Privacy, security depend on program managers, experts say

Program managers need to apply privacy and security best practices early when they plan systems if they want to manage risk effectively, said Robert Wright, principal at Merrill and former chief of the plans and program management unit in the FBI’s Cyber Division. Program management is about managing risk, he said.

To know what to implement, program managers should use the laws and requirements that govern privacy and security, such as the Privacy Act and the requirements of the Office of Management and Budget, as their reference guide, said Sally Wallace, associate deputy assistant secretary for privacy and records management at the Veterans Affairs Department.

Agency executives who are responsible for their organizations' compliance with security and privacy laws and regulations push those requirements down to program managers to follow through in daily operations.

For example, OMB has directed that agencies use personally identifiable information only when necessary and reduce the use of Social Security numbers. Program managers also must produce privacy impact assessments when they develop or procure information systems that use or collect sensitive data. The assessments are a tool for ensuring that privacy is addressed through the life cycle of each IT system, and they identify risks in collecting information, Wallace said Oct. 11 at the Program Management Summit 2007, sponsored by the E-Gov Institute, a division of Federal Computer Week’s corporate owner, 1105 Media.

The Privacy Act requires agencies to publish system of records notices in the Federal Register for systems that store data and from which agencies retrieve information by an individual’s name or other identifier. The agency must detail in the notice the conditions under which it will use the personal information.

Most of VA’s attention surrounding privacy and security issues has focused on electronic data. But department officials plan to establish by December a policy to help safeguard information on paper, Wallace said.

VA plans to expand safeguards for paper-based data. Paper and mail have been issues, she said. For example, when a veteran wants to appeal a decision made at a regional office, that record is sent to VA offices in Washington. VA wants to make sure that it gets tracked, delivered and received, and doesn’t tear open or get sent to the wrong person. Those policies and procedures are in place for electronic data.

“We’re going to mandate those actions or equivalent, especially where we’re sending irreplaceable records from one place to another in VA,” Wallace said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
