The White House budget director’s recent announcement of a coming governmentwide council of chief privacy officers marks the Obama administration’s latest response to last June’s revelation of a data breach at the Office of Personnel Management, a step that at least one privacy expert calls “a moment we will look back on as a major change.”
J. Trevor Hughes, president and CEO of the Portsmouth, N.H.-based International Association of Privacy Professionals, told Government Executive that Budget Director Shaun Donovan’s announcement of the council at an agency privacy summit is a welcome step toward “professionalization” of an agency function for which there is currently no career path.
“We’ve seen professionalization of privacy explode in the private sector, and Donovan’s speech” and promise of new guidance from the Office of Management and Budget “are clear indicators of increasing maturity,” he said, a sign that the federal government is taking seriously the need to build privacy into agency life to protect both cyber hygiene and human rights.
“Organizations around the world are recognizing that anyone who touches data or makes decisions must understand privacy, said Hughes, whose association has 25,000 members in 80 countries—double its roster of two years ago.
The term “privacy” encompasses two related ideas, he added. In the cyber sense, privacy refers to “technology measures we take to protect data,” but in the values sense it refers to “our awareness of how we manage data and what we’re permitted to do.”
Hughes added: “You can’t have privacy without good security. So increasingly we are finding the conversation about privacy melds into the conversation about cyber security.”
That view is shared by Donovan, who told 375 agency privacy specialists on Dec. 2 that “we are a country that created the Internet. But we are also a country that pioneered the Bill of Rights, and we have a belief that our privacy should not only be guarded against unwarranted government intrusion, but also protected.”
His speech laid out the administration’s agenda to prevent data breaches, prevent harm to affected individuals should breaches occur, “enhance the productivity, efficiency and effectiveness of government” and, finally, “build and regain trust in government” at a time when surveys show public faith in agency competence at record lows.
As an example, Donovan cited the Census Bureau, which “has identified Americans’ growing distrust of the government’s ability to responsibly collect and store data as one of the most significant challenges they face in conducting the next census.”
Donovan said: "It's time to stop re-inventing the privacy wheel at agencies and do a better job of leveraging the success of each agency's related efforts. It is time to shift from reactive programs to proactive strategies. And it is time to 'professionalize' the privacy profession."
That means each major agency will be appointing “chief privacy officers” who will meet on a body similar to the Chief Information Officers Council to “serve as an ecosystem for strategic thinking on privacy implementation, bringing together the best minds we have to tackle the cutting-edge privacy issues of the digital era.”
The government needs “chief privacy officers to help continue to identify our high value assets that store sensitive [personally identifiable information], ask tough questions about data minimization, ensure compliance with retention schedules, and evaluate policies for sharing and transferring data,” Donovan said. “If program managers aren’t sure about the sensitivity of a data set or the risk of harm such data may present if compromised, they should ask their CPO,” he added. “Too many projects have been delayed or shelved because of the failure to address responsible data practices up front.”
Having privacy programs run by experts, he said, “will enable innovation, not slow it down. If we don’t invest in privacy today, these issues will only be more challenging tomorrow.”
Donovan praised acting OPM Director Beth Cobert for creating a powerful senior privacy position and the State Department for its coming new career Senior Executive Service chief privacy officer. The Justice and Defense departments also have moved ahead to create high-level privacy officers that deal with civil liberties.
Donovan also promised new OMB guidance, including a long-sought update of the Y2K-era Circular A-130 on “Managing Information in Strategic Decision Making.” As Marc Groman, whom Donovan last spring appointed as the first OMB senior adviser for privacy, said at the summit, Circular A-130 has gone through two rounds of agency review and a public comment period that ended Dec. 5.
Groman has been surveying agency privacy staff, Donovan noted. Among Groman’s findings are that agencies need more training and professional development in privacy, that hiring top talent is tough and that there is “no career path for privacy in the federal government.”
Groman also learned that “much of the government’s privacy guidance should be tailored to reflect recent technological and other changes” and that currently there is too much “reacting to incidents and not enough strategic thinking.”
The next challenge, said Hughes, “will be finding those privacy professionals OPM is calling for.” In the private sector, “we’ve had to build over 10,000 new privacy professionals in the world during the last two years. So for anyone looking for career development or a growth field, stepping into privacy is good choice.”