Chapter 11 - Use of Persistent Cookies

Part 8 - Information Resources Management

Title Section
Introduction 8-11.1
    Purpose 8-11.1A
    Background 8-11.1B
    Scope 8-11.1C
    Authority 8-11.1D
    Acronyms 8-11.1E
    Definitions 8-11.1F
    Policy 8-11.1G
    Procedures 8-11.1H
    Chief Information Officer Role/Responsibilities 8-11.1I
    Internet Information Services Managers 8-11.1J

8-11.1  INTRODUCTION

  1. PURPOSE.  This chapter establishes the policies and responsibilities for the use of Web cookies by the Indian Health Service (IHS).
  2. BACKGROUND.  On June 22, 2000, the Office of Management and Budget (OMB) issued Memorandum M-00-13 on "Privacy Policies and Data Collection on Federal Web Sites," which included language on the usage of Web cookies for tracking Internet visitors.  The Federal Chief Information Officer (CIO) Council requested clarification to this memorandum on July 28, 2000.  The OMB provided specifications on "session" and "persistent" Web cookies on September 5, 2000:

    We are concerned about persistent cookies even if they do not themselves contain personally identifiable information.  Such cookies can often be linked to a person after the fact, even where that was not the original intent of the web site operator.  For instance, a person using the computer later may give his or her name or e-mail address to the agency.  It may then be technically easy for the agency to learn the complete history of the browsing previously done by users of that computer, raising privacy concerns even when the agency did not originally know the names of the users.

    We recognize that agency web sites can also seek information from visitors in ways that do not raise privacy concerns.  Specifically, they may retain the information only during the session or for the purpose of completing a particular online transaction, without any capacity to track users over time and across different web sites.  When used only for a single session or transaction, such information can assist web users in their electronic interactions with the government without threatening their privacy.  One example of such an approach that supports electronic government would be the use of a shopping cart to purchase a number of items online from the United States Mint.  Another example would be the current technology that assists users in filling out applications that require accessing multiple web pages on the Department of Education's Direct Consolidation Loan site.  We do not regard such activities as falling within the scope of Memorandum M-00-13.

  3. SCOPE.  This chapter applies to all IHS organizational components including, but not limited to, Headquarters, Area Offices, and service units conducting business for and on behalf of the IHS through contractual relationships when using IHS IT resources.  The policies contained in this chapter apply to all IHS IT activities including the equipment, procedures, and technologies that are employed in managing these activities.  The policy includes all IHS office locations, travel, teleworking, and other off-site locations.  Agency officials shall apply this chapter to contractor personnel, interns, externs, and other non-Government employees by incorporating such reference in contracts or memorandums of agreement as conditions for using Government-provided IT resources.  This chapter applies to all IHS Web sites, whether owned and operated by IHS, or operated on behalf of IHS.
  4. AUTHORITY.
    1. Department of Health and Human Services (HHS) Information Resources Management (IRM) Policy, "Usage of Persistent Cookies," HHS-IRM-2000-0009, January 8, 2001
    2. Office of Management and Budget Memorandum, M-00-13, "Privacy Policies and Data Collection on Federal Web Sites," 06/22/2000
  5. ACRONYMS.
    1. CIO  Chief Information Officer
    2. HHS  Department of Health and Human Services
    3. DASIRM  Deputy Assistant Secretary for Information Resources Management
    4. IHS  Indian Health Service
    5. IRM  Information Resources Management
    6. OMB  Office of Management and Budget
  6. DEFINITIONS.
    1. Exempted Cookies.  "Exempted cookies" include those that retain information only during the session or for the purpose of completing a particular online transaction, without any capacity to track users over time and across different Web sites.
    2. "Persistent" Web Cookies.  A persistent Web cookie is one that can "track" the activities of users over time and across different Web sites.
    3. "Session" Web Cookies.  A session Web cookie retains information only during the session or for the purpose of completing a particular online transaction, without any capacity to track users over time and across different Web sites.
    4. Web Cookies.  A Web cookie is a mechanism that allows the server to store its own information about a user on the user's own computer.
  7. POLICY.  "Persistent" Web cookies shall not be used on IHS Web sites, or by contractors when operating Web sites on behalf of IHS, unless the following conditions are met:
    1. The site gives clear and conspicuous notice.
    2. There is a compelling need to gather the data on the site.
    3. Appropriate and publicly disclosed privacy safeguards exist for handling any information derived from the Web cookies.
    4. The Secretary, HHS, gives personal prior approval for the use.
  8. PROCEDURES.  Any IHS organization utilizing persistent Web cookies as of the date of issuance of this chapter shall submit a written waiver request to the IHS CIO, who will approve/disapprove the request.  Approved requests will be forwarded by the IHS CIO to the Secretary, HHS, through the HHS Deputy Assistant Secretary for Information Resources Management (DASIRM) within 14 calendar days.

    The IHS shall register any usage of "persistent" Web cookies with the HHS Office of IRM quarterly.  A master list of all IHS persistent Web cookies shall be maintained by the IHS Webmaster and the HHS Office of IRM.

  9. CHIEF INFORMATION OFFICER ROLE/RESPONSIBILITIES.  The IHS CIO shall ensure the following:
    1. All justification paperwork for any planned usage of "persistent" Web cookies is submitted to the Secretary, HHS, through the DASIRM, prior to their usage.
    2. The Secretary's prior personal approval is acquired.
    3. A clear and conspicuous notice of "persistent" Web cookies usage is provided stating why there is a compelling need to gather the data on the site.
    4. Appropriate and publicly disclosed privacy safeguards exist for handling any information derived from the Web cookies.
    5. The IHS registers any usage of "persistent" Web cookies with the DASIRM on a quarterly basis.
  10. INTERNET INFORMATION SERVICES MANAGERS.  The IHS Internet Information Services Manager, Division of Information Resources (DIR), shall:
    1. be responsible for posting clear and conspicuous notice of any "persistent" Web cookies usage on his/her Web site, and
    2. ensure appropriate and publicly disclosed privacy safeguards exist for handling any information derived from the Web cookies.