@Info.Policy: Hill's new privacy requirement is a waste

Robert Gellman

Rather than demand new audits, lawmakers should revise the Privacy Act

There's a major new legislative development on federal privacy, but a key provision is not likely to help agencies or improve privacy much.

The fiscal 2005 omnibus appropriations bill included a requirement that each agency have a chief privacy officer. This provision originated in Section 522 of the Treasury, Transportation and General Government part of the bill. Sen. Richard C. Shelby (R-Ala.) is the suspected author.

I have a lot to say about Section 522, and some of it will spill over into another column. I don't want to focus on the CPO provision itself today.

What I am a bit outraged about is the accompanying language that directs each agency to have an independent review of its use of identifiable information.

The review must be conducted at least every two years. The inspector general of each agency is obliged to contract with an outside organization that is a 'recognized leader' in privacy consulting and other matters, including global privacy.

This means, for example, that the Marine Mammal Commission needs to hire an expert in global privacy to audit its five systems of records. That's a bit silly, to say the least. For a large agency, such an audit could cost millions.

Where did the audit provision come from? I don't have any evidence, but I can make an educated guess. Who benefits from it? It isn't the agencies. The privacy community didn't ask for the audit. The IGs must hate it. I haven't heard that the Office of Management and Budget wanted it.

The only beneficiaries are large government consulting companies.

One of the secrets of the privacy consulting business is that large audit businesses aren't doing well with their privacy practices. Contracts for privacy work worth more than $500,000 are rare. My suspicion is that one of those companies wrote the provision and took it to Shelby or his staff. The provision is filled with detailed audit language.

Given that I am a privacy consultant, you might ask if I could benefit from the provision.

I have expertise in global privacy and the other skills, but I don't compete with big businesses for large contracts. I am a one-man band surviving on small projects and occasional work from small agencies.

So why am I objecting? While it is nice to see congressional interest in privacy, the audit requirement is a notable waste of taxpayer money.

Privacy needs more attention, but spending large sums on audits isn't likely to help much. We need better compliance, but there are better ways. What we really need is a revision of the Privacy Act of 1974 to address gaps in privacy regulation.

Before Section 522 even became law, Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, introduced a bill (H.R. 5424) to repeal it. Davis objected to the Appropriations Committee legislating on his turf. Because of that controversy, as well as the cost and absurdity of the audit language, I suspect that agencies won't begin implementation soon.

Robert Gellman is a Washington privacy and information policy consultant. E-mail him at rgellman@netacc.net.
