(4) Security, Intrusion, Detection Language.
Discussion: Many webmasters use information collected on a site to detect potentially harmful intrusions and to take
action once an intrusion is detected. In some situations, the policy of the agency may be not to collect personal
information such as from IP logs. In the event of authorized law enforcement investigations, however, and pursuant
to any required legal process, information from those logs and other sources may be used to help identify an
individual.
Sample One: The Department of Defense uses the following language to alert users that information may be
collected for security purposes:
"4. For site security purposes and to ensure that this service remains available to all users, this government computer
system employs software programs to monitor network traffic to identify unauthorized attempts to upload or change
information, or otherwise cause damage.
5. Except for authorized law enforcement investigations, no other attempts are made to identify individual users or
their usage habits. Raw data logs are used for no other purposes and are scheduled for regular destruction in
accordance with National Archives and Records Administration guidelines.
6. Unauthorized attempts to upload information or change information on this service are strictly prohibited and may
be punishable under Infrastructure Protection Act."
Source: www.defenselink.mil/warning/warn-dl.html.
Sample Two: Department of Justice Privacy and Security Notice:
"For SITE SECURITY purposes and to ensure that this service remains available to all users, this Government
computer system employs software programs to monitor network traffic to identify unauthorized attempts to upload
or change information, or otherwise cause damage.
NOTICE: We will not obtain personally-identifying information about you when you visit our site, unless you
choose to provide such information to us."
Source: www.usdoj.gov/privacy-file.htm
(5) Significant actions where information enters a System of Records.
Discussion:
To date, a large fraction of federal web pages have not collected significant amounts of identifiable information in
ways that entered directly into systems of records covered by the Privacy Act. Looking ahead, a greater range of
actions may take place based on information provided to web sites. Examples might include electronic commerce
transactions or updating of information about eligibility for benefits.
In systems of records where traditional paper collections of information are supplemented or replaced by electronic
forms offered through a web site, the rules of the Privacy Act continue to apply. For situations where a Privacy Act
notice would be required in the paper-based world, the general principle is that the equivalent notice is required in
the on-line world. Posting of the relevant Privacy Act notice on the web page or through a well-marked hyperlink
would be appropriate.
Steering Committee for Federal Agency Privacy Policies