The need for privacy

Should every agency have a chief privacy officer?

An Information Age argument about how agencies should best organize themselves to protect citizens' privacy rights has collided with the jurisdictional divides between power centers in Washington, D.C.

Specifically, a 4-month-old law requiring agencies to appoint chief privacy officers, which passed last year as part of Congress' omnibus spending bill, has provoked resistance from the Office of Management and Budget and Congress.

Few disagree that privacy is an important issue, particularly as agencies increasingly look for ways to share information electronically across organizational lines. Privacy is an issue that "can bring major initiatives to their knees," said Scott Hastings, chief information officer for the U.S. Visitor and Immigrant Status Indicator Technology program.

Supporters of the law that mandated chief privacy officers argue that new digital possibilities, which could cause leaks of confidentially collected public information, require each agency to appoint a single high-level person to take charge of privacy policy.

Opponents argue that it creates an unnecessary layer of bureaucracy while undermining the CIO's authority. They also say the provision creating the chief privacy officer was added to an appropriations bill at the last minute by Sen. Richard Shelby (R-Ala.) without discussion with oversight committees.

"We’re happy to have a debate on the merits," said David Marin, a spokesman for Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee. "What troubles us is when language is inserted at the 11th hour into a massive bill, without consultation or forewarning."

Davis introduced a bill last month that would repeal the privacy officer language in its entirety.

OMB officials also opposed the provision in the fiscal 2006 budget submission by reprinting the law and placing black brackets around it. "Bracketing" is often reserved for an omnibus provision the executive branch "flat-out hated but didn't want to make a veto item," said one House appropriations staffer, speaking on condition of anonymity.

"It doesn't necessarily mean that the administration rejects the substance of the item," said Sarah Hawkins, an OMB spokeswoman. But a bracketed law might not "represent the most effective means of achieving a provision’s overall goals."

OMB has not been silent on privacy officers, issuing a memo in February requiring every agency to select a “senior agency official” as the privacy policy honcho.

But the memo does not derive statutorily from the omnibus legislation, said Karen Evans, OMB's administrator for e-government and information technology. It also does not require agencies to designate a privacy “chief,” and the CIO can be the designated privacy officer.

"We are focused on whether privacy is properly embedded in an organization and not the particular title of the official charged with this responsibility," Evans said.

The omnibus law does not specifically prohibit CIOs from also becoming chief privacy officers, said a Senate Appropriations Committee staffer who helped draft the language. But "I don't know how many more responsibilities the CIO can take on," he added.

Reporting privacy compliance data will also become part of agencies' Federal Information Security Management Act (FISMA) reports, Evans said. What type of data agencies will include in the updated FISMA requirements "is the subject of ongoing internal discussion," she added.

The OMB memo is "a good indication that [OMB] is willing to support the letter of the law rather than the intent," said a federal official who requested anonymity. "A lot of times what happens is something that [OMB officials] feel will not be long-lived. It will be combined with other duties, with other responsibilities as opposed to a whole new program."

Still, the law has defenders. "The role of the privacy office is sufficiently substantial and unique that it cannot be shoehorned into an existing job description," said Sen. Patrick Leahy (D-Vt.), who opposes Davis' repeal bill. "The participation of privacy officers also facilitates congressional oversight."

And an imperfect measure is better than no privacy officer law at all, said Ari Schwartz, a privacy advocate and associate director of the Center for Democracy and Technology.

"Probably we would have ended up with better legislation had we done it in a different way," he said. "However, having chief privacy officers for certain agencies is a good idea."

Davis' argument that the privacy officer legislation undercuts the CIO is not entirely accurate, Schwartz said. Many privacy-related decisions are far beyond the purview of CIOs and one agency official needs to track every detail of privacy policy, he added.

CIOs should not assume agencywide privacy officer duties, argued one agency CIO, speaking on condition of anonymity. "All information inside a department doesn't go through the CIO's shop," the CIO said. For instance, requests for proposals don't, "and who's to say that somebody doesn't mention somebody's name and Social Security number in there? What’s that got to do with the CIO?"

Schwartz said a better law would have staked out middle ground between agency needs and CIO jurisdiction, but with major departments such as Justice and State currently without a chief privacy officer, "something trumps nothing."

Meanwhile, some federal officials say their agencies are now unsure how to fit privacy into their organizations. "We’re not looking at the letter of the law but the spirit of the guidance," said a Justice official. That department currently has an attorney in charge of privacy issues, but "we are thinking it needs to be someone who has some kind of information technology orientation as well."

But the general counsel’s office is right where privacy officers belong, the agency CIO said. "If I as a citizen have a problem because a federal agency sent my bank information somewhere, I should sue the agency. That’s my recourse."

But any differences between the law and the OMB memo shouldn’t matter, said Robert McFarland, assistant secretary for information and technology at the Department of Veterans Affairs. McFarland is his agency's designated privacy officer.

"I don't think it’s going to matter in the day-to-day operations because we’re going to take privacy as a very important part of our mission," he said.

What's in a memo?

Congress passed legislation last year requiring every agency to name a chief privacy officer. It was included in the omnibus appropriations bill. In addition, the law requires agency officials to:

  • Annually report to Congress on privacy violation complaints, internal privacy controls and the law’s implementation.
  • Establish a privacy protection policy that the public can easily identify.
  • Submit a review on agency privacy practices to an inspector general every two years.

By contrast, Office of Management and Budget officials issued a privacy policy memo in February that requires agency officials to:

  • Name a senior agency official who has agencywide responsibility for privacy issues.
  • Maintain appropriate documentation about the agency’s compliance with privacy policies.
  • Include privacy as part of annual Federal Information Security Management Act reviews.
— David Perera

About the Author

David Perera is a special contributor to Defense Systems.
