Industry officials question mandate for chief privacy officers

A panel of information security officials and engineers spent Tuesday morning quizzing chief privacy officers (CPOs) from the private sector in tentative preparation for a report to advise the Bush administration on "best practices" for federal chief privacy officers.

The recommendations could call for rejecting mandatory, third-party audits of the activities of the government's privacy officers.

A provision in the 2005 appropriations law for the Transportation and Treasury departments mandates the establishment of chief privacy officers in every department. The provision also requires department inspectors general to hire independent auditors to report on the CPOs' activities and to issue reports to Congress.

"It's another Beltway Bandit Full Employment Act," Franklin Reeder of The Reeder Group said of the language. Reeder is the chairman of the National Institute of Standards and Technology's advisory board on information security and privacy, which held a forum on privacy officers. He emphasized that he spoke for himself and not on behalf of the committee.

Other members of the committee and another former government official also expressed concerns about the mandate for third-party auditors.

Rebecca Leng, deputy assistant inspector general for information technology and computer security at the Transportation Department, said the appropriations language does not outline the criteria for such audits. The law simply says inspectors general must hire auditors to check the CPOs' activities.

"At this point in time, nobody knows what good practices are in the field [of privacy]," she said.

During the panel discussion, she asked the privacy executives from America Online, IBM and Marriott for guidance on what might constitute best practices.

They said notification of individuals about what information is collected and how their personal information is handled is important, as are the choices people have about data collection. Telling people how the information is stored is also an element of best practices, they said.

But Harriet Pearson, IBM's chief privacy officer, said it is also important for companies to inform customers about their business strategies and how the strategies interact with the use of customer information to provide customized products.

Douglas Miller, AOL's executive director of integrity assurance, said it is crucial for privacy officials to understand how databases work, how they are used, how information is secured and how it is stored.

John Fanning, who is not on the committee but who is a former privacy advocate at the Health and Human Services Department, provided written testimony. He said the requirement for independent reviews is not appropriate because privacy officers should be seen by their departments as a resource rather than "a potential tattletale."

Virginia Republican Tom Davis, chairman of the House Government Reform Committee, earlier this year introduced legislation to repeal the language establishing the CPO positions. If Congress does not pass the legislation by the end of the year, the inspectors general of each department must start hiring the independent auditors in January.

A group of inspectors general called the Presidential Council on Integrity and Efficiency is working with the White House Office of Management and Budget to establish auditing guidelines, Leng said.
