For Federal Privacy Programs, the Final Fair Information Practice Principle Is Crucial

When I was Chief Privacy Officer at the U.S. Department of Homeland Security from 2009-2012, I was asked frequently how the Department of Homeland Security Privacy Office was able to ascertain whether the privacy protections initially embedded in DHS programs and systems were actually being applied, and whether they were effective in protecting privacy. As with many things in privacy, the answer is: auditing and accountability, the last Fair Information Practice Principle. In order to be effective, accountability must be integrated through all parts of the information governance lifecycle, including analysis of the privacy programs themselves at the Department and Component level.

Fair Information Practice Principles

For years (starting with my predecessor, Hugo Teufel) the Department of Homeland Security has had robust privacy policy guidance on how to integrate and implement the Fair Information Practice Principles. The FIPPs are part of DHS Policy, and are integrated into the DHS project and system development (as well as being utilized in White House initiatives such as the National Strategy on Trusted Identities in Cyberspace).

The FIPP that is the most amorphous and often difficult to implement is the final principle, accountability and auditing.

  • Accountability and Auditing: DHS should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.

The National Institute of Standards and Technology (NIST) has created some criteria for integrating auditing and accountability into federal systems with the new Appendix J in its seminal Special Publication 800-53 (revision 4), Security and Privacy Controls for Federal Information Systems and Organizations. Appendix J now includes a control family called “Accountability, Audit, and Risk Management” that elaborates on the Accountability and Audit FIPP. In addition, the FY2012 FISMA Guidance (Q&A No. 53) required federal agencies to comply with Appendix J “when final.”

Given that Appendix J is now final, what should federal agencies do to comply? I can discuss what we did at DHS to integrate the accountability and auditing FIPP.

Privacy Oversight

DHS implemented this FIPP in several ways, in order to close the loop on integrated privacy compliance. First, I created a Privacy Oversight Team within the DHS Privacy Office, led by a Senior Director, to establish a review and investigation process to confirm that DHS is meeting its responsibilities. Pursuant to the DHS Privacy Office Strategic Plan, the Privacy Oversight Team provides ad hoc reviews and advice (e.g., on privacy incidents, a/k/a data breaches), establishes consistent complaint and redress procedures throughout the Components, and investigates significant privacy incidents and violations.

Privacy Compliance Reviews

The Privacy Office established a practice of performing Privacy Compliance Reviews (by the Privacy Oversight Team) on DHS programs of major significance, or when an Inspector General or the Government Accountability Office recommends such a review.[1] The Privacy Compliance Reviews help confirm that the public statements on embedded privacy protections – often made before the program was started – are still in place, and still make sense. The Reviews often provide some fine-tuning recommendations to make the programs or systems more privacy protective.

Privacy Stewardship Reports

Sometimes other review authorities such as the Government Accountability Office recommend reviews of certain privacy programs. In addition, the Office of Inspector General has been reviewing the privacy stewardship of the DHS Privacy Office and Component Privacy Offices, evaluating compliance with the relevant legislation (Privacy Act, Federal Information Security Management Act of 2002, E-Government Act, Homeland Security Act, Implementing Recommendations of the 9/11 Commission Act), DHS Policy and Guidance (including the FIPPs, reduction of the use of Social Security Numbers, etc.), and data breach notification compliance.[2] The series of Privacy Stewardship reports are useful objective and subjective barometers of how the Department and its Components are doing at integrating privacy and complying with privacy principles. The reports also help identify which Components are not meeting DHS standards.

Privacy Investigations

While the Inspector General continues to review DHS privacy stewardship, I investigated the Office of the Inspector General (OIG) when it did not comply with its own responsibilities with personally identifiable information. On March 30, 2010, contractors working for the Office of the Inspector General lost an unencrypted USB drive containing DHS Financial Records Audit data from DHS Headquarters Management, United States Citizenship and Immigration Services, and Immigration and Customs Enforcement Components. This loss violated a series of laws, DHS policies, and OMB guidance on the collection, use, and storage of sensitive personally identifiable information.

As the DHS Chief Privacy Officer, I had unique investigatory authority. Under Section 222a(1) (as modified) of the Homeland Security Act of 2002, the DHS Chief Privacy Officer can “make such investigation and reports relating to the administration of the programs and operations of the Department as are, in the [Chief Privacy Officer’s] judgment, necessary or desirable.” This is pretty broad authority, and must be used judiciously. Of course, the same statutory reference requires the Chief Privacy Officer to refer any privacy incident to the Inspector General of the Department; if the OIG accepts the referral, the OIG investigates first. With this USB privacy incident, the OIG and Privacy Office worked together; the OIG used its expertise and manpower to determine exactly what happened, including with the contractor. The DHS Privacy Office then took that factual synopsis, and analyzed the event with our privacy expertise, including the impact on privacy laws, policies, and guidance.

The final report provided recommendations and steps forward to help not only the OIG, but other DHS Components who are handling another Component’s information. The goal of the investigation was to solve the problem, but also to identify ways to avoid these problems in the future, and to establish a strict reporting mechanism to make sure the recommendations were implemented in a timely fashion.

During my tenure, my office did two more in-depth investigations, one resulting in a Department-wide Management Directive on the Use of Social Media for Operational Purposes, and one resulting in sanctions at a Component for non-compliance with Department policy and law. The investigatory authority was frequently a very useful “stick” for my office to implement the final FIPP, in addition to the “carrot” encouragement FIPPs such as transparency.

Other Federal Privacy Officers Lack Investigatory Authority

As you can tell, my office used the investigatory authority judiciously, but I believe effectively, to address egregious privacy violations, and to demand production of documents connected to the violation (a related DHS CPO authority). The investigatory and production authorities were provided to the DHS Chief Privacy Officer in the Implementing Recommendations of the 9/11 Commission Act of 2007. However, even though my brethren Privacy Officers in the Departments of Defense, Justice, State, Treasury, Health and Human Services, and the Office of the Director of National Intelligence (along with DHS) received increased authority and responsibilities in Section 803 of the 9/11 Commission Act, the DHS Chief Privacy Officer was singled out for the investigatory authority in Section 802.

The lack of investigatory or enforcement authority among other federal Chief Privacy Officers diminishes their ability to address thorny privacy policy issues and violations. The incentives to admit fault or face consequences are shifted, and the privacy officers cannot compel a response or the production of documents. Furthermore, conducting investigations is a laborious process, and privacy offices are often understaffed for their statutory responsibilities, much less able to engage in detailed compliance auditing and investigations.

Although Inspectors General do outstanding jobs in their audits and reports on privacy issues (whether they be the Privacy Stewardship reports from DHS, or the recent OIG reports from the National Security Agency), based on my experience with the lost USB drive investigation, there are elements of privacy compliance that privacy officers are better suited to analyze than an Inspector General who covers an entire Department. The ability to work collaboratively with the Inspector General may impart the best of both worlds – the OIG could do the factual investigation, while the privacy officer provides the analysis and remedies, as we did in the lost USB drive investigation.

Frequently, privacy officers have to rely on self-reporting of privacy violations as the sole mechanism to implement accountability and auditing. Self-reporting is by definition a biased selection, and it does not address malfeasance, inadvertent (or unknowing) violations, or systemic issues.

In order to effectively implement all of the FIPPs in federal government systems, accountability and auditing needs to be prioritized, both by the privacy officers, and by the agencies they serve. The federal government has been instilled with the public’s trust that it will use the information it lawfully collects in appropriate and transparent ways. One way to earn that trust is to analyze the privacy protections – and periodic violations – throughout the entire lifecycle of information governance, whether through Privacy Compliance Reviews, investigations, audits, self-reporting, or working in collaboration with Inspectors General. Having privacy officers and related compliance officials endowed with holistic investigatory authority to assure the public that the embedded privacy protections have been maintained would ameliorate many of the public anxieties now evident regarding the government’s collection and use of information.

Bunches and Bits {Karina} via photopin cc

[1] For example, DHS did Privacy Compliance Reviews on programs such as DHS’s use of Passenger Name Records and compliance with the U.S./EU Passenger Name Records Agreement, the EINSTEIN cybersecurity program, DHS’s use of Social Media for Communications and Outreach, and the Immigration and Customs Enforcement Pattern Analysis and Information Collection Law Enforcement Intelligence Sharing Service, after the Government Accountability Office recommended that I review whether a component of this system should be deactivated until a modified PIA was approved. The DHS Privacy Office has done bi-annual reviews of the National Operations Center’s Situational Awareness Initiative use of publicly available social media since the program was established, to provide transparency on what the program does – and does not – do, and to provide fine-tuning recommendations for the initiative, as I testified before Congress.

[2] In Fiscal Year 2013, the Federal Emergency Management Agency was reviewed; in FY 2012, Customs and Border Protection was reviewed; in FY 2011, Citizenship and Immigration Services was reviewed; in FY 2010, Immigration and Customs Enforcement was reviewed; in FY 2009, the Transportation Security Administration was reviewed.

Written By

Mary Ellen Callahan, CIPP/US


  • Antonio F. David Workman, CIPP/G, CIPP/IT Aug 28, 2013

    A comprehensive documentation of proper implementation, utilization and auditing of the Final Fair Information Practice Principle.
    FYI - miss your presence at the Federal CIO Privacy Committee.

  • Allen Brandt, CIPM, CIPP/E, CIPP/US Aug 29, 2013

    Great information, thanks. It should work the same in the private sector: the CPO should implement accountability and auditing, both internally and for external vendors, to fully understand the uses of information and their processing.
    And while it can be a touchy subject, the CPO office performing an internal audit of another department or business unit within the organization can be a great learning experience to provide an analysis of information uses and processes and proposed changes, to the benefit of all.