An Examination of the Privacy Impact Assessment as a Vehicle for Privacy Policy  Implementation in U.S. Federal Agencies

TR Number
Journal Title
Journal ISSN
Volume Title
Virginia Tech

The Privacy Act of 1974 was designed to protect personal privacy captured in the records held by government agencies.  However, the scope of privacy protection has expanded in light of advances in technology, heightened security, ubiquitous threats, and the value of information. This environment has raised the expectations for public sector management of sensitive personal information and enhanced privacy protections.  While the expanse of privacy policy implementation is broad, this study focuses specifically on how agencies implement privacy impact assessments (PIAs) as required under Section 208 of the E-Government Act of 2002.  An enhanced understanding of the PIA implementation process serves as a portal into the strategic considerations and management challenges associated with broader privacy policy implementation efforts.

A case study of how the U.S. Postal Service and the U.S. Department of Veterans Affairs have implemented PIAs provides rich insights into privacy policy implementation and outcomes.  Elite interviews enriched by process data and document analysis show how each organization undertook different approaches to PIA implementation over time.  This study introduces the sociology of law literature using Lauren Edelman's conceptual framework to understand how organizations respond to and interpret law from within the organization, or endogenously.  Building upon Edelman's model, certain characteristics of the PIA implementation are analyzed to provide rich description of the factors that influence the implementation process and lead to different policy outcomes.

The findings reflect valuable insights into the privacy policy implementation process and introduce the sociology of law literature to the field of public administration.  This literature furthers our understanding of how organizations enact policy over time, how the implementation process unfolds and is impacted by critical factors, and for identifying emergent patterns in organizations.  This study furthers our understanding how privacy policy, in particular, is implemented over time by examining the administrative capacities and levels of professionalism that are utilized to accomplish this effort.  This research comes at a critical time in the context of the emerging legal and political environment for privacy that is characterized by new expectations by the public and the expanding role of government to manage and protect sensitive information.

privacy, privacy impact assessment, privacy policy, data breach, e-government