With the increasing use of AI amongst Federal agencies, the White House Office of Management and Budget’s (OMB) Office of Information and Regulatory Affairs (OIRA) said the government’s handling of personally identifiable information (PII) that powers AI technology “merits renewed attention.”
In a request for information (RFI) issued today, OIRA is seeking input from the public on issues related to Federal agency collection, processing, maintenance, use, sharing, dissemination, and disposition of commercially available information (CAI) containing PII.
President Biden’s October 2023 executive order (EO) on AI recognized “privacy risks potentially exacerbated by AI – including by AI’s facilitation of the collection or use of information about individuals,” and it tasked OMB with taking steps to mitigate them.
President Biden’s EO defines CAI as “any information or data about an individual or group of individuals, including an individual’s or group of individuals’ device or location, that is made available or obtainable and sold, leased, or licensed to the general public or to governmental or non-governmental entities.”
“Procuring CAI containing PII from third parties, such as data brokers, for use with AI and for other purposes raises privacy concerns stemming from a lack of transparency with respect to the collection and processing of high volumes of potentially sensitive information,” OIRA Administrator Richard Revesz wrote in an Oct. 15 blog post accompanying the new RFI.
He continued, “The privacy concerns associated with CAI containing PII raise questions about whether agencies need to take additional steps to apply the framework of privacy law and policy to mitigate the risks exacerbated by new technology.”
In its RFI posted today, OMB is seeking answers to more than a dozen questions by Dec. 16.
Specifically, OMB wants to know what guidance it should consider issuing to agencies on ways to mitigate privacy risks from Feds’ handling of CAI containing PII.
OMB wants input on additional potential marching orders for agencies, including establishing “comprehensive” inventories of CAI containing PII and creating periodic reports on their handling of CAI containing PII.
The RFI also aims to explore how AI exacerbates privacy risks associated with agency handling of CAI containing PII.