
School where she was editor-in-chief of the Law Review. Following graduation from law school, she clerked for Judge J. Skelly Wright of the United States Court of Appeals for the District of Columbia Circuit

Our final witness is Jim Dempsey, a Judiciary Committee alum who we are pleased to welcome back. Mr. Dempsey is currently the Executive Director of the Center for Democracy and Technology where he specializes in privacy and electronic surveillance issues. Before joining the Center, Mr. Dempsey was the Deputy Director of the Center for National Security Studies and also served as Special Counsel to the National Security Archive, a non-governmental organization that uses the Freedom of Information Act to gain the declassification of documents pertaining to U.S. foreign policy.

From 1985 to 1994 Mr. Dempsey was Assistant Counsel to the House Judiciary Committee on Civil and Constitutional Rights. Mr. Dempsey obtained his undergraduate degree from Yale College and his law degree from Harvard Law School.

We have a very distinguished panel. I extend to each of you my warm regards and appreciation for your willingness to participate in today's hearing.

In light of the fact that your written statements will be included in the hearing record, I request that you limit your oral remarks to 5 minutes. Accordingly, please feel free to summarize and highlight the salient points of your testimony. And you have a light on-I think you're all familiar with this lighting system. It goes yellow when you have a minute left. When it goes red you don't have to stop, but we'd appreciate it if you'd sort of wrap up, if you could, so that Members have the opportunity of asking questions.

After all the witnesses have presented their remarks, the Subcommittee Members, in the order that they arrive, will be permitted to ask questions of the witnesses subject also to the 5 minute limit.

Ms. O'Connor Kelly, would you now proceed with your testimony?

STATEMENT OF NUALA O'CONNOR KELLY, CHIEF PRIVACY OFFICER, UNITED STATES DEPARTMENT OF HOMELAND SECURITY, WASHINGTON, DC

Ms. O'CONNOR KELLY. Thank you, Mr. Chairman.

Chairman Cannon, Congressman Watt, and Members of the Subcommittee, it is my distinct honor to testify before you today on the activities of the United States Department of Homeland Security's Privacy Office, which I am privileged

Mr. CANNON. Ms. O'Connor Kelly, if you wouldn't mind, we will restart your clock, but I think we have a reporting quorum. So consistent with our earlier orders, we are going to recess this hearing for a period and try and report out this bill. So we will go at this moment to our markup.

Do any of you have I don't think this is going to take a long period of time. Do any of you have significant other obligations that we need to meet?

Thank you. If you don't mind then, we will be recessed from the hearing and we will open our markup.

[Whereupon, at 3:20 p.m., the hearing was recessed, to reconvene this same day at 3:35 p.m.]

Mr. CANNON. And now, Ms. O'Connor Kelly, we appreciate your indulgence and the indulgence of the panel.

I would now like to be informed about what is going on in the new world of privacy. Thank you.

If you would like to proceed, we will reset the clock.

Ms. O'CONNOR KELLY. Thank you, Mr. Chairman, and thank you Congressman Watt and all the Members of the Committee.

It is a great pleasure and an honor to be with you today to talk about the Department of Homeland Security's Privacy Office, which I am privileged to lead as the Department's first Privacy Officer. The creation of the Department of Homeland Security and its many programs raise no shortage of important privacy and civil liberty issues for this Nation to address. The Department, led by Secretary Ridge, and this Administration, led by President Bush, are committed to addressing these critical issues as we seek to strengthen our homeland. A crucial part of this commitment is the mission of the Privacy Office at the Department of Homeland Security.

Before this office officially opened its doors, Secretary Ridge articulated his vision for our office, stating that the Privacy Office will be involved from the very beginning with every policy initiative and every program initiative that we consider, to ensure that our strategy and our actions are consistent with not only the Federal privacy safeguards already on the books but also with the individual rights and civil liberties protected by our laws and our Constitution.

As Members of this Subcommittee are uniquely aware, the enabling statute for the Department of Homeland Security directs the Secretary to appoint a senior official in the Department to assume primary responsibility for privacy policy. That legislation reflects, I believe, a growing sensitivity and awareness on the part of our citizens regarding personal data flows in the public and in the private sector and the particular concerns surrounding this melding of 22 former separate agencies along with the unique mission and data collection activities that each of those agencies brings.

The DHS Privacy Office works to promote best practices with respect to privacy and to infuse fair information principles and practices into the DHS culture. A major goal for my tenure as Chief Privacy Officer is to operationalize privacy throughout the Department. We are doing this not only by working with Secretary Ridge and our senior policy leadership of the various agencies and directorates across the Department but also with our Privacy Act and Freedom of Information Act teams, as well as the operational, policy, and program staff throughout the Department.

Through internal educational outreach and the establishment of internal clearance procedures and milestones for program development we are helping this Department consider privacy whenever developing new programs or revising existing ones. We are evaluating the use of new technologies to ensure that privacy protections are considered in the development and implementation of these programs at each stage.

In this process Departmental professionals have become educated about the need to consider and the framework for considering that privacy impact of technology decisions. We are reviewing Privacy Act systems notices before they are sent forward and ensuring that we collect only those records that are necessary to support the Department's mission.

We also guide Departmental agencies in developing appropriate privacy policies for their programs and serve as a resource for any questions that arise concerning privacy, information collection, or disclosure.

And the Privacy Office, of course, works closely with various Departmental policy teams, the Office of General Counsel, the Chief Information Officers to ensure that the mission of the Privacy Office is reflected in all DHS initiatives.

The Privacy Office also seeks to anticipate and to satisfy public needs and expectations by providing a crucial link between those outside the Department who are concerned about the privacy impact of the Department's initiatives and those inside the Department who are diligently working to achieve the Department's mission.

Our role is not only to inform, to educate, and to lead privacy practice within the Department but also to serve as a receptive audience to those outside the Department who have questions or concerns about the Department's operations. To that end, the Privacy Office has engaged in consistent and substantial outreach efforts to members of the advocacy community, industry representatives, other U.S. agencies, foreign governments, and most importantly, the American public. Our Government and our agency are grounded on principles of openness and accountability tempered, of course, by the need to preserve the confidentiality of the most sensitive personal, commercial, and Governmental information.

Our work at the Department Privacy Office is proving that it is, in fact, possible to achieve both responsible privacy practices and the critical mission of the Department of Homeland Security.

Issues of privacy and civil liberties are most successfully navigated when the necessary legal, policy, and technological protections are built into the systems or programs from the very beginning. I am often asked whether I view my job as a privacy advocate as at odds with the mission of the Department. And the answer is, without hesitation, no. As Secretary Ridge has articulated on many occasions, the Department of Homeland Security's mission is more than just counterterrorism and more than just the protection of people and places and things. It is the protection of our liberties and our way of life.

That way of life includes the ability to engage in public life with dignity, autonomy, and a general expectation for respect for personal privacy. Thus, the protection of privacy is neither an adjunct nor the antithesis of the mission of the Department of Homeland Security. Privacy protection is, in fact, at the core of that mission. I thank you for your time and the opportunity to testify before this important Committee and I look forward to hearing my colleagues' testimony and to answering your questions.

Thank you.

[The prepared statement of Ms. O'Connor Kelly follows:]

PREPARED STATEMENT OF NUALA O'CONNOR KELLY

Chairman Cannon, Ranking Member Watt, Members of the subcommittee, and distinguished colleagues on this panel, it is an honor to testify before you today on the activities of the United States Department of Homeland Security's Privacy Office, which I am privileged to lead as the first Chief Privacy Officer of the Department of Homeland Security.

The protection of privacy, of the dignity of the individual, is not a value that can be added on to this or any other organization later, and that is why I am so pleased to have been here from almost the very beginning. This value is one that must be embedded in the very culture and structure of the organization. I know that we can and will succeed in this not only because our leadership believes in protecting the sanctity of the individual, but also because our over 180,000 employees are also great Americans, who believe in and act on these values-for themselves, their neighbors, and their children—each day.

ESTABLISHMENT OF THE DHS PRIVACY OFFICE

The creation of the Department of Homeland Security and its many programs raise no shortage of important privacy and civil liberties issues for this nation to address. This Department, led by Secretary Tom Ridge, and this Administration, led by President Bush, are committed to addressing these critical issues as they seek to strengthen our homeland. A crucial part of this commitment is support for the creation and the mission of the Privacy Office at the Department of Homeland Security. Secretary Ridge articulated his vision for this office, stating that the privacy office "will be involved from the very beginning with every policy initiative and every program initiative that we consider," to ensure that our strategy and our actions are consistent with not only the federal privacy safeguards already on the books, but also "with the individual rights and civil liberties protected by our laws and our Constitution."

As Members of this subcommittee are uniquely aware, the enabling statute for the Department of Homeland Security contains Section 222, which directs the Secretary to appoint a senior official in the Department to assume primary responsibility for privacy policy. This includes conducting and oversight of formal Privacy Impact Assessments to "assure that the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information." This office also oversees the Department's compliance with the Privacy Act of 1974 and the Privacy Impact Assessment requirements of the Electronic Government Act of 2002, and is directed to "evaluate legislative and regulatory proposals involving collection, use, and disclosure of personal information by the Federal Government." Uniquely and importantly, under the enabling statute, the DHS Chief Privacy Officer provides an annual report to Congress on the activities of the Department that affect privacy, including complaints of privacy violations, implementation of the Privacy Act, internal controls, and other matters.

KEY LEGAL FRAMEWORKS ENFORCED BY THE PRIVACY OFFICE

One of the primary legal frameworks underlying the mission of the DHS Privacy Office is, obviously, the federal Privacy Act of 1974. The Privacy Act, 5 U.S.C. § 552a, provides a code of fair information practices that governs the collection, maintenance, use, and dissemination of personal information by federal agencies. Emanating from concerns about the ability to aggregate personal information-partly due to new technologies like mainframe computers of that day-this law provides substantial notice, access, and redress rights for citizens and legal residents of the United States whose information is held by some part of the executive branch of the federal government. The law provides robust advance notice, through detailed "system of records" notices, about the creation of new technological or other systems containing personal information. The law also provides the right of access to one's own records, the right to know and to limit other parties with whom the information has been shared, and the right to appeal determinations regarding the accuracy of those records or the disclosure of those records. The Privacy Act is our country's articulation of Fair Information Principles; the Act both protects the information of our citizens and also provides our citizens rights to access that data.

Under the Freedom of Information Act, 5 U.S.C. § 552, the principle that persons have a fundamental right to know what their government is doing is enforced on a daily basis. Almost any person at any time has the right to query a federal agency for documents and records. Our government and our agency are grounded on principles of openness and accountability, tempered, of course, by the need to preserve the confidentiality of sensitive personal, commercial, and governmental information.

The Freedom of Information Act is the primary statute that attempts to balance these countervailing public concerns. A robust FOIA/PA program is a critical part of any agency's fundamental processes; it helps to provide assurance to the public that, in pursuing its mission, an agency will also pursue balanced policies of transparency and accountability while preserving personal privacy. The U.S. federal government will spend hundreds of millions of dollars processing and responding to FOIA requests next year, and thousands of federal workers will spend all or part of their day compiling responses to those requests. Our agency alone has over 300 staff members across the Department who work full or part-time on Privacy Act and FOIA issues.

This past fall, the Office of Management and Budget released its guidance under Section 208 of the E-Government Act of 2002-which mandates Privacy Impact Assessments for all federal agencies when there are new collections of, or new technologies applied to, personally identifiable information. This, really a third pillar of the privacy framework at the federal level reflects, once again, a growing reliance on technology to move data—both in government spaces and on the Internet. With the addition of the privacy provisions of the E-Government Act to existing privacy protections, our citizens now benefit from a comprehensive framework within which government considers privacy in the ordinary course of business. The Act and underlying guidance synthesize numerous prior statements and guidance on privacy practices and notices, and will assist privacy practitioners in prioritizing their efforts. In particular, the guidance provides direction on the content of privacy policies and on the machine-readability of privacy policies.

Further, the act outlines the parameters for privacy impact assessments. Although in use by some agencies already, generally privacy impact assessments are a new and important tool in the toolbelt of privacy practitioners across the federal government. These new requirements formalize an important principle: that data collection by the government should be scrutinized for its impact on the individual and that individual's data, and ideally before that data collection is ever implemented. The process, the very exercise of such scrutiny, is a crucial step towards narrowly tailoring and focusing data collection towards the core missions of government. This practice should provide even greater awareness, both by those seeking to collect the data and those whose data is collected, of the impact on the individual and the purpose of the collection.

I am pleased to have been a small part of the discussions towards the development of guidance on privacy impact assessments. These new requirements set the bar high for privacy practitioners. These requirements also reflect, I believe, a growing sensitivity and awareness on the part of our citizens regarding personal data flows in the public and private sectors. I believe that this guidance will allow federal agencies to respond to citizens' concerns about these activities and also to be current with, or perhaps even slightly ahead of, the evolution of privacy practices in the private sector.

Under the Privacy Act, in concert with the Freedom of Information Act and the E-Government Act, citizens, legal residents, and visitors to the United States have been afforded almost unequalled transparency into the federal government's activities and the federal government's use of personal information about them. A robust FOIA/PA program is imperative to provide the public with assurances that any information DHS collects is being maintained consistent with all legal and regulatory requirements.

OPERATIONALIZING PRIVACY THROUGHOUT THE DEPARTMENT OF HOMELAND SECURITY

Best Practices through Management Leadership

The DHS Privacy Office works to promote best practices with respect to privacy and infuse respectful information privacy principles and practices for all employees into the DHS culture. A major and substantial goal at the outset for my tenure is to 'operationalize' privacy awareness and best practices throughout DHS, working not only with Secretary Ridge and our senior policy leadership of the various agencies and directorates of the department, but also with our Privacy Act and FOIA teams, as well as operational staff across the Department.

Consistent Policies and Education Efforts

Through internal educational outreach and the establishment of internal clearance procedures, we are sensitizing DHS directorates and components to consider privacy whenever developing new programs or revising existing ones. We are reviewing new technologies to ensure that privacy protections are incorporated in the development and implementation of these new systems. Our headquarters staff has been reviewing all Privacy Impact Assessments being conducted throughout the De
