PRIVACY IN THE HANDS OF THE GOVERNMENT: THE PRIVACY OFFICER FOR THE DEPARTMENT OF HOMELAND SECURITY TUESDAY, FEBRUARY 10, 2004 HOUSE OF REPRESENTATIVES, The Subcommittee met, pursuant to notice, at 3:02 p.m., in Room 2141, Rayburn House Office Building, Hon. Chris Cannon (Chair of the Subcommittee) presiding. Mr. CANNON. Thank you all for coming out. Let me begin by hereby welcoming our esteemed witnesses, some of whom I've had the pleasure of working with on privacy issues and other matters over the years. I also want to note that immediately following the hearing we have scheduled a markup of H.R. 338, the "Defense of Privacy Act." Indeed, if we have a critical mass of Members to report that bill, we may recess this hearing briefly to accomplish that task. The title of today's hearing, Privacy in the Hands of Government: The Privacy Officer for the Department of Homeland Security, clearly sets out what we plan to examine this afternoon. We will review the work and responsibility of the Department's Privacy Officer and consider whether the statute creating this position sufficiently addresses concerns about the Department's handling of personally identifiable information. We will also examine how the Department has met the rather daunting challenge of detecting and deterring terrorism while safeguarding Americans from unwanted or unwarranted Governmental intrusion. I suppose all intrusion is unwanted. A lot of it is, in fact, unwarranted. For those of you don't know, the creation of the Privacy Officer Position in the Department of Homeland Security marked the first time that Congress statutorily mandated a Federal agency to appoint a senior official to be primarily responsible for privacy policy and compliance matters. Indeed, this Subcommittee, with the support of our Chairman, Jim Sensenbrenner, played a major role in ensuring that the legislation establishing the Department of Homeland Security not only mandated the appointment of a Privacy Officer, but specified the officer's responsibilities. This was done in response to concerns expressed on a bipartisan basis about the antici (1) pated agency's ability to collect, manage, share, and secure personally identifiable information. One of the principal statutory responsibilities of the DHS Privacy Officer, as set out by statute, is the duty to assure to assure that the use of technologies sustain and do not erode privacy protections relating to the use, collection, and disclosure of personal information. In addition, the Privacy Officer must assure that personal information is handled in full compliance with the Privacy Act and assess the effect on privacy of the Department's proposed rules. These are two of the areas that we hope to focus on during the course of today's hearing. Pursuant to this legislation, Department of Homeland Security Tom Ridge last April appointed Nuala O'Connor Kelly to serve as the Department's Privacy Officer. Since her appointment, Ms. O'Connor Kelly has played an active role in various terrorist detective initiatives undertaken by DHS. One of those projects has been the Computer-Assisted Passenger Prescreening System, also known as CAPPS II, which is intended to improve airline security. In addition, Ms. O'Connor Kelly prepared a privacy impact assessment for the United States Visitor and Immigration Status Indicator Technology Program, also known as the US-VISIT program. This program consists of an integrated entry and exit data system designed to record the entry into and exit out of the United States by noncitizens. Last month, US-VISIT entry procedures became operational at 115 airports and 14 seaports together with a pilot test of biometric identification procedures at one airport and one seaport I should note that today's hearing is one in a series the Subcommittee will hold on the issue of privacy in the hands of Government. I now turn to my colleague, Mr. Watt, the distinguished Ranking Member of the Subcommittee and ask him if he has any opening remarks? Mr. WATT. Thank you, Mr. Chairman. Mr. CANNON. The gentleman is recognized for 5 minutes. Mr. WATT. Thank you, Mr. Chairman, for convening this hearing today. It must be my day to deal with privacy and identity theft issues. I'll tell you what has transpired today. I was seated in a meeting with representatives from various Government agencies, one of which was Social Security. And one of their complaints was that Government work is being contracted out to private companies who don't have the kind of responsibility for overseeing privacy and preventing identity left. That meeting lasted for about 20, 30 minutes. During that meeting three things happened. One, I got placed on my desk the comments for this meeting here this afternoon, which I haven't had a chance to review very thoroughly but I'm going to take a stab at them when I get back to the formal part of this presentation. Second, I got placed on my desk a message from a newspaper reporter at the Charlotte Observer-which is in my Congressional district in Charlotte, North Carolina-with an attached article which says a Charlotte temporary employment agency left more than 20 boxes filled with hundreds of job applications on the curbside for the better part of a day Sunday and Monday. And goes on to ask me if I have any comments to make about that. Then I got placed on my desk, during that same meeting, a letter from our minority leader asking me to join in a letter to the president expressing concerns about the way the CAPPS II program is being playing itself out and asking the Administration to pay more attention to the dissemination of personal information. This is a multidimensional problem, not only Government information that we are gathering but private information. We've tried to attack it in various compartmentalized ways through Fair Credit Reporting Act in the Financial Services Committee on which I sit, through various things in this Judiciary Committee, but this isthis already difficult issue has been complicated by the events of September 11. And since then our country has been confronted with the dual aspiration of ensuring the security of our homeland and at the same time preserving and securing the Civil Rights and liberties that make our homeland free and unique. The creation of the Department of Homeland Security was historic. Homeland Security Act of 2002 created an agency with the primary responsibility of preventing terrorist attacks in the United States, reducing our vulnerability to such attacks, minimizing damage due to any attack, and assisting in our ability to recover from those attacks. My concern here today however is that the Department not be so vigilant in its terrorist prevention and terrorist detection duties that it undermines our individual freedoms. Just last May the GAO described the Department of Homeland Security's responsibilities to include "the coordination and sharing of information related to threats of domestic terrorism within the Department and with and between other Federal agencies, State and local governments, the private sector, and other entities". The report recognized that to accomplish this mission the Department of Homeland Security must access, receive and analyze law enforcement information, intelligence information, and other threat incident and vulnerability information from Federal and non-Federal sources. Recent newspaper reports indicate that questionable information sharing occurred between JetBlue and Northwest Airlines and law enforcement in order to implement the CAPPS II Computer-Assisted Passenger Prescreening System designed to prescreen airline passengers. Despite the existence of a Privacy Officer within the Department of Homeland Security, the JetBlue and Northwest Airline collaboration with the Government raises serious privacy issues because although these private entities may have their own privacy policies they are not subject to the constraints of the Privacy Act. This circumstance may lead to a gaping hole in safeguarding the improper dissemination of personal information. This is a hole that I personally tried to plug last year during the Judiciary Committee's consideration of H.R. 4598, the Homeland Security Information Sharing Act. That bill, which did pass the House and has not passed the Senate, would have authorized Federal, State and local entities, including private actors, to share information to the fullest extent possible in the interest of national security. During its consideration I offered an amendment to the bill that would have placed constraints on the dissemination of personal information which would have prohibited any unauthorized use and that amendment passed in this Committee. As we listen to the testimony today, I am interested in determining whether it would be useful to resurrect at least the spirit of H.R. 4598 by ensuring that American citizens and those traveling within our borders are fully aware of how their personal information will be collected, used, and disseminated by whatever source in the name of national security. And that, coincidentally, is exactly what the letter from our minority leadership is encouraging the president to focus his attention on and I'm sure that new Privacy Officer will be-it will filter to you at some point. So we are delighted to have you here and I appreciate the Chairman calling this hearing. He's known for getting on top of these things when they are topical and interesting and covering many fronts and being in front of the curve, not only reactive but being proactive. So I appreciate the Chairman getting this convened today, look forward to the witnesses' testimony and to the markup. Mr. CANNON. I thank the gentleman for those kind comments and I appreciate his bipartisan support. These are important issues that we need to actually move on. Without objection, the gentleman's entire statement will be placed in the record. Also, without objection, all Members may place their statements in the record at this point. Any objection? Hearing none, so ordered. Without objection, the Chair will be authorized to declare recesses of the Subcommittee today at any point. Hearing none, so ordered. I also ask unanimous consent that Members have five legislative days to submit written statements for inclusion in today's hearing record. So ordered. Are there further opening statements? Mr. Coble? Mr. COBLE. No opening statement, Mr. Chairman. Mr. CANNON. Thank you. I'm pleased to introduce the witnesses for today's hearing. Our first witness is Nuala O'Connor Kelly, the Chief Privacy Officer of the Department of Homeland Security. Ms. O'Connor Kelly was appointed to her current position on April 16, 2003. Just prior to her appointment she served as the Chief Privacy Officer at the Commerce Department. Before entering public service, Ms. O'Connor Kelly was the Vice President for Data Protection and Chief Privacy Officer for Doubleclick, an online media services company, that she rescued with her privacy policies. I add that as a personal note. In that capacity, Ms. O'Connor Kelly established that company's first data protection department and was responsible for instituting privacy protection policies and procedures for Doubleclick, its clients and partners. Ms. O'Connor Kelly received her undergraduate degree from Princeton University and masters degree in education from Harvard University and a law degree from Georgetown University Law Center. Our second witness is the Honorable James Gilmore, the former Governor of the Commonwealth of Virginia. Governor Gilmore, as you will recall, has previously shared with this Subcommittee his vast expertise on technology and Internet policy matters for which we are deeply grateful. Today Governor Gilmore appears on behalf of USA Secure Corporation, a nonpartisan, not-for-profit think tank which he founded. USA Secure is comprised of technology and infrastructure companies that are affected by and participate in homeland security. It provides a forum for its members to develop integrated solutions regarding homeland security issues. Of particular relevance to today's hearing is Governor Gilmore's service as the Chairman of the Congressional Advisory Panel to Assess the Capabilities for Domestic Response to Terrorism Involving Weapons of Mass Destruction, all also known as the Gilmore Commission. The Commission was established by Congress to assess Federal, State and local Government's capabilities to respond to the consequences of a terrorist attack. The Gilmore Commission, which recently submitted its final report to the President and Congress, was influential in developing the Department of Homeland Security. Governor Gilmore received his undergraduate degree in foreign affairs from the University of Virginia and, after a 3-year tour as a U.S. Army counterintelligence agent in West Germany, obtained his law degree at the University of Virginia Law School. He continues to demonstrate his dedication to homeland security and technology issues as a partner of the law firm of Kelley, Drye, Warren here in Washington, D.C. Our next witness is Professor Sally Katzen of the University of Michigan Law School. We understand the Professor Katzen appears today solely in her personal capacity and not on behalf of the University of Michigan or any other entity. Prior to joining academia in 2001, Professor Katzen was responsible for developing privacy policy for the Clinton administration for nearly a decade. As the Administrator of the Office of Information and Regulatory Affairs of the Office of Management and Budget, she was effectively the chief information policy official for the Federal Government. Her responsibilities included developing the Federal privacy policies, including implementation of the 1974 Privacy Act. Professor Katzen later served as Deputy Assistant to the President for Economic Policy and Deputy Director of the National Economic Counsel in the White House. Thereafter she became the Deputy Director for Management at OMB. Before embarking on her public service career, Professor Katzen was a partner in the Washington, D.C. law firm of Wilmer, Cutler and Pickering, where she specialized in regulatory and legislative matters. Professor Katzen graduated magna cum laude from Smith College and magna cum laude from the University of Michigan Law |