After two years as the chief privacy officer at the U.S. Department of Homeland Security (DHS), Mary Ellen Callahan discusses the importance of privacy and transparency at DHS with her public affairs representative, Steven Richards.
The office’s mission is to protect privacy—particularly individuals’ personal information and dignity—while serving the DHS mission to secure America. All DHS systems and programs that either collect personally identifiable information (PII) or have a privacy impact are subject to the oversight of the chief privacy officer and the requirements of U.S. data privacy laws.
Richards: Please tell us why privacy is important to the DHS mission.
Callahan: In our mission to secure the homeland, we need to collect personal information from citizens, residents and visitors, and DHS is obligated by law to protect this information to prevent identity theft or other adverse consequences of a breach or misuse of data. We also need to ensure that our collection of PII is legally authorized and that we are transparent about how we use personal information.
DHS manages a large amount of PII. My staff and I consistently reinforce the message that, as the steward of this information, the department must do all it can to protect and properly use it. We spread that message by providing training, guidance and oversight across the department. And, we work to “operationalize” privacy throughout the federal government to increase privacy awareness and help reduce privacy incidents. We want all DHS employees to understand and identify privacy risks, mitigate the risks and take steps to safeguard PII.
International information sharing also plays an integral role in carrying out the DHS mission. Over the past two years, I've seen our international partners recognize U.S. privacy accountability practices such as senior privacy officers, privacy impact assessments and access laws as best practices. The privacy office is involved in international information-sharing initiatives from the planning stages through implementation and review, working with our partners directly to ensure optimal protection of individuals' information.
Richards: How do you protect privacy and promote transparency of operations while also supporting the security mission of the department? Is it a balancing act?
Callahan: We work hard to create an environment where privacy and security are not traded or balanced, but merged in a manner that keeps this country safe and honors the principles on which the country was founded. Privacy is embedded into the lifecycle of DHS programs and systems to inform departmental policy making and to ensure effective privacy protections. The full privacy compliance process provides the public with notice of what the department is doing with personal information and why.
We ask the system development team if the personal information they plan to collect is relevant and necessary. And, we require them to specify their purpose for collecting PII in public notices such as PIAs and SORNs and encourage them to collect only the absolute minimum PII necessary.
We also look at how other agencies have handled a particular issue and seek advice from the CIO Council’s Privacy Committee. We have an external privacy committee set up under the Federal Advisory Committee Act (FACA), which serves to enhance the transparency—and public trust—of DHS programs by publicly discussing privacy issues associated with DHS programs and identifying steps the department can take to mitigate any negative effects those programs may have on privacy. And, we consult with experts from the private sector, advocacy and international groups to help us understand different issues and address them broadly.
My responsibilities include explicit investigative authority, the power to issue subpoenas, the ability to conduct regular reviews of privacy implementation and to coordinate with the inspector general. DHS programs have been canceled or suspended because they did not meet the rigorous requirements of our privacy compliance process.
Richards: What have been your biggest challenges so far in leading the privacy office?
Callahan: My goal from the outset has been to “operationalize” privacy throughout the department. We have built a robust privacy program by using a wide variety of policy, compliance and educational tools that together implement the FIPPs across the department. Privacy considerations are now woven directly into business processes throughout the department to ensure that privacy is integrated into decision-making from the very beginning.
I also serve as the department’s chief Freedom of Information Act (FOIA) officer. The ability to oversee both privacy and FOIA management across DHS fosters greater transparency of DHS operations.
I’m proud to say that DHS has significantly reduced its FOIA backlog again this year. Between the end of FY 2008 and FY 2010, we reduced the backlog by 84 percent, from 75,000 to less than 12,000 requests. While accomplishing this reduction, we set a record by processing more than 138,651 FOIA requests in FY 2010 alone—more than any other federal agency. In addition, over the past year we reduced the average time it takes to process FOIA requests across the board, including cutting the response time for complex requests in half.
We have implemented a “pro-active disclosure” policy whereby DHS is publicly posting information and documents that are often requested, including contracts, management directives, calendars and congressional correspondence. Implementing this novel initiative has been time-consuming but very worthwhile.
Richards: What are today’s top trends in public-sector privacy?
Callahan: We are developing appropriate privacy policies to ensure that individual privacy is protected in the use of social media, cloud computing, identity management and personal location devices (GPS). And, we continue to address the challenges inherent in cybersecurity, striving to balance our reliance on technology with the need to protect privacy.
Richards: What advice can you offer other privacy professionals?
Callahan: Begin with a clear mandate from your management. In my case, I report directly to the secretary, who is very supportive of our mission. Next, establish your reputation by creating sound privacy policies within a framework like the FIPPs, and set up a compliance function based upon them. Take a seat at the risk-management table and create allies among key players within and outside of your organization. You will need them! Also, have privacy foot soldiers throughout your organization. They are your “boots on the ground” who are most familiar with your programs and systems and where the potential privacy risks may live. And, you can’t hold staff accountable unless you provide training on privacy policies and raise awareness about safeguarding PII on a regular basis. Finally, encourage your staff to report privacy complaints and incidents and create a process to address them.
I also encourage people to read our Guide to Implementing Privacy, which explains how my office puts theory into practice. It details the office’s responsibilities and scope of authority, and it describes the concrete steps DHS takes to implement privacy policies.