The need for privacy

Should every agency have a chief privacy officer?

An Information Age argument about how agencies should best organize themselves to protect citizens' privacy rights has collided with the jurisdictional divides between power centers in Washington, D.C.

Specifically, a 4-month-old law requiring agencies to appoint chief privacy officers, which passed last year as part of Congress' omnibus spending bill, has provoked resistance from the Office of Management and Budget and Congress.

Few disagree that privacy is an important issue, particularly as agencies increasingly look for ways to share information electronically across organizational lines. Privacy is an issue that "can bring major initiatives to their knees," said Scott Hastings, chief information officer for the U.S. Visitor and Immigrant Status Indicator Technology program.

Supporters of the law that mandated chief privacy officers argue that new digital possibilities, which could cause leaks of confidentially collected public information, require each agency to appoint a single high-level person to take charge of privacy policy.

Opponents argue that it creates an unnecessary layer of bureaucracy while undermining the CIO's authority. They also say the provision creating the chief privacy officer was added to an appropriations bill at the last minute by Sen. Richard Shelby (R-Ala.) without discussion with oversight committees.

"We’re happy to have a debate on the merits," said David Marin, a spokesman for Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee. "What troubles us is when language is inserted at the 11th hour into a massive bill, without consultation or forewarning."

Davis introduced a bill last month that would repeal the privacy officer language in its entirety.

OMB officials also opposed the provision in the fiscal 2006 budget submission by reprinting the law and placing black brackets around it. "Bracketing" is often reserved for an omnibus provision the executive branch "flat-out hated but didn't want to make a veto item," said one House appropriations staffer, speaking on condition of anonymity.

"It doesn't necessarily mean that the administration rejects the substance of the item," said Sarah Hawkins, an OMB spokeswoman. But a bracketed law might not "represent the most effective means of achieving a provision’s overall goals."

OMB has not been silent on privacy officers, issuing a memo in February requiring every agency to select a “senior agency official” as the privacy policy honcho.

But the memo does not derive statutorily from the omnibus legislation, said Karen Evans, OMB's administrator for e-government and information technology. It also does not require agencies to designate a privacy “chief,” and the CIO can be the designated privacy officer.

"We are focused on whether privacy is properly embedded in an organization and not the particular title of the official charged with this responsibility," Evans said.

The omnibus law does not specifically prohibit CIOs from also becoming chief privacy officers, said a Senate Appropriations Committee staffer who helped draft the language. But "I don't know how many more responsibilities the CIO can take on," he added.

Reporting privacy compliance data will also become part of agencies' Federal Information Security Management Act (FISMA) reports, Evans said. What type of data agencies will include in the updated FISMA requirements "is the subject of ongoing internal discussion," she added.

The OMB memo is "a good indication that [OMB] is willing to support the letter of the law rather than the intent," said a federal official who requested anonymity. "A lot of times what happens is something that [OMB officials] feel will not be long-lived. It will be combined with other duties, with other responsibilities as opposed to a whole new program."

Still, the law has defenders. "The role of the privacy office is sufficiently substantial and unique that it cannot be shoehorned into an existing job description," said Sen. Patrick Leahy (D-Vt.), who opposes Davis' repeal bill. "The participation of privacy officers also facilitates congressional oversight."

And an imperfect measure is better than no privacy officer law at all, said Ari Schwartz, a privacy advocate and associate director of the Center for Democracy and Technology.

"Probably we would have ended up with better legislation had we done it in a different way," he said. "However, having chief privacy officers for certain agencies is a good idea."

Davis' argument that the privacy officer legislation undercuts the CIO is not entirely accurate, Schwartz said. Many privacy-related decisions are far beyond the purview of CIOs and one agency official needs to track every detail of privacy policy, he added.

CIOs should not assume agencywide privacy officer duties, argued one agency CIO, speaking on condition of anonymity. "All information inside a department doesn't go through the CIO's shop," the CIO said. For instance, requests for proposals don't, "and who's to say that somebody doesn't mention somebody's name and Social Security number in there? What’s that got to do with the CIO?"

Schwartz said a better law would have staked out middle ground between agency needs and CIO jurisdiction, but with major departments such as Justice and State currently without a chief privacy officer, "something trumps nothing."

Meanwhile, some federal officials say their agencies are now unsure how to fit privacy into their organizations. "We’re not looking at the letter of the law but the spirit of the guidance," said a Justice official. That department currently has an attorney in charge of privacy issues, but "we are thinking it needs to be someone who has some kind of information technology orientation as well."

But the general counsel’s office is right where privacy officers belong, the agency CIO said. "If I as a citizen have a problem because a federal agency sent my bank information somewhere, I should sue the agency. That’s my recourse."

But any differences between the law and the OMB memo shouldn’t matter, said Robert McFarland, assistant secretary for information and technology at the Department of Veterans Affairs. McFarland is his agency's designated privacy officer.

"I don't think it’s going to matter in the day-to-day operations because we’re going to take privacy as a very important part of our mission," he said.

What's in a memo?

Congress passed legislation last year requiring every agency to name a chief privacy officer. It was included in the omnibus appropriations bill. In addition, the law requires agency officials to:

  • Annually report to Congress on privacy violation complaints, internal privacy controls and the law’s implementation.
  • Establish a privacy protection policy that the public can easily identify.
  • Submit a review on agency privacy practices to an inspector general every two years.

By contrast, Office of Management and Budget officials issued a privacy policy memo in February that requires agency officials to:

  • Name a senior agency official who has agencywide responsibility for privacy issues.
  • Maintain appropriate documentation about the agency’s compliance with privacy policies.
  • Include privacy as part of annual Federal Information Security Management Act reviews.
— David Perera
