Federal privacy law faces review from data advisers

Experts from two federal advisory committees are embarking on a review of critical privacy and policy issues, with a particular focus on implications of the decades-old Privacy Act and other legislation.

The Data Privacy and Integrity Advisory Committee at the Homeland Security Department and the Information Security Privacy Advisory Board at the National Institute of Standards and Technology plan on publishing a report on the topic next year, John Sabo, a member of the Homeland Security panel, said Friday.

Sabo, who directs security and privacy initiatives for Computer Associates, said new uses of technology and computer networks may not have been envisioned in current laws and regulations. The panels have a spectrum of knowledge and will better inform the dialogue, he said.

The report is expected to discuss how changes in the nature and use of information technology by agencies have created the need for revision of the legal and policy framework -- but not necessarily laws -- affecting privacy in the 21st century, Sabo said. Participants hope to identify gaps in statutes, rules and guidance but will not analyze specific programs.

"The goal is not to rewrite legislation; the goal is to examine the intent of the law and determine whether the use of new technologies may have outstripped the ability of some laws and statutes to be effective," Sabo said.

On Friday, Sabo joined NIST project lead Leslie Reis of the John Marshall Law School in Chicago, Maureen Cooney, the head Hunton & Williams' privacy practice, and Center for Democracy and Technology Staff Counsel Paula Bruening on a panel to discuss the effort.

The study should not look only at "technologies 'du jour'" such as radio-frequency identification technology but instead address issues in ways that will be usable irrespective of a specific technologies or uses of them, Sabo said.

Cooney, previously Homeland Security's acting chief privacy officer, encouraged NIST's advisory panel to focus its work on networked information collection and sharing; data collection from third parties such as commercial data aggregators; and data collection through programs like data mining, which do not amass information by individual names or personal identifiers.

Each area suffers from gaps in the application of the Privacy Act or "gray areas" that impede usage of the 1974 law's protections in a harmonized manner by federal employees and agencies, Cooney said.

The NIST body also may begin working with the White House's fledgling Privacy and Civil Liberties Oversight Board. The board's executive director, Mark Robbins, spoke to the NIST group about "potential areas of overlap" with his team, which is charged with ensuring that new laws, statutes and polices have appropriate privacy and civil-liberties safeguards.

Data mining, which is a key component of "quite a few war on terror activities," is one topic that could be addressed jointly, Robbins said. He said his board could "learn from them about the technology behind data mining. You can't understand a policy if you can't understand how it works."