President Barack Obama issued an executive order Feb. 9 to establish a Federal Privacy Council tasked with the mission of balancing the collection and handling of information with the privacy rights of the American people.
According to the executive order, which was issued hours before the President sent his fiscal 2017 budget request to Congress, the privacy council will, among other things:
Develop recommendations for the Office of Management and Budget on federal privacy policies and requirements
Coordinate and share ideas, best practices and approaches for protecting privacy and implementing appropriate privacy safeguards
Assess and recommend how best to address the hiring, training and professional development needs of the federal government with respect to privacy matters
“The establishment of the Privacy Council will help senior agency officials for privacy at agencies better coordinate and collaborate, educate the federal workforce, and exchange best practices,” the order stated. “The activities of the Privacy Council will reinforce the essential work that agency privacy officials undertake every day to protect privacy.”
A fundamental transformation
The executive order is part of a larger administration mission to address the push and pull of privacy rights and national security.
On Feb. 8, Marc Groman, chief privacy officer for OMB, told the Homeland Security Department’s Data Privacy and Integrity Advisory Committee that he was taking a proactive approach along with OMB Director Shaun Donovan that was going “to make a fairly dramatic, if not fundamental transformation about how privacy is implemented across the federal government.”
Groman told the committee that two main efforts are going on simultaneously to improve federal privacy programs.
“One track is focused explicitly on updating most of the significant guidance that OMB issues around privacy implementation in the federal government,” Groman said. “That is a huge effort. The signature document here is the update to OMB Circular A-130.”
OMB released the draft of Circular A-130 in late October. The document addresses how information management is handled across the government, excluding national security, Groman said. The update received more than 1,000 comments.
“That document was last updated in 2000. One or two things have changed in privacy technology since 2000,” Groman said to laughs. “We are doing not a revision, [but] a complete and total overhaul of that document. It is going to force a shift from looking at privacy as a compliant exercise, or a one-time check-the-box type of program, to what we are now requiring as an ongoing, risk-based strategic and continuous program in which an agency will be required to have a privacy continuous monitoring strategy, a privacy continuous monitoring plan that will be documented, looking at privacy controls across your agency and deciding when those controls need to be evaluated or re-evaluated. That will be a big shift in thinking for lots of agencies, not all but some.”
Groman said OMB also is continuing to work on Circular A-108, which covers agencies’ responsibilities for the maintenance of records about individuals. He said A-108 used to be included in A-130 but is being pulled out and will be its own circular, which he expected to be put out for comment later this year.
Groman said he also was working on updating the privacy portions of all of OMB’s incident response guidance, which will cover how an agency should address an incident that involves personally identifiable information (PII).
Groman was mum on the privacy council executive order Monday, but advised committee members to keep their ears to the ground. He did, however, say the council would be independent from the CIO council.
“Privacy is not a subset of security, it’s not a subset of IT, it is an independent discipline,” Groman said. “It must work with that group, it must be interdependent and move in lockstep with IT security and cybersecurity, but it is not a subset. And so we need to assemble leaders in its own independent council.”
Privacy workforce, digital privacy, best practices metrics
Groman said he was working on a privacy workforce committee, the idea for which came from Jonathan Cantor, DHS’ deputy chief privacy officer.
“We need to take a deep, hard look at the hiring and retention of privacy professionals across the government, because it is just too challenging today,” Groman said. “We need to invest in the privacy profession, we need to make sure privacy professionals have the education and training to stay up to date and help the government address evolving threats and new technologies, a rapidly evolving landscape.”
This effort also includes a “technology curriculum” for privacy professionals, Groman said.
A new digital privacy working group is also included in the privacy council. Groman said the group focuses specifically on issues related to the government’s use of websites, social media, mobile apps and other digital services.
OMB also created an incident response and identity theft group, which will work on updating guidance and draw on the experience of members who have been involved with something like a data breach.