Agencies settling in on better privacy controls

Wednesday - 1/29/2014, 3:45am EST

Jason Miller discusses his article with Federal Drive hosts Tom Temin and Emily Kopp.

Download mp3

Agencies are treating privacy today like they treated cybersecurity three or five years ago.

They realize it's important. They realize they have to do it. But they aren't exactly sure how and what it means to apply privacy to data.

"Privacy is a management issue. It's a classic risk management issue in the same way that cybersecurity issues are risk management issues and in the same way business expenditures are risk management issues," said Peter Miller, the chief privacy officer at the Federal Trade Commission, during a presentation at ACT- IAC's forum on cybersecurity and privacy in Washington Tuesday. "In order to do an effective job, you have to accurately identify the risks that are involved. Again, that talks about how you actually handle the risks associated and the issues, and is privacy actually involved?"

Like many experts preached for the last decade and still do today around cybersecurity, agencies need to consider privacy implications on the front end of any new system, data collection or other activity.

More than a decade after Congress passed the last major law addressing privacy, the E-Government Act of 2003, privacy issues are near the top of the list for many agencies with the recent National Security Agency data collection revelations, as well as the increased number of data breaches across the public and private sectors.

Over the last 40 years, agencies haven't ignored privacy. The Privacy Act of 1974 still applies today. The E-Government Act included privacy updates and new requirements, including the need for all agencies to do a privacy impact assessment when there are new collections of, or new technologies applied to, personally identifiable information.

And of course, the Office of Management and Budget required, as part of the E- Government Act's implementation guidance, that each agency name a senior official in charge of privacy.

Two faces of privacy

Some agencies named a person whose sole job is to be the chief privacy officer (CPO), such as the departments of Homeland Security and Justice. But others have added the CPO hat to their CIO or general counsel or assistant secretary for management.

So now, 10 years after the E-Government Act, 40 years after the Privacy Act and in the midst of recent data disclosures, agencies really are just beginning to understand how they need to address privacy issues.

Miller said part of the challenge is privacy is both subjective and objective.

Privacy, in many ways, is hard to define because it means different things to everyone. But there are rules and regulations that govern agency implementation — most of which need to be updated because Congress and the White House haven't kept them up with the changes in technology and how agencies use data. This discussion is very similar to the debate around cybersecurity that's been ongoing for the last three years between the administration and Congress.

Miller said the role of the CPO is similar to the role of a chief information security officer, but less defined in some respects.

"I want to be the person to support the business operations in a positive way. So privacy is never saying 'no.' Privacy is about saying 'yes' or 'yes, but there may be some modifications to a particular project or particular application.' But not something that actually stops an organization dead in the water," he said. "Of course, the other issue we all deal with is, privacy is just one component of an overall operation. So you have the IT piece, the business mission piece, you have stakeholders, and you have all these different pressures on an organization. So privacy can't always drive the process, but what it can do is inform the process."

A major role for the CPO is to convince the business owners about why privacy needs to be considered on the front end of any program, again similar to the way CISOs and CIOs were talking about cybersecurity three or five years ago.

Best practices available

Miller said the FTC is following several principles to improve its privacy processes.

"It's important that you know the data. I think one of the things privacy puts a real premium on is knowing where in an organization personal information resides, and knowing how it's used and where it's used, and that's separate from the other information an organization handles," he said. "One of the key issues for this, in terms of knowing the organization's data, is being able to break it down in a way that makes sense in terms of talking about it, identifying risks and moving on."