@Info.Policy: HSD's privacy officer has a tough job ahead

Robert Gellman

Last year's law establishing the Homeland Security Department has some intriguing privacy provisions. The most visible requires a senior official to assume primary responsibility for privacy policy'the first statutory privacy office in any federal agency.

Nuala O'Connor Kelly was named to the job last month.

On paper, HSD's privacy officer has great authority. One of her duties is to assure that the use of technology sustains, and does not erode, privacy protections relating to the use, collection and disclosure of personal information.

I don't have a clue how anyone can make sure that technology supports privacy. Still, it might help if the privacy officer is involved when decisions are made.

Another responsibility is to assure that personal information is handled in full compliance with fair information practices as set out in the Privacy Act of 1974. As every agency must comply with the act, this provision looks like statutory filler.

Privacy laws in the European Union and just about every other country reflect fair information practices. The express congressional recognition that the Privacy Act reflects fair information practices is a step, albeit the smallest possible one, toward recognition of international norms.

HSD's privacy officer must also prepare an annual report. Annual reports from privacy offices in other countries have provided significant opportunities for waving the privacy flag. It remains to be seen whether Kelly will have a free hand in drafting a report.

Elsewhere, the act gives the department considerable authority to obtain information from other agencies. The secretary'but, interestingly, not the privacy officer'must develop procedures for sharing data. Specific requirements include limiting redissemination, ensuring security, and protecting the constitutional and statutory rights of data subjects. These requirements add little to existing obligations, but the sentiments are nice.

I am more intrigued by the language mandating timely removal and destruction of obsolete or erroneous names and information. I have long believed that erasing data is an effective solution to many privacy concerns. Much depends, of course, on just what you think is obsolete or erroneous.

Can the privacy officer succeed? Much will depend on the secretary's tolerance as well as the privacy officer's aggressiveness. I am tempted to say that we can tell whether she is doing a good job only if she is fired, but that is an unfair test.

A privacy officer can be effective, but probably not in an overly visible way. The sweet spot is somewhere between being an apologist and being a vocal and independent critic. Finding the right balance is a challenge, but not an impossible one.

No matter what happens at HSD, I expect to see other statutory privacy offices established in other agencies over time. Congress loves symbolic responses to hard problems.

Robert Gellman is a Washington privacy and information policy consultant. E-mail him at rgellman@netacc.net.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above