Circular A-130, the government’s policy guidance on managing federal information resources, is undergoing a major overhaul. It’s a big deal, high-ranking government privacy officials agree, both for the government and the citizens it governs, and also for privacy professionals themselves.
The revision of A-130, as well as the establishment of a Federal Privacy Council, mandated in a 2015 executive order by President Barack Obama, puts the government’s prioritization of privacy on a stage it hasn’t yet seen. Sure, cybersecurity has long been important, and recognized as such. But until Obama let the word “privacy” slip from his lips, privacy pros in government agencies went about their work without the high-level recognition that their existence was both essential to and strategic for a democratic government.
At this time, seven federal agencies are in the process of hiring chief privacy officers, including the Office of Personnel Management, the Department of Health and Human Services, and the Department of Energy. The CIA recently hired its first, who reports directly to Director John Brennan.
Marc Groman, senior advisor for privacy at the Office of Management and Budget, said the new A-130, a document revised only about once a decade, codifies the role of the privacy professional and signifies a groundbreaking shift in privacy at the federal government level.
Jonathan Cantor, deputy chief privacy officer at the Department of Homeland Security, said A-130’s revision is a “very big deal” for privacy professionals working within the government and a “needed recognition at the OMB level that the work of the federal privacy program is of equivalent importance to IT security for managing government information.”
Indeed, the 88-page document is strong in its descriptors, calling data a “strategic asset subject to risks that must be managed to minimize harm” and citing protecting an individual’s privacy as being of “utmost importance … throughout the life cycle.”
Among the most significant changes housed within A-130 are a shift from a compliance-based to a risk-based operational approach and a mandate for a senior agency official for privacy at each federal agency. That SAOP, who may technically already exist at agencies but by another title, is responsible for looking over budget-line IT as well as capital investments; working with the CIO and human resources officer to develop competency requirements for agency staff; assessing and training staff on privacy; and coming up with privacy control management programs and strategies, among other standard tasks like complying with the Federal Privacy Act and other laws.
At the IAPP's recent Privacy. Security. Risk. conference, OMB released specific guidance on the SAOP's role.
A-130 also calls for "ongoing authorization" processes, meaning the risk determination at each agency isn't static. It's reviewed at "agreed-upon and documented frequencies" in an effort to move to a more dynamic, real-time system.
But shifting the thinking and the practice from compliance- to risk-based isn’t something that will happen overnight.
“Different agencies will move at different paces,” Cantor said. “There’s no doubt that there are agencies who are far more mature because they’ve had much more complex programs.”
DHS, for example, has comparatively much more integrated and advanced privacy programs than many government agencies because of the data it collects and its mission.
“But there are agencies right now in the process of hiring or even thinking about hiring their very first senior agency official for privacy … and who are thinking about how they are going to build a privacy program. It’s going to take that agency a long time,” Cantor said.
Groman said that, anticipating this, a “tremendous amount of flexibility” is built into A-130 to help agencies construct their privacy programs and position their SAOPs according to needs specific to each agency.
“That is key,” Groman said. “You wouldn’t necessarily want privacy to be addressed in the exact same way at the FBI and at the Department of Agriculture. It’s important in both places, but the concerns, the privacy risks, the resources, the mission, all of those have to be taken into consideration. This goes to the point of thinking about the risk in privacy; the risk will be different.”
Cantor said the shift to risk-based models is a recognition that privacy isn’t a paperwork exercise. Within the old model, he said, “there was a tendency to look at privacy responsibility and say, ‘We have these documents in place, required by law and policy, so once we’ve got these documents, we’ve done privacy, we’re done, that’s all we need to do.’”
But events like the data breach at OPM indicated the government has to go deeper than that to mitigate risk.
“I think for a lot of folks in a lot of agencies, that was a real eye opener,” Cantor said, “because we all have our monsters. We all have our data sets we have to have, and it’s very risky. I think the privacy pros who’ve seen the maturity in the space have started to breathe a sigh of relief that we are moving into an era of government practice here that is becoming much more of a strategic enterprise-wide activity that moves us as a community, as opposed to individual agencies, far beyond just paperwork and into meaningful engagement into how business is done in our agencies.”
While the idea for SAOPs has floated around the government since around 2005 when Veterans Affairs experienced a data breach, implementation didn’t happen. Now, it’s not an option. The government says someone at each agency must be responsible for privacy, and they must sit at the top of the agency.
“That seniority level is important,” Groman said.
And A-130 makes it clear that’s not an ornamental title.
“Before, it was a hat a person could wear and it could be one of 25 or 30 hats that people had to wear,” Cantor said. “The idea that changed here … is that now the person who’s the senior agency official actually has to be the person who does that. You could have other responsibilities, but you actually have to take ownership of the things that are discussed in A-130. And that’s different because before, you could push it all down. Before, there were mid-level staff, and you could have people responsible for it, and that doesn’t work anymore. Now you actually need to be the one.”
The call for SAOPs within each agency is effectively “professionalizing privacy” within the government, Groman said. That means, like their peers in cybersecurity or IT, for example, government privacy pros will have greater upward mobility.
But will SAOPs, elevated in title and role, be seen as the “no” person, an unwelcome red-flag waver sitting just close enough to the head of the table to slow agency progress?
Groman said no. Both he and OMB Director Shaun Donovan have been very clear, he said, that privacy promotes innovation and that a properly resourced privacy program in fact promotes the more rapid adoption of technology.
“When privacy is perceived as a road block, I believe that’s because the privacy program hasn’t been adequately resourced or you don’t have the right team in place,” Groman said. “Privacy is really about efficiency in the government … Ultimately, when we get privacy right, we promote trust. We promote trust in government and that ensures long-term success in all of our initiatives.”
Cantor said A-130’s call for SAOPs does in fact increase opportunity.
“As someone who’s grown my own career in the federal privacy profession, historically, there have been very few places to go at the executive level in privacy,” he said. “That is changing a lot right now.”
He added the foundation for privacy offices in the federal government is not only clearing a path to high-level positions, but it also will create “a lot of opportunity for new privacy pros to get their foot in the door and really grow a career.”
Given that January is approaching and the Obama administration’s term will expire, some might fear the momentum on revising privacy in the government could leave town with the First Family.
But Groman said the opposite is true. He said privacy is, and has lately shown itself to be, a bipartisan issue with bipartisan support, and the train isn’t going to slow down come January. Even so, before he leaves office himself — he is a political appointee — he’s crossing off agenda lines as quickly as possible.
“We’re not done issuing privacy guidance in this administration,” he said. “We are not taking our foot off the pedal. In fact, we’re probably stepping harder on the pedal and speeding up to make sure we can accomplish everything we need to by the end of the administration.”
He encouraged privacy pros to look over A-130 for an idea of how the government plans to address privacy for years to come.
“And then start applying, because we want you in the federal government,” he said.