2164.1 CIO Internal Clearance Process for GSA Data Assets
GENERAL SERVICES ADMINISTRATION
Washington, DC 20405
September 14, 2015
SUBJECT: Internal Clearance Process for GSA Data Assets
1. Purpose. This Order provides the internal clearance process that the General Services Administration (GSA) must follow before releasing GSA data assets. GSA IT’s Office of Enterprise Information & Data Management (IDM) established this process in collaboration with the Office of General Counsel (OGC), the Freedom of Information Act (FOIA) Division, the Privacy Officer in GSA IT, and the Executive Secretariat Division. The established clearance process ensures that the privacy, security, and confidentiality of GSA’s critical data assets are protected from unauthorized access, release, and dissemination.
2. Background. Under Presidential Executive Order 13642 issued May 9, 2013, Making Open and Machine Readable the New Default for Government Information, and OMB Memorandum M-13-13 issued May 9, 2013, Open Data Policy-Managing Information as an Asset, there is an increased demand for data transparency, integration, and sharing across GSA. Better access to timely and accurate data within GSA will enable better data-driven management and decision-making; increase transparency around business operations; and improve the level of collaboration between GSA, the public and private sectors, and GSA’s Federal agency partners. Open access to data will also benefit GSA’s consolidated investment strategy by allowing more effective decision-making for strategic investments.
In accordance with internal GSA Memorandum 263508 dated February 14, 2014, Increasing Data Sharing, Transparency and Reuse at GSA, the Administrator of GSA delegated to the Chief Information Officer (CIO) authority and responsibility to store, manage, and protect data within GSA, for both internal agency use and for sharing with external stakeholders. As such, the CIO is responsible for the security of the data assets prior to release for both internal agency use and for use by external stakeholders. Any such release must be managed and controlled through the approved internal clearance process.
3. Cancellation. IL-14-04 Internal Clearance process for GSA Data Assets dated September 11, 2014 is cancelled.
4. Applicability. This Order applies to all GSA employees and others whose official duties include releasing information to the public such as through FOIA or other official requests and who collect, maintain, use, manage, or come in contact with personally identifiable or sensitive information owned by GSA. It applies to the Office of Inspector General (OIG) only to the extent that the OIG determines it is consistent with the OIG’s independent authority under the Inspector General Act of 1978 and it does not conflict with other OIG policies or the OIG mission.
5. Objectives. At a minimum, GSA is required to:
a. Review information for valid restrictions prior to release for both internal agency use and external stakeholders in order to ensure proper safeguarding of privacy, security, and confidentiality of Government, proprietary, and procurement information of a sensitive nature;
b. Document reasons why a data asset or certain components of a data asset should not be released;
c. Consult with GSA’s Privacy Officer, OGC, and the FOIA Division Director regarding any identified data assets or any portion of data assets that should not be released; and
d. Encourage dialogue internally to identify more data assets that may be released.
6. Policy. For secure clearance processing of GSA data assets prior to release, the following sequence of steps must be followed:
a. The Data Owner, the Portfolio Data Manager (PDM), or both, identify the Services and Staff Office (SSO) data assets to catalog in GSA’s Enterprise Data Inventory (EDI) and for possible public release. Refer to CIO 9297.1 GSA Data Release Policy on releasing information relating to GSA employees, contractors, and others on whom GSA maintains information.
Recommendations for identifying restrictions, such as licensing agreements or vendor agreements, should accompany the submission for consideration by GSA’s Privacy Officer, OGC, and the FOIA Division Director, and should include a recommendation regarding the access level (Public, Restricted Public, or Non-Public, as those terms are defined below). However, any data assets that contain information pertaining to OIG should be sent to the Inspector General FOIA Office for a determination to authorize release, and not sent to the GSA FOIA Division or firstname.lastname@example.org. The OIG’s FOIA process and Public Release process are completely independent of GSA. However, if GSA has any documents that are under GSA’s purview that contain GSA, OIG equities, the GSA FOIA Division is required to inform the OIG so they can review and approve or disapprove posting.
c. The FOIA Division receives information for potential release. The FOIA Division reviews the information to determine if this information can be released to the public in accordance with the FOIA laws and regulations. If the data assets are in compliance, the FOIA Division Director will notify OGC.
d. OGC will coordinate with the GSA Privacy Officer for additional review.
e. Upon final review, OGC notifies the FOIA Division of their findings. The FOIA Division Director then notifies the Data Owner/Manager and IDM Office at email@example.com of the final recommendation for releasing the data assets.
f. If the FOIA Division Director, OGC, or Privacy Officer does not approve releasing the data assets, the FOIA Division will notify the Data Owner/Manager who initiated the process, as well as firstname.lastname@example.org, that the data assets package has not cleared review, explain why, and, if possible, suggest necessary revisions.
g. If modifications are needed for release based on findings at any of steps 6.c through 6.f above, the process will start over at step 6.a.
h. If there are no suggested modifications from the FOIA Division Director, OGC, or Privacy Officer, and the data assets are not approved for release, they will be included in the GSA EDI on MAX.gov but not posted at gsa.gov/data with other public data assets.
i. Additional reviews by the Executive Secretariat Division may be added as requested by the Data Owner/Manager, FOIA Division Director, OGC, or Privacy Officer.
The above clearance process will result in the designation of one of three “access levels” for each data asset: Public, Restricted Public, or Non-Public.
- Public: Data asset is or could be made publicly available to all without restrictions. The “access level comment” field, a metadata field in EDI, may be used to provide information on how to remove or reduce technical or resource barriers to public access.
- Restricted Public: Data asset is available under certain use restrictions. One example, among many, is a data asset that can only be made available to select researchers under certain conditions, because the data assets contain sufficient detail or linkages that make it possible to identify individuals, even though the data assets have been stripped of Personally Identifiable Information (PII). This category includes some, but not all, data assets designated by Executive Order 13556 “Controlled Unclassified Information (CUI)” as CUI. The access level comment field must be completed with details on how one can obtain access.
- Non-Public: Data asset is not available to members of the public. This category includes data assets that are only available for internal use by the Federal Government, such as by a single program, single agency, or across multiple agencies. This category might include some, but not all, data assets designated by Executive Order 13556 as CUI. Some non-public data assets may still potentially be available to other intra-agency operating units and/or other Government agencies, as discussed in OMB Memorandum M-11-02 Sharing Data While Protecting Privacy dated November 3, 2010. The access level comment field for non-public data assets must contain an explanation for the reasoning behind why these data assets cannot be released.
- Executive Order 13556 - Controlled Unclassified Information - November 4, 2010
Chief Information Officer
Office of GSA IT