[Politech] Homeland Security chief privacy officer reports to Congress [priv]

From: Declan McCullagh (declan@private)
Date: Wed Feb 11 2004 - 22:02:06 PST


    Other testimony from the hearing:
    http://www.house.gov/judiciary/commercial.htm
    
    ---
    
    http://www.house.gov/judiciary/kelly021004.htm
    
    TESTIMONY
    OF
    NUALA O’CONNOR KELLY
    CHIEF PRIVACY OFFICER
    U.S. DEPARTMENT OF HOMELAND SECURITY
    
    BEFORE THE
    SUBCOMMITTEE ON COMMERCIAL AND ADMINISTRATIVE LAW
    OF THE
    JUDICIARY COMMITTEE OF THE U.S. HOUSE OF REPRESENTATIVES
    
    FEBRUARY 10, 2004
    
    
    
    Chairman Cannon, Ranking Member Watt, Members of the subcommittee, and 
    distinguished colleagues on this panel, it is an honor to testify before 
    you today on the activities of the United States Department of Homeland 
    Security’s Privacy Office, which I am privileged to lead as the first Chief 
    Privacy Officer of the Department of Homeland Security.
    
    
    
    The protection of privacy, of the dignity of the individual, is not a value 
    that can be added on to this or any other organization later, and that is 
    why I am so pleased to have been here from almost the very beginning.  This 
    value is one that must be embedded in the very culture and structure of the 
    organization.  I know that we can and will succeed in this—not only because 
    our leadership believes in protecting the sanctity of the individual, but 
    also because our over 180,000 employees are also great Americans, who 
    believe in and act on these values—for themselves, their neighbors, and 
    their children—each day.
    
    
    
    
    
    Establishment of the DHS Privacy Office
    
    
    
    The creation of the Department of Homeland Security and its many programs 
    raise no shortage of important privacy and civil liberties issues for this 
    nation to address.   This Department, led by Secretary Tom Ridge, and this 
    Administration, led by President Bush, are committed to addressing these 
    critical issues as they seek to strengthen our homeland.    A crucial part 
    of this commitment is support for the creation and the mission of the 
    Privacy Office at the Department of Homeland Security.  Secretary Ridge 
    articulated his vision for this office, stating that the privacy office 
    “will be involved from the very beginning with every policy initiative and 
    every program initiative that we consider,” to ensure that our strategy and 
    our actions are consistent with not only the federal privacy safeguards 
    already on the books, but also “with the individual rights and civil 
    liberties protected by our laws and our Constitution.”
    
    
    
    As Members of this subcommittee are uniquely aware, the enabling statute 
    for the Department of Homeland Security contains Section 222, which directs 
    the Secretary to appoint a senior official in the Department to assume 
    primary responsibility for privacy policy.  This includes conducting and 
    oversight of formal Privacy Impact Assessments to “assure that the use of 
    technologies sustain, and do not erode, privacy protections relating to the 
    use, collection, and disclosure of personal information.”  This office also 
    oversees the Department’s compliance with the Privacy Act of 1974 and the 
    Privacy Impact Assessment requirements of the Electronic Government Act of 
    2002, and is directed to “evaluate legislative and regulatory proposals 
    involving collection, use, and disclosure of personal information by the 
    Federal Government.”  Uniquely and importantly, under the enabling statute, 
    the DHS Chief Privacy Officer provides an annual report to Congress on the 
    activities of the Department that affect privacy, including complaints of 
    privacy violations, implementation of the Privacy Act, internal controls, 
    and other matters.
    
    
    
    Key Legal Frameworks enforced by the Privacy Office
    
    One of the primary legal frameworks underlying the mission of the DHS 
    Privacy Office is, obviously, the federal Privacy Act of 1974. The Privacy 
    Act, 5 U.S.C. § 552a, provides a code of fair information practices that 
    governs the collection, maintenance, use, and dissemination of personal 
    information by federal agencies. Emanating from concerns about the ability 
    to aggregate personal information--partly due to new technologies like 
    mainframe computers of that day--this law provides substantial notice, 
    access, and redress rights for citizens and legal residents of the United 
    States whose information is held by some part of the executive branch of 
    the federal government. The law provides robust advance notice, through 
    detailed "system of records" notices, about the creation of new 
    technological or other systems containing personal information. The law 
    also provides the right of access to one’s own records, the right to know 
    and to limit other parties with whom the information has been shared, and 
    the right to appeal determinations regarding the accuracy of those records 
    or the disclosure of those records.  The Privacy Act is our country’s 
    articulation of Fair Information Principles; the Act both protects the 
    information of our citizens and also provides our citizens rights to access 
    that data.
    
    Under the Freedom of Information Act, 5 U.S.C.  § 552, the principle that 
    persons have a fundamental right to know what their government is doing is 
    enforced on a daily basis. Almost any person at any time has the right to 
    query a federal agency for documents and records. Our government and our 
    agency are grounded on principles of openness and accountability, tempered, 
    of course, by the need to preserve the confidentiality of sensitive 
    personal, commercial, and governmental information.  The Freedom of 
    Information Act is the primary statute that attempts to balance these 
    countervailing public concerns.    A robust FOIA/PA program is a critical 
    part of any agency's fundamental processes; it helps to provide assurance 
    to the public that, in pursuing its mission, an agency will also pursue 
    balanced policies of transparency and accountability while preserving 
    personal privacy.  The U.S. federal government will spend hundreds of 
    millions of dollars processing and responding to FOIA requests next year, 
    and thousands of federal workers will spend all or part of their day 
    compiling responses to those requests.  Our agency alone has over 300 staff 
    members across the Department who work full or part-time on Privacy Act and 
    FOIA issues.
    
    This past fall, the Office of Management and Budget released its guidance 
    under Section 208 of the E-Government Act of 2002—which mandates Privacy 
    Impact Assessments for all federal agencies when there are new collections 
    of, or new technologies applied to, personally identifiable 
    information.  This, really a third pillar of the privacy framework at the 
    federal level, reflects, once again, a growing reliance on technology to 
    move data--both in government spaces and on the Internet.  With the 
    addition of the privacy provisions of the E-Government Act to existing 
    privacy protections, our citizens now benefit from a comprehensive 
    framework within which government considers privacy in the ordinary course 
    of business.  The Act and underlying guidance synthesize numerous prior 
    statements and guidance on privacy practices and notices, and will assist 
    privacy practitioners in prioritizing their efforts. In particular, the 
    guidance provides direction on the content of privacy policies and on the 
    machine-readability of privacy policies.
    
    Further, the act outlines the parameters for privacy impact assessments. 
    Although in use by some agencies already, generally privacy impact 
    assessments are a new and important tool in the toolbelt of privacy 
    practitioners across the federal government. These new requirements 
    formalize an important principle: that data collection by the government 
    should be scrutinized for its impact on the individual and that 
    individual’s data…and ideally before that data collection is ever 
    implemented. The process, the very exercise of such scrutiny, is a crucial 
    step towards narrowly tailoring and focusing data collection towards the 
    core missions of government. This practice should provide even greater 
    awareness, both by those seeking to collect the data and those whose data 
    is collected, of the impact on the individual and the purpose of the 
    collection.
    
    I am pleased to have been a small part of the discussions towards the 
    development of guidance on privacy impact assessments. These new 
    requirements set the bar high for privacy practitioners. These requirements 
    also reflect, I believe, a growing sensitivity and awareness on the part of 
    our citizens regarding personal data flows in the public and private 
    sectors. I believe that this guidance will allow federal agencies to 
    respond to citizens’ concerns about these activities and also to be current 
    with, or perhaps even slightly ahead of, the evolution of privacy practices 
    in the private sector.
    
    Under the Privacy Act, in concert with the Freedom of Information Act and 
    the E-Government Act, citizens, legal residents, and visitors to the United 
    States have been afforded almost unequalled transparency into the federal 
    government’s activities and the federal government’s use of personal 
    information about them.  A robust FOIA/PA program is imperative to provide 
    the public with assurances that any information DHS collects is being 
    maintained consistent with all legal and regulatory requirements.
    
    Operationalizing Privacy Throughout the Department of Homeland Security
    
    Best Practices through Management Leadership
    
    The DHS Privacy Office works to promote best practices with respect to 
    privacy and infuse respectful information privacy principles and practices 
    for all employees into the DHS culture.  A major and substantial goal at 
    the outset for my tenure is to ‘operationalize’ privacy awareness and best 
    practices  throughout DHS, working not only with Secretary Ridge and our 
    senior policy leadership of the various agencies and directorates of the 
    department, but also with our Privacy Act and FOIA teams, as well as 
    operational staff across the Department.
    
    Consistent Policies and Education Efforts
    
    Through internal educational outreach and the establishment of internal 
    clearance procedures, we are sensitizing DHS directorates and components to 
    consider privacy whenever developing new programs or revising existing 
    ones. We are reviewing new technologies to ensure that privacy protections 
    are incorporated in the development and implementation of these new 
    systems.  Our headquarters staff has been reviewing all Privacy Impact 
    Assessments being conducted throughout the Department.  In this process, 
    DHS professionals have become educated about the need to consider--and 
    the framework for considering--the privacy impact of their technology 
    decisions.  We are reviewing Privacy Act systems notices before they are 
    sent forward and ensuring that we collect only those records that are 
    necessary to support our mission.  We also guide DHS agencies in developing 
    appropriate privacy policies for their programs and serve as a resource for 
    any question that may arise concerning privacy, information collection or 
    disclosure.  We work closely with various DHS policy teams, the Office of 
    the General Counsel, and the Chief Information Officers to ensure that the 
    mission of the Privacy Office is reflected in all DHS initiatives.  And  of 
    course we also work in concert with the Department’s Office for Civil 
    Rights and Civil Liberties, which is the other statutorily mandated office 
    at DHS Headquarters with an individual liberties focus.
    
    Integrated Privacy and Disclosure Mandates
    
    The work of the Privacy Office includes not only the statutory Privacy Act 
    and Privacy Impact Assessment work, but also integrates Freedom of 
    Information Act oversight for the Department.  This additional 
    responsibility was redelegated to the Privacy Office last summer by 
    Secretary Ridge, in recognition of the close connection between privacy and 
    disclosure laws, and the functional synergies of the work of our Privacy 
    Act and FOIA specialists across the Department.
    
    
    
    Transparency and Outreach to the Public
    
    
    
    The DHS Privacy Office also seeks to anticipate and satisfy public needs 
    and expectations, by providing a crucial link between those outside DHS who 
    are concerned about the privacy impact of the Department's initiatives, and 
    those inside the Department who are diligently working to achieve the 
    Department’s mission.  Our role is not only to inform, educate, and lead 
    privacy practice within the Department, but also to serve as listeners and 
    as a receptive audience to those outside the Department who have questions 
    or concerns about the Department’s operations. To that end, my office has 
    engaged in consistent and substantial outreach efforts to members of the 
    advocacy community, industry representatives, other U.S. agencies, foreign 
    governments, and most importantly, the American public, not only to inform 
    and educate those constituencies, but also, even more importantly, to hear 
    their concerns, to share those concerns with the Department’s leadership, 
    and to see that those concerns are addressed in our programs and in the 
    development of our policies.  Recent coverage of our privacy program, in 
    particular our Privacy Impact Assessment, or PIA,  of the US-VISIT program, 
    demonstrated how information-collection efforts, especially those employing 
    new or unfamiliar technology, can be done in a privacy-sensitive way. 
    Operationally, this particular PIA demonstrated an effective internal 
    system whereby staff from across the department worked together to create a 
    document that was at once technologically detailed and also reader-friendly.
    
    Key Policy Challenges
    
    The Use of Private-Sector Data
    
    I can think of no more compelling public policy issue, particularly one 
    that affects the privacy of our citizens and visitors to this country, than 
    the sharing of personal information between the public and private 
    sector.  It is one that has been successfully—and less 
    successfully—navigated by other agencies within the Federal government, and 
    it is one that we examine and grapple with in programs within every single 
    directorate and agency within the Department of Homeland Security almost 
    every day.
    
    
    
    It is the Privacy Office’s role to facilitate this conversation about and 
    this examination of the responsible uses of information by government 
    agencies within DHS.   That role sometimes requires us to encourage, and 
    even force conversation between those who label themselves as being 
    concerned only with privacy, and those who consider themselves all about 
    security.  I challenge those who feel the need to be one or the other.  It 
    is, in fact, possible, to achieve both responsible privacy practices and 
    achieve the mission of the Department of Homeland Security.  Issues of 
    privacy and civil liberties are most successfully navigated when the 
    necessary legal and policy protections are built in to the systems or 
    programs from the very beginning—both in the intelligent use of technology, 
    and in the responsible execution of programs.  Further, clear rules—both in 
    the private sector and in the public sector—are necessary to ensure that 
    such information sharing is done in a legitimate, respectful, and limited 
    fashion.
    
    International Cooperation
    
    A key focus of the Privacy Office’s work has been to engage the data 
    protection authorities internationally.  Privacy professionals the world 
    over share a common interest in assuring public trust in government 
    operations by encouraging transparency, as well as respect for fair 
    information principles such as collection limitation, purpose 
    specification, use limitation, data quality, security safeguards, openness, 
    participation, and accountability.  Our office has participated in the 
    meetings of the International Association of Data Protection and Privacy 
    Commissioners, although the office is not recognized at this time as an 
    accredited data protection authority. We have also worked cooperatively 
    with data protection authorities, or DPAs, to enable cross-border dispute 
    resolution of personal data issues.  Our office is both a point of appeals 
    for complaints about our various directorates’ programs, and also a point 
    of contact for our international counterparts, whether acting to 
    communicate policy concerns or individual citizens’ complaints.
    
    Balancing the Need for Transparency and the Need for Security in Operations
    
    Perhaps the most difficult issue in a law enforcement or counter-terrorism 
    context is the need to afford transparency and access to information for 
    individuals, while also safeguarding information that is essential to an 
    ongoing investigation of some type.  Our office seeks to assist the agency 
    in achieving this balance in a number of ways.  First, rules and procedures 
    for accessing information must be clear, easily attainable by individuals, 
    and easily understood.  Second, determinations that information is 
    sensitive or otherwise protected must be narrowly tailored and well 
    grounded.  Third, systems must be in place whereby individuals can be 
    assisted in correcting information that may impact them in some way, even 
    when that information is deemed protected.  An example of this is the use 
    of citizen advocates or ombudsmen, whereby government employees who have 
    security clearance or access to information act on behalf of individuals to 
    correct misidentifications or incorrect information that is associated with 
    an individual.  In addition, these processes must be efficient and 
    minimally burdensome on the individual, and must provide for an appeal or 
    further redress process that is adequately independent to ensure fairness 
    for the individual.  These processes exist in certain places within our 
    Department, and should be implemented where personal information is 
    collected by the government and used in a way that impacts the 
    individual.  The DHS Privacy Office plays a role in performing that 
    independent review and appeal process for our directorates and citizens.
    
    The Defense of Privacy Act
    
    The DHS Privacy Office applauds the subcommittee for its interest in 
    privacy issues, and even more, privacy practices across the federal 
    government.  We in government are often quick to point to private-sector 
    lapses in privacy policy, and we should be equally vigilant about our own 
    use of personal data.  While the federal government benefits from the 
    requirements of the Privacy Act of 1974, it is also true that new 
    technologies have allowed data sharing in new and perhaps unexpected 
    ways.   The Privacy Impact Assessment requirements of the E-Government Act 
    of 2002 recognize these new technological challenges and seek to provide 
    reader-friendly information about such data collections in a new and 
    perhaps more technologically savvy fashion.
    
    The proposed Defense of Privacy Act shares many similarities with the PIA 
    requirements under the E-Government Act, ones that are worth noting, such 
    as the need for a “senior agency official with primary responsibility for 
    privacy policy.”  While the need for a statutory privacy officer at DHS may 
    be virtually unique in the federal government, given the agency’s size and 
    the co-mingling of parts of more than 22 former federal agencies, the need 
    for senior policy leadership at any agency that affects public data is 
    certainly recognized.
    
    Further, the Act does clarify the timing of PIAs, to be both a prospective 
    document, issued at the NPRM stage, and a final document, issued in 
    response to public comments.  We at DHS have, and fully intend to continue 
    to publish PIAs for public comment and we believe that this public dialogue 
    is essential to our understanding of public concerns about DHS programs.  I 
    should note that the Administration continues to review this legislation, 
    and we may have additional comments at a later time.
    
    
    
    Internal and External Role
    
    I am often asked whether I view my job as a privacy advocate and thus at 
    odds with the activities of the Department.  The answer is absolutely 
    not.  As Secretary Ridge has articulated on many occasions, the Department 
    of Homeland Security’s mission is more than just counter-terrorism, more 
    than just the protection of people and places and things.  It is also the 
    protection of our liberties and our way of life, and that includes the 
    ability to engage in public life with dignity, autonomy, and a general 
    expectation of respect for  personal privacy.  Thus, the protection of 
    privacy is neither an adjunct nor the antithesis to the mission of the 
    Department of Homeland Security.   Privacy protection, in fact, is at the 
    core of that mission.
    
    I am very much in agreement with the statutory definition of my office's 
    position as being both "within" and "without" the Department of Homeland 
    Security. As part of the department, we are able to serve as educators, as 
    leaders, and as full participants in the policy direction of important 
    programs. And as outsiders, we are able to turn a critical eye on the most 
    controversial and the most mundane aspects of the Department's operations. 
    But I do not position my office as the enemy of the mission of this 
    department. Rather, I see it as crucial, fundamental to successfully 
    achieving that mission.
    
    
    
    On a daily basis, I am aware of what it means to set parameters for the 
    federal government’s use of personal information—information that has been 
    given to us in our capacity as the provider of services, as the caretaker 
    of the public’s physical security, and, most importantly, the custodian of 
    the public's trust.  Secretary Ridge has said that “Fear of government 
    abuse of information…is understandable, but we cannot let it stop us from 
    doing what is right and responsible.” The antidote to fear, as he has said, 
    “is an open, fair, and transparent process that guarantees the protection 
    and the privacy of that data.”  I commit to this Committee, to the American 
    people whom we serve,  and to our neighbors around the globe, that the 
    Privacy Office is implementing this philosophy on a daily basis at the 
    Department of Homeland Security.
    
    
    
    I thank you for your time, and for your interest in and support of the 
    Department of Homeland Security Privacy Office.
    
    
    _______________________________________________
    Politech mailing list
    Archived at http://www.politechbot.com/
    Moderated by Declan McCullagh (http://www.mccullagh.org/)
    


