Privacy officers want to go public

Secure information sharing is their goal

It's not that all information sharing is evil and wrong.'

'Barbra Symonds, IRS

(Updated) WILLIAMSBURG, VA.'Federal privacy officers want to move beyond the policy enforcement role they gained under the 2002 E-Government Act and other laws to position themselves as promoters of their agencies' IT missions.

A panel of privacy specialists at last week's Interagency Resources Management Conference discussed how privacy officers' jobs have evolved along with IT managers' understanding of the issues.

Panelists said federal privacy officers shouldn't be typecast in the role of Dr. No, a villain in Ian Fleming's James Bond novels.

Barbra Symonds, director of the IRS' Office of Privacy and Information Protection, and Jim Dempsey, policy director of the Center for Democracy and Technology, described different ways privacy officers can shed the naysayer stereotype.

'I like to call us the friendly auditors,' Symonds said. She emphasized the need to convince IT officials to build privacy controls into systems as they are being developed.

Symonds added that when she talks to private companies that build the software taxpayers use to file tax returns, she emphasizes that they can use their systems' privacy features as a selling point.

'It's not that all information sharing is evil and wrong,' Symonds said. She added that privacy officers can help system designers improve privacy controls by limiting the information shared with a particular group to data they really need.

Kenneth Mortenson, the privacy officer at the Homeland Security Department, described how his agency's privacy operation has shifted to an operational role from the policy advisory function carried out by former privacy officer Nuala O'Connor Kelly.

'We are working to ensure that technology sustains privacy and does not erode it,' Mortenson said. He noted that the right to privacy is not an absolute right, just as the freedom of speech guaranteed by the Constitution is not an absolute right.

Mortenson's office has developed a template for program managers to use as they build privacy controls into their systems. DHS also has evaluated the privacy effects of national security systems and intelligence systems, Mortenson said. The department is looking to attain a situational awareness of privacy issues in the department, similar to the situational awareness that military organizations develop, he said.

Dempsey noted that authentication is one of the most difficult problems for privacy policy specialists'in some cases, there is a need for 100 percent authentication, while in other matters it is important to preserve anonymity.

Dempsey described a recent situation in which one of the companies he deals with personally asked for the last four digits of his Social Security number to authenticate a transaction. While he has at times proposed that Social Security numbers be made public because they are in fact not secure information, he also said, 'The individual retains an interest in how [personal] information is being shared.'

Federal privacy officers can serve as advocates within their agencies to help IT program managers ask the appropriate questions as they design systems, Dempsey added.

Studies this summer

He said his organization is set to publish a new set of studies on privacy policy July 13 that will amplify and refine its analysis of the issues.

In response to a question about how officials in small agencies can learn to comply with federal privacy law and policy, Symonds noted that the Treasury Department's Web site includes a privacy policy guide, and the Defense Department has posted 'Privacy 101' and 'Privacy 201' documents online.

She added that the IRS has been successful in suppressing the pesky 'cookies' that federal Web page policies shun. But about a year-and-a-half ago, when she was with the Veterans Affairs Department, IT managers found instances in which third parties unwittingly appropriated the Web beacons in VA code when they borrowed VA's images.

Web beacons are small images, often transparent, that can be placed on a Web page or e-mail to track site visitors.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above