Privacy advocates push for czar

Congress should mandate a chief privacy officer position at the Office of Management and Budget to oversee federal policies and agency collaboration, privacy advocates said recently.

Every agency may not need its own statutory privacy officer, but lawmakers could examine which agencies need one, and a chief officer at OMB could oversee governmentwide efforts to implement privacy protections, they argued.

"An office inside OMB can provide both institutional memory and sensitivity to combat the unfortunate tendency in government to surveil first and think later," said Sally Katzen, a law professor and former deputy director for management at OMB under the Clinton administration. "If someone had been appointed, the administration may not have appeared to be so tone deaf to some issues."

Testifying Feb. 10 before the House Judiciary Committee's Commercial and Administrative Law Subcommittee, Katzen urged lawmakers to mandate the position, known as the chief counselor for privacy and filled during the Clinton administration by Peter Swire, now a law professor at Ohio State University.

Swire agreed with the idea of a mandated position because he was able to coordinate interagency issues, provide leadership on policies and set themes.

"The advantage of putting it in the statute is that it's a congressional decision to build privacy into the system," Swire said in a telephone interview. "It's easier to have congressional oversight. Also, it raises the visibility of the officers of the agencies. It becomes the jobs of the agencies to have a good story to tell on privacy."

Mandating the position would give the official more influence, forcing agencies to take the issues seriously, said Larry Ponemon, founder of the Ponemon Institute and adjunct professor of ethics and privacy at the CIO Institute. "It creates the perception of importance," he said.

The Homeland Security Department is the only agency to have a chief privacy officer position required by law. Nuala O'Connor Kelly holds the job. Other agencies have privacy officers, and OMB requires a senior-level position, but the duties are not legally required. A governmentwide official would help set standards and avoid duplication while providing direction, advocates say.

Some agencies that handle larger amounts of personal information, such as the U.S. Postal Service and the Internal Revenue Service, may need mandated privacy positions. However, requiring the position at agencies that don't handle much of that data might create more bureaucracy, officials warn.

"One way to strike the balance is to have a designated chief privacy officer in OMB, and then to go agency by agency where it is particularly necessary," James Dempsey, executive director of the Center for Democracy and Technology, told lawmakers.

The legislation that created O'Connor Kelly's position should be a model for

government, particularly the Justice

Department, Dempsey said. One lawmaker agreed and said the Justice reauthorization bill would be a good place to start.

"My sense is having done what we have done at DHS gives us a much better sense of [what else] can be done, particularly with statutory authority," said Rep. Chris Cannon (R-Utah), chairman of the subcommittee. "I suspect we are going to see more privacy officers."