Beverly Walker, CIPP/G, CIPM, is the first chief privacy officer the U.S. Centers for Disease Control and Prevention has ever had, a post she has held since 2011. And for a very long time, it was a pretty quiet office, if steadily busy. That's because only she and an IT analyst were in charge of privacy. The two of them managed everything from education and awareness to compliance at the agency, which, "you can imagine, is quite a struggle," Walker said.
Each day was a ball toss over which priority to tackle.
"We were just up to our necks in paperwork, completing privacy impact assessments, and doing policy and education. Those were the three top priorities, and we’re trying to juggle these on a daily basis."
But then COVID-19 hit.
As of last week, Walker finally hired the last of her now-complete staff, and it's a good thing she did. The CDC is playing a critical role in managing the COVID-19 pandemic by tracking the disease, preparing communities and hospitals for transmission surges, and launching special investigations teams on the ground to study still-unknowns about the virus's behavior. Perhaps most importantly, the CDC will soon once again be the main governmental repository for COVID-19 data from hospitals across the U.S. The Department of Health and Human Services took over the task earlier this summer, a move highly criticized by pundits who said it was political rather than practical, and one that prompted a letter from 22 state attorneys general demanding the CDC be given back control. As The Wall Street Journal reported recently, the CDC is in the process of building a data collection repository and will, in fact, be charged with the responsibility.
For Walker, the woman in charge of ensuring data collection and maintenance are done according to the letter of the law, these are important times to be on her game.
And the game itself is fast-moving.
"Anything that’s COVID-related gets priority," Walker said, without the ability to specifically disclose the projects the CDC's privacy team is working on now. "It could be an IT system that’s going to be stood up that might be related to that data collected or a contractual matter. All procurements have to have certain standard IT security- and privacy-related language in them. I have to review that to make sure it has the appropriate privacy language if necessary. As you can imagine, with the current environment, there's a lot of that."
Walker said she is grateful she was able to get her full team in place (five full-time employees and two contractors) before the global crisis, when work on data collection would become of utmost importance.
"It would have been difficult to do all of these things if we didn’t have the resources we have now," she said, adding she now has the ability to delegate, and that's a beautiful thing. "If I get something at 2 p.m., I can then plan, and we can be attacking it by 2:15, and I’ve got the resource in place, recognizing who has the skill set to bring to that particular initiative and can work at that initiative at the pace it needs to be worked on with a reasonable margin of error given the timeline."
Now, Walker said her office's reviews have to happen "faster than ASAP because we're not just talking about something that's regular; we're talking a pandemic now." And that's at the forefront of her team's mind. In addition, this is government work, so every document prepared becomes a public record.
"So making sure those i's are dotted and t's are crossed, and it's presented in a manner the public can understand but that's thorough and comprehensive and meets all the requirements (the Office of Management and Budget) and HHS has set out."
Under its mandate, HHS must sign its approval on CDC-approved documents before they can go public.
Beyond the privacy work itself, Walker and her team have had to adapt to working remotely and still protecting the information they're working with. For example, it's important employees avoid printing documents and creating a paper trail at home; like many of us, some have had to convert bedrooms into offices.
So, is it difficult to be the CPO, the position often self-described as the "no" person, at a time when the government is pushing fast to catch a virus beating it at every turn? Walker said most of the time it is a matter of asking questions of the approval-seeker to adequately assess risk or compliance.
"Here’s what we like to say," Walker explained. "Sometimes the answer is legitimately no. But ideally it is, 'No, but, here’s what I can do.' And we always look for the 'No; but.' That’s our first go-to. But realizing that sometimes that 'but' has to be taken out of the equation, and it’s just an emphatic no."
Noting that she's not the only privacy professional to ever have to argue for the budget to hire a staff, Walker said she succeeded by speaking up and making herself visible. She said it is about "going to meetings and not being afraid to insert yourself into areas that you're shut out of virtually, and getting those meetings with people who are decision-makers."
She added that she got the team she has now by stressing the importance of the privacy program as a whole as part of the agency's entire risk-management framework, and by making it personal.
She poses the question, "How would you feel if your information was breached? How would you feel if your information was disclosed in a manner it should not have been?"
She also made it a priority to hold privacy trainings for groups within her agency, creating opportunities to do so where necessary.
"Eventually it’s gonna work its way up to management, and then they’ll wonder, 'Why don’t you have staff?'" she said. "That was a question that was asked of me. Come in with your strategy and start to get that buy-in early on. In this case, the privacy program has been built over the last nine years, been built to where it is today. And I’m pretty proud of where we’re going and what we’re doing."
On Aug. 27, IAPP CEO and President J. Trevor Hughes, CIPP, will host Walker during the IAPP's inaugural "Profiles in Privacy" series.