“The Need for Government-Wide Privacy Policy”
Professor Peter P. Swire
Ohio State University
Consultant, Morrison & Foerster, LLP
DHS Privacy Advisory Committee
April 6, 2004

Overview
• Observations from my time as Chief Counselor for Privacy in OMB, 1999 to early 2001
• How to build privacy in a world of information sharing?
• Create institutions for appropriate privacy protection
• Improving the agency CPO law from 12/04
• Implementing the Privacy & Civil Liberties Oversight Board from 12/04 intelligence reform bill

Appropriate Institutions
• Much policy debate is on the substantive rules for privacy, such as types of notice and choice
• As the Privacy Advisory Board, you can also advise on the institutions that will build appropriate privacy into government action
• Look for specific recommendations that will improve the institutional response

Agency CPOs Can Help
• Nuala Kelly’s actions, including creation of this advisory committee, show the effects of an agency CPO office
• 12/04 appropriations bill required a CPO for each federal agency
• A positive development, especially for agencies with substantial privacy issues

Rep. Davis Criticism of CPOs
• Chairman Tom Davis has criticized the law, and stated that the CPO functions should be placed under the CIO
• He says this will promote unified responsibility/accountability over information flows
• Based on my government experience, I strongly disagree with having CIOs supervise these issues

CIOs Not the Right Answer
• 1999 process for federal Web privacy policies
• We included one CIO on the committee, and her contributions were very helpful
• Overwhelmingly, we faced policy issues rather than technical issues
  • What to say in notices
  • Which types of sites should have notices
• Many CIOs do not feel comfortable or expert at making those policy choices – they look for leadership from policy experts

Flaws in the CPO Statute
• Some bad drafting, and too large an emphasis on expensive outside audits of agency privacy activities
• More importantly, the law uses a “silo” approach, with privacy policy only agency-by-agency
• That’s a very bad match with modern information sharing, which emphasizes multi-agency, multi-function systems
• How to produce good government-wide policy?

White House Privacy Policy
• Intelligence Reform bill established 5-person “Privacy and Civil Liberties Board”
• In the Executive Office of the President, and can thus address multi-agency issues
• Limited to intelligence-related issues, so not a full answer to the need for coordination of privacy policy across agencies

Privacy & Civil Liberties Board
• Board was an explicit part of the legislative package
  • Get new info-sharing for intelligence
  • Have the Board as effective watchdog
• Today, no appointees or staff for the Board
• My proposal to you: no contracts for the information sharing systems until the Board is in place

Conclusions
• The Advisory Committee should consider what institutions will improve privacy policy
• Agency CPOs are good, but we should not make agency-by-agency privacy policy when the information systems are multi-agency
• Don’t make the mistake that privacy is a technical issue that should be managed only by CIOs
• Do insist that the Privacy & Civil Liberties Board be implemented, as a pre-requisite to information sharing
• Build government-wide privacy policy, to achieve national security as well as privacy and civil liberties