July 28, 2000
To: Gloria Joseph
Director, Division of Administration
From: Jane E. Altenhofen
Subject: Inspection Report No. OIG-INS-10-00-07: Internet Web Site User Privacy
We initiated this inspection in July 2000 to evaluate whether the National Labor Relations Board (NLRB) web site practices and procedures meet the Office of Management and Budget (OMB) requirements. In June 2000, OMB issued a memorandum that states that each agency "should immediately review its compliance with its stated web privacy policies" and must include "a description of your privacy practices and the steps taken to ensure compliance with this memorandum" in the agency budget submission this fall. We suggest that the Agency submit this report with the submission on information technology.
We interviewed NLRB staff in the Division of Information and the Division of Administration -- Information Technology Branch (ITB) and Library and Administrative Services Branch -- who make up the Web Site Committee. We also interviewed staff at the Government Printing Office (GPO). We reviewed OMB memorandums M-99-18, Privacy Policies on Federal Web Sites, issued June 2, 1999, and M-00-13, Privacy Policies and Data Collection on Federal Web Sites, issued June 22, 2000; 5 U.S.C. 552a; the NLRB web site privacy statement; and the web site visitor report provided to the NLRB by GPO.
The NLRB web site is hosted and maintained by GPO. The Web Site Committee prepares web site material and transmits it to GPO. Funding for the NLRB web site is included in the Library and Administrative Service Branch's budget.
OMB memorandum M-99-18 requires that an agency post clear privacy policies on its web site. The policy must clearly and concisely inform visitors to the site as to what information about the visitor will be collected during the web site visit, why the agency collects the information, and how the agency will use the information. The Privacy Act, 5 U.S.C. § 553a, requires that agencies protect an individual's right to privacy when its collects personal information.
OMB memorandum M-00-13 directs that agencies, or contractors operating web sites on behalf of agencies, not use technology that can track the activities of users over time and across different web sites unless, in addition to a clear and conspicuous notice, the following conditions are met: (1) there is a compelling need to gather the information; (2) there are appropriate and publicly disclosed privacy safeguards for handling the information gathered; and (3) the gathering of the information is personally approved by the head of the agency.
NLRB PRIVACY STATEMENT
The NLRB web site privacy statement clearly states that the NLRB collects no personal information about the user unless the user chooses to provide the information. Because the NLRB web site does not have interactive screens that require or allow a web site visitor to provide personal information, the only method of providing such personal information would be via e-mail. The privacy statement also provides clear notice that the only information automatically collected is the visitor's Internet domain and protocol address; the type of browser and operating system used to the access the web site; the files visited and the time spent in each file; and the time and date of the visit. This non-personal information does not require a statement about why the NLRB collects the information or how the NLRB will use the information.
WEB SITE VISITOR INFORMATION OBTAINED BY THE NLRB
The NLRB web site is hosted by the GPO. Monthly, GPO provides the NLRB with statistical report detailing user activity on the NLRB web site and the location of the Internet service provider used to access the NLRB web site. This statistical information does not provide personal information about NLRB web site users and complies with the NLRB's web site privacy statement. GPO does not employ technology on the NLRB web site that can track the activities of users over time and across different web sites.
This inspection report was reviewed by the Director, Division of Administration, who concurred with the factual findings.
This inspection was done in accordance with the Quality Standards for Inspections issued by the President's Council on Integrity and Efficiency.
cc: The Board