Group calls for overhaul of privacy regulations

NIST board recommends heightened government leadership on the issue and suggests hiring a full-time chief privacy officer at OMB.

The United States' 35-year-old federal privacy law and related policies should be updated to reflect the realities of modern technologies and information systems, and account for more advanced threats to privacy and security, according to a report sent on Wednesday to Office of Management and Budget Director Peter Orszag.

In its 40-page paper, the National Institute of Standards and Technology's Information Security and Privacy Advisory Board calls for Congress to amend the 1974 Privacy Act and provisions of the 2002 E-Government Act to improve federal privacy notices; clearly cover commercial data sources; and update the definition of "system of records" to encompass relational and distributed systems based on government use of records, not just its possession of them. The panel included technology experts from industry and academia.

The panel wants heightened government leadership on privacy and suggests the hiring of a full-time chief privacy officer at OMB and regular Privacy Act guidance updates from the office. Chief privacy officers should be hired at major agencies and a chief privacy officers' council should be created, much like the Chief Information Officers' Council that is chaired by OMB's e-government and IT administrator.

The federal government's cookie policy, which depends on "bureaucratic speed bumps to protect user privacy," should be updated to let visitors to a government Web site decide whether a cookie is set. One option is to employ a "remember me" check box common on many commercial sites, the report said.

Additionally, OMB should issue privacy guidance for non-law enforcement use of location data by agencies; work with the Homeland Security Department's U.S. Computer Emergency Readiness Team to create interagency information on data loss across the government; and adopt a public reporting structure on how the government uses Social Security numbers. "This could help create incentives and accountability by shining a spotlight on which agencies had failed to limit their SSN use," the report states.

Legislation offered by Senate Homeland Security and Governmental Affairs Committee Chairman Joseph Lieberman, I-Conn., to reauthorize the E-Government Act passed his committee last Congress but was blocked from the floor by Republicans. An amendment by Senate Judiciary Chairman Patrick Leahy, D-Vt., to include new privacy protections caused much of the discontent.

ISPAB Chairman Dan Chenok, who served on President Obama's transition team's technology working group, said his panel's recommendations are consistent with the administration's "forward thinking approach to technology" and will bring privacy law and policy in line with the fast pace of technological change. Chenok will join Center for Democracy and Technology Vice President Ari Schwartz, Homeland Security Department Chief Privacy Officer Mary Ellen Callahan, and privacy expert Peter Swire for a Thursday discussion of the report and next steps. The think tank plans to invite public participation in an interactive consultation to craft a legislative proposal based on the board's recommendations.