White House floats policy on privacy that straddles lawmakers’ opposing views

A fight over privacy is brewing on Capitol Hill, and it has nothing to do with the Homeland Security Department screening travelers or the General Services Administration’s lost credit-card data.The current spat revolves around a little-known provision in the fiscal 2005 omnibus appropriations bill requiring agencies to name chief privacy officers and perform a number of privacy oversight functions.Two influential lawmakers are battling over whether agencies need more privacy oversight and who should administer it. And the Office of Management and Budget is caught in the middle, trying to pacify both sides. To that end, OMB is drafting new reporting requirements and requiring agencies to name a senior official to be in charge of privacy.Rep. Tom Davis, chairman of the House Government Reform Committee, has vowed to repeal the provision, calling it duplicative and unnecessary. The Virginia Republican introduced a bill last month to take the law off the books.But Sen. Richard Shelby (R-Ala.), who wrote the provision into the Transportation, Treasury and General Government appropriations bill last session, will not let it die easily because the need is so immediate, said a Senate Appropriations Committee staff member.Although administration officials say they support some parts of the provision, President Bush asked in his 2006 budget request that the language be expunged.“We’ve always had to do privacy, and this had nothing to do with the administration not supporting privacy, because we do strongly,” said Karen Evans, OMB’s administrator for e-government and IT. “We are ensuring that agencies have a good privacy program in place. From our perspective, we are meeting the intent of Congress.”OMB officials will institute new governmentwide privacy reporting requirements as part of the annual Federal Information Security Management Act reports. And although each agency must give someone authority over privacy issues, the person will not have to carry the title of chief privacy officer.The White House sends its FISMA report, an aggregate of the reports from the agencies, to Congress every March 1. OMB will detail the new requirements in the FISMA guidance it provides to agencies each summer.“This will make agencies send us the data on an annual basis,” Evans said. “We still are working out what, exactly, the requirements will be, but it will heighten the awareness of privacy, which was Congress’ intent.”Evans added that requirements from the omnibus law that do not make it into the FISMA guidance will be added in special additional guidance to the dozen or so agencies specifically covered by the Transportation, Treasury and General Government bill: the General Services Administration, National Archives and Records Administration, Office of Personnel Management, OMB and a host of smaller agencies.OMB had asked agencies to name a senior official in charge of privacy matters by March 11. The person must play a “central role in overseeing, coordinating and facilitating” efforts to comply with federal rules such as the Privacy Act. In a memo to agencies, Clay Johnson III, OMB’s deputy director for management, said an agency’s CIO or another senior official could perform the role.Robert Gellman, a privacy expert and GCN columnist, said governmentwide requirements and chief privacy officers make little difference unless OMB and agency executives take privacy seriously.“You can’t legislate good management,” he said. “Many, but not all, agencies need someone managing privacy, but good privacy is good management. If that doesn’t happen, nothing will matter.”Davis’ contention is that the language is duplicative. He has noted that the requirements in Shelby’s privacy provision are addressed in at least four other laws, including the Clinger-Cohen Act, the E-Government Act and FISMA.“The legislation merely creates a layer of bureaucracy that contradicts existing federal information policy currently executed by the CIOs,” said Drew Crockett, spokesman for Government Reform. “Chairman Davis had both substantive, jurisdictional and process concerns with the privacy provision.”Crockett added that Davis is reviewing options that would let him amend language to repeal the provision to a bill that will “move it straight to the floor.”The Senate staff member countered that information privacy deals not only with electronic information but also paper records, and therefore is beyond the CIOs’ purview.“We ask a lot of the CIOs, and we are not sure if we can put this new responsibility on their back and expect them to fully and faithfully execute it with all the other requirements we ask of them,” he said. “The fact that large agencies have on their own or pursuant to this legislation put into place a chief privacy officer validates the need for this position.”The staff member also noted that the White House had no objections to the bill during negotiations on the conference report, so the committee is unclear why the administration wants it repealed now. Plus, he added, no other Senate or House members have complained about the provision.“I can’t help but wonder if Davis would like to use this as a sweetener for other legislation, or if he just wants to have his imprint on this bill,” the staff member said. “There may be some legitimate areas that need improving, but with the amount of information agencies collect, having a chief privacy officer makes sense.”