Note: This blog is adapted from testimony delivered before the Senate Homeland Security and Governmental Affairs' Subcommittee on Oversight of Government Management, the Federal Workforce and the District of Columbia.
See Also: Proactive Malware Hunting
First, the chief privacy officer is important for the "clearance" process."
To ensure a unified administration position, for congressional testimony, executive orders and many other documents, drafts are circulated for clearance among the various agencies and components of the Executive Office of the President. Once comments are received, discussions are sometimes needed to resolve differences of opinion, with appeal to more senior officials if differences are not resolved at lower levels. In addition to these structured clearance procedures, agency experts on an issue such as privacy often get engaged earlier in the policy planning process, in a variety of working groups and less-formal methods of sharing expertise and views.
From my time as chief counselor for privacy in the White House Office of Management and Budget, the number of privacy issues addressed by federal agencies is far greater than many people realize. Here is a list of the sorts of privacy issues that can arise in each of the cabinet departments:
- Agriculture: Migrant worker records.
- Defense and Veterans Affairs: Records of service members.
- Education: Education records, including for for-profit institutions.
- Energy: Smart grid.
- Health and Human Services: Medical records; many forms of human services records.
- Homeland Security: Numerous issues, including transportation safety and immigration.
- Housing and Urban Development: Public housing records.
- Interior: National park reservations and other services provided online.
- Justice: Numerous issues.
- Labor: Records of union membership.
- State: International privacy issues.
- Transportation: Drone surveillance.
- Treasury: Financial privacy; money laundering.
This list shows a wide variety of privacy issues, and also that privacy issues emerge for new agencies over time. As one example, surveillance by drones is becoming an important privacy issue as the Federal Aviation Administration permits expanded use of drones within the borders of the United States. For these kinds of emerging issues, the expertise developed by a federal CPO would be quite useful.
Second, along with clearance, the executive branch needs effective coordination to develop and announce the administration position in international settings. Data flows today are pervasively global. We are reminded of this reality by the ongoing debates about the European Union's draft Regulation on Data Protection. A very wide range of Internet and other private-sector data practices would be affected if that regulation were to go into effect as written.
From my time at OMB and in the National Economic Council, there are certainly existing mechanisms for policy coordination. The NEC and National Security Council are experienced at bringing together the relevant agencies to coordinate on complex policy problems. These policy mechanisms, however, are not a good match for the ongoing privacy challenges. Resolving privacy issues often requires cross-cutting expertise, drawing on domains including information technology, law, business practices and policy. When this complexity is added to the complex interagency and international dimensions of the issue, the policy councils do not have the staffing and infrastructure to do a good enough job on managing privacy issues over time.
Congress should create by legislation the Office of the Federal Chief Privacy Officer, and similarly require each major agency to have a CPO.
My sense is that this shift reflects the institutional difficulties in establishing a new office unless there is Congressional support. Existing offices are reluctant to cede their current roles and budget. Congress mandated creation of the office of the chief privacy officer when it created the Department of Homeland Security, and CPO in that department has been effective at having institutional support compared with other agencies.
Based on my experience, OMB is an effective location for the federal CPO. This fits the management responsibilities of the Office of Management and Budget. In 1999, after a survey found that privacy policies were lacking on many federal agency websites, we were tasked with defining acceptable privacy policies and then making sure that agencies posted them. That experience taught my staff and me the challenges of complying with rules and public scrutiny. That kind of experience helps the CPO be more realistic when developing policy that other organizations are expected to follow.
One topic that could benefit from further discussion is how to integrate a federal CPO with the Privacy and Civil Liberties Oversight Board. One way to split responsibilities is for the federal CPO to coordinate policy and oversight for unclassified information technology systems, while the PCLOB would take the lead on classified systems. This apportionment of responsibilities would parallel the existing, different requirements for classified and unclassified systems generally. In terms of function, the federal CPO would take the lead on clearance and other issues of cross-agency coordination. The PCLOB is designed to be independent of the executive branch, and thus would not play that inter-agency coordination role. Instead, its principal responsibilities would include oversight and investigation of data used in connection with anti-terrorism efforts.
Peter Swire is a law professor at Ohio State University, senior follow at the Center for American Progress and policy fellow at the Center for Democracy and Technology. Swire served as chief counselor for privacy in the White House Office of Management and Budget during the Clinton administration and special assistant to the president for economic policy in the Obama White House.