1. The Need for Government-Wide Privacy Policy Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP DHS Privacy Advisory Committee April 6, 2004

2. Overview n Observations from my time as Chief Counselor for Privacy in OMB, 1999 to early 2001 n How to build privacy in a world of information sharing? n Create institutions for appropriate privacy protection – Improving the agency CPO law from 12/04 – Implementing the Privacy & Civil Liberties Oversight Board from 12/04 intelligence reform bill

3. Appropriate Institutions n Much policy debate is on the substantive rules for privacy, such as types of notice and choice n As the Privacy Advisory Board, you can also advise on the institutions that will build appropriate privacy into government action n Look for specific recommendations that will improve the institutional response

4. Agency CPOs Can Help n Nuala Kellys actions, including creation of this advisory committee, show the effects of an agency CPO office n 12/04 appropriations bill required a CPO for each federal agency n A positive development, especially for agencies with substantial privacy issues

5. Rep. Davis Criticism of CPOs n Chairman Tom Davis has criticized the law, and stated that the CPO functions should be placed under the CIO n He says this will promote unified responsibility/accountability over information flows n Based on my government experience, I strongly disagree with having CIOs supervise these issues

6. CIOs Not the Right Answer n 1999 process for federal Web privacy policies – We included one CIO on the committee, and her contributions were very helpful – Overwhelmingly, we faced policy issues rather than technical issues n What to say in notices n Which types of sites should have notices – Many CIOs do not feel comfortable or expert at making those policy choices – they look for leadership from policy experts

7. Flaws in the CPO Statute n Some bad drafting, and too large an emphasis on expensive outside audits of agency privacy activities n More importantly, the law uses a silo approach, with privacy policy only agency-by-agency n Thats a very bad match with modern information sharing, which emphasizes multi-agency, multi- function systems n How produce good government-wide policy?

8. White House Privacy Policy n Intelligence Reform bill established 5 person Privacy and Civil Liberties Board n In the Executive Office of the President, and can thus address multi-agency issues n Limited to intelligence-related issues, so not a full answer to the need for coordination of privacy policy across agencies

9. Privacy & Civil Liberties Board n Board was an explicit part of the legislative package – Get new info-sharing for intelligence – Have the Board as effective watchdog n Today, no appointees or staff for the Board n My proposal to you: no contracts for the information sharing systems until the Board is in place

10. Conclusions n The Advisory Committee should consider what institutions will improve privacy policy n Agency CPOs are good, but we should not make agency-by-agency privacy policy when the information systems are multi-agency n Dont make the mistake that privacy is a technical issue that should be managed only by CIOs n Do insist that the Privacy & Civil Liberties Board be implemented, as a pre-requisite to information sharing n Build government-wide privacy policy, to achieve national security as well as privacy and civil liberties