Protecting Privacy in Public Private Partnerships: What Government Agencies Should Know
By Rebecca Andino, PMP, CIPP/G and David Carpenter, CISM, CIPP
Public Private Partnerships (PPPs) are business models in which state, local or federal government entities and private industry establish formal partnerships to achieve mutually beneficial outcomes. According to the National Council for Public Private Partnerships (http://ncppp.org), PPPs are more common than one might think, and account for 23 out of 65 basic services in the average U.S. city.
PPPs can provide the public sector an improved or continued level of service, at reduced costs. They exist in nearly every major sector, from human services and education, to transportation infrastructure.
Privacy issues can arise when private partners collect individuals' personal information. For example, personal information is collected in PPPs when private partners perform counseling, economic development, traffic ticket issuance and air passenger screening. By definition, private partners in PPPs are not required to comply with the Privacy Act of 1974. Nor can one assume they follow any of the Fair Information Practice Principles (FIPPs), which are best practices but not necessarily required by law. Yet, a breach of personal information could result in harm to the individuals affected, reputation damage to the government sponsor and could, ultimately, cause a program to fail.
The solution is for the government sponsor to establish and enforce a comprehensive set of privacy standards that are required of private partners for a particular PPP. For the TSA Registered Traveler PPP, ICF International developed security and privacy standards based on National Institute of Standards and Technology (NIST) guidance and FIPPs. The standards are flexible enough to allow market-driven innovation, yet provide TSA assurance that its private partners maintain necessary levels of security and privacy protection of sensitive participant information.
It is important to consider privacy requirements throughout each phase of the program lifecycle; once a PPP is established, imposing additional governmental requirements could be financially or contractually burdensome or create a competitive disadvantage to the private partner. Government managers should consider the questions and recommendations below when establishing Public Private Partnerships.
Does the public know data is being collected? Do they have access to data use policies?
- Write and publish a Privacy Impact Assessment.
- Inform the public of data collection activities via publications such as the Federal Register and the agency Web site, as well as communications with news media and privacy advocate groups. Proactive communication is especially important in programs where data collection is passive, such as traffic light cameras or traffic speed detection.
2. Collection Limitation
Does each entity in the PPP collect and maintain only the minimum required information in support of the program? Is information collected by fair and legal means?
- Seek legal counsel to ensure the PPP activities are not an invasion of privacy in cases where individuals' data is obtained without their express consent (e.g., by traffic light cameras or in airline passenger checks).
- Ensure that each data item collected can be justified. For example, the government is not allowed to require participants to provide their Social Security number in order to participate in or benefit from the PPP (per the Privacy Act of 1974, 2004 Edition).
- Develop a matrix that shows the types of information accessed, stored and retained by each entity in the PPP, and the justification for each. An example based on the Registered Traveler matrix is shown in Table 1.
3. Purpose Specification
Do data collection forms explain the purpose for the collection of the information? Is there assurance that PPs will not use the data collected for purposes other than the purpose stated at the time of collection?
- Require PPs to state the purpose of the data collection and display any required government notices on all information collection forms. For Registered Traveler, PPs are required to display a TSA Privacy Act statement on enrollment forms.
- If PPs collect additional information for business or marketing purposes, ensure those fields are physically separated from government collection fields and clearly labeled as non-government fields.
Note that it may be desirable — or necessary — to allow PPs to collect additional data for business purposes, such as email addresses, contact preferences or credit card numbers. For Registered Traveler, TSA allows PPs to collect additional information from participants as long as forms are distinctly labeled and separate from the government collection forms.
4. Use Limitation
Does the program have assurance that PPs are using the information only for the purposes for which it was collected?
- Do not allow PPs to use participant information in any way other than the purpose stated at the time of collection, unless they obtain opt-in consent from participants. For example, Registered Traveler PPs may only share their participant information with partner companies, such as car rental companies and hotels, if participants opt-in.
5. Data Quality
Are participants able to access and correct their data? Are there adequate quality assurance processes on both sides of the PPP?
- Develop metrics for measuring data quality, particularly across system boundaries. One method of measuring data quality is to schedule regular checks to compare PP records with government records to ensure data values are consistent. Perform in-depth reviews to reconcile any conflicting results and correct any processing issues.
- Build data quality checks into the business processes. For example, all Registered Traveler fingerprint enrollments are checked against all existing enrollments as a fraud detection measure.
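One way to implement the cross-boundary consistency check recommended above, as an added example that is not part of the original article or the Registered Traveler program: both sides compute salted digests of normalized field values (an assumed exchange scheme, so raw participant data need not cross the boundary for the comparison), and the government side reports missing records, conflicting fields and a match rate for in-depth review. The records, enrollment IDs and salt are constructed sample values.

```python
import hashlib
from collections import Counter

# Constructed sample records (not real data): the private partner's (PP)
# enrollment records and the government sponsor's records, keyed by a
# shared enrollment ID.
PP_RECORDS = {
    "RT-0001": {"last_name": "Garcia", "dob": "1975-03-14", "status": "active"},
    "RT-0002": {"last_name": "O'Neil ", "dob": "1982-11-02", "status": "active"},
    "RT-0003": {"last_name": "Chen", "dob": "1990-07-30", "status": "revoked"},
    "RT-0004": {"last_name": "Patel", "dob": "1968-01-09", "status": "active"},
}
GOV_RECORDS = {
    "RT-0001": {"last_name": "GARCIA", "dob": "1975-03-14", "status": "active"},
    "RT-0002": {"last_name": "O'Neil", "dob": "1982-11-20", "status": "active"},
    "RT-0003": {"last_name": "Chen", "dob": "1990-07-30", "status": "active"},
    "RT-0005": {"last_name": "Nguyen", "dob": "1979-05-21", "status": "active"},
}

def normalize(value):
    """Canonicalize a field so cosmetic differences (case, padding) are not counted as conflicts."""
    return " ".join(value.strip().upper().split())

def digest(value, salt):
    """Salted SHA-256 of the normalized value (assumed digest-exchange scheme).
    Both sides must use the same per-check salt. Digests of low-entropy fields
    such as 'status' are guessable, so this is data minimization, not encryption."""
    return hashlib.sha256(salt + normalize(value).encode()).hexdigest()

def digest_records(records, salt):
    return {rid: {f: digest(v, salt) for f, v in rec.items()} for rid, rec in records.items()}

def reconcile(pp_digests, gov_digests):
    """Compare the two digest sets and return data-quality metrics for review."""
    pp_ids, gov_ids = set(pp_digests), set(gov_digests)
    shared = pp_ids & gov_ids
    mismatches, field_counts = {}, Counter()
    for rid in sorted(shared):
        bad = sorted(f for f in pp_digests[rid] if pp_digests[rid][f] != gov_digests[rid].get(f))
        if bad:
            mismatches[rid] = bad
            field_counts.update(bad)
    return {
        "missing_at_gov": sorted(pp_ids - gov_ids),   # enrolled at PP, unknown to government
        "missing_at_pp": sorted(gov_ids - pp_ids),    # known to government, absent at PP
        "mismatched": mismatches,                     # enrollment ID -> conflicting fields
        "mismatch_by_field": dict(field_counts),      # which fields drift most often
        "match_rate": round((len(shared) - len(mismatches)) / len(shared), 3) if shared else 1.0,
    }

def run_check(pp_records=PP_RECORDS, gov_records=GOV_RECORDS, salt=b"per-check-salt"):
    return reconcile(digest_records(pp_records, salt), digest_records(gov_records, salt))
```

Each conflict the check flags (here a transposed date of birth and a revocation that never reached the government side) is a candidate for the in-depth review and correction step described above.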
6. Individual Participation
Do individuals have the right to appeal decisions made by the PPP that affect them?
- Develop and publish a redress process or appeals process.
- Consider implementing mechanisms for the government to interact directly with participants in special circumstances. For example, TSA communicates directly with participants, bypassing the PP, to discuss redress matters.
7. Security Safeguards
Is individual data secured by the PP and the government? Is a security and privacy program implemented that provides the government reasonable assurance of the security of individuals' PPP information?
- Develop and publish security and privacy standards for the program. The standards should contain general as well as program-specific controls to ensure information is protected at the appropriate levels. It is recommended that the standards be a tailored version of an industry standard such as NIST SP 800-53 or ISO 27002.
- Assess PP compliance with security and privacy standards. Use an independent public accountant (IPA) firm or other auditor to provide the government assurance of information protection.
- Ensure data in transit is protected between the PP and the government. For example, TSA requires data in transit to be encrypted using the Triple Data Encryption Standard as specified by FIPS 140-2. However, other methods of data protection, such as virtual private networks (VPN) and hand-delivery, may also be acceptable depending on the circumstances.
- If the PPP issues participant identification items (such as SmartCards or RFID fobs), minimize the amount of sensitive information stored on the card in case the card is lost or stolen. However, to support industry participation and marketing efforts, the government may decide to allow the PPs to apply branding to identification items, provided certain guidelines are met. In Registered Traveler, the government permits the PPs to store marketing and customer reward information in a separate payload on the identification card, as long as the cards meet certain minimum standards.
- Establish a process and timeframe for reporting security incidents and privacy breaches to the government.
Is there a clear understanding of the security and privacy obligations of PPs and consequences for non-compliance?
- Require PPs to designate a single point of contact responsible for all security and privacy matters for their company.
- Do not authorize PPs to begin operations until they demonstrate adequate security and privacy protections are in place. Develop a checklist to assist PPs through the approval process. For Registered Traveler, PPs may not begin operations until a number of requirements are met, including an initial IPA attestation of compliance.
- Ensure that PPs are responsible for the security of personal information. Verify that there are appropriate levels of security through periodic IPA attestations and ad hoc audits.
- Reserve the right to halt operations for non-compliance with security and privacy requirements, data or privacy breaches, or any other significant concerns about data protection.
Rebecca Andino, PMP, CIPP/G, is president and founder of Highlight Technologies, a firm providing program management and privacy consulting services to national security programs. In her previous position at ICF International, she provided privacy consulting, program management and strategic planning to TSA's Registered Traveler program. Rebecca Andino may be contacted at email@example.com or 202-271-0469.
David Carpenter, CISM, CIPP, is a Technical Specialist at ICF International and serves as Information Security Manager for TSA's Registered Traveler program. Mr. Carpenter played a key role in the development and implementation of the Information Security, Privacy, and Compliance framework for the RT Program. He may be contacted at firstname.lastname@example.org or 571-226-7994.