The Department of Homeland Security has issued an official policy on its new Privacy Compliance Review process, which aims to help improve the agency's methods for documenting compliance efforts and their efficacy. A PCR might be used, for example, to revisit an already-conducted Privacy Impact Assessment to evaluate how things are working, examine any changes that may have taken place within the privacy program since the PIA was conducted, and ensure the program is still effective.
Jonathan Cantor, CIPP/G, CIPP/US, chief privacy officer at DHS, said PCRs are intended to be an additional mitigation strategy, especially for programs with a higher degree of risk. While DHS's privacy office itself could initiate a PCR, they're meant to be initiated by an individual component's CPO (at DHS, each operating office is called a "component"; the Secret Service and Immigration and Customs Enforcement, for example, are each a component). But they're meant to be a collaborative process, too. When the CPO initiates the PCR, a working group might include the component's program manager and the DHS privacy office. If recommendations come out of the PCR, it would be the responsibility of the component's program manager and privacy officer to implement them. It's essentially a way for components to audit themselves, ensure they're on top of compliance, and mitigate future risk.
Besides internal recommendations, PCRs could also result in public reports, depending on the program's sensitivity.
Shannon Ballard, CIPP/G, CIPP/US, is director of privacy oversight at DHS. She said PCRs are a way for DHS to make sure its house is in order.
"In my humble opinion, it's better to find out in-house that something may be done better than to have the WaPo find out," she said, adding, "It comes down to accountability and trust. You put out this PIA to the public, a public statement of what you're doing and how you're doing it. The review is just demonstrating our accountability with what we say we'll do. When we publish our findings, we're transparent in that and transparency breeds trust with the public. We are stating, 'This is what we said we were going to do,' and after our review, either, 'Yes, we are doing it the way we said,' or, 'We could do it better by these tweaks.'"
Currently, PCRs aren't being scheduled at regular intervals, but rather at the discretion of components' CPOs.
"Right now, everyone's got limited resources and limited time," Ballard said. "We're trying to be very strategic about when we conduct these PCRs." So for now, it's more likely that the more privacy-sensitive programs undergo PCRs as a priority.
Cantor said while PCRs are DHS's brainchild, he thinks it's a model that can be replicated elsewhere.
"The rest of the government is working on a similar framework. We all have PIAs, we all have Systems of Records Notices under the Privacy Act. Those are the core sorts of materials we're all using that are our launching pad for where we tend to kick off our reviews, our PCRs," he said. "It's an easy model assuming you have the staffing resources."
He said it's especially useful for agencies to consider adopting the process now because in the past several years, many government agencies and departments have grown and developed their privacy offices.
"You don't have to be a law enforcement agency like DHS or have intelligence functions like DHS to be able to copy this," he said. "This is something you can easily carry to any type of organization. It's all about how you implement these core practices, how you implement mitigation strategies and design your program. This is due diligence."
He added it's even something private organizations could and should be doing.
"It's a very consistent practice with what I would hope smart organizations are doing internally," he said.
If you're interested in hearing more about the PCR process, Ballard and Cantor will join Christopher Pierson, CIPP/G, CIPP/US, general counsel and chief security officer at Viewpost, to discuss methods of enforcing privacy compliance at the program level in both the private and public sectors on Wednesday, April 19, at the IAPP Global Privacy Summit 2017 in Washington, DC.