Testimony of Sally Katzen
before
The Committee on the Judiciary
Subcommittee on
Commercial and Administrative Law
on
on
"Privacy in the Hands
of the Government: The Privacy Officer for
the Department of Homeland Security"
Thank you for inviting me to testify today on a vitally important subject - "Privacy in the Hands of the Government." This Committee is to be congratulated, not only for its leadership in creating a statutory Privacy Officer in the Department of Homeland Security (DHS), but also for being vigilant in its oversight of that office.
I am currently a Visiting Professor at the University of Michigan Law School, where one of my courses is a seminar on "Technology Policy in the Information Age" - a significant portion of which is devoted to examining both the government and the private sector's privacy policies and practices. I have been involved in privacy policy for over a decade. In early 1993, I began serving as the Administrator of the Office of Information and Regulatory Affairs (OIRA) in the Office of Management and Budget (OMB); the "I" in OIRA signaled that I was, in effect, the chief information policy official for the federal government. Among other responsibilities, my office was charged with developing federal privacy policies, including implementation of the 1974 Privacy Act. Later in 1993, I was asked to chair the Information Policy Committee of the National Information Infrastructure Task Force, which had been convened by the Vice President and chaired by then Secretary of Commerce Ronald Brown. One of the first deliverables we produced was from my committee's Privacy Working Group - a revision of the 1973 Code of Fair Information Practices, entitled "Principles for Providing and Using Personal Information." During President Clinton's second term, I worked with the Vice President's Domestic Policy Advisor to create a highly visible and effective office for privacy advocacy in OMB; we selected Peter Swire to head that office and be the first Chief Counselor for Privacy, and I worked closely with him when I served as Deputy Director for Management at OMB during the last two years of the Clinton Administration. Since leaving government, I have, as indicated earlier, been teaching both at the graduate and undergraduate level.
Given the Committee's extensive work in this area, it is not necessary to speak at length on the importance of privacy in the history and culture of our country. Nonetheless, to provide context for the comments that follow, I want to be clear that, from my perspective, privacy is one of the core values of what we are as Americans. Whether you trace its roots from the first settlers and the "frontier" mentality of the early pioneers, or from the legal doctrines that flowed from Justice Brandeis' oft-quoted recognition in the late 19th century of "the right to be let alone," privacy has been one of the hallmarks of America -- cherished, prized, protected and defended throughout our country and throughout our history.
The "Information Age" has brought new opportunities to benefit from the free flow of information, but at the same time it has also raised privacy concerns to a new level. Computers and networks can assemble, organize and analyze data from disparate sources at a speed (and with an accuracy) that was unimaginable only a few decades ago. And as the capacity - of both the government and the private sector - to obtain and mine data has increased, Americans have felt more threatened - indeed, alarmed - at the potential for invasion (and exploitation) of their privacy.
Before
We thus have some - albeit limited - operational experience with the statutory scheme, and it is therefore timely to see what we have learned and what more could (and should) be done by this Committee to be responsive to privacy concerns.
I would draw two lessons from Ms. Kelly's tenure to date at DHS.
First, the existence of a Privacy Officer at DHS, especially someone who comes to the position with extensive knowledge of the issues and practical experience with the federal government, is highly beneficial. We know that some attention is now being paid to privacy concerns and that steps are being taken to advance this important value that might otherwise not have occurred.
Consider the CAPPS II project, in which Ms. Kelly has recently been involved. She inherited a Privacy Act Notice issued last winter that was dreadful. She produced a Second Privacy Act Notice that reflected much more careful thought about citizens' rights and provided more transparency about the process. Regrettably, there was some backsliding: the initial concept was that the information would be used only to combat terrorism, whereas the second Notice indicated that the information would be used not only for terrorism but also for any violation of criminal or immigration law. Also, the document was vague (at best) on an individual's ability to access the data and to have corrections made. And there was more that should have been said about the manner in which the information is processed through the various data bases. But there is no question that the Second Notice was greatly improved from the first.
Ms. Kelly was also involved with the US VISIT program, where she produced a Privacy Impact Analysis (PIA). Some had argued that a PIA was not required because the program did not directly affect American citizens or permanent residents. Nonetheless, to her credit, she prepared and issued a PIA that was quite thoughtful and was well received. Whether one agrees or disagrees with the underlying program, at least we know that someone was engaged in the issues that deserve attention and the product of that effort was released to the public.
As someone outside the government, it is hard to know how influential Ms. Kelly will be if - and it inevitably will happen - there is a direct conflict between what a program office within DHS wants to do and what the Privacy Officer would counsel against for privacy reasons. Effectiveness in this type of position depends on autonomy and authority - that is, on the aggressiveness of the office holder to call attention to potential problems and on support from the top. We may take some comfort from Secretary Ridge's comments; he has said all the right things about supporting the Privacy Officer. But we cannot now know what will happen when the "rubber meets the road."
This Committee, however, can further empower the Privacy Officer, and lay the foundation for remedying any problems that may arise, by maintaining its oversight and inquiring pointedly into how the Department operates. For example, Ms. Kelly (and Secretary Ridge) should be asked at what stage she is alerted to or brought into new initiatives; what avenues are open for her to raise any questions or concerns; and whether the Secretary will be personally involved in resolving any dispute in which she is involved. The timing of the release of the PIA for the US VISIT program suggests that Ms. Kelly may not always be consulted on a timely basis. As I read the E-Government Act of 2002, an agency is to issue a PIA before it develops or procures information technology that collects, maintains or disseminates information that is in an identifiable form. In this instance, the PIA was released much further down the road, when the program was about to go on line. Anything that helps the Privacy Officer become involved in new initiatives at the outset, before there is substantial staff (let alone money) invested in a project, would be highly salutary.
The second lesson that I take from the experience to date with the Privacy Officer at DHS is that there has been no diminution in the capacity of the Department to pursue its mission. Or as a political wag would say, the existence of a Privacy Officer in DHS has not caused the collapse of western civilization as we know it. This is wholly consistent with what most Americans think - that national security and privacy are compatible and are not intrinsically mutually exclusive.
The fact that there is no evidence that the existence, or any activity, of the Privacy Officer has caused DHS to falter leads me to suggest that the Committee consider expanding the number of statutory privacy offices from one to 24, covering all major Departments (the so-called Chief Financial Officers Act agencies) or at least a handful of critical agencies. Imagine the salutary effect that a statutory privacy office could have at the Department of Justice, the Department of the Treasury (and the Internal Revenue Service), the Department of Defense and the Veterans Administration, the Social Security Administration, and the Department of Health and Human Services. All of these agencies already have some form of privacy office in place, although many simply process Privacy Act complaints, requests, notices, etc. and do not involve themselves in the privacy implications of activities undertaken by their agencies. It is significant, I believe, that OMB guidance from two administrations (issued first during the Clinton Administration and repeated recently by the Bush Administration) has called for the creation of such offices in Executive Branch agencies. With the imprimatur of Congress, these offices can achieve the status (and increased influence) and gain the respect that the Privacy Officer has enjoyed at DHS. Equally important, by establishing statutory privacy offices, the Congress will be able to engage in systematic oversight of the attention paid to this important value in the federal government - something which has not occurred before this hearing today.
I hope I do not seem presumptuous to suggest - indeed, strongly urge - one further step: establishing at OMB a statutory office headed by a Chief Counselor for Privacy. As noted above, we had created such a position during the Clinton Administration, and it served us well. Peter Swire, the person we selected to head that office, was able to bring his knowledge, insights, and sensitivity to privacy concerns to a wide range of subjects. In his two years as Chief Counselor, he worked on a number of difficult issues, including privacy policies (and the role of cookies) on government websites, encryption, medical records privacy regulations, use and abuse of social security numbers, and genetic discrimination in federal hiring and promotion decisions, to name just some of the subjects that came from various federal agencies. He was also instrumental in helping us formulate national privacy policies that arose in connection with such matters as the financial modernization bill, proposed legislation to regulate internet privacy, and the European Union's Data Protection Directive.
I believe it is unfortunate that the current Administration has chosen not to fill that position. As a result, there is no senior official in the Executive Office of the President who has "privacy" in his/her title or who is charged with oversight of federal privacy practices, monitoring of interagency processes where privacy is implicated, or developing national privacy polices. Perhaps it was the absence of such a person that led to the Bush Administration's initial lack of support for the designation of a Privacy Officer at the Department of Homeland Security. Perhaps if someone had been appointed to that position, the Administration would not have appeared to be so tone deaf to privacy concerns in connection with the Patriot Act or any number of law enforcement issues that have made headlines over the past several years. An "insider" can provide both institutional memory and sensitivity to counterbalance the unfortunate tendency of some within the government to surveil first and think later. At the least, the appointment of a highly qualified privacy guru at OMB would mean that someone in a senior position, with visibility, would be thinking about these issues before - rather than after - policies are announced.
Finally, I understand that after this Hearing, the Committee will move to mark up H.R. 338, "The Defense of Privacy Act." That bill reflects a commendable desire to ensure that privacy impact statements are prepared by federal agencies as they develop regulations which may have a significant privacy impact on an individual or have a privacy impact on a substantial number of individuals. I was struck in reviewing the E-Government Act of 2002 for this testimony that it requires an agency to prepare a PIA not only before it develops or procures information technology that implicates privacy concerns, but also before the agency initiates a new collection of information that will use information technology to collect, maintain or disseminate any information in an identifiable form. This law has gone into effect, OMB has already issued guidance on how to prepare the requisite PIAs, and the agencies are learning how to prepare these PIAs using that model. Rather than impose another regime on agencies when they are developing regulations (which are frequently the basis for the information collection requests referenced in the E-Government Act of 2002), it might be preferable to amend the E-Government Act to expand its requirements to apply to regulations that implicate privacy concerns. That approach would have the added benefit of eliminating the inevitable debate over the judicial review provisions of H.R. 338, which go significantly beyond the judicial review provisions of any of the comparable acts (e.g., Reg.Flex., NEPA, Unfunded Mandates, etc.). Lastly, if you were to amend the E-Government Act to include privacy-related regulations, you might also consider including privacy-related legislative proposals from the Administration. As you know, Executive Branch proposals for legislation are reviewed by OMB before they are submitted to the Congress. If there were a Chief Counselor for Privacy at OMB, s/he would be able to provide input for the benefit of the Administration, the Congress and the American people.
Again,
thank you for inviting me to testify today.
This Committee has been an effective leader on privacy issues, and it is
encouraging that you are continuing the effort.
I would be pleased to elaborate on these comments or answer any
questions that you may have.
NEWSLETTER
|
Join the GlobalSecurity.org mailing list |
|
|