After two years as the chief privacy officer at the U.S. Department of Homeland Security (DHS), Mary Ellen Callahan discusses the importance of privacy and transparency at DHS with her public affairs representative, Steven Richards.

At the U.S. Department of Homeland Security (DHS), privacy law and policy are implemented and enforced through the Privacy Office—the first statutorily mandated privacy office at any U.S. federal agency. The DHS Privacy Office is the largest office of its kind in the federal government, and it has been referred to by many as the leader in public-sector privacy policy.

The office’s mission is to protect privacy—particularly individuals’ personal information and dignity—while serving the DHS mission to secure America. All DHS systems and programs that either collect personally identifiable information (PII) or have a privacy impact are subject to the oversight of the chief privacy officer and the requirements of U.S. data privacy laws.

Richards: Please tell us why privacy is important to the DHS mission.

Callahan: In our mission to secure the homeland, we need to collect personal information from citizens, residents and visitors, and DHS is obligated by law to protect this information to prevent identity theft or other adverse consequences of a breach or misuse of data. We also need to ensure that our collection of PII is legally authorized and that we are transparent about how we use personal information.

DHS manages a large amount of PII. My staff and I consistently reinforce the message that, as the steward of this information, the department must do all it can to protect and properly use it. We spread that message by providing training, guidance and oversight across the department. And, we work to “operationalize” privacy throughout the federal government to increase privacy awareness and help reduce privacy incidents. We want all DHS employees to understand and identify privacy risks, mitigate the risks and take steps to safeguard PII.

International information sharing also plays an integral role in carrying out the DHS mission. Over the past two years, I've seen our international partners recognize U.S. privacy accountability practices such as senior privacy officers, privacy impact assessments and access laws as best practices. The privacy office is involved in international information-sharing initiatives from the planning stages through implementation and review, working with our partners directly to ensure optimal protection of individuals' information.

Richards: How do you protect privacy and promote transparency of operations while also supporting the security mission of the department? Is it a balancing act?

Callahan: We work hard to create an environment where privacy and security are not traded or balanced, but merged in a manner that keeps this country safe and honors the principles on which the country was founded. Privacy is embedded into the lifecycle of DHS programs and systems to inform departmental policy making and to ensure effective privacy protections. The full privacy compliance process provides the public with notice of what the department is doing with personal information and why.

We use the DHS Fair Information Practice Principles (FIPPs) as our framework for identifying and mitigating privacy risks. Our FIPPs provide the foundation for all privacy policy development and implementation at the department and must be considered whenever an operational or prospective DHS program or activity raises privacy concerns or involves the collection of PII.

We ask the system development team if the personal information they plan to collect is relevant and necessary. And, we require them to specify their purpose for collecting PII in public notices such as PIAs and SORNs and encourage them to collect only the absolute minimum PII necessary.

We also look at how other agencies have handled a particular issue and seek advice from the CIO Council’s Privacy Committee. We have an external privacy committee set up under the Federal Advisory Committee Act (FACA), which serves to enhance the transparency—and public trust—of DHS programs by publicly discussing privacy issues associated with DHS programs and identifying steps the department can take to mitigate any negative effects those programs may have on privacy. And, we consult with experts from the private sector, advocacy and international groups to help us understand different issues and address them broadly.

My responsibilities include explicit investigative authority, the power to issue subpoenas, the ability to conduct regular reviews of privacy implementation and to coordinate with the inspector general. DHS programs have been canceled or suspended because they did not meet the rigorous requirements of our privacy compliance process.

Richards: What have been your biggest challenges so far in leading the privacy office?

Callahan: My goal from the outset has been to “operationalize” privacy throughout the department. We have built a robust privacy program by using a wide variety of policy, compliance and educational tools that together implement the FIPPs across the department. Privacy considerations are now woven directly into business processes throughout the department to ensure that privacy is integrated into decision-making from the very beginning.

I also serve as the department’s chief Freedom of Information Act (FOIA) officer. The ability to oversee both privacy and FOIA management across DHS fosters greater transparency of DHS operations.

I’m proud to say that DHS has significantly reduced its FOIA backlog again this year. Between the end of FY 2008 and FY 2010, we reduced the backlog by 84 percent, from 75,000 to less than 12,000 requests. While accomplishing this reduction, we set a record by processing more than 138,651 FOIA requests in FY 2010 alone—more than any other federal agency. In addition, over the past year we reduced the average time it takes to process FOIA requests across the board, including cutting the response time for complex requests in half.

We have implemented a “pro-active disclosure” policy whereby DHS is publicly posting information and documents that are often requested, including contracts, management directives, calendars and congressional correspondence. Implementing this novel initiative has been time-consuming but very worthwhile.

Richards: What are today’s top trends in public-sector privacy?

Callahan: We are developing appropriate privacy policies to ensure that individual privacy is protected in the use of social media, cloud computing, identity management and personal location devices (GPS). And, we continue to address the challenges inherent in cybersecurity, striving to balance our reliance on technology with the need to protect privacy.

Richards: What advice can you offer other privacy professionals?

Callahan: Begin with a clear mandate from your management. In my case, I report directly to the secretary, who is very supportive of our mission. Next, establish your reputation by creating sound privacy policies within a framework like the FIPPs, and set up a compliance function based upon them. Take a seat at the risk-management table and create allies among key players within and outside of your organization. You will need them! Also, have privacy foot soldiers throughout your organization. They are your “boots on the ground” who are most familiar with your programs and systems and where the potential privacy risks may live. And, you can’t hold staff accountable unless you provide training on privacy policies and raise awareness about safeguarding PII on a regular basis. Finally, encourage your staff to report privacy complaints and incidents and create a process to address them.

I also encourage people to read our Guide to Implementing Privacy, which explains how my office puts theory into practice. It details the office’s responsibilities and scope of authority, and it describes the concrete steps DHS takes to implement privacy policies.

