Privacy, security depend on program managers, experts say

Executives responsible for their organizations' compliance with security and privacy rules push them down to program managers to follow through in daily operations.

Program managers need to apply privacy and security best practices early, when they plan systems, if they want to manage risk effectively, said Robert Wright, principal at Merrill and former chief of the plans and program management unit in the FBI’s Cyber Division. Program management is about managing risk, he said.

To know what to implement, program managers should use as their reference guide laws such as the Privacy Act and the requirements of the Office of Management and Budget that govern privacy and security, said Sally Wallace, associate deputy assistant secretary for privacy and records management at the Veterans Affairs Department.

Agency executives who are responsible for their organizations' compliance with security and privacy laws and regulations push them down to program managers to follow through in daily operations.

For example, OMB has directed agencies to use personally identifiable information only when necessary and to reduce the use of Social Security numbers. Program managers also must produce privacy impact assessments when they develop or procure information systems that use or collect sensitive data. The assessments are a tool for ensuring that privacy is addressed throughout the life cycle of each IT system, and they identify the risks in collecting information, Wallace said Oct. 11 at the Program Management Summit 2007, sponsored by the E-Gov Institute, a division of Federal Computer Week’s corporate owner, 1105 Media.

The Privacy Act requires agencies to publish in the Federal Register system-of-records notices for systems that store data from which agencies retrieve information by an individual’s name or other identifier. The agency must detail in the notice the conditions under which it will use the personal information.

Most of VA’s attention to privacy and security issues has focused on electronic data, but department officials plan to establish by December a policy to help safeguard information on paper, Wallace said. VA plans to expand safeguards for paper-based data. Paper and mail have been issues, she said. For example, when a veteran wants to appeal a decision made at a regional office, that record is sent to VA offices in Washington. VA wants to make sure the record gets tracked, delivered and received, and doesn’t get torn open or sent to the wrong person. Those policies and procedures are already in place for electronic data.

“We’re going to mandate those actions or equivalent, especially where we’re sending irreplaceable records from one place to another in VA,” Wallace said.