
Nonetheless, to her credit, she prepared and issued a PIA that was quite thoughtful and was well received. Whether one agrees or disagrees with the underlying program, at least we know that someone was engaged in the issues that deserve attention and the product of that effort was released to the public.

As someone outside the government, it is hard to know how influential Ms. Kelly will be if, and it inevitably will happen, there is a direct conflict between what a program office within DHS wants to do and what the Privacy Officer would counsel against for privacy reasons. Effectiveness in this type of position depends on autonomy and authority, that is, on the aggressiveness of the office holder to call attention to potential problems and on support from the top. We may take some comfort from Secretary Ridge's comments; he has said all the right things about supporting the Privacy Officer. But we cannot now know what will happen when the "rubber meets the road."

This Committee, however, can further empower the Privacy Officer, and lay the foundation for remedying any problems that may arise, by maintaining its oversight and inquiring pointedly into how the Department operates. For example, Ms. Kelly (and Secretary Ridge) should be asked at what stage she is alerted to or brought into new initiatives; what avenues are open for her to raise any questions or concerns; and whether the Secretary will be personally involved in resolving any dispute in which she is involved. The timing of the release of the PIA for the US VISIT program suggests that Ms. Kelly may not always be consulted on a timely basis. As I read the E-Government Act of 2002, an agency is to issue a PIA before it develops or procures information technology that collects, maintains or disseminates information that is in an identifiable form. In this instance, the PIA was released much further down the road, when the program was about to go on line. Anything that helps the Privacy Officer become involved in new initiatives at the outset, before there is substantial staff (let alone money) invested in a project, would be highly salutary.

The second lesson that I take from the experience to date with the Privacy Officer at DHS is that there has been no diminution in the capacity of the Department to pursue its mission. Or as a political wag would say, the existence of a Privacy Officer in DHS has not caused the collapse of western civilization as we know it. This is wholly consistent with what most Americans think—that national security and privacy are compatible and are not intrinsically mutually exclusive.

The fact that there is no evidence that the existence, or any activity, of the Privacy Officer has caused DHS to falter leads me to suggest that the Committee consider expanding the number of statutory privacy offices from one to 24, covering all major Departments (the so-called Chief Financial Officers Act agencies) or at least a handful of critical agencies. Imagine the salutary effect that a statutory privacy office could have at the Department of Justice, the Department of the Treasury (and the Internal Revenue Service), the Department of Defense and the Veterans Administration, the Social Security Administration, and the Department of Health and Human Services. All of these agencies already have some form of privacy office in place, although many simply process Privacy Act complaints, requests, notices, etc. and do not involve themselves in the privacy implications of activities undertaken by their agencies. It is significant, I believe, that OMB guidance from two administrations (issued first during the Clinton Administration and repeated recently by the Bush Administration) has called for the creation of such offices in Executive Branch agencies. With the imprimatur of Congress, these offices can achieve the status (and increased influence) and gain the respect that the Privacy Officer has enjoyed at DHS. Equally important, by establishing statutory privacy offices, the Congress will be able to engage in systematic oversight of the attention paid to this important value in the federal government, something which has not occurred before this hearing today.

I hope I do not seem presumptuous to suggest, indeed strongly urge, one further step: establishing at OMB a statutory office headed by a Chief Counselor for Privacy. As noted above, we had created such a position during the Clinton Administration, and it served us well. Peter Swire, the person we selected to head that office, was able to bring his knowledge, insights, and sensitivity to privacy concerns to a wide range of subjects. In his two years as Chief Counselor, he worked on a number of difficult issues, including privacy policies (and the role of cookies) on government websites, encryption, medical records privacy regulations, use and abuse of social security numbers, and genetic discrimination in federal hiring and promotion decisions, to name just some of the subjects that came from various federal agencies. He was also instrumental in helping us formulate national privacy policies that arose in connection with such matters as the financial modernization bill, proposed legislation to regulate internet privacy, and the European Union's Data Protection Directive.

I believe it is unfortunate that the current Administration has chosen not to fill that position. As a result, there is no senior official in the Executive Office of the President who has "privacy" in his/her title or who is charged with oversight of federal privacy practices, monitoring of interagency processes where privacy is implicated, or developing national privacy policies. Perhaps it was the absence of such a person that led to the Bush Administration's initial lack of support for the designation of a Privacy Officer at the Department of Homeland Security. Perhaps if someone had been appointed to that position, the Administration would not have appeared to be so tone deaf to privacy concerns in connection with the Patriot Act or any number of law enforcement issues that have made headlines over the past several years. An "insider" can provide both institutional memory and sensitivity to counterbalance the unfortunate tendency of some within the government to surveil first and think later. At the least, the appointment of a highly qualified privacy guru at OMB would mean that someone in a senior position, with visibility, would be thinking about these issues before, rather than after, policies are announced.

Finally, I understand that after this Hearing, the Committee will move to mark up H.R. 338, "The Defense of Privacy Act." That bill reflects a commendable desire to ensure that privacy impact statements are prepared by federal agencies as they develop regulations which may have a significant privacy impact on an individual or have a privacy impact on a substantial number of individuals.

I was struck in reviewing the E-Government Act of 2002 for this testimony that it requires an agency to prepare a PIA not only before it develops or procures information technology that implicates privacy concerns, but also before the agency initiates a new collection of information that will use information technology to collect, maintain or disseminate any information in an identifiable form. This law has gone into effect, OMB has already issued guidance on how to prepare the requisite PIAs, and the agencies are learning how to prepare these PIAs using that model. Rather than impose another regime on agencies when they are developing regulations (which are frequently the basis for the information collection requests referenced in the E-Government Act of 2002), it might be preferable to amend the E-Government Act to expand its requirements to apply to regulations that implicate privacy concerns. That approach would have the added benefit of eliminating the inevitable debate over the judicial review provisions of H.R. 338, which go significantly beyond the judicial review provisions of any of the comparable acts (e.g., Reg. Flex., NEPA, Unfunded Mandates, etc.). Lastly, if you were to amend the E-Government Act to include privacy-related regulations, you might also consider including privacy-related legislative proposals from the Administration. As you know, Executive Branch proposals for legislation are reviewed by OMB before they are submitted to the Congress. If there were a Chief Counselor for Privacy at OMB, s/he would be able to provide input for the benefit of the Administration, the Congress and the American people.

Again, thank you for inviting me to testify today. This Committee has been an effective leader on privacy issues, and it is encouraging that you are continuing the effort. I would be pleased to elaborate on these comments or answer any questions that you may have.

Mr. CANNON. Thank you Ms. Katzen.

Mr. Dempsey, you're recognized for 5 minutes.

STATEMENT OF JAMES DEMPSEY, ESQUIRE, EXECUTIVE DIRECTOR, CENTER FOR DEMOCRACY AND TECHNOLOGY, WASHINGTON, DC

Mr. DEMPSEY. Chairman Cannon, Ranking Member Watt, Members of the Subcommittee, thank you for this opportunity to testify today about the Privacy Officer at the Department of Homeland Security. It's always a privilege to appear before the Subcommittee, and especially today on a panel with three of the most serious and insightful public officials, public servants, that I know.

Based on the record of the Department of Homeland Security Privacy Office to date, it is clear that a statutory Privacy Officer participating in senior level policy deliberations and using tools like the Privacy Act notice and privacy impact assessments can be an important mechanism for raising and mitigating privacy concerns surrounding the Government's use of personal information.

Certainly the Department of Homeland Security Privacy Officer legislation should be a model for other agencies including the Department of Justice.

With proper laws and policies, statutory privacy officers can be an important element of the overall approach to meeting the public's interest in privacy protection even as the Government pursues urgent missions like counterterrorism. And there's no more persuasive spokesperson and no more persuasive source for the proposition that we can and must protect privacy at the same time that we are pursuing the mission of counterterrorism than the five reports that Governor Gilmore has submitted to this Congress and his overall advocacy for the need to both preserve privacy and enhance our national security.

One of the best ways to protect privacy is to raise privacy concerns early in the development of any new program so that those concerns can be addressed and mitigated in advance. We call this privacy by design, building in the privacy protections from the ground up before a system is implemented and before it's too late to avoid the problem. That's one of the roles that the chief privacy officer plays, perhaps one of the primary roles that person plays. Congress and this Committee were very foresightful when you insisted on creating a statutory Privacy Officer in the Homeland Security Act of 2002, but that so far is the only privacy officer statutorily created in the entire Government.

While this is a new position, Nuala O'Connor Kelly has set the benchmark and it is now clear that we can extend the model to other agencies.

It seems, based upon the evidence so far and the experience, that there are four elements of an effective privacy officer. One is a statutory basis. As Ms. Katzen has referenced, there are Privacy Act officers and privacy officers in other Federal agencies, but they don't have the stature that comes from a statutory basis and a statutory charter.

Second, adequate staff.

Third, inclusion in the senior level policy deliberations, which partly flows from the statutory charter.

And finally, legislative tools like the privacy impact assessment. And on the fourth point, we should all recognize that privacy officers are part of the answer but that they cannot be effective unless the laws and policies are in place. One of those tools is the privacy impact assessment. The E-Government Act of 2002 requires that Federal agencies conduct privacy impact assessments whenever they are initiating a new collection of personal information or purchasing new technology. And one of the first PIAs was performed by the Department of Homeland Security Privacy Officer on the US-VISIT program.

Mr. Chairman, if I may, we have-the Center for Democracy and Technology filed some written comments on that privacy impact assessment and I'd like to ask that those be entered into the record.

Mr. CANNON. You can certainly just include those with your written statement.

Mr. DEMPSEY. Thank you, Mr. Chairman.

A further step is the bill that was just reported favorably by the Committee, H.R. 338. And just to second some of the comments made by Congressman Coble and by Mr. Watt, this was not a surprise that this was going to be marked up. It was long overdue. It is legislation that I personally testified in favor of at an earlier hearing of this Subcommittee. It's time to get that moving and hopefully get it through the Senate as well.

We had some specific suggestions on improving that bill as it moves through the process and I understand the pressure to move that bill as it has previously passed the Committee, but by the time the legislative process is completed on that, I hope that you can reconcile the language in this privacy impact assessment legislation for regulations with the privacy impact assessment requirements that are in the E-Government Act. It's been hard enough getting the E-Government Act PIAs going. There's no need to have two separate sets of requirements or definitions and you really need to mesh H.R. 338 with section 208 of the E-Government Act. Other issues Congressman Watt and other Members have alluded to need to be addressed. The Privacy Act of 1974 has not really kept pace with changing technology, particularly as we're seeing the Government increasingly turn to commercial databases in carrying out particularly its counterterrorism activities. We need to have strong guidelines on use of that kind of information, and on the sharing of that information.

And finally, we need the continued involvement of the Subcommittee through the oversight process. So with H.R. 338 you've taken another incremental step with the Privacy Officer at the Department of Homeland Security and hopefully proliferating that model through the Government is another step. And the question of the continued currency of the Privacy Act should be another issue that I believe the Committee and the Congress will need to address.

Thank you, Mr. Chairman.

[The prepared statement of Mr. Dempsey follows:]

PREPARED STATEMENT OF JAMES X. DEMPSEY

Chairman Cannon, Ranking Member Watt, Members of the Subcommittee, thank you for the opportunity to testify today about the Privacy Officer for the Department of Homeland Security. Based upon the short but significant record of that office to date, it is clear that a statutory Privacy Officer, participating in senior level policy deliberations and using the tools of Privacy Act notices and Privacy Impact Assessments, can be an important mechanism for raising and mitigating privacy concerns surrounding the government's use of personal information. Certainly, the DHS Privacy Officer legislation is a model for other agencies, including the Department of Justice. With some further reforms we support, including enactment of the Defense of Privacy Act and improvements to the Privacy Act of 1974, statutory Privacy Officers should be an important element of the overall approach to meeting the public's deeply-held and constitutionally-based interest in privacy protection even in the pursuit of urgent governmental missions like counterterrorism.

The Center for Democracy and Technology is a non-profit, public interest organization dedicated to promoting civil liberties and democratic values for the Internet. Our core goals include enhancing privacy protections both in consumer transactions and between citizens and their government. We are also strong supporters of electronic government, having worked closely with key Members of the House and Senate for enactment of the E-Government Act of 2002. We commend you for your sustained attention to the important privacy issues associated with the government's collection and use of personal information. We look forward to ongoing work with you on these matters.

I. SUMMARY

The federal government has many legitimate needs for collection and use of personal information, ranging from administration of benefits programs to tax collection to winning the war on terrorism. Especially in light of the digital revolution, this government demand for information brings with it heightened risk to privacy and the associated values of Fair Information Practices, including notice; limits on collection, use, disclosure and retention; data quality; security; and the citizen's right to review and correct information held about himself.

One of the best ways to protect privacy, while facilitating the effective collection and use of information where necessary to carry out a governmental function, is to raise privacy concerns early in the development of a new program, so that those concerns can be addressed and mitigated in advance. We call this "privacy by design," building in privacy protections from the ground up. Watchdog groups like CDT and even Members of Congress often find out about a privacy problem only after a system has been implemented. Then, it is often difficult to correct the problem. To ensure that privacy issues are addressed early on, many private companies and some government agencies have created a Chief Privacy Officer position: someone inside the organization, who can be consulted during the conceptualization phase of a new project involving collection of personal information.

In the Federal government, the Department of Homeland Security (DHS) has a statutorily created Privacy Officer, the only such statutory position in the U.S. government today. While this is a new position, CDT has been impressed with the role that Nuala O'Connor Kelly has assumed within the Department. We believe that the DHS experience should serve as a model for agencies across the government.

We would also like to take this time to again voice our support for the Defense of Privacy Act (DOPA), which will require agencies to publish Privacy Impact Assessments (PIAs) for all regulations. DOPA will serve as a sound complement to Section 208 of the E-Government Act of 2002, which requires that federal agencies conduct PIAs whenever they purchase a new information technology or initiate a new collection of personally identifiable information. One of the first published PIAs was the one written by the DHS Privacy Officer on the US-VISIT (United States Visitor and Immigrant Status Indicator Technology) program. It is an important document and has served to bring greater transparency to that program. PIAs can be especially effective if they are published before the system design or regulatory process is completed.

II. CHIEF PRIVACY OFFICERS

A. History of Chief Privacy Officers in the Federal Government

For years, many federal agencies have had "Privacy Act Officers." In some agencies, this has actually been a part-time job. Privacy Act Officers often spend much of their time not on privacy issues per se, but in dealing with requests from individuals who want to see their government records under the access provisions of the Privacy Act. In addition, these officers usually are also responsible for the other major records disclosure law, the Freedom of Information Act. Privacy Act Officers, despite their title, have no statutory basis in the Privacy Act. There is no mechanism for including them in internal deliberations on matters affecting privacy. They are often mid-level career officials and do not have the ability to intervene at a policy level even when a major privacy issue comes to their attention. They are often brought into discussions about a program only at the last minute to draft a notice required under the Privacy Act when the government creates or changes a "system of records," but that notice generally serves no role in shaping policy.

Realizing that this system was not effective, the Clinton Administration in 1998 required all agencies to "designate a senior official within the agency to assume primary responsibility for privacy policy." [1] The Clinton Administration used these "privacy leaders" to review Privacy Act compliance within each agency. The next year, Peter Swire was named Chief Privacy Counselor for the Administration within the Office of Management and Budget. Mr. Swire worked on both commercial and government privacy issues and had a voice in deliberations concerning agencies across the government. Among his accomplishments was requiring all government Web sites to include privacy notices.

At the same time, many companies in the private sector began to hire or promote employees to be "Chief Privacy Officers." The CPO position is now very common in the e-commerce, banking and health care industries. Several membership organiza

[1] William J. Clinton, "Memorandum for the Heads of Executive Departments and Agencies," May 14, 1998, <http://www.cdt.org/privacy/survey/presmemo.html>.
