DHS Privacy Office Releases Report to Congress; Activists Silent
The DHS Privacy Office unveiled its annual report to Congress, a year behind its official due date. Former Acting Chief Privacy Officer Maureen Cooney decided to merge the 2nd (July 2004-June 2005) and 3rd annual report upon taking over for first CPO Nuala Kelly, who left for the private sector when the 2nd report was “substantially complete,” but Cooney’s fall departure (WID July 11 p5) again complicated the release, CPO Hugo Teufel told Congress. Teufel ran the combined document (July 2004-July 2006) through a “standard departmental review process,” further delaying its arrival, but it “made for a better, stronger document,” he said.
DHS has published 28 new or revised system of records notices (SORNs), the agency’s “bread and butter” work that describes DHS components with personally identifiable information, since 2003, Teufel said. The Office reviewed nearly 100 DHS IT budget submissions for privacy compliance, determining 54 PIAs were needed, with 44 PIAs reviewed and published in the reporting period. All employees at hq must go through “privacy awareness training,” the Office designed a half-hour interactive e-learning course on “fundamentals,” and it’s started on 2 more e-learning courses covering Privacy Act basics and “advanced business situations,” with more courses on niche areas expected, the report said.
On Internet-related issues, the Office said it’s working with the National Cyber Security Div. at DHS on “government sector security protocols to safeguard personal information” on computer systems. The Div. also published a PIA for its U.S. Computer Emergency Readiness Team’s EINSTEIN program, which monitors agencies’ information systems, although it didn’t create a system of records, the Office said. The Secure Flight program, which matches passengers against terrorist watch lists, was in its “initial test phase” during the period covered by the report, Teufel said, explaining some mishaps. An Office review found personnel didn’t “fully understand the privacy implications of its testing design,” made “material changes” without updating public notices, and collected commercial data on those who hadn’t been given notice. TSA is “developing its redress program” and the Office has worked with the Secure Flight development team for the past 10 months on privacy guidance for the program.
The Office ran through its information-sharing work, covering executive orders and homeland security directives, the DHS Information Sharing & Collaboration Office, interagency working groups, the Data Privacy & Integrity Advisory Committee and other projects. The report includes at least one mistake, saying President Bush signed an executive order on agency disclosure in Dec. 2006 -- actually Dec. 2005.
National and global challenges for the Office include: (1) Govt. use of commercial data. The Office held a Sept. 2005 workshop to address concerns. (2) Biometric use. (3) Data mining, for which there’s “no set and agreed-upon definition.” The Multistate Anti-Terrorism Information Exchange (MATRIX), reported to use data mining techniques, actually didn’t, the Office found in a review. It simply used a company’s database technology to help state law enforcement access state-owned or public records, although it lacked privacy safeguards, with low public confidence leading to the program getting canned, the report said. The Office sent a 2nd report to Congress on data mining recently. (4) International work, such as the International Conference of Data Protection & Privacy Commissioners in Sept. 2004.
Challenges for 2007: (1) Integrating “privacy attentiveness” and data security into the routine handling of personal information. (2) Using the talents of advocates, academics, researchers and the private sector without compromising privacy. (3) Border security and state-issued identification documents that can be used for federal purposes, which may require “technological assistance” for information sharing and ID management. (4) A “workable information sharing environment” for first responders, law enforcement and intelligence.
Privacy advocates refrained from in-depth analysis of the report for now. Marc Rotenberg, Electronic Privacy Information Center (EPIC) exec. dir., told us EPIC complained to DHS in Sept. that the report was long overdue. It’s important for congressional oversight committees next year to analyze the report carefully, because the agency’s activities have considerable effect on everyday life, he said. There are concerns about the White House role in “sanitizing” the report and “redirecting” the Privacy Office’s focus, and President Bush in Oct. asserted prepublication review of the report, he added. The report didn’t resolve EPIC’s concerns about TSA redress procedures for Secure Flight mishaps, and it didn’t mention an advisory council’s report -- not yet public -- on privacy and security risks that the council found in using RFID technology in ID documents. It’s “urgent” that DHS release the report, he said. Jim Harper, Cato Institute information policy studies dir. and a member of the DHS Data Privacy & Integrity Committee, said the real action will be at the Committee’s Dec. meeting in Miami, where the RFID report is expected to be released. -- Greg Piper
--
Correction: House Intellectual Property Subcommittee Chmn. Smith (R-Tex.) is the sponsor of the Copyright Modernization Act (WID Nov 21 p1).