Govt. Data Sharing Needs More Attention, Experts Argue
There’s too much discussion of whether govt. data mining is “good or bad,” and the result is not enough contemplation about “how to do it right,” a senior fellow at the Center for Strategic & International Studies told the Homeland Security Dept. (DHS) Data Privacy & Integrity Advisory Committee Tues. Maria DeRosa urged members to focus on privacy, data quality standards and the resulting analysis rather than whether DHS should engage in the controversial practice, she said.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
Access controls and permissions should be required for those using the data and their admittance should be based on legitimate security needs, DeRosa added. Questions abound on how the data are used, she said. There’s a major difference between applying the information to a larger investigation and using the data to make an actual decision about a person on a govt. watch list, DeRosa said.
Use of information technology and commercial data also raised concerns with Center for Democracy & Technology Staff Counsel Nancy Libin. She lauded the group for its attention to the topic but said it neglected key areas, such as when the govt. should institute screening programs and what a given govt. screening initiative aims to find out. The panel sent its first report, The Use of Commercial Data to Reduce False Positives in Screening Programs, to DHS Secy. Chertoff and Acting Chief Privacy Officer Maureen Cooney in Sept. The document was admittedly narrow in purview, panel members said.
The panel’s recommendation that DHS subject itself to Privacy Act provisions when using private sector data, no matter how they will be used, deserves praise, Libin said. As a general principle, the law requires the govt. to notify and obtain consent from individuals before sharing their data, she said. In many instances, it also gives citizens the right to see records the govt. has collected on them. The letter of the 1974 law, which CDT argues is “largely outdated,” doesn’t apply to private sector databases not created for exclusive govt. use, she said.
The report didn’t discuss DHS’s need to publish what the Privacy Act calls a “system of records” notice, to be made available before the agency accesses or collects commercial data for any purpose, Libin said. “Notice is an important component of the Privacy Act, but it doesn’t solve all the problems,” she added. Another area of the report that needs clarifying is its recommendation that DHS disclose what kinds of 3rd parties had access to govt. data and whether they had the right to transfer data to affiliated or non-affiliated parties, she said. Data collected for one purpose should not be used for another, unrelated purpose, Libin argued.
IBM Chief Scientist Jeff Jonas offered anonymization as a surefire way to avoid dual usage of data. He’s studied models of information sharing, finding a directory-based method that works. As in a library, where “you don’t roam the halls to find a book,” each party gets to hold the data and know who’s asking for the information, Jonas said. It’s discoverable, accountable and “it’s a model that can work,” he told the committee. Under his framework, every recordholder in the directory knows its originator but cannot itself express its identity, Jonas said, calling the methodology “the route of the future,” particularly for handling govt. watch lists.
The group’s data sharing and usage subcommittee continues its work in 3 areas -- an analysis of govt. use of commercial data, an examination of the DHS Privacy Office privacy review processes and an assessment of data sharing at DHS and among other agencies, said Intel Privacy Dir. and Subcommittee Chmn. David Hoffman. He and his colleagues will draft and publish an outline eventually to result in a larger paper on uses of commercial data. In coming months, the subcommittee may study govt. data sharing in Hurricane Katrina efforts. Hoffman said that experience could be useful in learning how agencies swap sensitive data under duress.
Former Committee Chmn. Paul Rosenzweig, who recently joined DHS’s new Policy Directorate, assured attendees that DHS understands privacy. “We can’t achieve security without appropriate privacy protections,” he said: “We don’t want security at any price.” Rosenzweig filled in for Secy. Chertoff, who cancelled at the last minute. Effective risk management means obtaining accurate, timely information and embracing new technologies that deliver such data, he said. DHS has to ensure privacy is “integrated into the full spectrum of programs in all stages of development, not just as an afterthought.” Clear guidelines and protocols for how personal information is collected, used, shared and destroyed are vital to bolstering agency transparency and maintaining citizen trust, he said. International cooperation is also key, Rosenzweig said, since privacy “doesn’t end at the water’s edge.”