Minimizing Disclosure Risk in HHS Open Data Initiatives. 3. Open Data Policy—Managing Information as an Asset

09/29/2014

Memorandum M-13-13, issued by OMB in conjunction with the Executive Order, and also directed to the heads of executive departments and agencies, establishes a framework to support effective information management strategies that will promote open data. An attachment to the memorandum includes four sections: a list of legal definitions relevant to the Open Data Policy, a synopsis of the scope of open data policies, a brief description of the policy requirements, and guidelines for implementation.

This memo applies to “all new information collection, creation, and system development efforts as well as major modernization projects that update or re-design existing information systems.” National Security Systems are noted to be exempt from these policies.

The policy requirements described by OMB are intended to support downstream information processing in the most efficient, cost-effective, and safest manner. To this end OMB will require agencies to begin planning management of information resources at the earliest possible stage, in order to minimize costly future maintenance. Agencies are directed to adopt the following policies: use machine-readable and open formats; use data standards; remove all restrictions on distribution of public data (open license); and describe data using common core metadata (i.e. origin, linked data, geographic location, time period/interval, and data quality). Agencies are also directed to build systems supporting interoperability, such as those outlined in OMB’s Common Approach to Federal Enterprise Architecture. These policies will likely support development of further requirements (detailed in the memo), which are to create an enterprise data inventory and maintain a public listing on Data.gov.

Within six months of the release of this memorandum, agencies were requested to take the following actions:

  • Create and maintain an enterprise data inventory
  • Create and maintain a public data listing
  • Create a process to engage with customers to help facilitate and prioritize data release
  • Clarify roles and responsibilities for promoting efficient and effective data release practices

Agencies were also asked to document their decisions that particular information should not be released as public datasets.

The memorandum gives particular attention to the protection of privacy and confidentiality, and the mosaic effect is noted as an issue of particular concern to this goal. To counteract potential breaches of privacy, guidelines for risk-minimization are detailed. These guidelines include the following: collect or create only necessary and useful information; limit collection of identifying information; limit sharing identifying or proprietary information; take into account the levels of risk and potential harm that are associated with the dissemination of particular datasets; and consider information that is already public when releasing de-identified data (that is, be aware of the mosaic effect). OMB also requires that a Senior Agency Official of Privacy or the equivalent assume a central role in the implementation process.

View full report

Preview
Download

"rpt_Disclosure.pdf" (pdf, 1.01Mb)

Note: Documents in PDF format require the Adobe Acrobat Reader®. If you experience problems with PDF documents, please download the latest version of the Reader®