Privacy Act Update Could Occur This Congress; ISPAB Has Suggestions
The Privacy Act of 1974 has never shed its file-cabinet mentality, experts contended during a presentation Thursday of the Information Security and Privacy Advisory Board’s recommendations to Office of Management & Budget Director Peter Orszag for changes. The presentation, at Center for Democracy and Technology headquarters, also included a draft bill CDT prepared to update the Act.
The board is recommending updating the definition of “system of records,” to focus on government use of information rather than government holding of information; improving privacy notices; changing the “routine use” exemption, which CDT Vice President and ISPAB member Ari Schwartz said has been recognized as a giant loophole since 1977; covering commercial data under both the Privacy Act and E-Government Act; hiring a chief privacy officer; having privacy officers at the 24 “CFO” agencies, rather than the mere 10 that exist now; and disclosing use of Social Security numbers.
Peter Swire, the chief counselor for privacy in the Clinton administration, said he “found it hard to know how to rewrite the Privacy Act.” He agreed it’s “blindingly obvious” the definition of system of records must be changed, because it’s “wildly out of touch with the way modern computing works.” But the benefits of such a change aren’t immediately clear from the board’s recommendations, he said. The end result could simply be an avalanche of new system of records notices (SORNs), he said. Perhaps, he said, Privacy Impact Assessments could be substituted for SORNs. He also suggested writing into the law that data collected and used for authentication purposes should be strictly off-limits for any other use.
Mary Ellen Callahan, DHS chief privacy officer, liked some of the ideas, like the board’s endorsement of GAO’s recommendation to create a Privacy.gov site that holds all SORNs and PIAs. She wasn’t as excited about the recommendation to create a Chief Privacy Officers’ Council, though she said it could be a goal for the future. Right now, though, there’s a privacy committee within the CIO Council that is very active and has created useful dialogue between the agencies, she said.
The European Union would like the Privacy Act extended to cover its people, since it now covers only U.S. citizens and legal residents. An EU questioner in the audience raised the question, clearly part of an ongoing dialogue, with Callahan, saying an expansion would ease the exchange of data across the Atlantic. But Callahan said the focus on details of the Privacy Act misses the larger picture: That DHS, the agency with the most non-citizen data mixed with citizen data, has developed policies for databases with co-mingled information that use Privacy Act principles to treat all data equally. Evan Cash, a professional staff member on the Senate Government Affairs subcommittee on oversight and government management, said attempting to expand the scope of the Privacy Act would get more committees involved and make it more cumbersome to shepherd through to passage.
Most of the problems with reusing data stem from the “routine use” exemption, Schwartz said. The report said the exemption is confusing and recommended deleting it in favor of a primary/secondary, internal/external classification system. “It’s very hard to write a law that says ‘Collect less data,’” Schwartz said.
Hugo Teufel, former CPO at DHS, asked from the audience how the board expected to improve the quality of SORNs and PIAs. The board recommends that OMB disseminate best practices, Schwartz said. Dan Chenok, senior vice president at Pragmatics and chair of ISPAB, said the board didn’t spend a lot of time discussing a single notice, but the bigger issue is clarity of notices. That, he said, doesn’t require legislation but can be fixed by a change in approach.
Schwartz also introduced a CDT wiki at www.eprivacyact.org designed to help tweak CDT’s draft legislation. He thinks it’s the first time anyone has tried to craft legislation with a wiki.