In Washington, for last week’s IAPP Practical Privacy Series event, there was no missing the looming change of administration. The Ronald Reagan Building, where the event was held, sits just a couple of blocks from the White House, which was largely obscured by temporary seating in preparation for next month’s inauguration.
It would have been easy, then, for Government Day keynoter Marc Groman, CIPP/US, senior advisor for privacy at the White House’s Office of Management and Budget, to give an address full of buttoning things up and winding things down.
“We’re not done,” he assured the audience, after ticking off a list of advances from the revamping of OMB A-130 to the newly released www.fpc.gov. “I have 41 days and I’m still picking up speed. There will be no slowing down, and that’s coming right from the president.”
Next up is a release of the revamped OMB A-108, which outlines federal agency responsibilities for review, reporting, and publication under the dictates of the Privacy Act of 1974. Noting the directive hadn’t been updated since 2000, Groman said, “There was a perception that the Privacy Act made the privacy program. But that’s just the floor.”
“Given the fact that we’re in the information age,” Groman said, “that we’re in the center of the digital economy, that all of your agencies are collecting unprecedented amounts of PII — from sensors and sources we never dreamed about — all of your agencies must have a risk-based notion of privacy.”
In fact, he told them, “The one-time PIA exercise is useless. I’d actually rather you not even do it, rather than see it as a compliance exercise.”
"The one-time PIA exercise is useless. I’d actually rather you not even do it, rather than see it as a compliance exercise.” —Marc Groman, Office of Management and Budget, White House
In a frank exposition on the state of federal privacy programs, Groman made no claims that efforts to modernize privacy in the U.S. government, begun roughly a year ago, were anywhere near completed. There’s still plenty of work to be done.
However, “I’m really thrilled to report that we’re on our way. There are challenges ahead, but we’ve planted trees. They’re now growing and it will be up to you to continue that.”
But is that possible? The first question following Groman’s address got right to the heart of the matter: Will government privacy pros still have Groman’s enthusiasm to lean on after Jan. 21?
No, he assured the crowd, they wouldn’t be seeing his face in late January unless they happened to also be on a ski vacation, but neither was he overly pessimistic about the chances of this progress continuing.
“This was not a small effort and I expect it to continue,” he said. “Everything we do is non-partisan. This is about good government, more effective and efficient government, and the ROI is high.”
And too much progress has already been made. Eight separate agencies have created executive-level privacy officer positions in the last year. Seventeen agencies have added headcount. Fifteen other agencies have named new privacy officers, appointing from within. Groman called these advances in privacy professionalism “astounding.”
“We are seeing enormous shifts and reorganizations in privacy programs,” he said. Just looking around the room, he noticed the Office of Personnel Management’s first chief privacy officer, appointed in the last year, and reporting to the acting director.
Going forward, Groman emphasized the need for accountability and education, if these efforts, these planted trees, are going to bear fruit. Take a look to the reporting required under the Federal Information Security Modernization Act, he urged. The question sets that agencies are asked to answer now are much more detailed and will provide the public with a great deal more information. “It’s the first time we ever asked about the number of privacy staff in federal agencies,” he marveled. “We’re examining that data right now.”
“Is federal privacy where I want it to be ultimately? No. But we’re moving in the right direction.” —Marc Groman, OMB
As for education, well, he’s still trying to get people in the federal government to understand the difference between privacy and security. “When someone suggests that they’re the same and we don’t need separate people, I pull out the FIPPs,” he said. “Hey, there’s security, and it’s second from the bottom, and it’s only one of the seven principles. Let’s go through the other bullet points: What’s your legal authority? How long are you going to keep it? Who do you plan to share it with? Are there secondary uses? When it goes to another agency, how is that agency going to use it? Do we need consent? Have you gotten it?”
Throughout the room, heads nodded. People looked at their neighbors and smirked in mutual recognition.
“Is federal privacy where I want it to be ultimately?” Groman asked the collection of federal privacy professionals, hailing from the Veterans Administration to the Department of Homeland Security to the Department of Energy. “No. But we’re moving in the right direction.”
Government privacy pros can only hope that direction continues after Jan. 21 and doesn’t, like Groman on the ski hill, go downhill instead.
If you want to comment on this post, you need to login.