Robert Gellman | @Info.Policy: Chief privacy officers stuck in the middle
CPOs have to live by their wits, and be useful
Let’s try a role-playing exercise. You are the newly appointed chief privacy officer at your agency. How can you represent privacy interests internally, look functional to outsiders and not get your agency’s management mad at you? It isn’t easy to balance all these conflicting objectives.
A CPO in any organization is a person in the middle. It’s true for a CPO in a company, and it is true for a CPO in a federal agency. Even well-established internal privacy offices have to walk a tightrope.
CPOs face several institutional problems. They typically have little real power, limited resources and no natural base of support. Privacy remains a novel issue at many agencies. It often doesn’t even appear on the radar screen unless there is a crisis.
You will recall that Congress in 2004 directed agencies to establish CPOs. As the new kid on the block, a CPO has to define the role of the privacy office. It’s true that agencies have had to comply with the Privacy Act of 1974 for a generation, but most Privacy Act staffers have little power and influence. Can CPOs do better?
CPOs should not look to the Office of General Counsel as a role model. At most agencies, everyone hates the lawyers. The lawyers have the power to stop anything they don’t like by declaring it contrary to law. Agency lawyers frequently have no incentive to be helpful because they know that they can’t be fired, evaded or ignored by their clients. Anyway, a CPO does not have the clout a lawyer has.
Program offices may accept help from a CPO, but it is more likely that the CPO will have to prove something first. Some offices with privacy issues may require the CPO to bring the Wicked Witch’s broomstick—or the bureaucratic equivalent, which is a directive from the head of the agency—just to get in the door.
A CPO will have to live by his or her wits, but mostly by being useful. Often that means being a team player, finding practical solutions and, most important, doing things instead of telling others what to do.
Another problem faced by an externally visible CPO comes when the battle has been lost. A privacy issue surfaces in your agency, and you recommend that the agency take specific steps to minimize privacy intrusions. You fight it out internally, and the agency rejects your advice.
That’s bad enough, but here comes a call from a reporter asking what you think of the agency’s decision. If you say that the decision was wrong, you will surely tick off your agency head as well as the program office. Good luck having any influence in the future. But if you say the decision was right, you will lose your credibility with congressional critics and with the privacy advocates who are screaming that your agency just joined Big Brother’s team.
See what I mean about being in the middle? There is no place to turn without digging yourself in deeper. So what to do? I have an answer.
The solution is that a CPO has to be able to respond procedurally. If you don’t want to say that a decision was substantively right or wrong, the best answer is that the agency duly considered privacy when it made its decision. CPOs should define their own role in procedural terms to avoid being forced to lie or being left with nothing to say. That procedural response is appropriate even when the agency did the right thing for privacy.
In a better world, we would have a truly independent privacy office that could responsibly praise or criticize an agency, the administration, Congress or the courts without losing budget or influence. But without independence, the best that we can hope for is that privacy officials represent privacy assertively, be creative, work hard and live to fight another day.