Before Marc Groman, CIPP/US, was appointed back in June to his position as senior advisor for privacy at the Office of Management and Budget, there were any number of discussions about exactly where he should sit in the administration.
Senior officials all across the Executive Office of the President “were realizing that privacy issues were increasingly touching everything,” Groman said in reflecting on his first conversations about coming back to the federal government. “And they were becoming more challenging. … It was important that the new senior advisor have a 360-degree view."
What better place, then, than the Office of Management and Budget, which oversees so many of the areas where privacy issues pop up? OMB handles procurement (vendor management!), e-government and IT (cybersecurity!), and personnel management (HR!), not to mention coordination and review of all significant federal regulations (talk about privacy by design…). Best of all, OMB reports directly to the president – Director Shaun Donovan is a member of President Obama’s cabinet – and every privacy professional knows that getting CEO buy-in is key.
Thus far, Groman says things are working out just as planned. “I’m constantly meeting with the most senior leaders in the White House,” he said. “I’m constantly in situations and rooms having deep-dive discussions and weighing in on important issues. I’ve had nothing but complete support from leadership here. The support has been tremendous.”
And that’s something Groman wants to emphasize as news of Obama’s executive order establishing the Federal Privacy Council spreads: “The president of the United States cares about privacy!” Groman nearly shouts, in the energetic way that has brought him from chief privacy officer at the Federal Trade Commission to CEO of the Network Advertising Initiative to the White House. “It’s one thing for me to give a speech, or for the OMB director to give a speech, but this is the president of the United States doubling down on privacy and sending an unambiguous message that privacy is important.”
Further, the instruction to agencies heads to re-evaluate their senior agency official for privacy, and for OMB Director Donovan to issue new criteria for that position, is a clear indication to the federal government, said Groman, that this is a high-profile effort that the president cares deeply about.
Nor did that focus just magically begin with Groman. Already, talks were underway about how to emphasize privacy appropriately in the federal government, and Obama had already made his famous visit to the Federal Trade Commission. It didn’t start with Safe Harbor and the negotiations with Europe either, by the way. “In all candor, that issue didn’t factor into this at all,” Groman said. “This is about good government; this is about effective and efficient privacy programs. We were working on this well before the October decisions and we didn’t take our foot off the pedal or change course at all.”
However, “the piece I really brought was the notion of the Federal Privacy Council,” Groman said, “and reevaluating the roles and responsibilities of senior agency officials for privacy.” Previously, there had only been a privacy “community of practice,” which was embedded in the Federal CIO Council, and “it really was moving at a very slow pace; it wasn’t actively engaged, and rather anemic.”
“My recommendation,” Groman said, “was to remove that and create a standalone, permanent council that would give the privacy profession its own council, raise its profile, and send the message that privacy is not just a subset of IT or security, but is rather its own independent discipline. They are interdependent, for sure, and they are required to stay in close collaboration, but many privacy professionals are often trying to explain that they are not the same.”
Having their own council helps make this point much more clearly.
Best of all, said Groman, the CIO Council was in complete agreement. “One of the strongest advocates was Tony Scott,” he noted, “the federal CIO, along with his staff. And leadership across OMB were really supportive of this idea for an independent council for this separate discipline and expertise, and with a deep recognition that the two councils would have to coordinate, and that’s reflected in the executive order.”
It reads, in fact:
The Chair and the Privacy Council shall coordinate with the Federal Chief Information Officers Council (CIO Council) to promote consistency and efficiency across the executive branch when addressing privacy and information security issues. In addition, the Chairs of the Privacy Council and the CIO Council shall coordinate to ensure that the work of the two councils is complementary and not duplicative.
Groman also pointed to something that might seem like a small thing in the executive order, but which is actually quite important: Yes, the order lists the 24 major agenices as members of the council, but “it also gives, quite intentionally, discretion to the chair to invite in other agencies and experts, so this is not going to be a small group of privacy leaders, but rather we’re going to take a big tent approach and encourage robust participation by agencies large and small, even if they’re not listed on the executive order. I fully expect the FTC and the FCC to be active participants, and the NTIA and other agenices that are not listed there. … We’ll encourage as much participation as possible.”
Further, while the council has no mandate to tackle consumer-privacy issues, it will still likely engage privacy industry stakeholders, academics, and advocates as it goes through its work.
“In many respects, being a chief privacy officer in the government, I would suggest, is more similar than different from being a chief privacy officer in the private sector,” Groman said. “I think that might surprise people.” Sure, there are different legal regimes, but “when I was a chief privacy officer in an agency, my agency had a mission. … And when I come in as a CPO, ultimately I need to help enable that mission and I need to be embedded in processes to ensure privacy by design, to get needed resources for privacy, to work with the lines of business to help them make better decisions. It’s really quite similar.”
Just look at vendor management, he offered, or bring your own device, the proliferation of mobile devices, cloud computing, telecommuting – “we’re dealing with those issues in the government, too.”
“I think in any federal government initiative,” he said, “it’s critical that we adopt and learn from best practices, and as we develop and improve this there’s no doubt that we’ll be looking at best practices in the private sector. I fully expect to be engaging them as we stand this up. And I would also hope that there’s an opportunity for the council to produce documents that will help to influence privacy more generally.”
It also might affect a career path or two. One of the mandates for the council is to look at how the federal government can attract and retain top privacy professional talent. That means new looks at job descriptions and mandates, getting privacy into the president’s management fellowship program, and looking for ways to bring students into the government in privacy roles.
All of which is to say: Groman’s just getting started. “I’m not someone you hire because you want a hood ornament or you’re looking to have the optics of privacy,” he said. “Don’t hire me for that. But that’s not what they wanted. They wanted someone with deep experience in privacy, both in the public and private sector, who would roll up sleeves and engage.”
The Federal Privacy Council is but an early signal that that’s just what they got.
If you want to comment on this post, you need to login.