Up to their ears in issues

Even as Congress and the Bush administration attempt to lasso privacy concerns by placing chief privacy officers in the saddle at agencies, few privacy officials toil to accomplish the same tasks.

At the Commerce Department, for example, chief privacy officer Daniel Caprio works with technology companies to address security and privacy issues that could cut into sales of U.S. products and services.

A few blocks south of Commerce's downtown Washington, D.C., location, chief privacy officer Zoe Strickland is in the midst of a massive overhaul of the U.S. Postal Service's records systems and record-retention policies. She is also making USPS' privacy policies more accessible by providing summaries and the full texts online.

Meanwhile at the Homeland Security Department, chief privacy officer Nuala O'Connor Kelly is wrestling with the privacy implications of biometric identification cards, data mining and other unproven, cutting-edge technologies. Additionally, she must operate in a culture that leans toward secrecy with citizens who are wary of government intrusions into their private lives.

New for 2005

In the omnibus spending bill for fiscal 2005, Congress required agencies to appoint chief privacy officers and outline their responsibilities for protecting personal information. The requirements include safeguarding information systems from intrusions, unauthorized disclosures, and disruption or damage. Agencies also must have their privacy policies and practices audited by an independent auditor every two years.

In response to the law, the Office of Management and Budget issued a memo directing agencies to designate a senior official who would be responsible for privacy programs. The memo states that agencies could give that responsibility to the chief information officer or someone else at the assistant secretary level.

Many major agencies — the Agriculture and Labor departments, for example — have given the privacy job to the CIO. But others, including Commerce, DHS and the Postal Service, have not.

Caprio is also Commerce's deputy assistant secretary for technology policy. At DHS, Kelly reports directly to the secretary. Strickland reports to USPS' vice president, who is the consumer advocate and answers to the postmaster general.

When agencies first named privacy officers, they often placed them in the office of the general counsel because their primary responsibility was ensuring compliance with the Privacy Act of 1974. Since then, Congress has passed several other laws with privacy provisions, including the E-Government Act of 2002, which requires privacy impact assessments for new systems and data collection programs.

Differing demands

At the Internal Revenue Service, the main issue for privacy officials is data minimization, or limiting how much personal information about taxpayers stays in the agency's files.

Like many other federal privacy officials, Strickland and Kelly also are in charge of Freedom of Information Act compliance at their departments. At Commerce, a separate unit in the Office of Management and Organization deals with FOIA requests.

Overkill?

Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, disapproved of the governmentwide privacy provisions in the appropriations bill because CIOs already have information security and privacy responsibilities. Because he feels another official is not necessary, Davis is trying to repeal the provisions, Section 522 of the Consolidated Appropriations Act of 2005.

Some agency officials have complained that privacy laws are burdensome and bureaucratic. Kelly said that's not the way it should be. Privacy rules and the officials who enforce them are "part of a core value structure, part of a trust agenda, part of how an organization thinks about its service to its customers, its clients — in this case, our citizens and visitors to this country," she said.

"People have made the analogy — and I think it's a very apt one — that privacy is to the Information Age as environmental compliance was to the Industrial Age," Kelly said. "When done well, it is part of the core value structure of an organization. When done poorly, it's one of the really unfortunate outgrowths and really disastrous for a company or for a government institution."

Beyond privacy

Both Caprio and Kelly said their roles go beyond privacy. "The title of chief privacy officer is really too narrow, because what we're really talking about is information management — the responsible use of information," Caprio said.

For much of the first half of this year, he focused on issues involving radio frequency identification systems, especially potential privacy implications. Caprio worked with industry to avoid privacy complaints that could limit implementation of RFID.

"We have the introduction of new technology, and then the privacy and security issues begin to take over, and the technology then morphs into a privacy and security issue," he said. "For instance, with RFID, the concerns are not about the technology. The concerns are about the collection and use of data."

"The word 'privacy' is really very visceral, and people have very strong and appropriate reactions to wanting to protect their personal privacy," Kelly said. "But I think we almost need to move beyond that word" into responsible and fair information principles and practices.

Ferris is a freelance writer in Chevy Chase, Md. She can be reached at ferrisn@att.net.