3 principles for chief privacy officers
- By Judi Hasson
- Sep 05, 2005
Congress passed a bill last year requiring each federal agency to appoint a chief privacy officer, but lawmakers failed to write a clear job description.
Although the legislation asked agencies to report to Congress on privacy violations and establish guidelines that are easy for the public to understand, it left the duties of the senior privacy official largely undefined.
Does the job require privacy officers to protect individual privacy? Is it the privacy officer's job to ensure compliance with privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA) and the Freedom of Information Act? Whom should the privacy officer represent, the agency or the citizen, in cases involving conflicts or complaints?
Experts say that defining the role of federal privacy officers is a work in progress. In most cases, privacy officers have to learn how to balance the demands of security and privacy in an age of terrorism. Franklin Reeder, chairman of the federal Information Security and Privacy Advisory Board, said he has a few ideas for federal privacy officers' duties.
"The challenges facing the chief privacy officer are growing as a result of new technology and new information practices, like the growing use of third-party data," Reeder said.
He leads a board that advises the National Institute of Standards and Technology and the Office of Management and Budget on information security and privacy issues. The board is expected to discuss the role of federal chief privacy officers in a meeting this month. Its members will try to reach consensus on the responsibilities of privacy officers in the federal government.
Experts offered the following suggestions for privacy officers' job descriptions.
Represent the agency, not individual citizens
In the best of all worlds, federal privacy officers could represent their agencies and individual citizens, Reeder said. But privacy officers have a different role from privacy advocates.
Agencies need both, Reeder said. They need someone who administers the provisions of the Privacy Act and someone who is more of an advocate than an administrator.
Reeder added that protecting individual privacy rights supports agencies "because you are helping them comply with the law."
Paul Rosenzweig, chairman of the Homeland Security Department's Privacy Committee and a senior legal research fellow at the Heritage Foundation, said federal privacy officers have been cast in a complicated role.
"The ideal privacy officer doesn't choose between the agency and the public," Rosenzweig said. "In the end, he works for the executive branch."
A privacy officer's main task is ensuring that privacy is considered within agency programs, Rosenzweig said. "It's a job for teaching the agency to achieve its mission, while also advancing liberty and privacy," he added.
Nancy Libin, staff counsel at the Center for Democracy and Technology, a think tank studying privacy issues, said she agreed, but added that the job is a balancing act.
"The agency is there to serve the public, and because these privacy values have a constitutional foundation, the privacy officer is there to enhance the agency's ability to ... achieve privacy protections and agency efficiency," Libin said.
Teach the fundamentals of fair information practices
Federal workers must understand the principles of fair information practices, and that is the role of a privacy officer, Reeder said.
The fiscal 2006 Transportation Appropriations Act, which President Bush signed into law in August, includes specific language for training federal employees to comply with federal privacy and data-protection policies. But that training is only the tip of the iceberg, Reeder said.
An important training element is "the awareness training, which is kind of soft, but [it] helps everybody who touches the data," he said.
Privacy awareness training must occur whenever agencies begin collecting new data, said John Fanning, a former privacy expert at the Department of Health and Human Services. "People ought to be taught to think hard about each piece of information they are collecting," he said.
"Training is essential," Libin said. "One of the most important roles and responsibilities of the chief privacy officer is to train the staff."
Monitor compliance with privacy laws
Reeder said duties related to data privacy should be rolled into one job. But others say the separation or consolidation of responsibilities depends on each agency and its particular mission.
Peter Swire, a privacy expert who served as chief counselor for privacy during the Clinton administration, said a chief privacy officer would not be the best person to oversee agencies' compliance with HIPAA, which defines protections for individual patient records.
Under HIPAA, each "covered entity" is required to have an officer responsible for privacy compliance, said Swire, who is now a law professor at Ohio State University.