The U.S. federal government has released updated guidance on the role of the senior agency official for privacy. Unveiled at yesterday's Privacy. Security. Risk. conference in San Jose, California, the Office of Management and Budget's guidance asserts the SAOP has to serve in a "central leadership position" and have the "necessary authority and expertise" to lead the agency on all things privacy.
The establishment of SAOPs at every agency comes as part of an update to Circular A-130 — the resource for government agencies' information-management protocols — and follows the establishment of a Federal Privacy Council via U.S. President Barack Obama's Executive Order, issued in February.
In a blog post, Marc Groman, senior advisor for privacy at OMB, said the guidance "recognizes that the success of an agency's privacy program depends upon its leadership. Further, the guidance joins a growing list of actions this administration has taken to support the federal government's protection of privacy ... to help ensure that agencies take a coordinated approach to addressing privacy and information security."
Most importantly, the U.S. federal government now recognizes the vital role that privacy professionals play in evaluating legislative and regulatory efforts that involve and depend upon personal data. "The SAOP shall ensure that the agency considers and addresses the privacy implications of all agency regulations and policies," the memo reads, "and shall lead the agency’s evaluation of the privacy implications of legislative proposals, congressional testimony, and other materials."
Time is of the essence. Each agency now has 60 days to look at who's handling privacy at their agency and then either designate that person to be the SAOP, officially, or choose another person to serve that role. Further, the guidance requires the SAOP to "take a central role at the agency in policy development and evaluation, privacy compliance, and privacy risk management."
Most importantly, however, "agencies should recognize that privacy and security are independent and separate disciplines. While privacy and security require coordination, they often raise distinct concerns and require different expertise and different approaches." In fact, "the distinction between privacy and security is one of the reasons that the Executive Branch has established a Federal Privacy Council independent from the Chief Information Officers Council," the memo states.
In a session on the news at P.S.R., Groman said the news indicates privacy professionals are being elevated to senior executive levels "at a pace and scale we haven't seen before" within the government. He also said the SAOP's role within the agency is senior enough, given the change, that he or she will have the authority to escalate risks to leadership. The job is to identify risk, mitigate it, and then identify residual risk.
"The discussion has to be: What is the objective of your program? What are you seeking to collect? How does it promote the mission? Then evaluate alternatives," Groman said. "It's not about stopping a program, it's about making sure analysis takes place and the privacy person has a seat at the table."