The Obama administration is pulling privacy and civil liberties out of the shadows of cybersecurity.
The Office of Management and Budget is developing new guidance, updating existing policy and creating a council to raise the prominence of privacy issues across government.
OMB Director Shaun Donovan announced three major efforts Dec. 2. First, he said OMB is following the model of the federal chief information officers’ council by creating a federal privacy council.
“It’s time to stop reinventing the privacy wheel at agencies and do a better job of leveraging the success of each agency’s related efforts,” said Donovan, who spoke Wednesday at the federal privacy summit in Washington. “It’s time to shift from reactive programs to proactive strategies. It’s time to professionalize the privacy profession. The privacy council will serve as an ecosystem for strategic thinking on privacy implementation, bringing together the best minds we have to tackle cutting edge issues in the digital area. It will be the place to coordinate and share ideas, best practices and successful practices for protecting privacy across the government. And like the CIO Council, this council will assess and develop recommendations for the attracting and hiring of top talent in privacy programs across the federal government.”
Marc Groman, OMB’s chief privacy officer, said the administration will create an executive charter over the next few months detailing exactly what the body will do.
“There already is a foundation in place. There is a privacy committee that is already doing some ongoing work, and there are eight working groups already up and running. We will build on that foundation to create the permanent federal privacy council,” Groman said in a briefing with reporters after Donovan’s speech. “I think that list of priorities will include a number of things. I think the director teed many of them off. One of the top priorities is we will be looking at issues around the talent pool in the federal government and making sure that we can attract the right talent, and that we are able to hire and bring in more qualified privacy professionals. The second goal, which the director also mentioned, will be expanding education, training and professional development for privacy professionals, and making sure as risks evolve and as technology evolves, we want our privacy professionals in the government to continue to train on an ongoing basis.”
A third goal of the council, Groman said, is to build a community of privacy professionals in the government to encourage better collaboration and more efficient processes.
Donovan also said OMB will release guidance in the coming month or so updating the 2006 memo for handling breaches involving personally identifiable information (PII).
Additionally, OMB is in the final stages of rewriting Circular A-130 and is just beginning to work on a rewrite of Circular A-108, which covers agencies’ responsibilities for the maintenance of records about individuals. OMB rescinded A-108 back in 1996 and folded it into A-130.
OMB released the draft of Circular A-130 in late October and comments on the document close in the next week or so. So far, industry and other stakeholders have offered about 49 comments.
Donovan said all of these efforts are part of how the administration is fundamentally overhauling information security practices and governance.
“OMB’s revised policy documents make one point very clear: privacy and security may be two different disciplines, requiring two separate skill sets, but they must be part of one coordinated risk management framework,” he said.
Finally, Donovan is also asking agencies to ensure the best person is overseeing privacy within their organization. Too often, the chief privacy officer also was the CIO or CFO or someone wearing multiple hats. Groman said OMB wants agencies to review how they are set up and ensure the management and oversight of privacy is a priority.
Agencies and Congress have sparred over privacy for some time. Both say they support it, but over the years there has been little agreement on how best to ensure privacy and civil liberties.
Back in the mid-2000s, there was a move by lawmakers to create a chief privacy officer in every agency. OMB pushed back, saying it wasn’t necessary.
In the end, a few agencies, such as the departments of Homeland Security and Justice, and the Office of the Director for National Intelligence, created full-time CPOs.
But Donovan said there are four agencies already raising the stature of privacy in their organization.
“OPM’s acting Director Beth Cobert has created a new senior privacy position in the director’s office at OPM with the authority and the access to build a robust, strategic agencywide program. Similarly, the Department of State is creating a new career SES chief privacy officer position to lead the department’s privacy efforts,” he said. “The Department of Justice just posted a new career SES position for the director of the department’s office of privacy and civil liberties. In addition earlier this year, the Department of Defense reorganized its privacy and civil liberties functions and brought on a top privacy lawyer to serve as the director of oversight and compliance and senior agency official for privacy. This is a great trend that I look forward to seeing grow across the federal government.”
Despite the efforts to update and modernize policy and regulations in the face of new and evolving technologies, agencies still must abide by the Privacy Act of 1974, which really hasn’t been updated in decades and was written well before anyone thought of computers on desks, let alone the Internet, cloud and social media.
Groman said there are challenges because of the law. He said he’s not involved in any discussions to update the law right now. At the same time, however, he said agencies can improve how they address privacy issues and still abide by the law.
OMB plans to launch the new privacy council in January.
Groman said there are still specifics that need to be addressed, such as the participation of the Defense Department and intelligence community. He said those agencies will be partners, but it’s unclear whether they will be formal members or whether this council will focus mainly on civilian agency issues.
At the same time, the privacy and CIO Councils’ relationship is clearer already, Groman said.
“Tony Scott and I have discussed that, and so it’s very important to both of us that the councils closely coordinate. We make sure the efforts are consistent and we don’t duplicate work,” he said. “Exactly how that plays out, I’m not sure. But I would contemplate that some type of privacy group would remain within the CIO committee, and we will most definitely be having a technology and security group within the privacy committee, and there will be a tremendous amount of communication between the two.”
Groman said he has met several times with federal CIO Tony Scott and has worked with the CIO Council over the last few months in updating the circulars. In fact, Groman’s position also is new. He came to OMB earlier this summer after spending time at the FTC and on Capitol Hill.