In a keynote speech at the Federal Privacy Summit yesterday, Office of Management and Budget (OMB) Director Shaun Donovan announced the government will establish a Federal Privacy Council, modeled after the federal CIO Council, in an effort to coordinate privacy policies, strategies and strategic thinking across government agencies.
Donovan said he's a big return-on-investment guy, and if the government does this right, the returns will be significant. The long game is to prevent data breaches, limit harm when they occur, improve efficiency and regain trust in government. The Federal Privacy Council is a step in that direction.
"It's time to stop re-inventing the privacy wheel at agencies and do a better job of leveraging the success of each agency's related efforts," Donovan said. "It is time to shift from reactive programs to proactive strategies. And it is time to 'professionalize' the privacy profession."
Donovan said the Obama administration is "all about" technology and innovation, but recognizes that the threat landscape is more dangerous than ever given not only advances in tech like the cloud and big data but also cyber-attacks. That's why it's acting now.
Its actions are in line with recent moves by the Department of State, which is creating a new position to lead the department in privacy, the Department of Justice, which just posted a job vacancy for a senior executive at the Office of Privacy and Civil Liberties, and the Department of Defense, which has brought on a privacy lawyer to lead its oversight and compliance function.
Donovan is asking all agencies to follow suit, to an extent, by looking at the current structure of their privacy office. He wants agencies to "answer the tough question, 'Is the right person the senior agency official for privacy at our agency?' If not, we want you to develop a plan to get to the right place," Donovan said.
The OMB will deliver guidance on this in the near future, he added.
In an interview with The Privacy Advisor, OMB Senior Privacy Advisor Marc Groman, CIPP/US, said having the "right" person as the privacy lead means someone who's got access to government leadership and can elevate issues as needed. But it's also someone "with experience and background in privacy. It doesn't have to be all privacy ... but someone who can bring to the table some level of experience as the privacy agency's response or the like."
The person should also have some level of independence or authority to raise issues as appropriate, he said.
In addition to creating a formal privacy council, Donovan announced several other imperatives decided upon following Groman's meetings with privacy pros across various agencies, who've told him their departments need more privacy training, that the government's guidance documents are outdated and there isn't enough strategic thinking about how to handle privacy.
As a result, OMB will soon release updates to the documents agencies rely upon in decision-making.
"Implementing a comprehensive, risk-based and strategic privacy program across a department or agency in the information age is no easy task," Donovan said to the privacy pros in the room. "To do your jobs, you often rely on guidance, standards and best practices to serve as a road map to successful implementation. Those documents must be current, accurate, practical and scalable."
Groman said Circular A130, "Managing Information in Strategic Decision Making," has gone through two rounds of agency review and its public comment period ends December 5. Circular A108, which aims to help agencies implement the Privacy Act, and Memorandum 716, on incident response, will go through similar processes in months to come.
But how can the government expect to stay nimble as tech advances race forward in ways unimagined today?
Groman said the circulars' forthcoming guidance is tech-agnostic, focusing more on high-level processes and helping privacy pros make decisions on the inherent privacy and security risks they're dealing with in any given context.
But another problem Groman heard from privacy pros, he said, is an inability for agencies to attract top talent. He said that could be the result of any number of factors. For example, privacy pros are—now more than ever before—in high demand from the private sector.
"Salaries are only increasing. Every law firm now has a privacy group, so we're competing with that," he said.
The creation of a privacy council will, in part, look at that issue and aim to find ways to bring in better people, Groman said. He pointed to recent moves by the State Department and the Department of Defense as investments that will usher in top talent and create career paths for pros, another issue identified by the government pros he spoke with.
Finally, Groman said OMB wants to make it easier for government privacy pros to collaborate. The agency aims to create a framework that will enable pros to network. What shape that will take remains to be seen, but Groman envisions regular subcommittee meetings that focus on the particular challenges of the day, as well as channels such as listservs that would allow for communication and the cross-pollination of best practices.
Donovan said that we're a country that created both the Internet and the Bill of Rights, and the federal government's approach to privacy should reflect that.
"In a world where government can build technologies to provide healthcare, student loan relief, immigration services or veterans' benefits, we can also build the architecture to protect the information government maintains to provide these services, and the information we value so dearly as a society," he said.
Will the new privacy council help answer that call? At this point, it's still a concept and in early 2016 will need to go through standard government processes before its existence is formalized, members are appointed, a mission is stated and other details are worked out. If Donovan and Groman have anything to say about it, though, you can bet it will have an impact.
Photo credit: U.S. Office of Management and Budget