Like your toothbrush or air filter in your furnace or even the oil in your car, federal policy needs to be replaced once in a while too.
The Office of Management and Budget is taking on this sometimes herculean effort. The administration already updated the 16-year-old Circular A-130 in July. There’s discussion about some of the identity management and access control guidance from the mid-2000s needing to be refreshed. Cybersecurity guidance is constantly changed and modified to meet the ever-evolving threats.
And then there is privacy. It’s been 11 years since OMB last addressed the role of the chief privacy officer. Back in 2005, OMB released M-05-08, Designation of Senior Agency Officials for Privacy, in February.
Back then, the idea of having chief privacy officers (CPO) in every agency had been a point of contention. OMB under the George W. Bush administration didn’t want a CPO in every agency. Some lawmakers did, pushing a provision in the 2005 appropriations bill requiring agencies to name chief privacy officers and perform a number of privacy oversight functions, according to a story I wrote back in 2005. Other lawmakers and the administration pushed to repeal the provision.
In the end, the two sides worked out a compromise whereby agencies named a senior accountable official for privacy, who might or might not be called a chief privacy officer.
Now, 11 years later, President Barack Obama’s OMB has issued new guidance that still doesn’t call for a CPO in every agency, but does significantly raise the stature and influence of the senior agency officials for privacy (SAOPs).
“[T]he revised guidance updates the role and responsibilities of SAOPs in light of recent innovations in technology and advancements in information analytics so that agencies are better positioned to address the new and complex challenges of the information age,” wrote Marc Groman, the Senior Advisor for Privacy at OMB, in a Sept. 15 blog post. “The guidance released today recognizes that the success of an agency’s privacy program depends upon its leadership.”
Specifically, the guidance requires agencies to take multiple steps to raise the level of privacy across the department.
The secretary must name a deputy assistant secretary or someone at the equivalent level as the senior privacy official. This person must have the expertise and authority to lead and direct the agency’s privacy program and carry out the privacy-related functions described in law and OMB policies. “When determining whom to designate as the SAOP, agencies should be aware of applicable law. Moreover, agencies should recognize that privacy and security are independent and separate disciplines. While privacy and security require coordination, they often raise distinct concerns and require different expertise and different approaches,” the memo stated.
The memo called for agencies to identify and plan for the financial, human, information, and infrastructural resources to carry out the privacy functions. These include the size and structure of the office, the mission and volume of personal data, and associated risks with storing and managing data. “The SAOP’s review of privacy risks shall begin at the earliest planning and development stages of agency actions and policies that involve PII, and continue throughout the lifecycle of the programs or information systems. Appropriately managing privacy risks may require agencies to take steps beyond those required in law, regulation and policy,” the memo stated.
Agencies have 60 days to assess the management, structure and operation of the privacy office as well as name a senior accountable official. OMB wants agencies to report back with these details.
The new guidance follows an active year for the administration with regard to privacy. In December 2015, OMB Director Shaun Donovan announced three major efforts to bring privacy out of the shadow of cybersecurity.
Then in February, the President signed an executive order creating the Federal Privacy Council. The council held its first meeting in March.
The real challenge with federal privacy is the need to update the Privacy Act of 1974. While there have been some updates around the edges, a total overhaul of the law by Congress is needed. It’s not going to happen during this administration, but OMB’s efforts provide some much-needed changes to how the government protects citizen and business data.