TESTIMONY
OF
NUALA O'CONNOR KELLY
CHIEF PRIVACY OFFICER
U.S.
DEPARTMENT OF HOMELAND SECURITY
BEFORE THE
SUBCOMMITTEE ON
COMMERCIAL AND ADMINISTRATIVE LAW
OF THE
JUDICIARY COMMITTEE
OF THE U.S.
HOUSE OF REPRESENTATIVES
FEBRUARY 10, 2004
Chairman Cannon,
Ranking Member Watt, Members of the subcommittee, and distinguished colleagues
on this panel, it is an honor to testify before you today on the activities of
the United States Department of Homeland Security's Privacy
Office, which I am privileged to lead as the first Chief Privacy
Officer of the Department of Homeland Security.
The protection of
privacy, of the dignity of the individual, is not a value that can be added on
to this or any other organization later, and that is why I am so pleased to
have been here from almost the very beginning.
This value is one that must be embedded in the very culture and
structure of the organization. I know
that we can and will succeed in this-not only because our leadership believes
in protecting the sanctity of the individual, but also because our over 180,000
employees are also great Americans, who believe in and act on these values-for
themselves, their neighbors, and their children-each day.
Establishment of the DHS Privacy
Office
The creation of
the Department of Homeland Security and its many programs raise no shortage of
important privacy and civil liberties issues for this nation to address. This Department, led by Secretary
Tom Ridge,
and this Administration, led by President Bush, are committed to addressing
these critical issues as they seek to strengthen our homeland. A crucial part of this commitment is
support for the creation and the mission of the Privacy
Office at the Department of Homeland Security.
Secretary Ridge articulated his vision for this office, stating that the
privacy office "will be involved from the very beginning with every policy
initiative and every program initiative that we consider," to ensure that our
strategy and our actions are consistent with not only the federal privacy
safeguards already on the books, but also "with the individual rights and civil
liberties protected by our laws and our Constitution."
As Members of this
subcommittee are uniquely aware, the enabling statute for the Department of
Homeland Security contains Section 222, which directs the Secretary to appoint
a senior official in the Department to assume primary responsibility for
privacy policy. This includes conducting and oversight of formal Privacy
Impact Assessments to "assure that the use of technologies sustain, and do not
erode, privacy protections relating to the use, collection, and disclosure of
personal information." This office also
oversees the Department's compliance with the Privacy
Act of 1974 and the Privacy Impact Assessment
requirements of the Electronic Government Act of 2002, and is directed to "evaluate
legislative and regulatory proposals involving collection, use, and disclosure
of personal information by the Federal Government." Uniquely and importantly, under the enabling
statute, the DHS Chief Privacy Officer provides
an annual report to Congress on the activities of the Department that affect
privacy, including complaints of privacy violations, implementation of the Privacy
Act, internal controls, and other matters.
Key Legal Frameworks enforced by the Privacy Office
One of the primary legal frameworks
underlying the mission of the DHS Privacy
Office is, obviously, the federal Privacy Act
of 1974. The Privacy Act, 5 U.S.C. § 552a,
provides a code of fair information practices that governs the collection,
maintenance, use, and dissemination of personal information by federal
agencies. Emanating from concerns about the ability to aggregate personal
information--partly due to new technologies like mainframe computers of that
day--this law provides substantial notice, access, and redress rights for
citizens and legal residents of the United
States whose information is held by some
part of the executive branch of the federal government. The law provides robust
advance notice, through detailed "system of records" notices, about
the creation of new technological or other systems containing personal
information. The law also provides the right of access to one's own records,
the right to know and to limit other parties with whom the information has been
shared, and the right to appeal determinations regarding the accuracy of those
records or the disclosure of those records.
The Privacy Act is our country's
articulation of Fair Information Principles; the Act both protects the
information of our citizens and also provides our citizens rights to access
that data.
Under
the Freedom of Information Act, 5 U.S.C.
§ 552, the principle that persons have a fundamental right to know what
their government is doing is enforced on a daily basis. Almost any person at
any time has the right to query a federal agency for documents and records. Our
government and our agency are grounded on principles of openness and
accountability, tempered, of course, by the need to preserve the
confidentiality of sensitive personal, commercial, and governmental
information. The Freedom of Information
Act is the primary statute that attempts to balance these countervailing public
concerns. A robust FOIA/PA program is
a critical part of any agency's fundamental processes; it helps to provide
assurance to the public that, in pursuing its mission, an agency will also
pursue balanced policies of transparency and accountability while preserving
personal privacy. The U.S.
federal government will spend hundreds of millions of dollars processing and
responding to FOIA requests next year, and thousands of federal workers will
spend all or part of their day compiling responses to those requests. Our agency alone has over 300 staff members
across the Department who work full or part-time on Privacy
Act and FOIA issues.
This past fall, the Office of Management and
Budget released its guidance under Section 208 of the E-Government Act of
2002-which mandates Privacy Impact Assessments
for all federal agencies when there are new collections of, or new technologies
applied to, personally identifiable information. This, really a third pillar of the privacy
framework at the federal level reflects, once again, a growing reliance on
technology to move data--both in government spaces and on the Internet. With the addition of the privacy provisions of
the E-Government Act to existing privacy protections, our citizens now benefit
from a comprehensive framework within which government considers privacy in the
ordinary course of business. The Act and
underlying guidance synthesize numerous prior statements and guidance on
privacy practices and notices, and will assist privacy practitioners in
prioritizing their efforts. In particular, the guidance provides direction on
the content of privacy policies and on the machine-readability of privacy
policies.
Further, the act outlines the parameters for
privacy impact assessments. Although in use by some agencies already, generally
privacy impact assessments are a new and important tool in the toolbelt of
privacy practitioners across the federal government. These new requirements
formalize an important principle: that data collection by the government should
be scrutinized for its impact on the individual and that individual's data.and
ideally before that data collection is ever implemented. The process,
the very exercise of such scrutiny, is a crucial step towards narrowly
tailoring and focusing data collection towards the core missions of government.
This practice should provide even greater awareness, both by those seeking to
collect the data and those whose data is collected, of the impact on the
individual and the purpose of the collection.
I am pleased to have been a small part of
the discussions towards the development of guidance on privacy impact
assessments. These new requirements set the bar high for privacy practitioners.
These requirements also reflect, I believe, a growing sensitivity and awareness
on the part of our citizens regarding personal data flows in the public and
private sectors. I believe that this guidance will allow federal agencies to
respond to citizens' concerns about these activities and also to be current
with, or perhaps even slightly ahead of, the evolution of privacy practices in
the private sector.
Under the Privacy
Act, in concert with the Freedom of Information Act and the E-Government Act,
citizens, legal residents, and visitors to the United
States have been afforded almost unequalled
transparency into the federal government's activities and the federal
government's use of personal information about them. A robust FOIA/PA program is imperative to
provide the public with assurances that any information DHS collects is being
maintained consistent with all legal and regulatory requirements.
Operationalizing Privacy
Throughout the Department of Homeland Security
Best Practices through Management Leadership
The DHS Privacy
Office works to promote best practices with respect to privacy and infuse
respectful information privacy principles and practices for all employees into
the DHS culture. A major and substantial
goal at the outset for my tenure is to 'operationalize' privacy awareness and
best practices throughout DHS, working
not only with Secretary Ridge and our senior policy leadership of the various
agencies and directorates of the department, but also with our Privacy
Act and FOIA teams, as well as operational staff across the Department.
Consistent Policies and Education Efforts
Through internal
educational outreach and the establishment of internal clearance procedures, we
are sensitizing DHS directorates and components to consider privacy whenever
developing new programs or revising existing ones. We are reviewing new
technologies to ensure that privacy protections are incorporated in the
development and implementation of these new systems. Our headquarters staff has been reviewing all
Privacy Impact Assessments being conducted
throughout the Department. In this
process, DHS professionals have become educated about to the need to
consider--and the framework for considering--the privacy impact of their
technology decisions. We are reviewing Privacy
Act systems notices before they are sent forward and ensuring that we collect
only those records that are necessary to support our mission. We also guide DHS agencies in developing
appropriate privacy policies for their programs and serve as a resource for any
question that may arise concerning privacy, information collection or
disclosure. We work closely with various
DHS policy teams, the Office of the General Counsel, and the Chief Information
Officers to ensure that the mission of the Privacy
Office is reflected in all DHS initiatives.
And of course we also work in
concert with the Department's Office for Civil Rights and Civil Liberties,
which is the other statutorily mandated office at DHS Headquarters with an
individual liberties focus.
Integrated Privacy and Disclosure Mandates
The work of the Privacy
Office includes not only the statutory Privacy
Act and Privacy Impact Assessement work, but
also integrates Freedom of Information Act oversight for the Department. This additional responsibility was
redelegated to the Privacy Office last summer
by Secretary Ridge, in recognition of the close connection between privacy and
disclosure laws, and the functional synergies of the work of our Privacy
Act and FOIA specialists across the Department.
Transparency and Outreach to the Public
The DHS Privacy
Office also seeks to anticipate and satisfy public needs and expectations, by
providing a crucial link between those outside DHS who are concerned about the
privacy impact of the Department's initiatives, and those inside the Department
who are diligently working to achieve the Department's mission. Our role is not only to inform, educate, and
lead privacy practice within the Department, but also to serve as listeners and
as a receptive audience to those outside the Department who have questions or
concerns about the Department's operations. To that end, my office has engaged
in consistent and substantial outreach efforts to members of the advocacy
community, industry representatives, other U.S. agencies, foreign governments,
and most importantly, the American public, not only to inform and educate those
constituencies, but also, even more importantly, to hear their concerns, to
share those concerns with the Department's leadership, and to see that those
concerns are addressed in our programs and in the development of our
policies. Recent coverage of our privacy
program, in particular our Privacy Impact
Assessment, or PIA, of the US-VISIT
program, demonstrated how information-collection efforts, especially those
employing new or unfamiliar technology, can be done in a privacy-sensitive way.
Operationally, this particular PIA demonstrated an effective internal system
whereby staff from across the department worked together to create a document
that was at once technologically detailed and also reader-friendly.
Key Policy Challenges
The Use of Private-Sector Data
I can think of no
more compelling public policy issue, particularly one that affects the privacy
of our citizens and visitors to this country, than the sharing of personal
information between the public and private sector. It is one that has been successfully-and less
successfully-navigated by other agencies within the Federal government, and it
is one that we examine and grapple with in programs within every single
directorate and agency within the Department of Homeland Security almost every
day.
It is the Privacy
Office's role to facilitate this conversation about and this examination of the
responsible uses of information by government agencies within DHS. That role sometimes requires us to
encourage, and even force conversation between those who label themselves as
being concerned only with privacy, and those who consider themselves all about
security. I challenge those who feel the
need to be one or the other. It is, in
fact, possible, to achieve both responsible privacy practices and achieve the
mission of the Department of Homeland Security.
Issues of privacy and civil liberties are most successfully navigated
when the necessary legal and policy protections are built in to the systems or
programs from the very beginning-both in the intelligent use of technology, and
in the responsible execution of programs.
Further, clear rules-both in the private sector and in the public
sector-are necessary to ensure that such information sharing is done in a
legitimate, respectful, and limited fashion.
International Cooperation
A key focus of the
Privacy Office's work has been to engage the
data protection authorities internationally.
Privacy professionals the world over
share a common interest in assuring public trust in government operations by
encouraging transparency, as well as respect for fair information principles
such as collection limitation, purpose specification, use limitation, data
quality, security safeguards, openness, participation, and accountability. Our office has participated in the meetings
of the International Association of Data Protection and Privacy
Commissioners, although the office is not recognized at this time as an
accredited data protection authority. We have also worked cooperatively with
data protection authorities, or DPAs, to enable cross-border dispute resolution
of personal data issues. Our office is
both a point of appeals for complaints about our various directorates'
programs, and also a point of contact for our international counterparts,
whether acting to communicate policy concerns or individual citizens'
complaints.
Balancing the Need for Transparency and the Need for Security in
Operations
Perhaps the most
difficult issue in a law enforcement or counter-terrorism context is the need
to afford transparency and access to information for individuals, while also
safeguarding information that is essential to an ongoing investigation of some
type. Our office seeks to assist the
agency in achieving this balance in a number of ways. First, rules and procedures for accessing
information must be clear, easily attainable by individuals, and easily
understood. Second, determinations that
information is sensitive or otherwise protected must be narrowly tailored and
well grounded. Third, systems must be in
place whereby individuals can be assisted in correcting information that may
impact them in some way, even when that information is deemed protected. An example of this is the use of citizen
advocates or ombudsmen, where by government employees who have security
clearance or access to information act on behalf of individuals to correct
misidentifications or incorrect information that is associated with an
individual. In addition, these processes
must be efficient and minimally burdensome on the individual, and must provide
for an appeal or further redress process that is adequately independent to ensure
fairness for the individual. These
processes exist in certain places within our Department, and should be
implemented where personal information is collected by the government and used
in a way that impacts the individual.
The DHS Privacy Office plays a role in
performing that independent review and appeal process for our directorates and
citizens.
The Defense of Privacy Act
The DHS Privacy
Office applauds the subcommittee for its interest in privacy issues, and even
more, privacy practices across the federal government. We in government are often quick to point to
private-sector lapses in privacy policy, and we should be equally vigilant
about our own use of personal data.
While the federal government benefits from the requirements of the Privacy
Act of 1974, it is also true that new technologies have allowed data sharing in
new and perhaps unexpected ways. The Privacy
Impact Assessment requirements of the E-Government Act of 2002 recognize these
new technological challenges and seek to provide reader-friendly information
about such data collections in a new and perhaps more technologically savvy
fashion.
The proposed Defense
of Privacy Act shares many similarities with
the PIA requirements under the E-Government Act, ones that are worth noting,
such as the need for a "senior agency official with primary responsibility for
privacy policy." While the need for a
statutory privacy officer at DHS may be virtually unique in the federal
government, given the agency's size and the co-mingling of parts of more than
22 former federal agencies, the need for senior policy leadership at any agency
that affects public data is certainly recognized.
Further, the Act
does clarify the timing of PIAs, to be both a prospective document, issued at
the NPRM stage, and a final document, issued in response to public
comments. We at DHS have, and fully
intend to continue to publish PIAs for public comment and we believe that this
public dialogue is essential to our understanding of public concerns about DHS
programs. I should note that the
Administration continues to review this legislation, and we may have additional
comments at a later time.
Internal and External Role
I am often asked
whether I view my job as a privacy advocate and thus at odds with the
activities of the Department. The answer
is absolutely not. As Secretary Ridge
has articulated on many occasions, the Department of Homeland Security's
mission is more than just counter-terrorism, more than just the protection of
people and places and things. It is also
the protection of our liberties and our way of life, and that includes the
ability to engage in public life with dignity, autonomy, and a general
expectation of respect for personal
privacy. Thus, the protection of privacy
is neither an adjunct nor the antithesis to the mission of the Department of
Homeland Security. Privacy
protection, in fact, is at the core of that mission.
I am very much in
agreement with the statutory definition of my office's position as being both
"within" and "without" the Department of Homeland Security.
As part of the department, we are able to serve as educators, as leaders, and
as full participants in the policy direction of important programs. And as
outsiders, we are able to turn a critical eye on the most controversial and the
most mundane aspects of the Department's operations. But I do not position my
office as the enemy of the mission of this department. Rather, I see it as
crucial, fundamental to successfully achieving that mission.
On a daily basis,
I am aware of what it means to set parameters for the federal government's use
of personal information-information that has been given to us in our capacity
as the provider of services, as the caretaker of the public's physical
security, and, most importantly, the custodian of the public's trust. Secretary Ridge has said that "Fear of
government abuse of information.is understandable, but we cannot let it stop us
from doing what is right and responsible." The antidote to fear, as he has
said, "is an open, fair, and transparent process that guarantees the protection
and the privacy of that data." I commit
to this Committee, to the American people whom we serve, and to our neighbors around the globe, that
the Privacy Office is implementing this
philosophy on a daily basis at the Department of Homeland Security.
I thank you for
your time, and for your interest in and support of the Department of Homeland
Security Privacy Office.