DHS privacy office steps up scrutiny of technology projects

The Homeland Security Department's Privacy Office has started scrutinizing information technology projects and research initiatives more intensely, according to the office's recently released report to Congress.

In an effort to establish privacy protections during initial planning and development of IT systems, Privacy Office officials have strengthened their working relationship with the department's chief information officer and officials in the Science and Technology Directorate, the report stated.

Hugo Teufel, the recently appointed DHS chief privacy officer, said the office is reviewing more than 500 threshold analyses, which determine whether a more formal privacy impact assessment should be performed for a given project. The office also is looking at 171 privacy impact assessments, which ensure that a project does not unnecessarily or unlawfully collect or store personally identifiable information.

For the fiscal 2006 and fiscal 2007 budget process, privacy officials reviewed nearly 100 IT budget submissions to the Office of Management and Budget and determined that 54 privacy impact assessments needed to be performed. Between June 2004 and July 2006, 44 such assessments were approved and published, according to the report.

The report also stated that the office has trained more than 500 federal employees in the privacy impact assessment process. Since DHS was created in March 2003, the department has published 28 new or revised public "system of records notices," which describe agency operations that involve the collection and use of personal information.

The report covered July 2004 to July 2006 and is 38 pages long. Privacy advocates have said it lacks detail and they still are waiting to see if Teufel, who previously served as the department's associate general counsel, will demonstrate a commitment to privacy.

In an interview Wednesday, Teufel said he sees the DHS office as a "vanguard for privacy in the 21st century." He said the report is substantially the work of his predecessors.

The release of the report has been postponed twice. A report covering activities from July 2004 to June 2005 was set to be published last year, but the resignation of the office's first chief, Nuala O'Connor Kelly, held up those plans.

Maureen Cooney, who succeeded O'Connor Kelly in an acting capacity, decided to merge the report with one covering the next period, but retired before the combined report was ready.

Ari Schwartz, deputy director of the Center for Democracy and Technology, a privacy advocacy organization in Washington, questioned why a report covering two years would contain so few details.

"Part of that has to do with having three chief privacy officers over that time period," Schwartz said. "We would expect now that there is a [permanent] chief privacy officer that next year's report will be much more in-depth."

While Teufel knows the ins and outs of DHS and the report's opening letter gives a commitment to privacy, the office's actions will tell whether the department is truly committed, Schwartz said.

In a related matter, Teufel said he has received his credentials as a Certified Information Privacy Professional, which demonstrates the mastery of a standard body of knowledge relating to privacy law. When Teufel was appointed to the job in July 2006, privacy advocates questioned whether he had the necessary privacy experience to succeed.