CIO Council turns focus on privacy

WILLIAMSBURG, Va. -- The CIO Council is formally addressing privacy issues — much the same way it looks at enterprise architecture, best practices and workforce challenges.In May, the council created the Privacy Committee, headed by Karen Evans, the Office of Management and Budget’s administrator for e-government and information technology and director of the CIO Council, and Ken Mortensen, the Justice Department’s acting chief privacy and civil liberties officer. The committee’s purpose is to discuss privacy issues related to governance, policy and security.“We wanted to have an agency help lead the committee that has a privacy officer beyond” the chief information officer, Evans said after a panel discussion on security and privacy at the 17th annual Executive Leadership Conference, sponsored by the Industry Advisory Council. “Justice forcibly volunteered. Ken makes sure we don’t just look at the strict definitions of privacy laws but ensures we look at it from a practical standpoint, too.”Mortensen said he believes there is a conflict when the CIO is also the privacy officer. He said the two jobs are different because CIOs try to manage and make information flow, while privacy officers must make sure information is kept private.The Bush administration didn’t always support keeping the two functions separate. In early fiscal 2005, Rep. Tom Davis (R-Va.) introduced a provision repealing or modifying language in an appropriations bill that called for separate privacy officers. The administration watered down a similar provision in the Intelligence Reform and Terrorism Prevention Act.Mortensen said some of the concern revolved around adding another layer of bureaucracy where it might not be needed. But he said there has been solid support at Justice for his position.The recent attention to privacy is one reason the CIO Council formalized the committee.Mortensen said the committee's most recent meeting discussed the Implementing Recommendations of the 9/11 Commission Act’s privacy requirements and how agencies could comply with them.The law calls for specific agencies such has the CIA; Justice; and the Health and Human Services, State, and Homeland Security departments to have chief privacy officers. Those agencies must send lawmakers quarterly privacy reviews detailing the advice privacy officer have given to senior managers and the number and disposition of citizens’ complaints. The law also requires privacy officers to work with agency executives to report on data-mining activities.“We want to look at the reporting requirements and make sure [they are] consistent for everyone if the reporting requirements are extended to everyone,” Mortensen said.He added that the CIO Council and OMB decided to establish a privacy committee because they recognized the heightened focus that Congress, the public and agencies are placing on privacy issues.“There are a lot of things happening, and we need to talk about it in a formal group,” he said. “The committee is a place OMB can come to get our feel on policy issues and challenges we are having.”Mortensen said the torrent of data breaches in the past year has made privacy and security officers reconsider their roles.“We have entered an era where privacy is at the forefront because a lot of it has to do with a lack of trust of people holding our personal information,” he said. “We need to instill trust in our ability to respond to vulnerabilities and ensure they don’t happen again.”Mortensen said privacy incidents are personal and used the example of salary information to illustrate his point.“For political appointees, the information is public, but for most others, salary information is very personal,” he said. “Privacy incidents can occur in a format that has nothing to do with technology, though technology usually is linked in some way.”