Cannon House Office Building
March 14, 2007
(Remarks as Prepared)
Chairman Harman, Ranking Member Reichert, and Members of the Subcommittee, it is an honor to testify before you today on advancing information sharing while safeguarding privacy within the Department of Homeland Security State and Local Fusion Center Program. I am particularly pleased to be appearing with my colleague, Dan Sutherland. As the Subcommittee knows, his office and mine have a statutory responsibility to work together to address privacy as well as civil liberties issues in an integrated and comprehensive manner.
I also serve as the Department’s Chief Freedom of Information Act (FOIA) Officer. In this role, I assure consistent and appropriate Department-wide statutory compliance and harmonized program and policy implementation. As you know, the three pillars of federal privacy law are the Privacy Act, the Freedom of Information Act, and the E-Government Act.
Prior to joining the Privacy Office, I served as the first Associate General Counsel for General Law at the Department of Homeland Security. Before joining the Department of Homeland Security, I served as the Associate Solicitor for General Law at the Department of the Interior. Therefore, I have had the honor of providing advice and counsel on freedom of information, privacy, and civil rights issues at two cabinet level agencies. As Associate General Counsel for General Law at DHS, Dan and my predecessor as Chief Privacy Officer, Nuala O’Connor Kelly, were my clients, which provided me with the opportunity to understand the issues both offices faced.
There are two other things I should mention. As the Chief Privacy Officer, I currently hold a policy position in the Department, so I limit my practice of law to the weekends, when I serve as a judge advocate in the Army National Guard, within the Legal Support Office, attached to the District of Columbia Army National Guard. Additionally, in my spare time I have been working on a master’s degree in National Security Studies through the Naval War College. My studies have aided me in understanding decision-making in the areas of homeland defense and security.
The Privacy Office
I am determined to continue the process of “operationalizing privacy” within the Department and its programs, a phrase described to this Subcommittee by Maureen Cooney, the Acting Chief Privacy Officer before my tenure.
To achieve this, the office forms close relationships with system owners and program managers, along with IT security officials, and senior DHS officials. By placing privacy into the program development and decision-making processes of the Department, we can ensure that DHS not only meets its legal requirements, but stands as a model of how privacy can complement and work with law enforcement and intelligence agencies.
As part of our ongoing operations, our Compliance group works with IT security, budgeting, procurement, and financial professionals Department-wide to complete privacy impact assessments, system of records notices, and other privacy documentation relevant to and required for DHS systems and programs.
State and local authorities have created 42 fusion centers around the country. Fusion centers blend relevant law enforcement and intelligence information analysis and coordinate security measures in order to reduce threats in local communities. They also represent a method for providing first responders with “actionable intelligence”; that is, information useful and relevant to the day-to-day mission of state and local law enforcement personnel. As of the end of FY 06, the Department of Homeland Security has provided more than $380 million to state and local governments in support of these centers.
Intelligence Officers from the Department of Homeland Security Office of Intelligence and Analysis currently work side by side with state and local authorities at twelve fusion centers across the country.
This number is about to grow. On September 12, 2006, Secretary Chertoff told the Senate Committee on Homeland Security and Government Affairs that, “Our goal is to have intelligence and operations personnel at every state and major metropolitan fusion center in the United States, sitting in the same room, sharing and analyzing information and intelligence in real time,” with a “two-way flow [of information], with every level of government pooling intelligence.”
This ramping up of fusion centers and the two-way information flow to accompany it will require additional effort and vigilance to ensure privacy rights are protected. As the DHS Chief Privacy Officer, I will strive to make sure privacy concerns are addressed at the beginning of the process, before information is collected and shared. This process begins, in my opinion, with a proposed fusion center utilizing the Department’s fusion center guidelines.
Privacy and the Fusion Center Guidelines
The Global Justice Information Sharing Initiative, the Department of Homeland Security, and the Department of Justice collaboratively developed and in August 2006 issued “Fusion Center Guidelines: Developing and Sharing Information in a New Era.” These guidelines are intended to ensure that fusion centers are established and operated consistently, resulting in enhanced coordination, strengthened partnerships, and improved crime-fighting and anti-terrorism capabilities. The document offers a comprehensive guide to the development and operation of fusion centers, as well as provides useful resources and document templates to facilitate implementation. I believe this is an excellent first step in ensuring fusion centers integrate privacy protection into their actions.
Implementing these fusion center guidelines provides an important first step in applying appropriate privacy protections as required under the “Guidelines to Ensure that the Information Privacy and other Legal Rights of Americans are Protected in Development and use of the Information Sharing Environment” – otherwise known as the ISE Privacy Guidelines – and is a major focus of the ISE Privacy Guidelines Committee (ISE/PGC), of which I am a member. In fact, the ISE/PGC already formed a working group to deal specifically with privacy issues surrounding the exchange of data with state and local entities. Since the fusion centers will be the primary mechanism for federal government information sharing with our state, local and private sector partners, the successful implementation of appropriate privacy policies will be a critical part of ensuring the success of the Information Sharing Environment.
Privacy concerns and methods of addressing them appear throughout the documents. Fusion Center Guideline 3, for instance, urges the inclusion of a privacy committee in the fusion center governance structure. The purpose of this privacy committee will be to “liaise with community privacy advocacy groups to ensure civil rights and privacy protection.” Fusion center governing bodies, moreover, are encouraged in this Guideline to collaborate with the Department of Homeland Security, including the Privacy Office, to establish their operating processes.
Fusion Center Guideline 5 urges fusion center partners to utilize memorandums of understanding (MOUs) to govern interactions between the participants, and commit the parties to the principles and policies of the fusion center. The guideline advises that adherence to privacy and security principles should be specifically addressed within all such MOUs. Where DHS shares personally identifiable information with fusion center partners, the Privacy Office will review and approve a Privacy Impact Assessment that covers the privacy and security controls that the MOU must address.
- Add introductory language that clearly states the privacy practices of the center;
- Describe the information collected and how the information is stored;
- Establish a common lexicon of terms for dealing with role-based access;
- Define and publish how the information will be used;
- Draft a clear, prominent, and understandable policy;
- Establish a business practice of notifying government agencies of suspected inaccurate data;
- Adhere to applicable state and federal constitutional and statutory civil rights provisions;
- Partner with training centers on privacy protection requirements and conduct periodic privacy security audits;
- Consult with the privacy committee (established pursuant to Guideline 3) to ensure that citizens’ privacy and civil rights are protected;
- When utilizing commercially available databases, ensure that usage is for official business and the information is not commingled with private sector data. To prevent public records disclosure, risk and vulnerability assessments should not be stored with publicly available data; and
- Determine if there are security breach notification laws within the jurisdiction and follow those laws, if applicable.
- What information is to be collected;
- How it will be stored, managed, and used;
- What means of individual access is available;
- What means of redress for informational errors has been provided; and
- What security is in place to protect the information.
The Privacy Office’s official guidance on the writing of privacy impact assessments to shepherd the different system programs safely through the privacy protection process serves as an appropriate addendum to the Fusion Center Guidelines.
Furthermore, it is often said that “security concerns become privacy problems.” Privacy protection principles are only meaningful if they exist in tandem with a robust security regime. Fusion Center Guideline 9 provides a framework for ensuring adequate security measures are in place. This includes, of course, security for facilities, data, and personnel. A fusion center’s Privacy Officer and Civil Rights Officer must have close working relationships with its Chief Information Officer as well as the Chief Security Officer.
As a whole, I believe these guidelines provide an invaluable resource for the principals to utilize when founding and operating a fusion center, and will also be helpful to me, as a member of the ISE Privacy Guidelines Committee, in monitoring how privacy is safeguarded in this crucial aspect of the Information Sharing Environment. The Fusion Center Guidelines encourage consideration of privacy interests from the very moment of formation – a critical step.
Privacy Office’s Review of the MATRIX Program
Information sharing, of course, is at the heart of fusion center activities. The Privacy Office has had an opportunity to review a pilot information sharing program among a number of state governments called MATRIX, the Multistate Anti-Terrorism Information Exchange. The program accessed only state-owned or publicly available records that were already available to law enforcement without a subpoena or court order. DHS became involved in the pilot in July 2003, when (what is now) Grants and Training entered a Cooperative Agreement with a non-profit entity to administer the project. The funding was intended to assist with testing the system for data analysis and integration of terrorist threats and other intelligence information, as well as to provide funding to establish user accounts for MATRIX participants and to create a secure website for each participating state to facilitate information sharing.
The Privacy Office reviewed the program following a request by the American Civil Liberties Union and published its findings in a report entitled, “Matrix Report – DHS Privacy Office Report to the Public Concerning the Multistate Anti-Terrorism Information Exchange (MATRIX) Pilot Project,” which is available on the Privacy Office website.
I thank the Subcommittee for this opportunity to testify. My office looks forward to working with the Department and our fusion center partners to ensure they maximize their effectiveness by establishing sound privacy practices.
I look forward to hearing my colleagues’ testimony and to answering your questions.