Privacy Program
The U.S. Government Publishing Office (GPO) places a high priority on protecting information in identifiable form that is collected, used, maintained, and disseminated by the Agency. In so doing, the Agency's policies for the protection of such information are responsive to numerous statutory requirements and to oversight guidance provided in Office of Management and Budget (OMB) memoranda and circulars. Note that, as a Legislative branch agency, GPO is not required by law to adhere to the requirements and oversight guidance, but the Agency has recognized the requirements and oversight guidance as a best practice. Review GPO Basic Privacy Awareness and Best Practices.
Purpose
The GPO Privacy Program establishes a framework for the protection of personally identifiable information (PII) at the U.S. Government Publishing Office. Appropriate measures are established to protect PII from unauthorized use, access, disclosure, or sharing and to protect related information systems from unauthorized access, modification, disruption, or destruction.
Authority
GPO Directive 825.41B: Privacy Program: Protection of Personally Identifiable Information (PII) establishes the GPO Privacy Program in compliance with Federal regulations (as best practices), and other GPO policies that provide direction and guidance concerning security planning. References to various laws, regulations, directives, and other policy and procedure guidance applicable to privacy and Information Technology (IT) security are provided below as informative (non-required) references.
References
GPO Directive 825.41B Privacy Program: Protection of Personally Identifiable Information (PII) incorporates by reference all the provisions of GPO Directive 825.33C, IT Security Program Statement of Policy, and its appendices, dated March 19, 2021.
OMB Memorandum M-17-06 Safeguarding Policies for Federal Agency Public Websites and Digital Services (Nov. 8, 2016), which states that the agency’s Privacy Program Page must be located at www.[agency].gov/privacy and must be accessible through the agency’s “About” page.
OMB Memorandum M-17-12, which provides guidance regarding preparing for and responding to a breach of Personally Identifiable Information (January 3, 2017).
National Institute of Standards and Technology Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (Final), dated April 2013.
NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations - Appendix J, Privacy Control Catalog, dated April 30, 2013.
GPO Directive 840.7A GPO Comprehensive Records Schedule 2014, issued September 2, 2014.
Superintendent Public Policy Statement 2019-2 Redaction of Personally Identifiable Information from GPO’s System of Online Access by the Superintendent of Documents.
Policy
The U.S. Government Publishing Office (GPO) will protect the confidentiality of PII consistent with best practices to ensure that it is not subject to unauthorized use, access, disclosure, or sharing. These efforts extend to related information systems so that they also will not be subject to unauthorized access, modification, disruption, or destruction. Individuals may, in the regular course of agency activities, disclose employee names, work telephone numbers, work email addresses, other business-related identifying information, and other PII that is otherwise permitted to be made public by law or regulation. The IT Security division establishes requirements for the maintenance and security of personally identifiable information (PII) maintained on agency IT systems. The IT Security division further provides guidance and resources to help users understand these requirements and how they are implemented in the U.S. Government Publishing Office (GPO) business units.
PII in Government Publications on govinfo
In accordance with Superintendent Public Policy Statement 2019-2 Redaction of Personally Identifiable Information from GPO’s System of Online Access by the Superintendent of Documents, GPO redacts high-impact PII from publicly accessible files in GPO’s system of online access, govinfo. If you discover PII in a publication (other than in the United States Courts Opinions collection) on govinfo, please let us know by submitting an askGPO inquiry under the category govinfo.gov question.
United States Courts Opinions on govinfo
The United States Courts Opinions (USCOURTS) collection is a collaborative effort between GPO and the Administrative Office of the United States Courts (AOUSC) to provide public access to opinions from selected United States appellate, district, and bankruptcy courts. The USCOURTS collection is consistent with the E-Government Act's requirement for the substance of all written opinions, issued after April 16, 2005, to be made available in a text-searchable format [Pub. L. No. 107-347, Title II, Section 205].
Per Superintendent of Documents Public Policy Statement 2019-3 Access to U.S. Government Information within Scope of the Public Information Programs of the Superintendent of Documents, GPO will not inhibit access to or indexing of Government information on govinfo. The only exception to this is when the originating agency, in this case the court that issued the opinion, determines it is necessary to withdraw the publication from public access.
If you discover any PII on the GPO-hosted USCOURTS collection on govinfo, and if you have any questions or need additional information, please contact the Administrative Office of the U.S. Courts directly at [email protected]. Only AOUSC can direct GPO to remove any information from the USCOURTS collection.
The Privacy Compliance Documentation (PTA and PIA)
The privacy compliance documentation, consisting of the Privacy Threshold Analysis (PTA) and Privacy Impact Assessments (PIAs), embodies the collaboration of program, technical, legal, security, and privacy teams across the agency. PIAs are appropriately published in order to foster transparency and individual participation regarding how GPO uses personally identifiable information (PII) to fulfill its mission.
Privacy Threshold Analysis (PTA)
The PTA is an administrative form created by the Privacy Office to efficiently and effectively identify the use of PII across agency business units. The PTA focuses on three areas of inquiry:
- Business data and business processes within each business unit.
- Potential connections with individuals including the use of PII – any use of social security numbers (SSNs) must be specifically identified.
The business unit’s privacy Point of Contact (POC) should ensure that its respective PTA is completed and sent to the Privacy Office. If SSNs are to be used, the PTA specifically identifies the justification and authority for using SSNs. Upon receipt of the PTA, the Privacy Office determines the applicability of other privacy compliance requirements including the PIA. The PTA is complete when the Privacy Office validates it and sends the final copy back to the identified point of contact.
Privacy Impact Assessment (PIA)
The PIA is required for all projects that use personally identifiable information (PII) at GPO. The PIA is an assessment document required by the E-Government Act of 2002 and in support of the Agency’s privacy protection requirements under the Homeland Security Act of 2002, as amended. The PIA must be completed, finalized, and approved by the Privacy Officer before PII is loaded or used. The PIA focuses on the following areas of inquiry:
- Information Collection
- Information Use
- Information Retention
- Information Sharing (internal and external)
- Notice
- Individual Access, Redress, and Correction
- Security
- Technology
The Privacy program manager should ensure that the PIA drafting process begins with the business unit's POC immediately after the validation of the PTA processing PII. PIAs are drafted through an iterative process involving the Business Unit Privacy Point of Contact (POC), the Privacy Office, GPO stakeholders, and any other application and systems representatives. The PIA is complete when the Privacy Officer signs it.
Legal Information
The concept of online privacy includes the right to decide what personal information you choose to submit online, and how that information will be used, if at all. To protect user privacy, GPO follows Office of Management and Budget (OMB) recommendations and other suggestions regarding Internet privacy policy for Federal Government websites. In doing so, we strive to make users aware of the kinds of information we collect from them, explaining why we collect that information, how we use it, and whether it will be shared with others.
Information Collected Automatically
When users surf the GPO website or hosted Federal websites, GPO collects the following data for statistical purposes only:
- the IP address from which users access our website;
- the date and time of their visits;
- the URLs of the pages that they view;
We use these statistics to make improvements to gpo.gov, not to identify individual users or their searches. We do not enable cookies to monitor usage or to gather users' personal information.
Information Collected via Correspondence with GPO
Personal information submitted by a user in comments or questions via phone, fax, or e-mail is not distributed to parties outside of GPO. Identifying information, such as name, e-mail address, and phone or fax number, is used only for responding to users' comments or questions, and is not made available for other purposes.
Definitions
Cookies: Cookies are small pieces of information that web servers or pages store on a user's hard drive. There are two types of cookies: session cookies and persistent cookies. Both types of cookies allow internet servers to "remember" specific information about a user. Websites use them primarily to personalize their sites for individual users, to keep track of orders when users purchase products, and to target advertising toward users based on the information that they access. However, session cookies will "remember" that information for only as long as you explore a website during one "session", or visit to the website. Session cookies will not "remember" information about you when you return to the site for subsequent visits. However, persistent cookies will "remember" this information for more than one session. OMB has decided that persistent cookies should not be allowed on Government websites, except in "the most unusual of circumstances." GPO currently follows this recommendation.
Encryption: Encryption technology ensures the protection of personal information via private, secure transactions.
Security: Site security is the concept of monitoring network traffic to identify unauthorized attempts to upload or change information on GPO's servers.
In the case that suspicious activity of this sort arises, a user's personal information may be tracked to identify a possible threat. This is the only reason that GPO will ever collect personal information and/or monitor user activity without asking permission or giving prior notice.
Note: To assist users in finding official Government information, we provide links to other websites. Once users have left gpo.gov and entered another site, they are subject to the policies and legal notices on that site.
Copyright Status Notice
Unless specifically stated otherwise, all information on the U.S. Government Publishing Office (GPO) website is in the public domain, and may be reproduced, published or otherwise used without GPO's permission.
Some photographs in major banners and navigation headings are commercially licensed and cannot be reproduced, published or otherwise used.