Page KF 27 5856 J 2004 Copy 2 CONTENTS FEBRUARY 10, 2004 OPENING STATEMENT The Honorable Chris Cannon, a Representative in Congress From the State WITNESSES Ms. Nuala O'Connor Kelly, Chief Privacy Officer, United States Department of Homeland Security, Washington, DC Oral Testimony Prepared Statement The Honorable James S. Gilmore, III, President, USA Secure Corporation, Washington, DC 1. 2 69 Oral Testimony 13 Prepared Statement 188 16 Ms. Sally Katzen, Visiting Professor, University of Michigan Law School, Ann Arbor, MI Oral Testimony 21 Prepared Statement James Dempsey, Esquire, Executive Director, Center for Democracy and 223 MATERIAL SUBMITTED FOR THE HEARING RECORD Letter and questions submitted by the Honorable Chris Cannon, to Ms. Nuala O'Connor Kelly, Chief Privacy Officer, U.S. Department of Homeland Security 43 PRIVACY IN THE HANDS OF THE GOVERNMENT: THE PRIVACY OFFICER FOR THE DEPARTMENT OF HOMELAND SECURITY TUESDAY, FEBRUARY 10, 2004 HOUSE OF REPRESENTATIVES, The Subcommittee met, pursuant to notice, at 3:02 p.m., in Room 2141, Rayburn House Office Building, Hon. Chris Cannon (Chair of the Subcommittee) presiding. Mr. CANNON. Thank you all for coming out. Let me begin by hereby welcoming our esteemed witnesses, some of whom I've had the pleasure of working with on privacy issues and other matters over the years. I also want to note that immediately following the hearing we have scheduled a markup of H.R. 338, the "Defense of Privacy Act." Indeed, if we have a critical mass of Members to report that bill, we may recess this hearing briefly to accomplish that task. The title of today's hearing, Privacy in the Hands of Government: The Privacy Officer for the Department of Homeland Security, clearly sets out what we plan to examine this afternoon. We will review the work and responsibility of the Department's Privacy Officer and consider whether the statute creating this position sufficiently addresses concerns about the Department's handling of personally identifiable information. We will also examine how the Department has met the rather daunting challenge of detecting and deterring terrorism while safeguarding Americans from unwanted or unwarranted Governmental intrusion. I suppose all intrusion is unwanted. A lot of it is, in fact, unwarranted. For those of you don't know, the creation of the Privacy Officer Position in the Department of Homeland Security marked the first time that Congress statutorily mandated a Federal agency to appoint a senior official to be primarily responsible for privacy policy and compliance matters. Indeed, this Subcommittee, with the support of our Chairman, Jim Sensenbrenner, played a major role in ensuring that the legislation establishing the Department of Homeland Security not only mandated the appointment of a Privacy Officer, but specified the officer's responsibilities. This was done in response to concerns expressed on a bipartisan basis about the antici pated agency's ability to collect, manage, share, and secure personally identifiable information. One of the principal statutory responsibilities of the DHS Privacy Officer, as set out by statute, is the duty to assure to assure that the use of technologies sustain and do not erode privacy protections relating to the use, collection, and disclosure of personal information. In addition, the Privacy Officer must assure that personal information is handled in full compliance with the Privacy Act and assess the effect on privacy of the Department's proposed rules. These are two of the areas that we hope to focus on during the course of today's hearing. Pursuant to this legislation, Department of Homeland Security Tom Ridge last April appointed Nuala O'Connor Kelly to serve as the Department's Privacy Officer. Since her appointment, Ms. O'Connor Kelly has played an active role in various terrorist detective initiatives undertaken by DHS. One of those projects has been the Computer-Assisted Passenger Prescreening System, also known as CAPPS II, which is intended to improve airline security. In addition, Ms. O'Connor Kelly prepared a privacy impact assessment for the United States Visitor and Immigration Status Indicator Technology Program, also known as the US-VISIT program. This program consists of an integrated entry and exit data system designed to record the entry into and exit out of the United States by noncitizens. Last month, US-VISIT entry procedures became operational at 115 airports and 14 seaports together with a pilot test of biometric identification procedures at one airport and one seaport I should note that today's hearing is one in a series the Subcommittee will hold on the issue of privacy in the hands of Government. I now turn to my colleague, Mr. Watt, the distinguished Ranking Member of the Subcommittee and ask him if he has any opening remarks? Mr. WATT. Thank you, Mr. Chairman. Mr. CANNON. The gentleman is recognized for 5 minutes. Mr. WATT. Thank you, Mr. Chairman, for convening this hearing today. It must be my day to deal with privacy and identity theft issues. I'll tell you what has transpired today. I was seated in a meeting with representatives from various Government agencies, one of which was Social Security. And one of their complaints was that Government work is being contracted out to private companies who don't have the kind of responsibility for overseeing privacy and preventing identity left. That meeting lasted for about 20, 30 minutes. During that meeting three things happened. Öne, I got placed on my desk the comments for this meeting here this afternoon, which I haven't had a chance to review very thoroughly but I'm going to take a stab at them when I get back to the formal part of this presentation. Second, I got placed on my desk a message from a newspaper reporter at the Charlotte Observer-which is in my Congressional district in Charlotte, North Carolina-with an attached article which says a Charlotte temporary employment agency left more than 20 boxes filled with hundreds of job applications on the curbside for the better part of a day Sunday and Monday. And goes on to ask me if I have any comments to make about that. Then I got placed on my desk, during that same meeting, a letter from our minority leader asking me to join in a letter to the president expressing concerns about the way the CAPPS II program is being-playing itself out and asking the Administration to pay more attention to the dissemination of personal information. This is a multidimensional problem, not only Government information that we are gathering but private information. We've tried to attack it in various compartmentalized ways through Fair Credit Reporting Act in the Financial Services Committee on which I sit, through various things in this Judiciary Committee, but this isthis already difficult issue has been complicated by the events of September 11. And since then our country has been confronted with the dual aspiration of ensuring the security of our homeland and at the same time preserving and securing the Civil Rights and liberties that make our homeland free and unique. The creation of the Department of Homeland Security was historic. Homeland Security Act of 2002 created an agency with the primary responsibility of preventing terrorist attacks in the United States, reducing our vulnerability to such attacks, minimizing damage due to any attack, and assisting in our ability to recover from those attacks. My concern here today however is that the Department not be so vigilant in its terrorist prevention and terrorist detection duties that it undermines our individual freedoms. Just last May the GAO described the Department of Homeland Security's responsibilities to include "the coordination and sharing of information related to threats of domestic terrorism within the Department and with and between other Federal agencies, State and local governments, the private sector, and other entities". The report recognized that to accomplish this mission the Department of Homeland Security must access, receive and analyze law enforcement information, intelligence information, and other threat incident and vulnerability information from Federal and non-Federal sources. Recent newspaper reports indicate that questionable information sharing occurred between JetBlue and Northwest Airlines and law enforcement in order to implement the CAPPS II Computer-Assisted Passenger Prescreening System designed to prescreen airline passengers. Despite the existence of a Privacy Officer within the Department of Homeland Security, the JetBlue and Northwest Airline collaboration with the Government raises serious privacy issues because although these private entities may have their own privacy policies they are not subject to the constraints of the Privacy Act. This circumstance may lead to a gaping hole in safeguarding the improper dissemination of personal information. This is a hole that I personally tried to plug last year during the Judiciary Committee's consideration of H.R. 4598, the Homeland Security Information Sharing Act. That bill, which did pass the House and has not passed the Senate, would have authorized Federal, State and local entities, including private actors, to share information to the fullest |