Other testimony from the hearing: http://www.house.gov/judiciary/commercial.htm --- http://www.house.gov/judiciary/kelly021004.htm TESTIMONY OF NUALA O’CONNOR KELLY CHIEF PRIVACY OFFICER U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE SUBCOMMITTEE ON COMMERCIAL AND ADMINISTRATIVE LAW OF THE JUDICIARY COMMITTEE OF THE U.S. HOUSE OF REPRESENTATIVES FEBRUARY 10, 2004 Chairman Cannon, Ranking Member Watt, Members of the subcommittee, and distinguished colleagues on this panel, it is an honor to testify before you today on the activities of the United States Department of Homeland Security’s Privacy Office, which I am privileged to lead as the first Chief Privacy Officer of the Department of Homeland Security. The protection of privacy, of the dignity of the individual, is not a value that can be added on to this or any other organization later, and that is why I am so pleased to have been here from almost the very beginning. This value is one that must be embedded in the very culture and structure of the organization. I know that we can and will succeed in this—not only because our leadership believes in protecting the sanctity of the individual, but also because our over 180,000 employees are also great Americans, who believe in and act on these values—for themselves, their neighbors, and their children—each day. Establishment of the DHS Privacy Office The creation of the Department of Homeland Security and its many programs raise no shortage of important privacy and civil liberties issues for this nation to address. This Department, led by Secretary Tom Ridge, and this Administration, led by President Bush, are committed to addressing these critical issues as they seek to strengthen our homeland. A crucial part of this commitment is support for the creation and the mission of the Privacy Office at the Department of Homeland Security. Secretary Ridge articulated his vision for this office, stating that the privacy office “will be involved from the very beginning with every policy initiative and every program initiative that we consider,” to ensure that our strategy and our actions are consistent with not only the federal privacy safeguards already on the books, but also “with the individual rights and civil liberties protected by our laws and our Constitution.” As Members of this subcommittee are uniquely aware, the enabling statute for the Department of Homeland Security contains Section 222, which directs the Secretary to appoint a senior official in the Department to assume primary responsibility for privacy policy. This includes conducting and oversight of formal Privacy Impact Assessments to “assure that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information.” This office also oversees the Department’s compliance with the Privacy Act of 1974 and the Privacy Impact Assessment requirements of the Electronic Government Act of 2002, and is directed to “evaluate legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government.” Uniquely and importantly, under the enabling statute, the DHS Chief Privacy Officer provides an annual report to Congress on the activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act, internal controls, and other matters. Key Legal Frameworks enforced by the Privacy Office One of the primary legal frameworks underlying the mission of the DHS Privacy Office is, obviously, the federal Privacy Act of 1974. The Privacy Act, 5 U.S.C. § 552a, provides a code of fair information practices that governs the collection, maintenance, use, and dissemination of personal information by federal agencies. Emanating from concerns about the ability to aggregate personal information--partly due to new technologies like mainframe computers of that day--this law provides substantial notice, access, and redress rights for citizens and legal residents of the United States whose information is held by some part of the executive branch of the federal government. The law provides robust advance notice, through detailed "system of records" notices, about the creation of new technological or other systems containing personal information. The law also provides the right of access to one’s own records, the right to know and to limit other parties with whom the information has been shared, and the right to appeal determinations regarding the accuracy of those records or the disclosure of those records. The Privacy Act is our country’s articulation of Fair Information Principles; the Act both protects the information of our citizens and also provides our citizens rights to access that data. Under the Freedom of Information Act, 5 U.S.C. § 552, the principle that persons have a fundamental right to know what their government is doing is enforced on a daily basis. Almost any person at any time has the right to query a federal agency for documents and records. Our government and our agency are grounded on principles of openness and accountability, tempered, of course, by the need to preserve the confidentiality of sensitive personal, commercial, and governmental information. The Freedom of Information Act is the primary statute that attempts to balance these countervailing public concerns. A robust FOIA/PA program is a critical part of any agency's fundamental processes; it helps to provide assurance to the public that, in pursuing its mission, an agency will also pursue balanced policies of transparency and accountability while preserving personal privacy. The U.S. federal government will spend hundreds of millions of dollars processing and responding to FOIA requests next year, and thousands of federal workers will spend all or part of their day compiling responses to those requests. Our agency alone has over 300 staff members across the Department who work full or part-time on Privacy Act and FOIA issues. This past fall, the Office of Management and Budget released its guidance under Section 208 of the E-Government Act of 2002—which mandates Privacy Impact Assessments for all federal agencies when there are new collections of, or new technologies applied to, personally identifiable information. This, really a third pillar of the privacy framework at the federal level reflects, once again, a growing reliance on technology to move data--both in government spaces and on the Internet. With the addition of the privacy provisions of the E-Government Act to existing privacy protections, our citizens now benefit from a comprehensive framework within which government considers privacy in the ordinary course of business. The Act and underlying guidance synthesize numerous prior statements and guidance on privacy practices and notices, and will assist privacy practitioners in prioritizing their efforts. In particular, the guidance provides direction on the content of privacy policies and on the machine-readability of privacy policies. Further, the act outlines the parameters for privacy impact assessments. Although in use by some agencies already, generally privacy impact assessments are a new and important tool in the toolbelt of privacy practitioners across the federal government. These new requirements formalize an important principle: that data collection by the government should be scrutinized for its impact on the individual and that individual’s data…and ideally before that data collection is ever implemented. The process, the very exercise of such scrutiny, is a crucial step towards narrowly tailoring and focusing data collection towards the core missions of government. This practice should provide even greater awareness, both by those seeking to collect the data and those whose data is collected, of the impact on the individual and the purpose of the collection. I am pleased to have been a small part of the discussions towards the development of guidance on privacy impact assessments. These new requirements set the bar high for privacy practitioners. These requirements also reflect, I believe, a growing sensitivity and awareness on the part of our citizens regarding personal data flows in the public and private sectors. I believe that this guidance will allow federal agencies to respond to citizens’ concerns about these activities and also to be current with, or perhaps even slightly ahead of, the evolution of privacy practices in the private sector. Under the Privacy Act, in concert with the Freedom of Information Act and the E-Government Act, citizens, legal residents, and visitors to the United States have been afforded almost unequalled transparency into the federal government’s activities and the federal government’s use of personal information about them. A robust FOIA/PA program is imperative to provide the public with assurances that any information DHS collects is being maintained consistent with all legal and regulatory requirements. Operationalizing Privacy Throughout the Department of Homeland Security Best Practices through Management Leadership The DHS Privacy Office works to promote best practices with respect to privacy and infuse respectful information privacy principles and practices for all employees into the DHS culture. A major and substantial goal at the outset for my tenure is to ‘operationalize’ privacy awareness and best practices throughout DHS, working not only with Secretary Ridge and our senior policy leadership of the various agencies and directorates of the department, but also with our Privacy Act and FOIA teams, as well as operational staff across the Department. Consistent Policies and Education Efforts Through internal educational outreach and the establishment of internal clearance procedures, we are sensitizing DHS directorates and components to consider privacy whenever developing new programs or revising existing ones. We are reviewing new technologies to ensure that privacy protections are incorporated in the development and implementation of these new systems. Our headquarters staff has been reviewing all Privacy Impact Assessments being conducted throughout the Department. In this process, DHS professionals have become educated about to the need to consider--and the framework for considering--the privacy impact of their technology decisions. We are reviewing Privacy Act systems notices before they are sent forward and ensuring that we collect only those records that are necessary to support our mission. We also guide DHS agencies in developing appropriate privacy policies for their programs and serve as a resource for any question that may arise concerning privacy, information collection or disclosure. We work closely with various DHS policy teams, the Office of the General Counsel, and the Chief Information Officers to ensure that the mission of the Privacy Office is reflected in all DHS initiatives. And of course we also work in concert with the Department’s Office for Civil Rights and Civil Liberties, which is the other statutorily mandated office at DHS Headquarters with an individual liberties focus. Integrated Privacy and Disclosure Mandates The work of the Privacy Office includes not only the statutory Privacy Act and Privacy Impact Assessement work, but also integrates Freedom of Information Act oversight for the Department. This additional responsibility was redelegated to the Privacy Office last summer by Secretary Ridge, in recognition of the close connection between privacy and disclosure laws, and the functional synergies of the work of our Privacy Act and FOIA specialists across the Department. Transparency and Outreach to the Public The DHS Privacy Office also seeks to anticipate and satisfy public needs and expectations, by providing a crucial link between those outside DHS who are concerned about the privacy impact of the Department's initiatives, and those inside the Department who are diligently working to achieve the Department’s mission. Our role is not only to inform, educate, and lead privacy practice within the Department, but also to serve as listeners and as a receptive audience to those outside the Department who have questions or concerns about the Department’s operations. To that end, my office has engaged in consistent and substantial outreach efforts to members of the advocacy community, industry representatives, other U.S. agencies, foreign governments, and most importantly, the American public, not only to inform and educate those constituencies, but also, even more importantly, to hear their concerns, to share those concerns with the Department’s leadership, and to see that those concerns are addressed in our programs and in the development of our policies. Recent coverage of our privacy program, in particular our Privacy Impact Assessment, or PIA, of the US-VISIT program, demonstrated how information-collection efforts, especially those employing new or unfamiliar technology, can be done in a privacy-sensitive way. Operationally, this particular PIA demonstrated an effective internal system whereby staff from across the department worked together to create a document that was at once technologically detailed and also reader-friendly. Key Policy Challenges The Use of Private-Sector Data I can think of no more compelling public policy issue, particularly one that affects the privacy of our citizens and visitors to this country, than the sharing of personal information between the public and private sector. It is one that has been successfully—and less successfully—navigated by other agencies within the Federal government, and it is one that we examine and grapple with in programs within every single directorate and agency within the Department of Homeland Security almost every day. It is the Privacy Office’s role to facilitate this conversation about and this examination of the responsible uses of information by government agencies within DHS. That role sometimes requires us to encourage, and even force conversation between those who label themselves as being concerned only with privacy, and those who consider themselves all about security. I challenge those who feel the need to be one or the other. It is, in fact, possible, to achieve both responsible privacy practices and achieve the mission of the Department of Homeland Security. Issues of privacy and civil liberties are most successfully navigated when the necessary legal and policy protections are built in to the systems or programs from the very beginning—both in the intelligent use of technology, and in the responsible execution of programs. Further, clear rules—both in the private sector and in the public sector—are necessary to ensure that such information sharing is done in a legitimate, respectful, and limited fashion. International Cooperation A key focus of the Privacy Office’s work has been to engage the data protection authorities internationally. Privacy professionals the world over share a common interest in assuring public trust in government operations by encouraging transparency, as well as respect for fair information principles such as collection limitation, purpose specification, use limitation, data quality, security safeguards, openness, participation, and accountability. Our office has participated in the meetings of the International Association of Data Protection and Privacy Commissioners, although the office is not recognized at this time as an accredited data protection authority. We have also worked cooperatively with data protection authorities, or DPAs, to enable cross-border dispute resolution of personal data issues. Our office is both a point of appeals for complaints about our various directorates’ programs, and also a point of contact for our international counterparts, whether acting to communicate policy concerns or individual citizens’ complaints. Balancing the Need for Transparency and the Need for Security in Operations Perhaps the most difficult issue in a law enforcement or counter-terrorism context is the need to afford transparency and access to information for individuals, while also safeguarding information that is essential to an ongoing investigation of some type. Our office seeks to assist the agency in achieving this balance in a number of ways. First, rules and procedures for accessing information must be clear, easily attainable by individuals, and easily understood. Second, determinations that information is sensitive or otherwise protected must be narrowly tailored and well grounded. Third, systems must be in place whereby individuals can be assisted in correcting information that may impact them in some way, even when that information is deemed protected. An example of this is the use of citizen advocates or ombudsmen, where by government employees who have security clearance or access to information act on behalf of individuals to correct misidentifications or incorrect information that is associated with an individual. In addition, these processes must be efficient and minimally burdensome on the individual, and must provide for an appeal or further redress process that is adequately independent to ensure fairness for the individual. These processes exist in certain places within our Department, and should be implemented where personal information is collected by the government and used in a way that impacts the individual. The DHS Privacy Office plays a role in performing that independent review and appeal process for our directorates and citizens. The Defense of Privacy Act The DHS Privacy Office applauds the subcommittee for its interest in privacy issues, and even more, privacy practices across the federal government. We in government are often quick to point to private-sector lapses in privacy policy, and we should be equally vigilant about our own use of personal data. While the federal government benefits from the requirements of the Privacy Act of 1974, it is also true that new technologies have allowed data sharing in new and perhaps unexpected ways. The Privacy Impact Assessment requirements of the E-Government Act of 2002 recognize these new technological challenges and seek to provide reader-friendly information about such data collections in a new and perhaps more technologically savvy fashion. The proposed Defense of Privacy Act shares many similarities with the PIA requirements under the E-Government Act, ones that are worth noting, such as the need for a “senior agency official with primary responsibility for privacy policy.” While the need for a statutory privacy officer at DHS may be virtually unique in the federal government, given the agency’s size and the co-mingling of parts of more than 22 former federal agencies, the need for senior policy leadership at any agency that affects public data is certainly recognized. Further, the Act does clarify the timing of PIAs, to be both a prospective document, issued at the NPRM stage, and a final document, issued in response to public comments. We at DHS have, and fully intend to continue to publish PIAs for public comment and we believe that this public dialogue is essential to our understanding of public concerns about DHS programs. I should note that the Administration continues to review this legislation, and we may have additional comments at a later time. Internal and External Role I am often asked whether I view my job as a privacy advocate and thus at odds with the activities of the Department. The answer is absolutely not. As Secretary Ridge has articulated on many occasions, the Department of Homeland Security’s mission is more than just counter-terrorism, more than just the protection of people and places and things. It is also the protection of our liberties and our way of life, and that includes the ability to engage in public life with dignity, autonomy, and a general expectation of respect for personal privacy. Thus, the protection of privacy is neither an adjunct nor the antithesis to the mission of the Department of Homeland Security. Privacy protection, in fact, is at the core of that mission. I am very much in agreement with the statutory definition of my office's position as being both "within" and "without" the Department of Homeland Security. As part of the department, we are able to serve as educators, as leaders, and as full participants in the policy direction of important programs. And as outsiders, we are able to turn a critical eye on the most controversial and the most mundane aspects of the Department's operations. But I do not position my office as the enemy of the mission of this department. Rather, I see it as crucial, fundamental to successfully achieving that mission. On a daily basis, I am aware of what it means to set parameters for the federal government’s use of personal information—information that has been given to us in our capacity as the provider of services, as the caretaker of the public’s physical security, and, most importantly, the custodian of the public's trust. Secretary Ridge has said that “Fear of government abuse of information…is understandable, but we cannot let it stop us from doing what is right and responsible.” The antidote to fear, as he has said, “is an open, fair, and transparent process that guarantees the protection and the privacy of that data.” I commit to this Committee, to the American people whom we serve, and to our neighbors around the globe, that the Privacy Office is implementing this philosophy on a daily basis at the Department of Homeland Security. I thank you for your time, and for your interest in and support of the Department of Homeland Security Privacy Office. _______________________________________________ Politech mailing list Archived at http://www.politechbot.com/ Moderated by Declan McCullagh (http://www.mccullagh.org/)
This archive was generated by hypermail 2b30 : Wed Feb 11 2004 - 23:15:26 PST