|
Back to DoD C3I/CIO Hot Topics page OFFICE OF THE SECRETARY OF DEFENSE MEMORANDUM FOR SECRETARIES OF THE MILITARY DEPARTMENTS SUBJECT: Privacy Polices and Data Collection on DOD Public Web Sites The Office of Management and Budget (OMB) has reaffirmed (attachment 1) that it is Federal policy that each Federal agency operating a public web site, or contractors operating such sites on behalf of an agency, must post clear privacy policies at their principal web sites, at known, major entry points to the sites, and at those sites where the agency or the contractor collects substantial personal information from the public. The OMB emphasizes that it also is Federal policy that web technology, such as "cookies," should not be used at Federal web sites to identify and track the activities of web users unless a compelling need exists to collect such information, appropriate publicized procedures are established to safeguard the information, and collection has been personally approved by the head of the agency. Finally, OMB points out that it is Federal policy that agencies, and contractors, who operate web sites directed at children must comply with the standards set forth in the Children's Online Privacy Protection Act of 1998 (Pub. L. 105-277, section 1301, et seq, as implemented by, 64 Federal Register 59888-59915 (November 3, 1999)) if personal information is being collected. This memorandum is to remind each Component that Department of Defense (DOD) policy (Attachment 2) prohibits the use of web technology which collects user-identifying information such as extensive lists of previously visited sites, e-mail addresses, or other information to identify or build profiles on individual visitors to DOD publicly accessible web sites. DOD policy, however, does permit the use of "cookies" or other web technology to collect or store non-user identifying information but only if users are advised of what information is collected or stored, why it is being done, and how it is to be used. This policy will be clarified to make clear that "persistent cookies" (i.e., those that can be used to track users over time and across different web sites) are authorized only when there is a compelling need to gather the data on the site; appropriate technical procedures have been established to safeguard the data; and the Secretary of Defense has personally approved use of the cookie. Each DOD Component must review its web privacy practices to ensure that they are in compliance with the OMB memorandum and DOD policy. Components will provide written confirmation NLT October 2, 2000 that the required review has been conducted and necessary corrective action, if necessary, taken. My point of contact is Mr. Vahan Moushegian, Jr., Director, the Defense Privacy Office. He may be reached at (703) 607-2943. /signed/ Attachments: |