4.15 Senior Agency Official for Privacy (SAOP)
The SAOP, designated by the head of each agency, has agency-wide responsibility for privacy, including implementation of privacy protections; compliance with Federal laws, regulations, and policies relating to privacy; management of privacy risks at the agency; and a central policy-making role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals. (OMB M-16-24. Role and Designation of Senior Agency Officials for Privacy. 9/15/2016.)
- Policy Making: The SAOP shall have a central policy-making role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals that have privacy implications. In this role, the SAOP shall ensure that the agency considers and addresses the privacy implications of all agency regulations and policies, and shall lead the agency’s evaluation of the privacy implications of legislative proposals, congressional testimony, and other materials pursuant to OMB Circular No. A-19.
- Compliance: The SAOP shall have a central role in overseeing, coordinating, and facilitating the agency’s privacy compliance efforts. In this role, the SAOP shall ensure that the agency complies with applicable privacy requirements in law, regulation, and policy. Relevant authorities include, but are not limited to, the Privacy Act of 1974; the Paperwork Reduction Act of 1995; the E-Government Act of 2002; the Health Insurance Portability and Accountability Act of 1996; OMB Circular A-130; Privacy Act Implementation: Guidelines and Responsibilities; OMB Circular A-108; OMB’s Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988; and OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.
- Risk Management: The SAOP shall manage privacy risks associated with any agency activities that involve the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII by programs and information systems. The SAOP’s review of privacy risks shall begin at the earliest planning and development stages of agency actions and policies that involve PII and continue throughout the life cycle of the programs or information systems. Appropriately managing privacy risks may require agencies to take steps beyond those required in law, regulation, and policy.
Federal Privacy Council (FPC) (Federal Privacy Council. Vision and Purpose.)
- The FPC is the principal interagency forum to improve the privacy practices of agencies and entities acting on their behalf. The work of the Federal Privacy Council shall strengthen protections of people’s personal information and privacy rights across the Federal Government. To achieve this purpose, the Federal Privacy Council shall: support interagency efforts to protect privacy and provide expertise and assistance to agencies; expand the skill and career development opportunities of agency privacy professionals; improve the management of agency privacy programs by identifying and sharing lessons learned and best practices; and promote collaboration between and among agency privacy professionals to reduce unnecessary duplication of efforts and to ensure the effective, efficient, and consistent implementation of privacy policy government-wide. (Federal Privacy Council. Vision and Purpose.) FPC.gov is where the Council shares priorities, key privacy policies, news, and the programs and events sponsored by the Council. (Ibid.)