3 principles for chief privacy officers

Congress passed a bill last year requiring each federal agency to appoint a chief privacy officer, but lawmakers failed to write a clear job description.

Although the legislation asked agencies to report to Congress on privacy violations and establish guidelines that are easy for the public to understand, it left the duties of the senior privacy official largely undefined.

Does the job require privacy officers to protect individual privacy? Is it the privacy officer's job to ensure compliance with privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA) and the Freedom of Information Act? Who should the privacy officer represent — the agency or the citizen — in cases involving conflicts or complaints?

Experts say that defining the role of federal privacy officers is a work in progress. In most cases, privacy officers have to learn how to balance the demands of security and privacy in an age of terrorism. Franklin Reeder, chairman of the federal Information Security and Privacy Advisory Board, said he has a few ideas for federal privacy officers' duties.

"The challenges facing the chief privacy officer are growing as a result of new technology and new information practices, like the growing use of third-party data," Reeder said.

He leads a board that advises the National Institute of Standards and Technology and the Office of Management and Budget on information security and privacy issues. The board is expected to discuss the role of federal chief privacy officers in a meeting this month. Its members will try to reach consensus on the responsibilities of privacy officers in the federal government.

Experts offered the following suggestions for privacy officers' job descriptions.

1. Represent the agency, not individual citizens

In the best of all worlds, federal privacy officers could represent their agencies and individual citizens, Reeder said. But privacy officers have a different role from privacy advocates.

Agencies need both, Reeder said. They need someone who administers the provisions of the Privacy Act and someone who is more of an advocate than an administrator.

Reeder added that protecting individual privacy rights supports agencies "because you are helping them comply with the law."

Paul Rosenzweig, chairman of the Homeland Security Department's Privacy Committee and a senior legal research fellow at the Heritage Foundation, said federal privacy officers have been cast in a complicated role.

"The ideal privacy officer doesn't choose between the agency and the public," Rosenzweig said. "In the end, he works for the executive branch."

A privacy officer's main task is ensuring that privacy is considered within agency programs, Rosenzweig said. "It's a job for teaching the agency to achieve its mission, while also advancing liberty and privacy," he added.

Nancy Libin, staff counsel at the Center for Democracy and Technology, a think tank studying privacy issues, said she agreed, but added that the job is a balancing act.

"The agency is there to serve the public, and because these privacy values have a constitutional foundation, the privacy officer is there to enhance the agency's ability to ... achieve privacy protections and agency efficiency," Libin said.

2. Teach the fundamentals of fair information practices

Federal workers must understand the principles of fair information practices, and that is the role of a privacy officer, Reeder said.

The fiscal 2006 Transportation Appropriations Act, which President Bush signed into law in August, includes specific language for training federal employees to comply with federal privacy and data-protection policies. But that training is only the tip of the iceberg, Reeder said.

An important training element is "the awareness training, which is kind of soft, but [it] helps everybody who touches the data," he said.

Privacy awareness training must occur whenever agencies begin collecting new data, said John Fanning, a former privacy expert at the Department of Health and Human Services. "People ought to be taught to think hard about each piece of information they are collecting," he said.

"Training is essential," Libin said. "One of the most important roles and responsibilities of the chief privacy officer is to train the staff."

3. Monitor compliance with privacy laws

Reeder said duties related to data privacy should be rolled into one job. But others say the separation or consolidation of responsibilities depends on each agency and its particular mission.

Peter Swire, a privacy expert who served as chief counselor for privacy during the Clinton administration, said a chief privacy officer would not be the best person to oversee agencies' compliance with HIPAA, which defines protections for individual patient records.

Under HIPAA, each "covered entity" is required to have an officer responsible for privacy compliance, said Swire, who is now a law professor at Ohio State University.

Additional principles for chief privacy officers

Assist with development of impact assessments

Assist, Reeder said, but resist being the primary author of privacy impact assessments (PIAs). Those reviews are required each time a federal agency creates a new information system or begins collecting any new data that includes personally identifiable information.

The heavy lifting for such assessments should be the responsibility of the program office that is collecting the data, Reeder said. (TK — word or more missing here???) e from the CPO, Reeder said. "The privacy office can provide technical assistance," he said.

Libin said she agreed, with a few qualifications. Federal agencies have many legitimate needs for collecting personal information, she said. The important matters are how agencies maintain personal information and how they share it among other agencies. "These are all areas where the chief privacy officer plays such an important role," she said.

A related duty of the privacy officer is to make certain that the agency keeps federal privacy policies in mind when it buys new hardware and software, Swire said. A privacy officer can play a useful role in ensuring that privacy principles are built in from the start, he said. "The privacy office should blend privacy and technology."

Advocate privacy, remember security

Some agencies combine effective privacy practices with strong security procedures, Reeder said, citing the U.S. Postal Service, the Internal Revenue Service and DHS as examples.

In a new era of terrorism threats, privacy officials must weigh public safety and security considerations alongside privacy protections, Sotto said. "It's very difficult to come out with a hard and fast rule without understanding the particular circumstances," she said. "In certain instances, privacy rights may need to give way. But it's critical that the circumstances really be scrutinized as to where the balance ought to fall at any given time."
