When I was Chief Privacy Officer at the U.S. Department of Homeland Security from 2009-2012, I was asked frequently how the Department of Homeland Security Privacy Office was able to ascertain whether the privacy protections initially embedded in DHS programs and systems were being applied, and whether they were effective in protecting privacy. As with many things in privacy, the answer is: auditing and accountability, the last Fair Information Practice Principle. In order to be effective, the accountability must be integrated through all parts of the information governance lifecycle, including analyzing the privacy programs at the Department and component level themselves.
Fair Information Practice Principles
The FIPP that is the most amorphous and often difficult to implement is the final principle, accountability and auditing.
- Accountability and Auditing: DHS should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.
The National Institute of Standards and Technology (NIST) has created some criteria for integrating auditing and accountability into federal systems with the new Appendix J in its seminal Special Publication 800-53 (revision 4), Security and Privacy Controls for Federal Information Systems and Organizations. Appendix J now includes a control family called “Accountability, Audit, and Risk Management” that elaborates on the Accountability and Audit FIPP. In addition, the FY2012 FISMA Guidance (Q&A No. 53) required federal agencies to comply with App J “when final.”
Given that Appendix J is now final, what should federal agencies do to comply? I can discuss what we did at DHS to integrate the accountability and auditing FIPP.
DHS implemented this FIPP in several ways, in order to close the loop on integrated privacy compliance. First, I created a Privacy Oversight Team within the DHS Privacy Office, led by a Senior Director, to establish a review and investigation process to confirm DHS accountability with its responsibilities. Pursuant to the DHS Privacy Office Strategic Plan, the Privacy Oversight Team provides ad hoc reviews and advice (e.g., privacy incidents, a/k/a data breaches), establishes consistent complaint and redress procedures throughout the Components, and investigates significant privacy incidents and violations.
Privacy Compliance Reviews
The Privacy Office established a practice of performing Privacy Compliance Reviews (by the Privacy Oversight Team) on DHS programs of major significance, or when an Inspector General or the Government Accountability Office recommends such a review. The Privacy Compliance Reviews help confirm that the public statements on embedded privacy protections – often made before the program was started – are still in place, and still make sense. The Reviews often provide some fine-tuning recommendations to make the programs or systems more privacy protective.
Privacy Stewardship Reports
Sometimes other review authorities such as the Government Accountability Office recommend reviews of certain privacy programs. In addition, the Office of Inspector General has been reviewing the privacy stewardship of the DHS Privacy Office and Component Privacy Offices, evaluating compliance with the relevant legislation (Privacy Act, Federal Information Security Management Act of 2002, E-Government Act, Homeland Security Act, Implementing Recommendations of the 9/11 Commission Act), DHS Policy and Guidance (including the FIPPs, reduction of the use of Social Security Numbers, etc.), and data breach notification compliance. The series of Privacy Stewardship reports are useful objective and subjective barometers for how the Department and Components are doing with integrating privacy and complying with privacy principles. The reports also help identify which Components are not meeting DHS standards.
While the Inspector General continues to review DHS privacy stewardship, I investigated the Office of the Inspector General (OIG) when it did not comply with its own responsibilities with personally identifiable information. On March 30, 2010, contractors working for the Office of the Inspector General lost an unencrypted USB drive containing DHS Financial Records Audit data from DHS Headquarters Management, United States Citizenship and Immigration Services, and Immigration and Customs Enforcement Components. This loss violated a series of laws, DHS policies, and OMB guidance on the collection, use, and storage of sensitive personally identifiable information.
As the DHS Chief Privacy Officer, I had unique investigatory authority. Under Section 222a(1) (as modified) of the Homeland Security Act of 2002, the DHS Chief Privacy Officer can “make such investigation and reports relating to the administration of the programs and operations of the Department as are, in the [Chief Privacy Officer’s] judgment, necessary or desirable.” This is pretty broad authority, and must be used judiciously. Of course, the same statutory reference requires the Chief Privacy Officer to refer any privacy incident to the Inspector General of the Department; if the OIG accepts the referral, the OIG investigates first. With this USB privacy incident, the OIG and Privacy Office worked together; the OIG used its expertise and manpower to determine exactly what happened, including with the contractor. The DHS Privacy Office then took that factual synopsis, and analyzed the event with our privacy expertise, including the impact on privacy laws, policies, and guidance.
The final report provided recommendations and steps forward to help not only the OIG, but other DHS Components who are handling another Component’s information. The goal of the investigation was to solve the problem, but also to identify ways to avoid these problems in the future, and to establish a strict reporting mechanism to make sure the recommendations were implemented in a timely fashion.
During my tenure, my office did two more in-depth investigations, one resulting in a Department-wide Management Directive on the Use of Social Media for Operational Purposes, and one resulting in sanctions at a Component for non-compliance with Department policy and law. The investigatory authority was frequently a very useful “stick” for my office to implement the final FIPP, in addition to the “carrot” encouragement FIPPs such as transparency.
Other Federal Privacy Officers Lack Investigatory Authority
As you can tell, my office used the investigatory authority judiciously, but I believe effectively, to address egregious privacy violations, and to demand production of documents connected to the violation (a related DHS CPO authority). The investigatory and production authorities were provided to the DHS Chief Privacy Officer in the Implementing Recommendations of the 9/11 Commission Act of 2007. However, even though my brethren Privacy Officers in the Departments of Defense, Justice, State, Treasury, Health and Human Services, and the Office of the Director of National Intelligence (along with DHS) received increased authority and responsibilities in Section 803 of the 9/11 Commission Act, the DHS Chief Privacy Officer was singled out for the investigatory authority in Section 802.
Although Inspectors General do outstanding jobs in their audits and reports on privacy issues (whether they be the Privacy Stewardship reports from DHS, or the recent OIG reports from the National Security Agency), based on my experience with the lost USB drive investigation, there are elements of privacy compliance that privacy officers are better suited to analyze than an Inspector General who covers an entire Department. The ability to work collaboratively with the Inspector General may impart the best of both worlds – the OIG could do the factual investigation, while the privacy officer provides the analysis and remedies, as we did in the lost USB drive investigation.
Frequently, privacy officers have to rely on self-reporting of privacy violations as the sole mechanism to implement accountability and auditing. Self-reporting is by definition a biased selection, and it does not address malfeasance, inadvertent (or unknowing) violations, or systemic issues.
In order to effectively implement all of the FIPPs in federal government systems, accountability and auditing needs to be prioritized, both by the privacy officers, and by the agencies they serve. The federal government has been instilled with the public’s trust that it will use the information it lawfully collects in appropriate and transparent ways. One way to earn that trust is to analyze the privacy protections – and periodic violations – throughout the entire lifecycle of information governance, whether through Privacy Compliance Reviews, investigations, audits, self-reporting, or working in collaboration with Inspectors General. Having privacy officers and related compliance officials endowed with holistic investigatory authority to assure the public that the embedded privacy protections have been maintained would ameliorate many of the public anxieties now evident regarding the government’s collection and use of information.
 For example, DHS did Privacy Compliance Reviews on programs such as DHS’s use of Passenger Name Records and compliance with the U.S./EU Passenger Name Records Agreement, the EINSTEIN cybersecurity program, DHS’s use of Social Media for Communications and Outreach, and the Immigration and Customs Enforcement Pattern Analysis and Information Collection Law Enforcement Intelligence Sharing Service, after the Government Accountability Office recommended that I review whether a component of this system should be deactivated until a modified PIA was approved. The DHS Privacy Office has done bi-annual reviews of the National Operations Center’s Situational Awareness Initiative use of publicly available social media since the program was established, to provide transparency on what the program does – and does not – do, and to provide fine-tuning recommendations for the initiative, as I testified before Congress.
 In Fiscal Year 2013, the Federal Emergency Management Agency was reviewed; in FY 2012, Customs and Border Protection was reviewed; in FY 2011, Citizenship and Immigration Services was reviewed; in FY 2010, Immigration and Customs Enforcement was reviewed; in FY 2009, Transportation Security Administration was reviewed.