CIO Council turns focus on privacy

WILLIAMSBURG, Va. -- The CIO Council is formally addressing privacy issues — much the same way it looks at enterprise architecture, best practices and workforce challenges.

In May, the council created the Privacy Committee, headed by Karen Evans, the Office of Management and Budget’s administrator for e-government and information technology and director of the CIO Council, and Ken Mortensen, the Justice Department’s acting chief privacy and civil liberties officer. The committee’s purpose is to discuss privacy issues related to governance, policy and security.

“We wanted to have an agency help lead the committee that has a privacy officer beyond” the chief information officer, Evans said after a panel discussion on security and privacy at the 17th annual Executive Leadership Conference, sponsored by the Industry Advisory Council. “Justice forcibly volunteered. Ken makes sure we don’t just look at the strict definitions of privacy laws but ensures we look at it from a practical standpoint, too.”

Mortensen said he believes there is a conflict when the CIO is also the privacy officer. He said the two jobs are different because CIOs try to manage and make information flow, while privacy officers must make sure information is kept private.

The Bush administration didn’t always support keeping the two functions separate. In early fiscal 2005, Rep. Tom Davis (R-Va.) introduced a provision repealing or modifying language in an appropriations bill that called for separate privacy officers. The administration watered down a similar provision in the Intelligence Reform and Terrorism Prevention Act.

Mortensen said some of the concern revolved around adding another layer of bureaucracy where it might not be needed. But he said there has been solid support at Justice for his position.

The recent attention to privacy is one reason the CIO Council formalized the committee.

Mortensen said the committee's most recent meeting discussed the Implementing Recommendations of the 9/11 Commission Act’s privacy requirements and how agencies could comply with them.

The law calls for specific agencies such as the CIA; Justice; and the Health and Human Services, State, and Homeland Security departments to have chief privacy officers. Those agencies must send lawmakers quarterly privacy reviews detailing the advice privacy officers have given to senior managers and the number and disposition of citizens’ complaints. The law also requires privacy officers to work with agency executives to report on data-mining activities.

“We want to look at the reporting requirements and make sure [they are] consistent for everyone if the reporting requirements are extended to everyone,” Mortensen said.

He added that the CIO Council and OMB decided to establish a privacy committee because they recognized the heightened focus that Congress, the public and agencies are placing on privacy issues.

“There are a lot of things happening, and we need to talk about it in a formal group,” he said. “The committee is a place OMB can come to get our feel on policy issues and challenges we are having.”

Mortensen said the torrent of data breaches in the past year has made privacy and security officers reconsider their roles.

“We have entered an era where privacy is at the forefront because a lot of it has to do with a lack of trust of people holding our personal information,” he said. “We need to instill trust in our ability to respond to vulnerabilities and ensure they don’t happen again.”

Mortensen said privacy incidents are personal and used the example of salary information to illustrate his point.

“For political appointees, the information is public, but for most others, salary information is very personal,” he said. “Privacy incidents can occur in a format that has nothing to do with technology, though technology usually is linked in some way.”

