Federal Chief Privacy Officer Urged

Board: Government Must Update Privacy Laws
A government advisory panel recommends the creation of a federal chief privacy officer within the White House Office of Management and Budget as well as changes to the 35-year-old Privacy Act to reflect the impact of new technology on privacy.

The report from the Information Security and Privacy Advisory Board, entitled Toward A 21st Century Framework for Federal Government Privacy Policy, also calls on the government to hire chief privacy officers for most major agencies and to create a government-wide federal Chief Privacy Officers' Council.

"Inattention by policymakers to the underlying problems, and relatively little White House guidance, has meant that privacy policy is left to the individual agencies," says the report issued Wednesday. "There has been a lack of government wide direction, and only a few privacy leaders in key agencies have been empowered by their internal leadership to fill the policy vacuum."

The board's report points out that new technologies not covered by the decades-old law generate new questions and concerns, such as the federal government's failure to provide guidance on technologies that allow civilian agencies to track individuals and retain data about them by default.

"New technologies are generating new questions and concerns; and government use of private-sector databases now allows the collection and use of detailed personal information with little privacy protections," advisory board Chairman Dan Chenok, a senior vice president at IT services provider Pragmatics and a former IT official at OMB, wrote to OMB Director Peter Orszag, Federal CIO Vivek Kundra and Kevin Neyland, acting administrator of OMB's Office of Information and Regulatory Affairs.

Among the advisory board's recommendations:

  • Amend the Privacy and E-Government Acts to improve government privacy notices; revise the definition of systems of records based on how the government uses, not holds, records; and cover commercial data sources.

  • Government leadership on privacy must be improved by OMB hiring a chief privacy officer who's provided with proper resources; regularly updating OMB's Privacy Act guidelines; hiring chief privacy officers at all agencies with chief financial officers; and creating a Chief Privacy Officers' Council.

  • OMB should update its cookie policy. The current policies depend on bureaucratic speed bumps to protect user privacy. While this strategy has worked to some degree, the utility of cookies in Web 2.0 services will likely create greater incentive to circumvent user protections. Instead of banning the use of cookies, the government should be requiring a clear opt-in consent process for the use of cookies.

  • Hold agencies accountable on minimizing the use of Social Security numbers.

  • OMB should work with US-CERT to create interagency information on data loss. Security and privacy personnel need more information from US-CERT about the incidents that other agencies report. Agencies are contributing information and could learn a great deal about the types of incidents to look out for; the quality of their own reporting; and other best practices. One means to help share this information among agencies would be to create a closed system to share information about data loss incidents.

The Information Security and Privacy Advisory Board was created by the Computer Security Act of 1987 as the Computer System Security and Privacy Advisory Board, but was renamed with passage of the E-Government Act of 2002. Federal law charges the board with identifying emerging managerial, technical, administrative and physical safeguard issues relative to information security and privacy, and with advising the National Institute of Standards and Technology, the Commerce secretary and OMB director on information security and privacy issues pertaining to federal government information systems, including thorough review of proposed standards and guidelines developed by NIST.

Besides Chenok, advisory board members include Jaren Doherty, associate deputy assistant secretary for cyber security at the Department of Veterans Affairs; Brian Gouker, senior advisor, Information Assurance Directorate, National Security Agency; Joseph Guirrei, Kforce; Rebecca Leng, deputy assistant inspector general for information technology and computer security at the Department of Transportation; Lynn McNulty, McNulty and Associates; Alexander Popowycz, vice president, Fidelity Investments; Lisa Schlosser, Environmental Protection Agency; Howard Schmidt, CEO, R&H Security Consulting; Fred Schneider, Cornell University computer science professor; Ari Schwartz, chief operating officer at the Center for Democracy and Technology; and Peter Weinberg, senior software engineer at Google.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
