3 principles for chief privacy officers
Principles to help guide chief privacy officers as they stake out their turf
Congress passed a bill last year requiring each federal agency to appoint a chief privacy officer, but lawmakers failed to write a clear job description.
Although the legislation asked agencies to report to Congress on privacy violations and establish guidelines that are easy for the public to understand, it left the duties of the senior privacy official largely undefined.
Does the job require privacy officers to protect individual privacy? Is it the privacy officer's job to ensure compliance with privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA) and the Freedom of Information Act? Who should the privacy officer represent the agency or the citizen in cases involving conflicts or complaints?
Experts say that defining the role of federal privacy officers is a work in progress. In most cases, privacy officers have to learn how to balance the demands of security and privacy in an age of terrorism. Franklin Reeder, chairman of the federal Information Security and Privacy Advisory Board, said he has a few ideas for federal privacy officers' duties.
"The challenges facing the chief privacy officer are growing as a result of new technology and new information practices, like the growing use of third-party data," Reeder said.
He leads a board that advises the National Institute of Standards and Technology and the Office of Management and Budget on information security and privacy issues. The board is expected to discuss the role of federal chief privacy officers in a meeting this month. Its members will try to reach consensus on the responsibilities of privacy officers in the federal government.
Experts offered the following suggestions for privacy officers' job descriptions.
Represent the agency, not individual citizens
In the best of all worlds, federal privacy officers could represent their agencies and individual citizens, Reeder said. But privacy officers have a different role from privacy advocates.
Agencies need both, Reeder said. They need someone who administers the provisions of the Privacy Act and someone who is more of an advocate than an administrator.
Reeder added that protecting individual privacy rights supports agencies "because you are helping them comply with the law."
Paul Rosenzweig, chairman of the Homeland Security Department's Privacy Committee and a senior legal research fellow at the Heritage Foundation, said federal privacy officers have been cast in a complicated role.
"The ideal privacy officer doesn't choose between the agency and the public," Rosenzweig said. "In the end, he works for the executive branch."
A privacy officer's main task is ensuring that privacy is considered within agency programs, Rosenzweig said. "It's a job for teaching the agency to achieve its mission, while also advancing liberty and privacy," he added.
Nancy Libin, staff counsel at the Center for Democracy and Technology, a think tank studying privacy issues, said she agreed, but added that the job is a balancing act.
"The agency is there to serve the public, and because these privacy values have a constitutional foundation, the privacy officer is there to enhance the agency's ability to ... achieve privacy protections and agency efficiency," Libin said.
Teach the fundamentals of fair information practices
Federal workers must understand the principles of fair information practices, and that is the role of a privacy officer, Reeder said.
The fiscal 2006 Transportation Appropriations Act, which President Bush signed into law in August, includes specific language for training federal employees to comply with federal privacy and data-protection policies. But that training is only the tip of the iceberg, Reeder said.
An important training element is "the awareness training, which is kind of soft, but [it] helps everybody who touches the data," he said.
Privacy awareness training must occur whenever agencies begin collecting new data, said John Fanning, a former privacy expert at the Department of Health and Human Services. "People ought to be taught to think hard about each piece of information they are collecting," he said.
"Training is essential," Libin said. "One of the most important roles and responsibilities of the chief privacy officer is to train the staff."
Monitor compliance with privacy laws
Reeder said duties related to data privacy should be rolled into one job. But others say the separation or consolidation of responsibilities depends on each agency and its particular mission.
Peter Swire, a privacy expert who served as chief counselor for privacy during the Clinton administration, said a chief privacy officer would not be the best person to oversee agencies' compliance with HIPAA, which defines protections for individual patient records.
Under HIPAA, each "covered entity" is required to have an officer responsible for privacy compliance, said Swire, who is now a law professor at Ohio State University.
Assist with development of impact assessments
Assist, Reeder said, but resist being the primary author of privacy impact assessments (PIAs). Those reviews are required each time a federal agency creates a new information system or begins collecting any new data that includes personally identifiable information.
The heavy lifting for such assessments should be the responsibility of the program office that is collecting the data, Reeder said. (TK word or more missing here???) e from the CPO, Reeder said. "The privacy office can provide technical assistance," he said.
Libin said she agreed, with a few qualifications. Federal agencies have many legitimate needs for collecting personal information, she said. The important matters are how agencies maintain personal information and how they share it among other agencies. "These are all areas where chief privacy officer plays such an important role," she said.
A related duty of the privacy officer is to make certain that the agency keeps federal privacy policies in mind when it buys new hardware and software, Swire said. A privacy officer can play a useful role in ensuring that privacy principles are built in from the start, he said. "The privacy office should blend privacy and technology."
Advocate privacy, remember security
Some agencies combine effective privacy practices with strong
security procedures, Reeder said, for example, the U.S. Postal Service, Internal Revenue Service, DHS.
In a new era of terrorism threats, privacy officials must weigh public safety and security considerations alongside privacy protections, Sotto said. "It's very difficult to come out with a hard and fast rule without understanding the particular circumstances," she said. "In certain instances, privacy rights may need to give way. But it's critical that the circumstances really be scrutinized as to where the balance ought to fall at any given time."
NEXT STORY: 911 wiped out in many areas