Recasting the privacy officer

Federal privacy officers shouldn’t be typecast in the role of Dr. No, panelists at the Information Resources Management Conference said today in a wide-ranging discussion.Barbra Symonds, director of the IRS’ Privacy and Information Office, and Jim Dempsey, policy director of the Center for Democracy and Technology, described different ways in which privacy officers can shed the naysayer stereotype by helping and not hindering IT officials.Dr. No was a villain in Ian Fleming’s series of James Bond spy novels."I like to call us the friendly auditors," Symonds said. She emphasized the need to convince IT officials to build privacy controls into systems as they are being developed.Symonds added that when she talks to private companies that build the software taxpayers use to file tax returns, she emphasizes that they can use their systems’ privacy features as a selling point."It’s not that all information-sharing is evil and wrong," Symonds said. She added that privacy officers can help system designers focus on methods of limiting the amount of information shared with a particular group of users to the data that they really need to help improve privacy controls.At the same time, Symonds said, privacy officials sometimes face problems with disgruntled software developers who leave back doors or "God keys" hidden in systems. "Many software developers don’t like to document what they have done," she said. "But as soon as there is a problem, everyone wants to see the audit log."Kenneth Mortenson, the Homeland Security Department’s privacy officer, described how his agency’s privacy operation has shifted from the policy advisory function carried out by former privacy officer Nuala O’Connor Kelly to an operational role."We are working to ensure that technology sustains privacy and does not erode it," Mortenson said. He noted that the right to privacy is not an absolute right, just as the freedom of speech guaranteed by the Constitution is not an absolute right.Mortenson’s office has developed a template for program managers to use as they build privacy controls into their systems. DHS also has evaluated the privacy effects of national security systems and intelligence systems, Mortenson said. DHS is looking to attain a situational awareness of privacy issues in the department, similar to the situational awareness that military organizations develop, he said.Dempsey noted that authentication is one of the most difficult problems for privacy policy specialists. He said that in some cases, there is a need for 100 percent authentication, while in other matters it is important to preserve anonymity.Dempsey described with concern a recent situation in which one of the companies he deals with personally asked for the last four digits of his Social Security number to authenticate a transaction. While he has at times proposed that Social Security numbers be made public because they are in fact not secure information, he also said, "The individual retains an interest in how [personal] information is being shared [after an agency gathers it]."Federal privacy officers can serve as advocates within their agencies to help IT program managers ask the appropriate questions as they design systems, Dempsey added.Dempsey said his organization is set to publish a new set of studies on privacy policy July 13 that will amplify and refine its analysis of the issues.In response to a question about how officials in small agencies can learn how to comply with federal privacy law and policy, Symonds noted that the Treasury Department’s Web site includes a privacy policy guide, and the Defense Department has posted "Privacy 101" and "Privacy 201" documents online.