Privacy policies should not be optional

The chronic insensitivity of federal agencies to the issue of personal privacy is endlessly amazing. Hardly a day goes by without a headline about the public's concern about invasions of privacy. And yet the government blunders on its business-as-usual course, poking into the nooks and crannies of people's lives.

In March, federal banking agencies withdrew "Know Your Customer" rules that would have required banks to gather detailed information about their customers on a routine basis, analyze the information, track profiles on some customers and report their findings to the feds. The agencies received more than 200,000 angry messages from the public protesting the proposed invasion of privacy. Interestingly, groups politically to the far right and those to the far left were unanimous in opposing this government action. Why were these rules issued in the first place? Did no one in the banking agencies anticipate this reaction from the public?

Federal statistical agencies report that the public's rate of refusal to answer voluntary government surveys has slowly but steadily risen over the past several decades. Every year more Americans say no when their government asks for information.

What is the explanation for this phenomenon? Erosion of public trust in government. Increasingly, the public simply does not believe that Uncle Sam is a benign gentleman who has their best interests at heart.

The Center for Democracy and Technology (CDT) has published results of a new survey showing that agencies' World Wide Web sites are woefully deficient in publishing privacy policies. CDT found that 22 agencies had no clearly labeled privacy notices on their home pages. Six of these agencies were Cabinet departments, not small agencies. CDT categorized another eight agencies as having poorly labeled policies. On the plus side, 16 agencies had privacy statements that were easy to find.

In the business world, large companies that do business in the European Union are shelling out six-figure sums to major accounting firms for privacy audits so that they can be certified as complying with EU privacy regulations. The accounting firms do more than examine whether the companies have privacy policies in place. They also scrutinize the firms' information-handling practices and whether in fact employees handle personal information in accord with the policies.

Wouldn't it be a wonderful little exercise if federal inspectors general were to devise similar privacy audits for the agencies? Imagine a detailed list of the organizational behaviors an agency should be engaging in to protect personal privacy, starting with clearly enunciated policies but continuing down into detailed information-handling procedures. What results would you predict from such audits?

If you want to see for yourself that this is not a trivial matter, go to bbbonline.com and look at the Better Business Bureau's new BBBOnLine Privacy Program. Print out the Compliance Assessment Questionnaire and look it over to see what a business must do to acquire the BBB Privacy Seal. The questionnaire runs to almost 20 pages. Even granting that some sections of the questionnaire, such as parental consent, might not apply to federal agencies, a reading of the assessment should be a sobering experience for federal Webmasters.

A few things really can command an agency's attention, and one of them is its budget. I endorse CDT's call that the Office of Management and Budget tell agencies to post a privacy policy in 30 days or risk cuts in information technology budgets.

-- Sprehe is president of Sprehe Information Management Associates, Washington, D.C. He can be reached at jtsprehe@jtsprehe.com.