Incidents point to need for a chief privacy officer
- By Charles E. Tompkins III
- Nov 06, 2006
Among the controversies the federal government faced this year, its handling of personal information continues to be front and center. Consider the following:
- On May 27, the Department of Veterans Affairs announced that personal data of up to 26.5 million veterans had been stolen.
- On May 11, USA Today broke the news that the National Security Agency has secretly been collecting telephone records of 'tens of millions' of Americans.
- On March 27, the Los Angeles Times reported that an American Civil Liberties Union Freedom of Information Act inquiry revealed the FBI had been 'gathering information on anti-war and environmental protesters and on activists who feed vegetarian meals to the homeless.'
An October 2006 report to the Government Reform Committee of the House of Representatives concluded: 'Taken as a whole, the agency reports outline hundreds of instances of data breaches involving sensitive personal information since Jan. 1, 2003. The number of individuals affected in each incident ranges from one to millions. However, in many cases, the agency does not know what information was lost or how many individuals potentially could be affected.'
Many instances, all leading to the same question: How can federal agencies assure citizens that their private information is protected appropriately and lawfully?
Back in 2005, in a report to Congress on the implementation of the E-Government Act of 2002, the Office of Management and Budget released Memorandum 05-08, 'Designation of Senior Agency Officials for Privacy.' It directed agencies to appoint a senior official with 'responsibility and accountability for ensuring the agency's implementation of information privacy protections, including full compliance with federal laws, regulations and policies relating to information privacy.'
But it's not working well. Continuing privacy-related news raises serious concerns about whether these privacy officers are sufficiently independent to be effective. Citizens are generally unaware of their rights under the federal Privacy Act and cannot hold agencies accountable. Protection offered from agencies appears to be weak in many instances.
To achieve greater agency accountability and prevent privacy breaches, it is time to consider a federal chief privacy officer with independence and authority to protect citizens from unreasonable and unlawful intrusions upon their privacy.
A good example of this position can be found just north of us in Canada. Its privacy commissioner, currently Jennifer Stoddart, serves for seven years, following approval by the Senate and House of Commons. The privacy commissioner is empowered by statute to investigate complaints arising under the Canadian Privacy Act. She may act upon receiving a complaint or on her own initiative, and she may compel testimony under oath, or demand documentation and other evidence.
However, the powers granted to the Canadian privacy commissioner have been criticized as incomplete, as she may only offer findings and recommendations to the offending agency. In a 2006 opinion, H.J. Heinz Co. of Canada, Ltd v. Canada, the Canadian Supreme Court concluded that the privacy commissioner 'is of little help because with no power to make binding orders, she has no teeth.'
To avoid the same trap, a U.S. chief privacy officer would need greater strength in three aspects.
First, the officer should come under the jurisdiction of the Justice Department. This would give the position legal authority, resources and other 'teeth.' But to ensure the position's independence, the officer should report directly to the appropriate committees of Congress.
A good model for this arrangement might be the statutory protection afforded the director of operational testing and evaluation at the Defense Department. While he is on the staff of the secretary of Defense, he reports to Congress directly as well as to the secretary, who cannot change his reports.
Second, the officer should have the power to issue orders enjoining a federal agency from taking actions he believes violate the law until those actions can be considered by a court.
Finally, the officer's authority should extend to national security systems, such as those that collect intelligence information. These systems are exempted from many aspects of federal information technology law, including the requirement that they develop privacy impact assessments.

Charles Tompkins, a lawyer and former Defense Department program manager, teaches classes on privacy and information assurance law at the National Defense University's Information Resources Management College. The opinions, conclusions, and recommendations expressed or implied within are those of the author and do not necessarily reflect the views of the Defense Department or any other department or agency of the federal government.