PRIVACY IMPACT ASSESSMENT

MyUSA

May 2013

Prepared by:

Office of Citizen Services and

Innovative Technologies

General Services Administration

PART II. SYSTEM ASSESSMENT

A. Data in the System

Question / Explanation/Instructions
1. Describe all information to be included in the system, including personal data. / MyUSA consists of several distinct services.
discovery.my.usa.gov collects anonymous feedback from users visiting government websites. Information is in the form of either a rating for a web page (1, 2, 3, 4 or 5 stars) or general text feedback on a web page.
my.usa.gov provides a single account for all citizen-government interactions. Users create an account that can include their email address. As citizens authorize additional third-party applications (often developed and maintained by other agencies), these applications may store information in the citizen’s account at the citizen’s request. This information could include notifications or tasks.
1.a. What stage of the life cycle is the system currently in? / Development/Implementation
2.a. What are the sources of the information in the system? / Information is either provided by the user, or stored in the user’s account by a third-party application with the user’s permission.
2.b. What GSA files and databases are used? / N/A
2.c. What Federal agencies are providing data for use in the system? / Currently, none. In the future we hope that all agencies will utilize the system to store information on behalf of citizens.
2.d. What State and local agencies are providing data for use in the system? / Currently, none. In the future we hope that state and local agencies will use the system.
2.e. What other third party sources will the data be collected from? / None
2.f. What information will be collected from the individual whose record is in the system? / Email address
3.a. How will the data collected from sources other than Federal agency records or the individual be verified for accuracy? / N/A
3.b. How will data be checked for completeness? / All information collected is optional. Users will have the opportunity to review their information prior to submission and can check for completeness at any time.
3.c. Is the data current? How do you know? / Users will have the opportunity to review their information prior to submission, and can update their information at any time.
4. Are the data elements described in detail and documented? If yes, what is the name of the document? / Yes. See C.1 of this document.

B. Access to the Data

Question / Explanation/Instructions
1. a. Who will have access to the data in the system? / Users will only have access to their own information, and may choose to share it with agencies on a case-by-case basis. Systems administrators of the MyUSA service, in the course of their normal duties, will have access to the system.
1.b. Is any of the data subject to exclusion from disclosure under the Freedom of Information Act (FOIA)? If yes, explain the policy and rationale supporting this decision. / Yes. Because the data is personal information, it falls under FOIA Exemption 6.
2. How is access to the data by a user determined? Are criteria, procedures, controls, and responsibilities regarding access documented? / Users log in to their account either with a username and password they create, or by authenticating with a FICAM-approved third-party credential provider. Upon login, a secure cookie containing a unique identifier is placed on the user’s computer. This identifier authenticates the user on subsequent requests and associates them with their user profile. A user’s information can be accessed only by that user, or by a third-party application the user has explicitly authorized.
All traffic to and from the server is encrypted.
A user may grant an outside, third-party, access to their information using the OAuth 2.0 authorization framework.
Whenever the codebase is changed, automated tests are performed to verify the application’s core logic is not affected (unit and integration testing).
3. Will users have access to all data in the system or will the user's access be restricted? Explain. / Access is restricted to the user’s own data.
4. What controls are in place to prevent the misuse (e.g. browsing) of data by those having access? / The system is programmatically designed to restrict an individual user’s access only to their own data.
Systems administrators have the ability to access the entire database for maintenance purposes. Administrative access is granted only on an as-needed basis; all administrators are trained in proper usage of the system and data privacy, and administrative use of the system is monitored.
5.a. Do other systems share data or have access to data in this system? If yes, explain. / Users may grant third-party applications, built for example by other agencies, access to their information. The user must opt in to this sharing through the industry-standard OAuth 2.0 authorization framework, which issues the third-party application an access token specific to that user and that application. The user can revoke this access at any time.
5.b. Who will be responsible for protecting the privacy rights of the clients and employees affected by the interface? / Office of Citizen Services and Innovative Technologies, XC, GSA.
6.a. Will other agencies share data or have access to data in this system (International, Federal, State, Local, Other)? / MyUSA is intended as a platform on which agencies (federal, state, and local) can build “apps.” Any agency that builds an app may have access to information, but such access is granted on a case-by-case basis with the user’s explicit authorization as described above. Information is not shared between applications except with the user’s explicit authorization.
6.b. How will the data be used by the agency? / Data will be used to customize online experiences for individual users, such as pre-filling common fields across existing information collections.
6.c. Who is responsible for assuring proper use of the data? / See 5.b.
6.d. How will the system ensure that agencies only get the information they are entitled to? / The system uses the OAuth 2.0 protocol to capture user authorization for access to their information. The OAuth standard allows the user to indicate that they authorize a third-party application to access their account resources without sharing their account credentials (i.e. username and password).
As an example, a third-party application that wishes to access a user’s account redirects the user to the MyUSA service carrying an identifier registered for that application (its OAuth client identifier), which tells MyUSA that the request is being made on behalf of this specific application. The user authenticates with MyUSA, either using a locally issued credential (username and password) or a FICAM-approved third-party authentication service. Once the user is authenticated, MyUSA asks the user whether to authorize the third-party application to access their MyUSA account. If the user consents, MyUSA returns a unique access token to the third-party application, which the application then uses to access the user’s MyUSA account. This token is valid only for this specific user and this specific application.
For more information on OAuth 2.0, see
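The exchange described in 6.d, modelled as an added example. This is illustrative code written for this page, not MyUSA’s implementation; it assumes two hypothetical applications, “app-a” and “app-b”, with constructed client secrets and redirect URIs, a single invented “notifications” scope, and an in-memory store, and its class and function names are likewise invented. It shows the properties the answer relies on: an authorization code is bound to the application that requested it and can be redeemed once, the resulting token is valid only for that user and that application, data stored through one application is not visible through another application’s token (the constraint stated in C.5.a), and revoking the user’s authorization invalidates the token (B.5.a).

```python
import secrets
from dataclasses import dataclass

@dataclass
class Grant:            # one user's consent for one application and one set of scopes
    user_id: str
    client_id: str
    scope: frozenset
    revoked: bool = False

class AuthorizationServer:
    """The MyUSA role: authenticates the user, records consent, mints and revokes tokens."""
    def __init__(self, clients):
        self.clients = clients   # client_id -> (client_secret, registered redirect_uri)
        self.grants = {}         # grant_id -> Grant
        self.codes = {}          # single-use code -> (grant_id, client_id, redirect_uri)
        self.tokens = {}         # access token -> grant_id

    def authorize(self, user_id, client_id, redirect_uri, requested_scope):
        """Called after the user has logged in to MyUSA and consented to the request."""
        registered = self.clients.get(client_id)
        if registered is None or registered[1] != redirect_uri:
            raise PermissionError("unknown client_id or redirect_uri mismatch")
        grant_id = secrets.token_urlsafe(16)
        self.grants[grant_id] = Grant(user_id, client_id, frozenset(requested_scope))
        code = secrets.token_urlsafe(32)
        self.codes[code] = (grant_id, client_id, redirect_uri)
        return code

    def exchange_code(self, client_id, client_secret, code, redirect_uri):
        """Back-channel redemption; the code is consumed even when the check fails."""
        record = self.codes.pop(code, None)
        registered = self.clients.get(client_id)
        if (record is None or registered is None
                or not secrets.compare_digest(registered[0], client_secret)
                or record[1] != client_id or record[2] != redirect_uri):
            raise PermissionError("code unknown, replayed, or issued to another client")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = record[0]
        return token

    def introspect(self, token):
        grant = self.grants.get(self.tokens.get(token, ""))
        return None if grant is None or grant.revoked else grant

    def revoke(self, user_id, client_id):
        """The user withdraws consent for one application; its tokens die with the grant."""
        for grant in self.grants.values():
            if grant.user_id == user_id and grant.client_id == client_id:
                grant.revoked = True

class ResourceServer:
    """Holds what applications store in a user's account, keyed by (user, application)."""
    def __init__(self, auth):
        self.auth = auth
        self.notifications = {}

    def _grant_for(self, token, needed_scope):
        grant = self.auth.introspect(token)
        if grant is None or needed_scope not in grant.scope:
            raise PermissionError("token unknown, revoked, or lacking scope")
        return grant

    def post_notification(self, token, text):
        grant = self._grant_for(token, "notifications")
        self.notifications.setdefault((grant.user_id, grant.client_id), []).append(text)

    def read_notifications(self, token):
        grant = self._grant_for(token, "notifications")   # one app's token never reaches another's records
        return list(self.notifications.get((grant.user_id, grant.client_id), []))

def refused(fn, *args):          # True if the call is denied with PermissionError
    try:
        fn(*args)
        return False
    except PermissionError:
        return True

def demo():
    """Two hypothetical agency apps and one user; returns what each party could observe."""
    cb_a, cb_b = "https://app-a.example/cb", "https://app-b.example/cb"
    auth = AuthorizationServer({"app-a": ("secret-a", cb_a), "app-b": ("secret-b", cb_b)})
    account = ResourceServer(auth)
    # app-a redirects the user to MyUSA with its client_id; the user logs in and consents.
    code = auth.authorize("user-123", "app-a", cb_a, {"notifications"})
    token_a = auth.exchange_code("app-a", "secret-a", code, cb_a)
    replay_rejected = refused(auth.exchange_code, "app-a", "secret-a", code, cb_a)
    code2 = auth.authorize("user-123", "app-a", cb_a, {"notifications"})
    cross_client_rejected = refused(auth.exchange_code, "app-b", "secret-b", code2, cb_b)
    account.post_notification(token_a, "Your form was received")
    # The same user separately authorizes app-b; its token sees only app-b's own records.
    code_b = auth.authorize("user-123", "app-b", cb_b, {"notifications"})
    token_b = auth.exchange_code("app-b", "secret-b", code_b, cb_b)
    seen_by_a, seen_by_b = account.read_notifications(token_a), account.read_notifications(token_b)
    auth.revoke("user-123", "app-a")   # the user withdraws app-a's authorization
    return {"replay_rejected": replay_rejected, "cross_client_rejected": cross_client_rejected,
            "seen_by_a": seen_by_a, "seen_by_b": seen_by_b,
            "revoked_token_rejected": refused(account.read_notifications, token_a)}

if __name__ == "__main__":
    print(demo())
```

Running the module prints the outcomes: the replayed code and the cross-client redemption are refused, app-b’s token sees an empty list while app-a’s sees the notification it stored, and app-a’s token is refused after the user revokes it. A deployed authorization server would additionally expire codes within minutes and carry both the redirect and the back-channel call over TLS, which B.2 states MyUSA does for all traffic.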
7. What is the life expectancy of the data? / Information is completely under the control of the user, and can be deleted by them at any time.
8. How will the data be disposed of when it is no longer needed? / When information is deleted by a user, or a user deletes their account, the information is purged from the system.

C. Attributes of the Data

Question / Explanation/Instructions
1. Is the use of the data both relevant and necessary to the purpose for which the system is being designed? / Yes.
2.a. Will the system derive new data or create previously unavailable data about an individual through aggregation from the information collected? / No.
2.b. Will the new data be placed in the individual's record (client or employee)? / No. No new data is being created or derived.
2.c. Can the system make determinations about individuals that would not be possible without the new data? / N/A - No new data is being created or derived.
2.d. How will the new data be verified for relevance and accuracy? / N/A - No new data is being created or derived.
3.a. If the data is being consolidated, what controls are in place to protect the data and prevent unauthorized access? Explain. / N/A - no data consolidation
3.b. If processes are being consolidated, are the proper controls remaining in place to protect the data and prevent unauthorized access? Explain. / N/A - no process consolidation
4. How will the data be retrieved? Can it be retrieved by personal identifier? If yes, explain. / Users can create a username and password, or can use an existing FICAM-approved service such as Google or PayPal, to log in to their MyUSA account. At the time an account is created, a unique ID is assigned to each user. When a user logs in, their e-mail address is used to look up their user ID, and this ID is used to retrieve the records associated with the account.
5. What are the potential effects on the privacy rights of individuals of:
a. Consolidation and linkage of files and systems;
b. Derivation of data;
c. Accelerated information processing and decision making; and
d. Use of new technologies.
How are the effects to be mitigated? / a. MyUSA will allow individuals to have a consistent persona (similar to a user account or private social media profile) when interacting with government agencies digitally. While no systems are being consolidated by the use of MyUSA, interactions with one agency may share a common identifier (such as an e-mail address) with another agency. The system will limit applications so that they cannot share information with each other.
b. N/A – no data derived.
c. N/A – MyUSA overlays existing agency processes; MyUSA will not be directly responsible for accelerated processing and decision-making in the federal agency transactions users may conduct with the help of the MyUSA platform.
d. MyUSA uses new technologies to enhance transparency and give users control over their information and how government interacts with it.
MyUSA mitigates the above risks in three ways:
1. MyUSA simply provides a layer of convenience on top of existing government processes, such as pre-filling a PDF form before it is submitted in physical form. This complements, rather than replaces, existing systems, and as such is completely optional.
2. Decentralization – with the exception of the core profile information, agencies will continue to maintain their own task-specific records, so the storage of data remains decentralized. Each agency has its own processes and protections for securing the privacy of the data it collects and processes.
3. Control – MyUSA provides an additional layer of control. Users must explicitly authorize an application, specifying what information they share, and may revoke such permission at any time.

D. Maintenance of Administrative Controls

Question / Explanation/Instructions
1.a. Explain how the system and its use will ensure equitable treatment of individuals. / There is no ability to distinguish between users. All users are of the same class, and thus are programmatically indistinguishable.
1.b. If the system is operated in more than one site, how will consistent use of the system be maintained at all sites? / N/A – The system is a centralized service and is not operated in multiple locations.
1.c. Explain any possibility of disparate treatment of individuals or groups. / N/A – Since all users are programmatically indistinguishable, there is no possibility of disparate treatment of individuals or groups.
2.a. What are the retention periods of data in this system? / MyUSA will follow GSA’s existing records disposition schedules. Users may delete their information at any time.
2.b. What are the procedures for eliminating the data at the end of the retention period? Where are the procedures documented? / Users may delete their data at any time. Upon the conclusion of the retention period, the MyUSA app provides an administrative interface which can be used to filter and delete records as needed.
2.c. While the data is retained in the system, what are the requirements for determining if the data is still sufficiently accurate, relevant, timely, and complete to ensure fairness in making determinations? / MyUSA does not use the data to make any determinations. Users will have the opportunity to review such information before submission to another agency.
3.a. Is the system using technologies in ways that Federal agencies have not previously employed (e.g. Caller-ID)? / Yes. Users have the option of creating a persona (similar to a user account or private social media profile) that persists across transactions and agencies. We are also allowing agencies to interact with that persona when explicitly authorized by the user.
3.b. How does the use of this technology affect individuals’ privacy? / MyUSA provides additional controls as to the disclosure of such information, which would not otherwise be possible. All requests for information must be explicitly authorized by the user.
4.a. Will this system provide the capability to identify, locate, and monitor individuals? If yes, explain. / No.
4.b. Will this system provide the capability to identify, locate, and monitor groups of people? If yes, explain. / No.
4.c. What controls will be used to prevent unauthorized monitoring? / Users can only access the information they provided, and must explicitly authorize an agency to access it. Administrative and operational access to the data will be on an “as needed” basis, and will be rare.
5.a. Under which Privacy Act System of Records notice (SOR) does the system operate? Provide number and name. / Currently this is not a system of records. The notice GSA/OCSIT-1 (MyUSA) will be published in the Federal Register and describes the personal information the system will collect in its future state.
5.b. If the system is being modified, will the SOR require amendment or revision? Explain. / N/A. This is a new system.