable information (PII) to fulfill its mission. The GPO Privacy Office is currently in the process of implementing this for GPO.

Privacy Threshold Analysis (PTA)

The PTA is an administrative form created by the Privacy Office to efficiently and effectively identify the use of PII across agency business units. The PTA focuses on three areas of inquiry:

The business unit's privacy Point of Contact (POC) should ensure that its respective PTA is completed and sent to the Privacy Office. If SSNs are to be used, the PTA specifically identifies the justification and authority for using SSNs. Upon receipt of the PTA, the Privacy Office determines the applicability of other privacy compliance requirements, including the PIA. The PTA is complete when the Privacy Office validates it and sends the final copy back to the identified point of contact. The GPO Privacy Office has completed the initial PTAs for GPO.

Privacy Impact Assessment (PIA)

The PIA is required for all projects that use personally identifiable information (PII) at GPO. The PIA is an assessment document required by the E-Government Act of 2002 and in support of the Department’s privacy protection requirements under the Homeland Security Act of 2002, as amended. The PIA must be completed, finalized, and approved by the Privacy Officer before PII is loaded or used. The PIA focuses on the following areas of inquiry:

The Privacy program manager should ensure that the PIA drafting process begins with the business unit's POC immediately after the validation of the PTA processing PII. PIAs are drafted through an iterative process involving the Business Unit Privacy Point of Contact (POC), the Privacy Office, GPO stakeholders, and any other application and systems representatives. The PIA is complete when the Privacy Officer signs it. At the discretion of the GPO Privacy Office, finalized PIAs are generally published on the Privacy Office's website. The GPO Privacy Office has completed the initial PIAs for GPO.

Legal Information

The concept of online privacy includes the right to decide what personal information you choose to submit online, and how that information will be used, if at all. To protect user privacy, GPO follows Office of Management and Budget (OMB) recommendations and other suggestions regarding Internet privacy policy for Federal Government websites. In doing so, we strive to make users aware of the kinds of information we collect from them, explaining why we collect that information, how we use it, and whether it will be shared with others.

Information Collected Automatically

When users surf the GPO website or hosted Federal websites, GPO collects the following data for statistical purposes only:

We use these statistics to make improvements to gpo.gov, not to identify individual users or their searches. We do not enable cookies to monitor usage or to gather users' personal information.

Information Collected via Correspondence with GPO

Personal information submitted by a user in comments or questions via phone, fax, or e-mail is not distributed to parties outside of GPO. Identifying information, such as name, e-mail address, and phone or fax number, is used only for responding to users' comments or questions, and is not made available for other purposes.

Definitions

Cookies: Cookies are small pieces of information that web servers or pages store on a user's hard drive. There are two types of cookies: session cookies and persistent cookies. Both types of cookies allow internet servers to "remember" specific information about a user. Websites use them primarily to personalize their sites for individual users, to keep track of orders when users purchase products, and to target advertising toward users based on the information that they access. However, session cookies will "remember" that information for only as long as you explore a website during one "session", or visit to the website. Session cookies will not "remember" information about you when you return to the site for subsequent visits. However, persistent cookies will "remember" this information for more than one session. OMB has decided that persistent cookies should not be allowed on Government websites, except in "the most unusual of circumstances." GPO currently follows this recommendation.

Encryption: Encryption technology ensures the protection of personal information via private, secure transactions.

Security: Site security is the concept of monitoring network traffic to identify unauthorized attempts to upload or change information on GPO's servers.

In the case that suspicious activity of this sort arises, a user's personal information may be tracked to identify a possible threat. This is the only reason that GPO will ever collect personal information and/or monitor user activity without asking permission or giving prior notice.

Note: To assist users in finding official Government information, we provide links to other websites. Once users have left gpo.gov and entered another site, they are subject to the policies and legal notices on that site.

Copyright Status Notice

Unless specifically stated otherwise, all information on the U.S. Government Publishing Office (GPO) website is in the public domain, and may be reproduced, published or otherwise used without GPO's permission.

Some photographs in major banners and navigation headings are commercially licensed and cannot be reproduced, published or otherwise used.