Federal Chief Privacy Officer Urged
Board: Government Must Update Privacy Laws
The board's report points out that new technologies not covered by the decades-old law generate new questions and concerns, such as the federal government's failure to provide guidance on technologies that allow civilian agencies to track individuals and retain data about them by default.
"New technologies are generating new questions and concerns; and government use of private-sector databases now allows the collection and use of detailed personal information with little privacy protections," advisory board Chairman Dan Chenok, a senior vice president at IT services provider Pragmatics and a former IT official at OMB, wrote to OMB Director Peter Orszag, Federal CIO Vivek Kundra and Kevin Neyland, acting administrator of OMB's Office of Information and Regulatory Affairs.
Among the advisory board's recommendations:
- Amend the Privacy and E-Government Acts to improve government privacy notices; revise the definition of systems of records based on how the government uses, not holds, records; and cover commercial data sources.
- Government leadership on privacy must be improved by OMB hiring a chief privacy officer who's provided with proper resources; regularly updating OMB's Privacy Act guidelines; hiring chief privacy officers at all agencies with chief financial officers; and creating a Chief Privacy Officers' Council.
- Hold agencies accountable on minimizing the use of Social Security numbers.
- OMB should work with US-CERT to create interagency information on data loss. Security and privacy personnel need more information from US-CERT about the incidents that other agencies report. Agencies are contributing information and could learn a great deal about the types of incidents to look out for; the quality of their own reporting; and other best practices. One means to help share this information among agencies would be to create a closed system to share information about data loss incidents.
The Information Security and Privacy Advisory Board was created by the Computer Security Act of 1987 as the Computer System Security and Privacy Advisory Board, but was renamed with passage of the E-Government Act of 2002. Federal law charges the board with identifying emerging managerial, technical, administrative and physical safeguard issues relative to information security and privacy, and with advising the National Institute of Standards and Technology, the Commerce secretary and OMB director on information security and privacy issues pertaining to federal government information systems, including thorough review of proposed standards and guidelines developed by NIST.
Besides Chenok, advisory board members include Jaren Doherty, associate deputy assistant secretary for cyber security at the Department of Veterans Affairs; Brian Gouker, senior advisor, Information Assurance Directorate, National Security Agency; Joseph Guirrei, Kforce; Rebecca Leng, deputy assistant inspector general for information technology and computer security at the Department of Transportation; Lynn McNulty, McNulty and Associates; Alexander Popowycz, vice president, Fidelity Investments; Lisa Schlosser, Environmental Protection Agency; Howard Schmidt, CEO, R&H Security Consulting; Fred Schneider, Cornell University computer science professor; Ari Schwartz, chief operating officer at the Center for Democracy and Technology; and Peter Weinberg, senior software engineer at Google.