Agencies' privacy advocates are paper tigers
How well do federal agencies consider the privacy implications of their activities? I mean really. In too many cases, privacy remains a stepchild. But a few agencies, recognizing its importance, have established privacy advocates.
More agencies have Privacy Act officers. But often their responsibilities are limited to managing compliance with the act, typically a boring, administrative function. Few have the clout, stature or vision to provide comprehensive advice to their agencies.
The notion of a privacy advocate remains a refreshing concept. At the Health and Human Services Department, the privacy advocate sits in the Office of the Assistant Secretary for Planning and Evaluation. HHS' advocate is John Fanning, an experienced manager with a long and distinguished record of accomplishment in privacy and a commensurately good reputation.
But Fanning's is a one-man operation in a far-flung department with privacy issues popping up all the time. The function needs more resources.
The IRS also has an Office of the Privacy Advocate, and it's larger than the one at HHS. Still, its staffing level has been highly variable over the last few years. Unfortunately, the IRS advocate remains buried deep within the bureaucracy, reporting to the chief information officer. In my opinion, the long-term ability of the privacy advocate to produce change remains to be seen.
The advocates at HHS and the IRS are not responsible for routine Privacy Act matters. This is the most desirable allocation of responsibility. The privacy advocate must be able to independently review internal activities. When management proposes new systems of records or routine uses of records, an effective advocate must be able to comment publicly on the proposals.
Independent access
One reason a privacy advocate needs both independence and access to the agency's top echelon is illustrated by the Outcome and Assessment Information Set. OASIS is a program set up by the Health Care Financing Administration to collect information on home health care activities.
In its original form, OASIS called for the collection of detailed financial and psychological information about patients. The intrusive data collection instrument became a target of the privacy community. In March 1999, OASIS was the subject of a major Washington Post story that intensified the controversy and resulted in high-level attention to implications that had been ignored.
The administrator of HCFA recently said that the strong objections to OASIS came as a surprise because the program received considerable testing and review. The problem, however, was that HCFA's outreach only found the usual suspects, namely people in the health data establishment. They value research more highly than privacy. That community should have a voice, of course, but program managers must actively solicit other points of view, too.
A privacy advocate should be able to identify potential problems and broaden an agency's focus to make sure that it hears dissenting voices. An advocate should have enough independence so that his or her views won't be squelched by program proponents inside the agency.
HCFA reacted to the OASIS controversy by establishing an internal committee to consider privacy. That's a start, but agencies need to seek more perspectives. If nothing else, they need to listen to people who have a better ear for what will attract press attention.
The Clinton administration's privacy counselor at the Office of Management and Budget is worth acknowledging, but a tiny OMB office can only serve as a backstop now and again. Still, the counselor has proved to be useful in some ways.
How does the Justice Department handle privacy? It has a single person who covers both health care fraud and privacy. That's a sick joke. Health care fraud investigators are among the biggest violators of privacy.
Does every agency need a privacy advocate? A simple, two-question test may help. First, has your agency been the subject of a front-page expose in the Washington Post, New York Times or other major newspaper? Second, can you think of something that your agency is doing that might interest the press, such as operating a large database or participating in an active computer matching program?
If you can answer either question positively, then your agency must think about establishing a privacy advocate.
Robert Gellman is a Washington privacy and information policy consultant. E-mail him at firstname.lastname@example.org.