Survey: Agency programs to protect privacy inadequate

Interviews with members of the federal IT community indicate agencies are focusing on cyber security while privacy programs slip through the cracks.

Most government agencies have made little progress in addressing privacy concerns, and the issue needs to be elevated, according to a new survey of members of the federal information technology community.

While IT security has been at the top of federal chief information officers' agendas for several years, privacy programs are slipping through the cracks and fewer agencies treat them as a priority, said Paul Wohlleben, a partner at Grant Thornton and chairman of the group that conducted the Information Technology Association of America's 16th annual Federal CIO survey.

Privacy is primarily receiving attention in a handful of agencies where public concerns have raised the issue, the survey indicated.

"We found that privacy is a much less mature area in government, and there is less progress to report," Wohlleben said. "Fewer agencies have addressed [privacy programs] as a priority … the security programs [are] a bit more mature [and have been] addressed over a long period of time."

In some agencies, the CIO was charged with privacy leadership, and in a smaller number of agencies, the general counsel's office was assigned the responsibility, the survey found.

Meanwhile, several CIOs included in the survey stated that they wanted to focus IT security efforts on areas that would "clearly increase security" while "minimizing requirements that lacked clear benefits." One respondent stated that the law governing agency IT security, the 2002 Federal Information Security Management Act, is a paper exercise and a "forced march without value."

The survey was based on confidential interviews with 39 federal IT officials, including 20 CIOs and five deputy CIOs. Twenty-five of the interviews were with civilian agency officials, while others were with House Government Reform Committee staffers and officials representing Defense Department agencies. Interviews were conducted between August and December 2005.

The survey focused on the 10-year anniversary of the 1996 Clinger-Cohen Act -- which established the chief information officer title and required agencies to develop enterprise architectures and perform due diligence before purchasing information systems. In addition to the privacy and security issues identified, it found that the average CIO tenure is shortening, indicating an increasing number of political appointees filling the position, Wohlleben said.

While none of the CIOs interviewed reported fully completing and implementing an enterprise architecture -- a technique for describing the structure of an organization's processes, IT systems and personnel organization -- a majority said they have completed the "as-is" component, giving agencies a baseline for determining gaps in IT systems' performance.

CIOs reported increased involvement in governmentwide IT consolidation projects, stating that the initiatives had the potential to save money. But they were concerned about losing control of the systems and about an inability to deliver on the projects' projected benefits.

According to the survey, agency IT leadership remains "very much fixated" on the President's Management Agenda and the red-yellow-green score card reports, but some CIOs are questioning the grading system's ability to benefit agencies.

Other priorities cited by the CIOs interviewed for the survey included portfolio management, strategies for managing data and information sharing.