
Testimony of Maureen Cooney, Acting Chief Privacy Officer, U.S. Department of Homeland Security before the Committee on the Judiciary Subcommittee on Commercial and Administrative Law United States House of Representatives

Release Date: 05/17/06 00:00:00

Rayburn House Office Building
May 17, 2006
(Remarks as Prepared)

Chairman Cannon, Ranking Member Watt, and Members of the Subcommittee, I am delighted to be back before you today to discuss Privacy in the Hands of the Government as it pertains to activities of the Department of Homeland Security and the efforts of the Privacy Office.  Building privacy attentiveness into the very sinews of our still young agency is a responsibility that we take seriously at DHS.  

In the eight months that I have served as Acting Chief Privacy Officer, within the Privacy Office we have continued to develop and operationalize privacy policy for the Department, consistent with our statutory mission in Section 222 of the Homeland Security Act and with support and partnership throughout the Department.  And as I hope the following testimony will demonstrate, we have been actively implementing our statutory responsibilities as part of the larger mission of the Department.  By ensuring that the Department's programs, policies, personnel, and technologies account for and embrace fair information principles -- the use of personal information for legitimate, tailored, and sound purposes -- the Privacy Office has worked to enhance public trust in the Department and to ensure the protection of an essential right of our people.  

My predecessor, Nuala O'Connor Kelly, testified before this Subcommittee in February 2004, and outlined the first year activities of the DHS Privacy Office.  I would like to update the Subcommittee on our continued work since that time and our plans for future initiatives.  

The Privacy Office has focused on making privacy an integral part of DHS operations.  We often use the phrase "operationalizing privacy" to describe these efforts.  We want DHS personnel to think about privacy every time they consider the collection, use, maintenance or disclosure of personally identifiable information.   Our efforts to operationalize privacy have encompassed a number of activities.

Operationalizing Privacy through Compliance

One way to operationalize privacy is to ensure that DHS is fully compliant with statutory privacy requirements and the DHS Privacy Office has been actively engaged in this effort.  

In my previous appearance before the Subcommittee, which focused on the use by the government of data from information resellers, I outlined for the Subcommittee how we have used the E-Government Act of 2002's requirement that Privacy Impact Assessments be conducted for new or substantially revised information systems to make sure that privacy is built into DHS programs and that there is transparency about the types of information used by DHS as well as the purposes for which the information is used.  PIAs are fundamental in making privacy an operational element within the Department and we have fully utilized this tool to embed privacy as part of DHS operations.

To do this, we have updated and refined our guidance on conducting Privacy Impact Assessments and have distributed it widely both internally to DHS offices and programs and externally to other agencies.  Along with the guidance, we also have issued a template for DHS offices to follow in drafting Privacy Impact Assessments.  We have fully utilized our Privacy Office website for transparency purposes and have posted these documents so that the public is also aware of our guidance.

"Imitation is the sincerest form of flattery," according to an old expression, and I am happy to report that the DHS Privacy Office's PIA Guidance has served as the basis for other agencies' PIA activities.  For example, our PIA template served as the basis for a model PIA for HSPD-12 (Common Identification Standards for Federal Employees) implementation, which was distributed by the Office of Management and Budget through its Interagency Privacy Committee.  In addition, other federal agencies have requested to liberally borrow the guidance and we are happy to be able to share it and to add to government efficiency and harmonization of approaches to privacy in the government space.

In addition to requiring that DHS programs conduct Privacy Impact Assessments for new or substantially revised programs, privacy is one of the issues that must be addressed before funding is awarded to a program that involves the collection, use and maintenance of personally identifiable information. The Privacy Office provides significant support to the DHS Office of the Chief Information Officer (OCIO) in the budget process by ensuring that all proposed spending on information technology investments that involve personally identifiable information meets privacy requirements.   Not only are our programs required to complete a Privacy Threshold Analysis, which helps us to determine whether a full Privacy Impact Assessment is necessary, but funding for DHS programs through the budget process cannot go forward without program compliance with privacy mandates.  The DHS Privacy Office therefore has a strong "stick" to accompany the "carrot" of funding to ensure that privacy becomes operationalized in DHS programs.

Privacy compliance reviews are another important tool for operationalizing privacy into DHS programs, and during this past year, the Privacy Office undertook the first privacy review of what we expect to be many when we analyzed compliance by the U.S. Customs and Border Protection (CBP) with its Passenger Name Record (PNR) Undertakings.   These Undertakings were provided by CBP to the European Commission in order to demonstrate that CBP has adequate privacy protocols in place to protect personally identifiable information as a condition precedent to receiving PNR information about European airline passengers.   Based on the Undertakings, the EU agreed to share passenger name record information with CBP in order to fight terrorism and other serious crimes as well as to facilitate transatlantic travel.  

The Privacy Office's compliance review consisted of a full analysis of CBP policies and procedures, interviews with key managers and staff who handle PNR, and a technical review of CBP systems and documentation.  This compliance review occurred over a several-month period and as a result of changes recommended by the Privacy Office or made unilaterally by CBP, we were able to conclude that CBP achieved full compliance with the representations it had made in the Undertakings.  This finding was the primary factor in the ability of the Privacy Office to conclude a successful joint review, with representatives of the EU, of CBP's compliance with the US-EU PNR Agreement.

We conducted a different kind of compliance review when we examined the use of commercial data by the Transportation Security Administration (TSA) in connection with the Secure Flight Program after privacy concerns were raised by the Government Accountability Office.  We analyzed whether TSA's public notices about this use of commercial data for testing purposes matched the actual test protocols and made recommendations as a result of this review.  The Privacy Office continues to work closely with TSA to implement privacy statutory requirements and best practices in the design and implementation of this as well as other TSA screening programs.

In compliance with the requirements of the Computer Matching and Privacy Protection Act, as amended, the Privacy Office established a Privacy and Data Integrity Board to approve matching agreements undertaken by DHS components, as required by law, and to weigh in on privacy policy issues of interest and concern to the Department.  Our Board held several meetings at which we discussed ideas for responsible information handling, and the Board was instrumental in assisting the Privacy Office in completing several required reports.

Ensuring publication of appropriate Privacy Act systems of records notices (SORNs) rounded out the Privacy Office's compliance activities.   These notices, in fact, necessarily are a regular and ongoing part of the Privacy Office's work and of our statutory obligation to ensure that the Department maintains personally identifiable information in conformity with the requirements of the Privacy Act.

Operationalizing Privacy Through Education

A significant way to increase privacy awareness and ensure that it is embedded in DHS is through education and training.  The Privacy Office trains all new DHS employees as part of their overall orientation to the Department.  We continue to develop, moreover, more robust training courses to be provided to all DHS employees and contractors to augment their privacy background and to raise awareness and sensitivity about the importance of the respectful use of personal information by the Department.  And we have conducted training on Privacy Impact Assessment requirements for individual DHS offices, information technology managers, business managers, and systems analysts.  Establishing the lines of communication between DHS personnel and our office through these training programs helps us to get our message across and helps employees to be sensitized to proper information handling techniques.  

Our component privacy officers also make sure that employees in our components and offices are provided robust privacy training.  I would be remiss, in fact, if I didn't emphasize the close collaboration and rapport our office has with other privacy officers in the Department, who were installed at our urging and who help the DHS Privacy Office carry out our important work.

In addition to our general education and training programs, the Privacy Office has conducted two workshops intended to raise privacy awareness among DHS personnel as well as the public.  These workshops have drawn subject matter experts together to discuss privacy issues raised by homeland security programs.  The issues we have explored are both relevant and topical.   We have posted both transcripts and summaries of our activities on our website.

I mentioned in my April 4, 2006 testimony before this Subcommittee that we had conducted a workshop on the government's use of commercial data for homeland security purposes.  The objective of that workshop was to look at the policy, legal and technology issues associated with the government's use of commercial data in homeland security programs.  Just last week our Privacy and Data Integrity Board held preliminary discussions on development of a policy regarding the use of commercial data by DHS, and the information we gleaned from our workshop will be helpful as we move forward on this vital issue.  

Last month, we conducted another workshop on the use of personal information by the government and how we can achieve transparency and accountability.  This workshop sparked discussions about the utility of privacy notices to accomplish transparency and how those notices can be written in a way that is comprehensible while it is also comprehensive.  We also discussed the utility of the Freedom of Information Act for fostering accountability through access to information about individuals that is maintained by the government.  We were fortunate to have several panel members from other nations who could contribute a global perspective on this issue.  Again, the workshop complemented our internal training efforts to raise privacy awareness and also served an important educational function to improve public understanding of DHS programs.

Information Sharing and Outreach

Information sharing has become a significant focus of the DHS Privacy Office.  The Intelligence Reform and Terrorism Prevention Act established requirements for an information sharing environment.  This legislative mandate augmented Executive Orders and Homeland Security Directives issued by President Bush all aimed at fostering a climate of robust exchanges of terrorism related information in a privacy sensitive manner.  Executive Order 13356, for example, directed all departments and agencies to enhance the interchange of terrorism-related information within the Federal government and between the Federal government and appropriate authorities of state and local governments.  The DHS Privacy Office led the effort to integrate privacy protections into the planning process supporting the implementation of this Executive Order.  

Similarly, the DHS Privacy Office led the effort within DHS to integrate privacy protections at the earliest stages of implementing HSPD-11, a Presidential directive that concerns terrorist-related screening procedures. Within DHS, moreover, the Privacy Office has supported the work of the Information Sharing and Collaboration Office (ISCO), which was established to lead the creation of a DHS information sharing environment.  The Privacy Office provided both resources and guidance to ISCO to help create a set of business rules for sharing personal information in a way that minimizes privacy intrusions while maximizing use of the data for homeland security purposes.

The Privacy Office also participated in a number of interagency activities designed to foster inter-agency exchanges of information on privacy technologies and other privacy issues.  We chair, for example, the Social, Legal and Privacy Subgroup of the National Science and Technology Council's (NSTC) Subcommittee on Biometrics. Established by Executive Order, NSTC is the principal means by which the President coordinates science, space, and technology policy across the government.  NSTC's Subcommittee on Biometrics has examined issues related to the development and use of biometric technologies in the Federal government and the Social, Legal and Privacy Subgroup was responsible for developing a rich, centralized repository of information about the social history of biometrics, the legal framework that applies to the collection and use of biometrics, and the privacy principles that should govern the responsible use of this technology.  Analysis of this repository and actual implementations resulted in a paper that connects privacy and biometrics at a structural level so that both fields can be understood within a common framework, thus enabling federal agencies and public entities to implement privacy-protective biometric systems.  

We have also begun coordinating with the White House's Privacy and Civil Liberties Oversight Board on information sharing and other relevant issues.  Through this work, the DHS Privacy Office is able to foster interagency cooperation, coordination and collaboration on privacy matters.

The Privacy Office has also reached out to experts in the private sector to help us understand programmatic, policy, operational and technology issues that affect privacy, data integrity, and data interoperability.  To that end, in April 2004, the Department chartered the Data Privacy and Integrity Advisory Committee (DPIAC) under the authority of the Federal Advisory Committee Act to provide an external and expert perspective to the Secretary and Chief Privacy Officer.  The DHS Privacy Office provides administrative and managerial support to the DPIAC.  In return, the Committee has provided significant advice to the Chief Privacy Officer and the Secretary on important privacy considerations.  The Committee offered its recommendations on TSA's Secure Flight Program, which have helped the DHS Privacy Office to formulate its own advice on this significant initiative.  The Committee also provided guidance on the Use of Commercial Data to Reduce False Positives in Screening Programs, which will help inform any final policy that the Privacy Office recommends on this important topic.  We expect to continue to get advice from the Committee on other issues of interest to the Department.

International Initiatives

Because the work of the Department is both national and international in scope, the work of the DHS Privacy Office is equally broad.  The primary goal of the DHS Privacy Office's international activities has been to convey to the global community the importance of fair information practices to our office, the Department and the nation.  We have devoted significant resources to working with programs in multilateral global forums, such as the OECD, as well as region-centric international organizations such as the Asian Pacific Economic Cooperation forum (APEC).  In addition, of course, the Privacy Office works with the European Union and on issues raised by the Joint Supervisory Body representatives of Europol and Eurojust.

We have had substantial input on a number of international privacy initiatives, including the Enhanced International Travel Security Initiative (EITS), under the leadership of DHS's Science and Technology Directorate and US-VISIT, and real-time sharing of lost and stolen passports in a way that properly protects privacy, through an APEC-sponsored initiative known as the Regional Movement Alert List.  The Privacy Office also works more generally within international organizations to shift the international privacy dialogue away from conflicting laws to compatible privacy principles in order to foster information sharing for homeland security and other necessary purposes.  Our work has been helpful in improving international opinion regarding the United States Government's attention to privacy principles in the design and operation of information systems.

Future Activities

As I hope the foregoing demonstrates, the DHS Privacy Office takes a comprehensive approach to its statutory mission and has worked on a wide range of initiatives to ensure that privacy policy concerns are part of the necessary dialogue on the development and implementation of homeland security programs.  We have been fortunate that Congress has provided funding to allow us to expand our staff of dedicated privacy professionals whose credentials rival those of anyone in the government or the private sector.  And we are energized as we look ahead to some future activities.

We recently completed a draft of a report on data mining, which is required by the 2005 DHS Appropriations Act, and we expect to continue our study of data mining programs at the Department in the coming year.  Data mining can be a useful and important tool in the war against terrorism, and we are committed to ensuring that this technique is used responsibly and appropriately at DHS.

We have already planned our next privacy workshop to focus on Privacy Impact Assessments.  This timely session will enable DHS program officers to comply with the privacy requirements necessary for approval of their funding requests.  We are also finalizing arrangements for the next DPIAC meeting, which will be held in California, and which will focus on expectations of privacy in public spaces and the use of RFID technology, two issues that have significant ramifications for Departmental activities.  

We plan to work closely with the OCIO to build privacy protections into every system across DHS, and we intend to collaborate with the Science and Technology Directorate to add privacy protections to the approval process for new homeland security research initiatives.  

Because they are our "bread and butter" issues, the DHS Privacy Office will also continue to work to ensure that individual programs sustain and enhance privacy protections through strict compliance with the PIA and SORN requirements of federal law.  We will continue to refine our privacy guidance and enhance our privacy training initiatives to foster a culture of privacy awareness within the agency.  
We expect to complete development of a policy for the respectful and appropriate use of commercial data for homeland security purposes.  And we anticipate that in the international arena, we will continue to be an important voice for the development of privacy-appropriate cross-border information sharing policies.

Thank you for the opportunity to share the accomplishments of the DHS Privacy Office and to demonstrate, through this testimony, the importance of privacy "in the hands" of the Department of Homeland Security.  We appreciate the support this Subcommittee has given to our office and look forward to working with you on matters of mutual interest and concern.

###

This page was last modified on 05/17/06 00:00:00