
Testimony of Hugo Teufel III, Chief Privacy Officer, U.S. House of Representatives Committee on Appropriations, Subcommittee on Homeland Security

Rayburn House Office Building
(Remarks as Prepared)
March 21, 2007

Chairman Price, Ranking Member Rogers, and Members of the Subcommittee, it is an honor to testify before you today.

Because this is my first time appearing before the Subcommittee, I would like to introduce myself. I was appointed Chief Privacy Officer of the U.S. Department of Homeland Security by Secretary Michael Chertoff on July 23, 2006. In this capacity and pursuant to Section 222 of the Homeland Security Act of 2002, 6 U.S.C. § 142, my office has primary responsibility for privacy policy at the Department. I also serve as the Department's Chief Freedom of Information Act (FOIA) Officer. In this role, I assure consistent and appropriate department-wide statutory compliance and harmonized program and policy implementation.

Prior to joining the Privacy Office, I served as the first Associate General Counsel for General Law at the Department of Homeland Security. Before joining the Department of Homeland Security, I served as the Associate Solicitor for General Law at the Department of the Interior. Therefore, I have had the honor of providing advice and counsel on freedom of information, privacy, and civil rights issues at two cabinet level agencies. As Associate General Counsel for General Law at DHS, Dan and my predecessor as Chief Privacy Officer, Nuala O'Connor Kelly, were my clients, which provided me with the opportunity to understand the issues both offices faced.

There are two other things I should mention. I currently serve as a judge advocate in the Army National Guard, within the Legal Support Office, attached to the District of Columbia Army National Guard. Additionally, in my spare time I have been working on a master's degree in National Security Studies through the Naval War College. My studies have aided me in understanding decision-making in the areas of homeland defense and security.

The Privacy Office

The responsibilities of the Privacy Office are set forth in Section 222 of the Homeland Security Act of 2002, as amended. They are: (1) assuring that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information; (2) assuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as set out in the Privacy Act of 1974; (3) evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government; (4) conducting a privacy impact assessment of proposed rules of the Department on the privacy of personal information, including the type of personal information collected and the number of people affected; (5) coordinating with the Officer for Civil Rights and Civil Liberties to ensure that programs, policies, and procedures involving civil rights, civil liberties, and privacy considerations are addressed in an integrated and comprehensive manner and Congress receives appropriate reports on such programs, policies, and procedures; and (6) preparing a report to Congress on an annual basis on activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 1974, internal controls, and other matters.

Additionally, the Privacy Office has other general statutory and policy-based responsibilities, including implementation of Section 208 of the E-Government Act and serving as the primary point of contact for DHS in connection with the development of privacy policy connected to the implementation of the Information Sharing Environment (the Chief Privacy Officer serves as the DHS Information Sharing Environment Privacy Official) as set forth in Guideline 5 of Executive Order 13388.

The office is structured into two functional components: privacy and freedom of information.

Privacy Responsibilities

The privacy component is structured to carry out its statutory and policy-based responsibilities in a collaborative environment, to ensure all privacy issues receive appropriate coverage. It is broken into four divisions: Compliance; International Privacy Policy; Legislative and Regulatory Affairs; and Technology. Each division is led by a director.

The majority of tangible work product comes from the Director of Privacy Compliance and her staff. Programmatic responsibilities for Compliance include all privacy impact assessments (PIAs) and system of records notices (SORNs). Additionally, Compliance assists on investigations into possible data breaches.

As part of the compliance process, the Privacy Compliance Group works with a number of existing DHS-wide programs to ensure that privacy is integrated into the Department. In particular, we review all OMB-300 budget submissions to determine whether privacy has been appropriately addressed with new and existing programs. During the FY 08 budget process, the Privacy Compliance group failed four investments because of insufficient privacy protections and privacy documentation. The Privacy Compliance group is now working with the failed programs to embed privacy into their development and operation to provide appropriate protective measures.

In addition to the budget process, the Privacy Compliance team has incorporated its requirements into the security process through the certification and accreditation (C&A) process required under the Federal Information Security Management Act (FISMA). The Privacy Office developed the Privacy Threshold Analysis (PTA) document which has allowed the Privacy Office the opportunity to review all IT systems that are going through C&A and determine whether the system collects, uses, disseminates, or maintains personally identifiable information, and if so whether a PIA or SORN is required. The PTA has been a key tool in allowing us to scope how many systems have PII and how many need documentation. To date, the Privacy Office has reviewed 684 of the total 764 IT systems. Of the remaining 80 systems, we are actively working with the programs on 78 to complete the PTAs.

Of the 684 IT systems reviewed, we have identified 527 that maintain personally identifiable information. Only 258 of these systems require PIAs, however, because the E-Government Act does not require PIAs on National Security Systems or systems with information about federal employees and contractors. To date we have published PIAs to cover 71 of those 258 IT systems.

A key goal for Compliance over the next year will be updating the various operational components' SORNs to reflect their status as components of DHS. The U.S. Coast Guard and U.S. Citizenship and Immigration Services are the first two components to revise their legacy agency-era SORNs.

The Director of International Privacy Policy works to ensure the protection of individuals' personal information that may be shared with the Department's international partners. As such, the Director provides advice on information sharing opportunities with international partners needed to protect U.S. borders while respecting privacy; counsels DHS leadership on global challenges in privacy; engages in dialogue with international privacy bodies such as the Organization for Economic Cooperation and Development, the European Union, and the Asia Pacific Economic Cooperation (APEC) group, as well as bilateral partners; and serves as a point of contact for privacy questions from international partners. In addition, he assists the office in understanding the myriad privacy issues and their complexities within the international arena and works with other parts of the Department, including the Policy Directorate, to represent the Privacy Office in international areas impacting on the Department.

The Director for Legislative and Regulatory Affairs is responsible for addressing the statutory responsibility of evaluating legislative and regulatory proposals involving collection, use, and disclosure of personal information by the federal government. The review of current privacy legislation and regulatory activity throughout the federal government and, in fact, throughout any government, including state and local as well as international, is essential given the interactive nature of the Department's mission. Additionally, the Director for Legislative and Regulatory Affairs serves as the Executive Director for one of the Department's advisory committees, the DHS Data Privacy and Integrity Advisory Committee (DPIAC), for which he coordinates the interaction between the Department and Committee, including organizing the Committee's quarterly meetings, arranging meetings between the Committee members and appropriate DHS officials to understand agency operations and policy, and administering the operations of the Committee. He is also the Secretary for the internal Data Integrity Board, which is required under the Privacy Act for the agency review of all computer matching agreements entered into by the Department. Finally, he serves as a liaison for the Privacy Office to the DHS Inspector General and the General Accountability Office.

The Director of Privacy Technology, who assists with the technical review and understanding of programs and systems throughout the Department, performs five discrete roles for the Privacy Office. First, he provides investigatory and analytical evaluations on privacy sensitive and privacy enhancing technologies for use by the Department. This includes providing subject matter expert advice on privacy and technology issues through participation on multiple boards, working groups, and committees both internal and external to the Department. Second, he provides representation for the Privacy Office in the technology alignment process of the Department as the privacy subject matter expert. Third, he provides technology analysis for Privacy Office compliance process operations, including the integration of technological developments into the understanding of the Privacy Threshold Analysis and PIA. Fourth, he provides privacy expertise as the Privacy Office interface to DHS Office of the Chief Information Officer and DHS Science & Technology Directorate. Lastly, he provides strategic technology coordination for the Privacy Office.

FOIA Responsibilities

The FOIA side of the office is divided into two functional areas: Disclosure and FOIA Operations, and the Disclosure and FOIA Program Development. Each of these functional areas reports to me through the Deputy Chief Freedom of Information Act Officer. I created this position to assure vigorous disclosure program oversight and absolute statutory compliance within all of the DHS offices and components.

The Deputy Chief FOIA Officer also performs the supervisory functions carried out by the former Director of Departmental Disclosure, who leads the headquarters FOIA operation and team.

I also added two FOIA subject matter experts to the office. The first, the Associate Director for Disclosure and FOIA Operations, administers the headquarters request processing, multi-component request coordination, and component backlog recovery plan development. The second, the Associate Director of Policy and Program Development, is responsible for disclosure policy development, technology improvements, education, and training. Within the components, FOIA officers are responsible for compliance with DHS FOIA policy guidance and operationally determining whether to establish a centralized or decentralized FOIA program at the component or office level. However, the Associate Director of Policy and Program Development is responsible for developing disclosure policy and ensuring Department-wide compliance. In addition, the position develops specialized FOIA training for FOIA professionals and DHS employees, assures the DHS FOIA website is updated on a regular basis, and resolves FOIA requesters' concerns.

Other Responsibilities

The last two goals of the statutory responsibilities of the Privacy Office require (1) coordination with the Office of Civil Rights and Civil Liberties given the close ties of privacy to the underlying equities of that office and (2) reporting to Congress, including the Privacy Office Annual Report. To support these, the Privacy Office employs two senior policy advisors with a broad range and many years of privacy expertise to navigate the office through the development of policy effectuating appropriate privacy policy and protections within the scope of the mission of the Department.

The FY 08 Request

The President's FY 08 budget request of $5.122M would increase the Privacy Office's current year budget by $675,000. This increase breaks down as follows:

  • Adjustments to base $137,000
  • Additional Staff $501,000
  • Program increases $38,000

The $137,000 adjustment to base will allow the Privacy Office to continue providing the same level of services as in the current year. The $501,000 requested would fund an increase of seven positions within the Privacy Office. Currently, the office has 16 full-time federal employees and 10 full-time contract employees. If the staffing projections contained in the FY08 budget request are funded fully, there will be 14 FTEs addressing privacy issues and 6 FTEs addressing freedom of information issues, to include FOIA and Privacy Act requests and appeals, and FOIA policy and regulations.

Both the privacy and FOIA sides of the office have experienced significant growth over the four years of the office's existence. Thus, on the privacy side, additional positions are needed in order to conduct the increasing number of PIAs, SORNs, and internal privacy audits, as required under the E-Government Act and Homeland Security Act. As such, the resources currently allocated to the Privacy Office must be increased sufficiently to match the expanded reach and operation of both of the Privacy Office's functions.

On the FOIA side, the additional positions will provide the necessary support to administer a sufficiently compliant FOIA program, which the Department now lacks. With contractor support, the Privacy Office was able to clear up our own FOIA backlog in less than one year. Now it is time for the Privacy Office to turn its attention to the department-wide backlog. Extra staff will ensure the office will be able to facilitate this without sacrificing our other responsibilities.

The $38,000 requested for program increases will fund additional travel. This will allow the Privacy Office to continue expanding its mission to provide international awareness and outreach, to expand working with the DPIAC, and attend various privacy and FOIA events across the nation.

Each of these is critical. The global mission of the Privacy Office is growing. In order to support current DHS initiatives like the Western Hemisphere Travel Initiative, Regional Movement Alert List, and the Identity Theft/Data Protection initiatives, my office will need to establish new relationships with our counterparts in India, South Africa, additional countries within the Asia Pacific Economic Cooperation forum, and in a number of South American countries.

Participation with the DPIAC will also require additional travel. The members of this committee have diverse expertise in privacy, security, and emerging technologies. Together they provide invaluable recommendations and advice to the Secretary and Chief Privacy Officer on programmatic, policy, operational, and technological issues that affect privacy, data integrity, and data interoperability in DHS programs. We try to hold these meetings at locations across the nation. This permits transparency and public participation for citizens outside the Washington Beltway.

Additionally, travel money will support Privacy Office training and education to ensure that Privacy Office members can attend important events not only in DC and close to home, but wherever they may be held. All privacy members of the Privacy Office, including the Chief Privacy Officer,¹ sit for the accreditation examination of the International Association of Privacy Professionals (IAPP) to receive both the Certified Information Privacy Professional (CIPP) accreditation and the Government privacy accreditation (CIPP/G). In addition to the examination preparatory course, the maintenance of the CIPP and CIPP/G accreditations requires each member of the Privacy Office to participate in at least ten (10) hours of continuing professional education in the privacy field each year.

In support of the continuing education, the Privacy Office budgeted $1,600 per member of the Privacy Office for training, which each member is encouraged to use to the fullest in order to ensure their privacy skills are kept up to date.

In addition to participating in educational programs, the Privacy Office maintains a high level of awareness of the current state of privacy law and policy through the development and operation of educational programs and the workshops hosted by the Privacy Office. The pedagogical effects of training and workshops are effective for not only the participants and audience, but for the trainers and presenters as well, and these activities help promote growth in the Privacy Office's knowledge and understanding of the privacy issues that need to be addressed.

Finally, the Privacy Office stands ready to address the next set of challenges. The Department's privacy program was just reviewed by the Government Accountability Office, for instance. And although the report has not been published yet, our conversations with the audit team suggest they will recommend that the Privacy Office begin developing department-wide policies on privacy protections appropriate for (1) the various uses of Radio Frequency Identification within the Department; and (2) the uses of personally identifiable information within the Information Sharing Environment. With the FY 08 funding in place, my office stands ready to examine these and other issues, without sacrificing our other responsibilities.

Conclusion

I thank the Subcommittee for this opportunity to testify about the Privacy Office, our mission, and our priorities for the coming year.

I look forward to hearing my colleagues' testimony and to answering your questions.

###

¹ Chief Privacy Officer - The Privacy Officer is a political appointee. Pursuant to 5 U.S.C. § 5757, appropriated funds may not be used to cover the costs of certification for appointed officials. Accordingly, the Privacy Officer covered the costs of his certification out of pocket.

This page was last modified on June 18, 2007