Privacy needs to be baked into systems, experts say

DHS Privacy Officer Web site

WILLIAMSBURG, Va. – To be as effective as possible, agency privacy officers should not act as a Dr. No. Rather, they should be an important part of the team that helps focus a system, two privacy officials said.

Kenneth Mortensen, senior adviser to the Homeland Security Department’s privacy officer, speaking at the IRMCO conference, said the department is trying to institutionalize privacy by making privacy impact statements part of how the agency does business.

The goal for privacy is to bake it into the system, said Barbara Symonds, director of the Internal Revenue Service’s Office of Privacy and Information Protection. Privacy issues are harder to address when organizations treat them as an afterthought. When they consider privacy throughout a system’s development, they rarely encounter additional costs or slower growth, she said.

The IRS assesses a system’s privacy impact at each of the five development milestones to ensure that all the important issues have been addressed.

“Privacy is your enabler to better business and more business,” Symonds said. The IRS’ e-file system, for example, requires taxpayers to trust that their data is secure and private. If privacy and security are not fully addressed, a program would not be successful.

Many people think that merely having a good security program is an adequate way of addressing privacy issues. But privacy goes beyond security, Symonds said. A good security program will not assess the reasons and purpose of collecting data, she said.

Jim Dempsey, policy director at the Center for Democracy and Technology, a Washington, D.C., advocacy group, said agencies should collect only the data they need. The role of a privacy officer is to ask questions about the agency’s mission and why it is collecting data.

Dempsey, however, was critical of the Bush administration for failing to have a privacy czar who could assess privacy issues governmentwide. “This administration dropped the ball” by failing to follow the Clinton administration’s lead and appoint a senior person at the Office of Management and Budget who would focus on privacy issues. “It has been seven years since there has been centralized OMB guidance,” he said, adding that it is not too late.

Privacy falls under OMB’s Office of Information Regulatory Affairs.