@Info.Policy: Will privacy officers really protect privacy?
- By Robert Gellman
- Feb 02, 2005
Protecting personal info is a laudable goal, but as often happens with laws, the devil's in the details
Did Congress need to mandate the creation of chief privacy officers in agencies?
The idea of more privacy officers is attractive from a policy perspective because privacy needs more attention and because having the officers at some agencies will be useful. But the requirement in the fiscal 2005 omnibus appropriations bill goes a bit too far.
In an earlier column, I addressed the law's requirement for a wasteful independent biennial privacy audit.
The provision demanding that all agencies establish chief privacy officers has problems, too.
The first is that the law sets impossible goals. Privacy officers must assure that technology sustains and does not erode privacy protections. How can anyone assure that technology doesn't erode privacy protections? It sounds great, but it's an impossible mission.
Would you like to be responsible, for example, for assuring the Internet sustains and does not erode privacy? With a standard like that, the Internet might never have gotten out of the starting blocks.
In any event, agencies must use technology for legitimate and essential purposes, and some of those uses erode privacy protections to some degree. The trick is striking a balance between competing goals and interests, but that isn't what the law says. It seemingly elevates privacy above all else.
The new officers are also supposed to establish comprehensive privacy and data protection procedures. But most agencies are only subject to the Privacy Act of 1974, and those procedures have been in place for decades.
If Congress had something else in mind, it might have offered a hint. It's hard to believe privacy officers will have the means to invent or implement additional privacy procedures.
Not all of the legislative requirements are awful. The push for better training and awareness is helpful, for instance.
And assuring compliance with the Privacy Act of 1974 is another worthwhile task often ignored. At many agencies, no one takes overall responsibility. Full compliance with the act occurs fitfully.
But another problem with the law is that while many agencies would benefit from a chief privacy officer, not every agency needs one. Many agencies, especially small ones, do not traffic in personal information other than personnel files. The Postal Rate Commission, for example, does not need a CPO. The government shouldn't go from ignoring privacy to overprescribing it.
Which agencies need privacy officers? Let's use the Commerce Department to illustrate. It's OK to have one at the department level. That is probably true for all Cabinet agencies. What about component agencies? The Census Bureau really needs its own privacy officer, but the National Oceanic and Atmospheric Administration probably does not. The Treasury Department's IRS surely deserves a privacy officer independent of its parent.
Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, hates the idea of chief privacy officers. He thinks CIOs already have privacy responsibilities, but that's not the case. Privacy is not a primary focus. In the right agencies, CIOs and everybody else would benefit from the presence of privacy officers.
It is hard to guess what will happen next. The Office of Management and Budget may slow the implementation of the law to see if anyone in Congress is willing to consider changes. The best of all possible worlds would be that Congress quickly amends the law to fix its many problems. If not, it may be necessary to rent Washington's RFK Stadium to hold the first meeting of federal CPOs.
Robert Gellman is a Washington privacy and information policy consultant. E-mail him at firstname.lastname@example.org.