ATARC AIDA Guidebook - FINAL 92


Artificial Intelligence and Data Analytics (AIDA) Guidebook

12 Summary
Technology is fundamentally transforming how government interacts with the public.
Integration of the strategies discussed in this guidebook promotes a Federal Government that is
more efficient, effective, and better equipped to deliver services to the American people.
Exponential advances in computing power, the rise of novel information networks, and
unleashed innovation have created new platforms that are enabling the development of a 21st
century digital government.
This guidebook provides tools, tips, and strategies to link data in the information layer, the
platform layer, and the presentation layer using secure interoperable cloud-based platforms. It
also provides a comprehensive framework for implementing shared analytics, machine
learning, AI, and other emerging technologies. Finally, the AIDA Guidebook outlines when and
how to leverage shared analytics throughout government agencies and other organizations
using repeatable and resilient models, core analytic terms of reference, and associated
definitions while promoting data standardization, optimization, and innovation – supporting the
implementation of the Federal Government AI Strategy.


13 Next Steps
In order to ensure usability, it will be necessary to link this framework to federal IT laws,
regulations, policies, and procedures underpinned by Federal Information Security
Modernization Act (FISMA), Federal Acquisition Reform Act (FARA), Information Technology
Management Reform Act (ITMRA), Paperwork Reduction Act (PRA), Federal Financial
Management Improvement Act (FFMIA), Federal Managers Financial Integrity Act (FMFIA), and
Government Performance and Results Act Modernization Act (GPRA-MA). Furthermore, this
framework needs to expand upon best practices to ensure data protection in transit and at rest,
and best practices to reduce administrative burdens associated with regulatory compliance
such as the Authorization to Operate (ATO) process. Additional activities include building best
practices and exemplar use cases for data management frameworks, operational security,
protecting intellectual property, building non-biased training datasets, and ensuring there are
mechanisms to ensure that data being used is 'fit for purpose'.

This guidebook is intended to become a living document, updated as new information and
guidance become available. It is also recommended that ATARC and its partners continue to
identify projects, use cases, and lessons learned for community reference and identify potential
venues to share those findings in partnership with academia.


Appendix A: Representative Laws and Federal Policies

The Federal Trade Commission Act, 1914


The Federal Trade Commission (FTC) is one of the few agencies solely focused on consumer
data. Their mission is to protect consumers by enforcing actions to safeguard consumers
against unfair or deceptive practices and to enforce federal privacy and data protection
regulations. Deceptive practices include a company or organization's failure to comply with its
published privacy policies and its failure to provide adequate security of personally identifiable
information (PII) or use of deceptive advertising or marketing methods. Many other federal
laws around consumer data have been slotted under the FTC.

Title 26, 1939


Title 26 pertains to the statistical work carried out by the US Census Bureau for the collection of
Internal Revenue Service (IRS) data regarding households and businesses. It states the
conditions in which the IRS may communicate Federal Tax Returns and Return Information (FTI)
with other agencies, including the Census Bureau. Title 26 specifically allows the IRS to send FTI
to the Census Bureau for the purpose of building censuses and national economic accounts in
addition to conducting other federally authorized statistical tasks.

Title 13 - Covers US Census Bureau Data, 1954


Both individuals and businesses are covered by Title 13. These protections include never
disclosing or publishing personal information such as names, addresses, phone numbers, or
Social Security Numbers, and the data collected by the Census Bureau cannot be used against
respondents in a court of law. Census Bureau workers are also held to a higher standard of
confidentiality; they must safeguard respondents' information for life and, if that confidentiality
is broken, face the following penalties: a federal prison sentence of up to five years and a $250,000 fine.

The Fair Credit Reporting Act (FCRA), 1970


The Fair Credit Reporting Act (FCRA) protects consumers from consumer reporting agencies.
Amended by the Fair and Accurate Credit Transactions Act (FACTA), it further restricts the use
of information with a bearing on an individual's credit worthiness, credit standing, credit
capacity, character, general reputation, personal characteristics, and mode of living to
determine eligibility for credit, employment, and insurance among other restrictions on how
credit card information can be viewed and seen. The Consumer Financial Protection Bureau and
FTC provide additional authority to operate.


Family Educational Rights and Privacy Act (FERPA), 1974


The Family Educational Rights and Privacy Act (FERPA) is a federal law, enforced by the
Department of Education (ED), that protects the privacy of student education records and
applies to all schools which receive funds under an applicable program under ED. FERPA gives
parents certain rights pertaining to their children’s education records and the rights are
transferred to the child at the legal age of 18. FERPA prohibits improper disclosure of PII
derived from education records. Violations of FERPA result in a withdrawal of federal funding.
ED has changed its enforcement tactics for FERPA and now focuses only on the highest-risk
issues for investigations.

Privacy Act of 1974


This Act establishes a code of fair information practices that governs the collection,
maintenance, use, and dissemination of information about individuals maintained in systems of
records by federal agencies. Agencies must give public notice of their systems of records by
publication in the Federal Register. US citizens are given the right to examine and edit their
records and are protected against unwarranted invasion of their privacy resulting from the
collection, maintenance, use, and disclosure of their personal information.

42 CFR Part 2 regulations, pertaining to the Confidentiality of Substance Use Disorder Patient Records, 1975

Similar to the protection of certain patient information under HIPAA and its implementing
regulations, the confidentiality of alcohol and drug abuse patient records is protected by
federal law under 42 U.S.C. § 290dd-2 and its implementing regulations under 42 C.F.R. Part 2.
Specifically, Part 2 protects the confidentiality of patient records maintained in connection with
the provision of substance abuse education, prevention, rehabilitation, treatment, training, or
research by, or as part of, a federally assisted program. Part 2 is enforced by the federal
Substance Abuse and Mental Health Services Administration (SAMHSA). 42 C.F.R. Part 2 was
most recently updated in 2020.

Federal Managers Financial Integrity Act of 1982 (FMFIA) (Public Law 97-255)

The purpose of the Federal Financial Integrity Act of 1982 (FMFIA) is to update the Accounting
and Auditing Act of 1950 to require Federal agencies to create internal accounting and
administrative controls. These controls are created to prevent the waste or misuse of both
agency funds and property as well as confirm the accountability of assets.

Cable Communications Policy Act (CCPA), 1984


The Cable Communications Policy Act (CCPA) is an amendment to the original Communications
Act of 1934, which aligned regulations of telephone, telegraph, and radio communications
under the Federal Communications Commission (FCC). This Act gave the FCC jurisdiction and
authority over the cable television industry and extended the protection of subscriber privacy.
The FCC has grown into a large independent government agency that regulates all interstate
communications.

Chief Financial Officers (CFO) Act of 1990 (Public Law 101-576)


The Chief Financial Officers (CFO) Act was passed with the intention of improving the general and
financial management practices of the Federal Government by outlining standards for financial
performance and disclosure. The OMB was also given an increased management role over
federal financial management, and all twenty-four departments and agencies were given a
new position of chief financial officer.

Paperwork Reduction Act (PRA) of 1995 (Public Law 104-13)


The Paperwork Reduction Act (PRA) was enacted with the goal of reducing the paperwork load
for individuals, small businesses, education and nonprofit entities, federal contractors, state,
local, and tribal governments, and all other persons impacted by the collection of
information for or by the Federal Government. It requires that every federal agency receive
approval from the OMB before using identical questions to collect information from ten or
more people.

The Health Information Portability and Accountability Act (HIPAA), 1996 (Public Law 104-191)

The Health Information Portability and Accountability Act (HIPAA), enforced by the Department
of Health and Human Services (HHS), is a federal law that protects sensitive patient health
information from being disclosed without the consent or knowledge of a patient through
national standards. HIPAA included Administrative Simplification provisions that required HHS
to adopt national standards for electronic health care transactions and code sets, unique health
identifiers, and security. At the same time, Congress recognized that advances in electronic
technology could erode the privacy of health information. Consequently, Congress incorporated
into HIPAA provisions that mandated the adoption of federal privacy protections for
individually identifiable health information. HHS published a final Privacy Rule in December
2000, which was later modified in August 2002. This Rule set national standards for the
protection of individually identifiable health information by three types of covered entities:
health plans, health care clearinghouses, and health care providers who conduct the standard
health care transactions electronically. HHS published a final Security Rule in February 2003.
This Rule sets national standards for protecting the confidentiality, integrity, and availability of
electronic protected health information. In November 2019, HHS updated its regulations to
reflect required annual inflation-related increases to civil monetary penalties, including those
violations of HIPAA’s “administrative simplification” provisions. Administrative simplification
generally includes HIPAA’s privacy and security requirements, including rules as to how health
plan data are exchanged, and the affected penalties are included in the Code of Federal
Regulations at 45 C.F.R. § 160.404(b).

Federal Financial Management Improvement Act (FFMIA), 1996


The purpose of the Federal Financial Management Improvement Act of 1996 (FFMIA) is to
advance Federal financial management by ensuring that Federal financial management systems
provide accurate, reliable, and timely financial management information to the government’s
managers. The intent and the requirements of this Act go well beyond the directives of the CFO
Act and the Government Management Reform Act of 1994 (GMRA) to publish audited financial
reports. Compliance with the FFMIA will provide the basis for the continuing use of reliable
financial management information by program managers, and by the President, the Congress
and the public.

Clinger-Cohen Act of 1996


Division D, the Federal Acquisition Reform Act (FARA), and Division E, the Information Technology
Management Reform Act (ITMRA), of the National Defense Authorization Act of 1996 are
collectively referred to as the Clinger-Cohen Act. The Clinger-Cohen Act eliminated the General
Services Administration’s (GSA) single authority to acquire technology and permitted individual
federal agencies to accept that role.

Federal Financial Management Improvement Act of 1996 (FFMIA) (Public Law 104-208)

The purpose of the Federal Financial Management Improvement Act of 1996 (FFMIA) is to
improve Federal financial management by certifying that federal financial management systems
provide correct, reliable, and prompt financial management information to government
managers.

Children’s Online Privacy Protection Act (COPPA), 1998


The Children’s Online Privacy Protection Act (COPPA) prohibits the collection of any information
from a child under the age of 13 online and from digitally connected devices. The Act requires
publication of privacy notices and collection of verifiable parental consent when information
from children is being collected. COPPA has not been updated since 2013 and is continuously
competing against the growing rate of technology. COPPA potentially has a much larger role to
play as digital content develops for younger audiences.

Gramm Leach Bliley Act (GLBA), 1999


The Gramm Leach Bliley Act (GLBA) governs the protection of personal information in the hands
of banks, insurance companies, and more within the finance industry. This statute specifically
addresses Nonpublic Personal Information (NPI), which includes any information that a financial
service company collects from its customers in connection with the provision of its services.
