Board proposes annual privacy report, agency coordination

Federal privacy policies are so inconsistent from agency to agency that they need to be systematically documented through an annual report and by creating stronger relationships among government privacy officers, according to the draft report of a government advisory board on computer security and privacy released Tuesday.

The draft report, whose details are being ironed out at the quarterly meeting of an advisory board chartered by the Commerce Department's National Institute of Standards and Technology, recommends an array of changes to federal privacy practices. Although the board's members acknowledged the outdated nature of the 1974 Privacy Act that governs those practices, they said there is room to improve privacy practices within the constraints of the law.

The draft report, compiled by the Computer System Security and Privacy Advisory Board (CSSPAB), currently includes four recommendations, with the most detailed suggestions being in the area of documenting and strengthening privacy practices. The annual report contemplated by the board would identify and categorize privacy officers' positions and responsibilities, and "explain any apparent inconsistencies from agency to agency."

The report could then be the springboard to establishing a federal privacy officers' committee--analogous to the existing Federal CIO Council for chief information officers--and could enhance the stature of privacy officers within their agencies.

Franklin Reeder, chairman of the CSSPAB and a former Office of Management and Budget executive in the Clinton administration, said the recommendations seek to answer questions about "government's use of personal information about individuals, and specifically whether the Privacy Act is administered properly and how [enforcement] can be improved."

Although the act's requirements for disclosures about government use of information were intended to strengthen citizens' confidence about their personal information, "it is not clear that those disclosures mean anything anymore," Reeder said, adding that he wants to stimulate debate about whether the act needs to be changed.

He also said the tendency for federal agencies to share information--the practice that the Privacy Act was designed to regulate--"has been exacerbated by the [post-terrorism] demand for even more interchange of information under the guise of finding potential wrongdoers."

The other three CSSPAB recommendations include exploring ways to balance the threat and benefit of open Internet access to public records, beginning to study the ways that government utilizes private-sector databases, and creating a mechanism for evaluating how the government could utilize privacy tools such as the Platform for Privacy Preferences (P3P) technology.

The 12-member committee was created in 1987 to examine issues arising from the growing interchange between corporate and government computer technology. It consists of four representatives from the government, four from the technology industry and four from non-technology businesses.

At Tuesday's CSSPAB meeting, Al Stapleton of the General Accounting Office's information technology group apprised the committee of a GAO study of executive branch privacy being conducted at the request of Senate Governmental Affairs Committee Chairman Joseph Lieberman, D-Conn., and House Government Reform Subcommittee on Government Efficiency Chairman Steve Horn, R-Calif.