Written Statement of
Susan E. Dudley, Administrator, Office of Information and Regulatory Affairs
Karen Evans, Administrator, Office of E-Government and Information Technology
Office of Management and Budget
Committee on Homeland Security and Governmental Affairs
"Protecting Personal Information: Is the Federal Government Doing Enough?"
June 18, 2008
Chairman Lieberman and Ranking Member Collins, thank your for the opportunity to provide this statement for the record for your hearing on the privacy safeguards federal agencies place on individuals’ information and the adequacy of the current statutory privacy framework.
This Administration shares this Committee’s goal of safeguarding the privacy of individuals and has made it a priority. The Administration has made considerable progress implementing the recommendations of the President’s Identity Theft Task Force, issued new guidance based on the Task Force findings and the lessons of the past two years, and worked diligently to execute the statutory requirements of the Privacy Act of 1974, the Paperwork Reduction Act of 1981, and E-Government Act of 2002. Safeguarding personally identifiable information in the possession of the government and preventing its breach are essential to ensure the government retains the trust of the American public. This is a responsibility shared by officials accountable for administering operational and privacy and security programs, legal counsel, Agencies’ Inspectors General and other law enforcement, and public and legislative affairs.
The U.S. Government Accountability Office’s (GAO’s) draft report, "Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information" (GAO-08-536), identifies as a matter for congressional consideration revising the Privacy Act and the E-Government Act.
As we stated in our comments to GAO over the past year, we urge Congress to consider any revisions in the broader context of the privacy statutes Congress has already enacted and the privacy protections agencies have implemented within the current statutory framework. The Privacy Act and E-Government Act, along with the Paperwork Reduction Act, provide a government-wide statutory foundation for protecting individuals’ privacy. Congress has also enacted legislation tailored to meet individuals’ privacy needs in specific policy areas, such as healthcare, statistical research, tax administration, intelligence, law enforcement, and homeland security.
Through OMB’s Office of Information and Regulatory Affairs, we ensure agencies are aware of Federal policies governing the information they are collecting, maintaining, and transmitting through regulatory actions. When a significant regulatory action undergoes interagency review under Executive Order 12866, OMB analysts consider existing privacy and security laws and policies throughout the review process. Specifically, review of proposed regulations can include the following – appropriate information handling and protection for sensitive information within agencies (including personal information), appropriate mechanisms for contractor oversight and review, and coordinated incident handling and response (as well as corrective actions) when something does go wrong. In addition, OMB analysts work with representatives from other agencies on matters arising from new statutory privacy protections on an as needed basis (e.g., the HHS HIPAA regulations and financial privacy notices,) and in developing Administration policy on current privacy issues such as identity theft, social security number (SSN) protection, and do-not-call efforts.
Through the President’s Management Agenda (PMA) and the electronic government scorecard, OMB quarterly examines agency progress. In order to "maintain green" on this scorecard, agencies must complete privacy impact statements (PIA) for 90% of applicable systems. In addition, agencies must ensure 90% of systems with personally identifiable information have systems of records notices (SORN). In addition, OMB policy requires agencies to submit a capital asset plan and business case justification for all major information technology investments. In this justification, agencies must answer a series of privacy management questions and describe how the investment meets the requirements of law and policy. In particular, OMB asks if there is a PIA or a SORN covering each system and if so the agency provides the internet link to it as part of the capital asset plan.
As part of our work on the Identity Theft Task Force, OMB and the Department of Homeland Security developed a paper identifying common risks (or "mistakes") and best practices to help improve agency security and privacy programs. Each risk is associated with selected best practices and important resources to help agencies mitigate and avoid these risks. All of the best practices and important resources are inter-related and complementary, and they can be broadly applied when administering agency information security and privacy programs.
A copy of this paper can be found at http://csrc.nist.gov/pcig/document/Common-Risks-Impeding- Adequate-
Building on the findings of the Task Force, OMB issued Memorandum M-07-16 of May 22, 2007, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. In addition to providing a framework for reducing the risk of PII breaches, M-07-16 required agencies to:
- establish breach notification policies;
- emphasized the importance of establishing rules of conduct for users, developers, or operators of Privacy Act systems of records, which has been a long-standing requirement under the Privacy Act of 1974;
- review and reduce the volume of PII handled "to the minimum necessary for the proper performance of a documented agency function;"
- encrypt all sensitive information on mobile computers/devices carrying agency data, unless the Deputy Secretary makes a written determination stating the data are not sensitive.
In order to support agencies responding to PII breaches, the General Services Administration created a government-wide vehicle for acquisition of independent risk analysis services. It focuses on an agency’s need for independent risk analysis documenting the level of risk for potential misuse of sensitive information associated with a particular data breach by offering a variety of services, including metadata analysis, pattern analysis, and reports on the probability compromised data has been used to cause harm.
OMB recently released the FY 2007 Report to Congress on Implementation of the Federal Information Security Management Act of 2002 (FISMA), which reports on key measures of agency privacy programs, including SORNs and PIAs. In OMB Memorandum M-08-09 of January 18, 2008, New FISMA Privacy Reporting Requirements for FY 2008, we outlined increased reporting of key privacy measures for next year’s FISMA report to provide more information to the public on agency privacy efforts.
OMB is continuously striving to improve government practices regarding personal information. We provide guidance and oversight to the agencies through many channels at both the staff and executive levels. We regularly engage in formal and informal communications, both written and oral, with agency CIOs and Senior Agency Officials for Privacy. We also hold regular staff-level meetings with members of the federal privacy community to facilitate interagency discussion of relevant issues as well as provide an open forum for direct communications with OMB as part of the Privacy Committee co-chaired by OMB and Justice as part of the CIO Council.
As Congress considers fundamental revisions to the privacy laws, we would like to highlight the importance of fully evaluating the full range of potential implications for such changes. This guidance, reporting and other transparency requirements, and the underlying statutory framework has been developed over the past three decades and provides an intricate and operationalized system for federal privacy protection. As OMB noted in its comments on the draft GAO report, "We believe that it would be important for Congress, in considering such a fundamental change to the Privacy Act, to consider the full range of implications flowing from that change. It may be that, based on this consideration, other legislative alternatives might be identified that would be more desirable in terms of strengthening privacy protections in the most effective and efficient manner."
Thank you for the opportunity to provide testimony on these important issues. We look forward to partnering with you as you consider these issues and to working to fully execute current statutory privacy protections. We would be happy to answer questions for the record.