4.15 Senior Agency Official for Privacy (SAOP)
The SAOP, designated by the head of each agency, has agency-wide responsibility for privacy, including implementation of privacy protections; compliance with Federal laws, regulations, and policies relating to privacy; management of privacy risks at the agency; and a central policy-making role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals. (OMB M-16-24. Role and Designation of Senior Agency Officials for Privacy. 9/15/2016.)
- Policy Making: The SAOP shall have a central policy-making role in the agency’s development and evaluation of legislative, regulatory, and other policy proposals that have privacy implications. In this role, the SAOP shall ensure that the agency considers and addresses the privacy implications of all agency regulations and policies, and shall lead the agency’s evaluation of the privacy implications of legislative proposals, congressional testimony, and other materials pursuant to OMB Circular No. A-19.
- Compliance: The SAOP shall have a central role in overseeing, coordinating, and facilitating the agency’s privacy compliance efforts. In this role, the SAOP shall ensure that the agency complies with applicable privacy requirements in law, regulation, and policy. Relevant authorities include, but are not limited to, the Privacy Act of 1974; the Paperwork Reduction Act of 1995; the E-Government Act of 2002; the Health Insurance Portability and Accountability Act of 1996; OMB Circular A-130; Privacy Act Implementation: Guidelines and Responsibilities; OMB Circular A-108; OMB’s Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988; and OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002.
- Risk Management: The SAOP shall manage privacy risks associated with any agency activities that involve the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII by programs and information systems. The SAOP’s review of privacy risks shall begin at the earliest planning and development stages of agency actions and policies that involve PII and continue throughout the life cycle of the programs or information systems. Appropriately managing privacy risks may require agencies to take steps beyond those required in law, regulation, and policy.
Federal Privacy Council (FPC) (Federal Privacy Council. Vision and Purpose.)