NOAA's National Ocean Service
Office of the CIO
The term "NOS OCIO Web Applications" in this policy refers to all web applications hosted and managed by the NOAA National Ocean Service (NOS) Office of the Chief Information Officer (OCIO). The following discloses the information gathering and dissemination practices for NOS OCIO Web Applications.
The NOS OCIO Web Applications primarily collect, store and display data for these basic purposes:
The NOS OCIO is committed to protecting the privacy of site visitors and application users as well as any personal information that users may provide.
Links to NOAA/NOS Websites
Links to External Websites
NOS OCIO Web Applications contain links to other external sites. NOS OCIO office is not responsible for the privacy practices or the content of such websites.
A cookie is a text file that lives on the client user's computer. Cookies are either stored in memory (session cookies) or placed on users' hard disk (persistent cookies). A persistent cookie can keep information in the user's browser to a long lifespan until deleted.
NOS OCIO Web Applications only use session cookies. Persistent cookies are prohibited. When an authenticated user logs off, cookies are emptied. Sensitive information, including user credentials, is not stored in cookies.
Users may determine how their browser handles cookies, and may disable cookies being stored. However, by disabling cookies certain web applications' features and functionality may no longer work properly, or function at all.
Session information is stored on the server. It is typically stored in web server memory and exists for 20 minutes by default. Sessions work like a token, allowing access and passing information while the user has the browser open. When users close their browsers they also lose their sessions.
A unique session ID is generated for users when they log on to a NOS OCIO Web Application. The session ID is not associated with the user's computer or with the user individually. It is also not related to the unique user ID that may be generated when a user authenticates.
The session ID may be used to track a user's actions in the application. This is used for security and error resolution purposes only.
For applications requiring user credentials, user information stored in session may be used as explained in the section on Authentication.
When an authenticated user logs off, all information stored by a NOS OCIO Web Application in session memory is deleted. The session itself is deleted when a user's browser is closed.
Some NOS OCIO Web Applications require user authentication. Authentication may be based on the existence of an entry in the NOAA LDAP directory or on the presence of application-specific credentials stored in a NOS OCIO database. Credentials stored in a database are not related to credentials stored elsewhere and are not used for purposes other than authentication.
The purpose of authentication is to control access to protected data and restrict actions that may be performed. Once a user has been authenticated, a unique internal user ID is stored, usually in session but possibly in cookies (see the sections on Cookies and Session). This ID is stored only as long as the user session is valid. This unique internal user ID is based on internal database record keys and is not related in any way to any other identification owned by or assigned to the user.
The stored internal user ID may be used to track a user's actions while logged in to the application:
A user's password is not stored in session or in cookies. Once the user has logged off, all user information stored outside of the authentication source is deleted.
Access & Audit Logs
A user's actions may be logged as follows:
Access to log files is restricted to system administrators and application administrators. They may be shared with appropriate IT security officials when necessary.
Private Data Collection
Any information gathered by NOS OCIO Web Applications is limited to that data needed to provide users with accurate and appropriate service. User information is only used for particular project purposes and is not shared outside the Federal government. Accordingly, the privacy and personal information visitors provide is stored in a secure location accessible only by designated staff, and is used only for the purposes for which visitors provide the information.
Personally identifiable information (PII) collected or stored by applications in the NOS OCIO Web Applications is limited to: name, address, phone, e-mail address, organization name, organization address, and position. In some limited-access applications, the PII is collected using some other method (mail, e-mail, fax, business card, etc.) and is entered by authorized NOS staff.
The information is collected from NOAA/NOS staff, NOAA/NOS partners, and members of the general public.
NOS OCIO Web Applications have reasonable security measures in place to protect the loss, misuse, and alteration of the information under our control. These measures include administrative, technical, physical and procedural steps to protect users' data from misuse, unauthorized access or disclosure, loss, alteration, or destruction.
The current Privacy Impact Assessment for NOS OCIO Web Applications, referenced as the National Ocean Service Web Application Subsystem, is reachable from the page linked here: http://www.cio.noaa.gov/services_programs/privacy.html
Rights under the Privacy Act
Your rights under the Privacy Act can be found at the following address: https://www.gsa.gov/graphics/staffoffices/Your_Right_to_Federal_Records.pdf