628 Dirksen Senate Office Building
Good morning, Chairman Akaka, Ranking Member Johnson, and Members of the Subcommittee. I appreciate the opportunity to appear before you today to discuss my role as the Department of Homeland Security’s (DHS) Chief Privacy Officer, the Privacy Act, and the collaborative achievements of the Privacy Committee of the Federal Chief Information Officers Council.
Role of the DHS Chief Privacy Officer
As you know, the Department of Homeland Security (DHS) is the first department in the federal government to have a statutorily mandated privacy officer. I have had the pleasure of serving in this role since March 2009. The Homeland Security Act grants the Chief Privacy Officer primary responsibility for ensuring that privacy considerations and protections are comprehensively integrated into all DHS programs, policies, and procedures.1 Pursuant to my statutory authority, I am tasked with assuring that the Department’s use of technologies sustains and does not erode privacy protections relating to the use, collection, and disclosure of personal information. I also ensure that personal information contained in Privacy Act systems of record is handled in full compliance with fair information practices, as set forth in the Privacy Act of 1974, as amended.2 To achieve this mandate, I lead a dedicated staff of privacy professionals who comprise the DHS Privacy Office.
The mission of the DHS Privacy Office is to protect all individuals by embedding and enforcing privacy protections and transparency in all DHS activities. My staff work to achieve its mission by fostering a culture of privacy and transparency; demonstrating leadership through policy and partnerships; providing outreach, education, training, and reports; conducting robust oversight; and ensuring that DHS complies with federal privacy, confidentiality, and disclosure laws, policies, and principles.
It is my pleasure to share with you today a few examples of the DHS Privacy Office’s many recent achievements in privacy protection. Last year, we issued Department Directive 047-01, which formalizes the privacy-related responsibilities of DHS personnel and the processes in place to ensure compliance with applicable laws and policies. Two weeks ago, we hosted a successful public meeting of the DHS Data Privacy and Integrity Advisory Committee, which provides advice on privacy-related matters to the Chief Privacy Officer and the Secretary of Homeland Security. In addition, we engage in ongoing collaboration with the DHS Office for Civil Rights and Civil Liberties to provide comprehensive, on-site training to fusion centers from Alaska to Tennessee.
One specific example of my office’s privacy efforts that you requested I discuss today is our response to the Office of Management and Budget’s (OMB) guidance on safeguarding personally identifiable information (PII). OMB Memorandum M-07-16 required agencies to develop and implement a policy on breach notifications, which DHS refers to as privacy incidents.5 In September 2007, in response to the OMB memo, the DHS Privacy Office distributed its Privacy Incident Handling Guidance throughout the Department to inform employees of their responsibilities to safeguard PII, regardless of format.6 In addition, the Privacy Incident Handling Guidance provided detailed information on how to handle all stages of privacy incidents, including reporting, escalation, investigation, mitigation, notification, and closure.
The Department continues to actively implement OMB Memorandum M-07-16. Earlier this year, my Office revised its Privacy Incident Handling Guidance to better reflect privacy incident handling procedures based on observed best practices.7 We also issued a Handbook for Safeguarding Sensitive Personally Identifiable Information, which establishes minimum standards for how Department personnel should protect Sensitive PII.8 To ensure that staff are cognizant of PII protections, we also updated our annual online training, which is mandatory for all DHS employees and contractors.
1 6 U.S.C. § 142.
2 5 U.S.C. § 552a.
3 U.S. Department of Homeland Security, Privacy Office, OIG Privacy Incident Report and Assessment (February 2011), http://www.dhs.gov/xlibrary/assets/privacy/priv-oig-privacy-incident-report-assessment-022011.pdf.
5 OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007).
6 Information may exist in paper, electronic, web-based, or other formats, for example.
7 U.S. Department of Homeland Security, Privacy Incident Handling Guidance (Revised January 26, 2012), http://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_pihg.pdf.
8 U.S. Department of Homeland Security, Handbook for Safeguarding Sensitive Personally Identifiable Information (March 2012), http://www.dhs.gov/xlibrary/assets/privacy/dhs-privacy-safeguardingsensitivepiihandbook-march2012.pdf.
The Privacy Act of 1974
The Privacy Act was passed in an era before electronic communications and databases were the norm at federal agencies. As such, the Act did not fully contemplate that multiple entities within the Executive Branch may use the same types of records or operate similar systems. Nonetheless, many of the concepts embedded in the original Act are flexible enough to permit similar records to be treated consistently, regardless of whether they are located at one agency or another. One example of this is the government-wide Systems of Records Notices (SORN), which was developed by the Office of Personnel Management to cover all personnel records across the Executive Branch and ensure that they are treated consistently. DHS employs a similar practice of treating like records consistently under the Privacy Act. For security personnel records, for example, DHS has a single SORN to ensure consistent treatment, regardless of which component maintains the record. DHS also has a single SORN for all Department contact lists regardless of the list’s location or format. The practices described above promote efficiency and Privacy Act compliance, while ensuring that the public understands how information is used and stored.
Privacy Committee of the Federal Chief Information Officers Council
One method to address modern challenges of implementing the Privacy Act is to share best practices among federal privacy officials. Formal Council-level bodies exist for many federal chief officers, including the Chief Financial Officers, Chief Information Officers, and Chief Human Capital Officers. Though no formal Council-level body exists for Chief Privacy Officers, I am proud to serve as Co-chair of the Privacy Committee of the Federal Chief Information Officers Council.
One example of how the Committee has benefited the federal privacy community at large is through its interagency training sessions. In the first year of the Administration, the Committee hosted a privacy training “boot camp” for new senior privacy officials to enhance their ability to promote privacy protection in their respective agencies. The Committee has shared additional knowledge and first-hand experience with the privacy community, including public stakeholders, through three plenary Summits and focused events on international privacy and other timely topics.
9 U.S. Department of Commerce, National Institute of Standards and Technology. Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53, Revision 4, Initial Public Draft (February 2012), http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf.
The efforts of the Privacy Committee and of the DHS Privacy Office benefit greatly from the support of this subcommittee and its members. Going forward, I am confident that the Department will continue to embed privacy and confidentiality protections throughout its programs and systems. I am happy to answer any questions you may have.