Report to OMB outlines the creation of a chief privacy officer role and chief privacy officers at every federal agency that already has a CFO.
Existing privacy laws and policies are outdated, federal leadership on privacy is scattershot, and a significant overhaul is needed to bring government's approach to personal information in line with 21st century realities, an independent government advisory board said Wednesday afternoon in a report to the Office of Management and Budget.
In order to manage government privacy policies, the report recommends the government hire one chief privacy officer in the Office of Management and Budget to provide regular government-wide guidance on privacy, as well as chief privacy officers at every agency that already has a CFO.
The report by the Information Security and Privacy Advisory Board, which advises several government agencies and Congress on the government's approach to cybersecurity and privacy, says that "current law and policy do not reflect the realities of current technologies and do not protect against many important threats to privacy."
The government has been especially lackadaisical in providing privacy direction to federal agencies, the report says. For example, there's been little guidance on government use of private-sector databases to collect and use detailed personal information. Well-publicized security failures like the Veterans Administration's 2006 loss of a laptop containing troves of personal information strengthen the case for change.
In addition to the creation of a chief privacy officer role, the ISPAB is recommending the government take a number of steps to shore up privacy protection, including amending the Privacy Act of 1974 and the E-Government Act of 2002 to cover commercial data and the use -- not just the holding -- of private records as well as to improve privacy notices.
Since 2002, there have been a number of additional developments in policy governing the federal use of privacy data. For example, OMB guidance two years ago required agencies to use access controls like authentication and encryption to render personal records inaccessible to unauthorized users, and just last December the Department of Homeland Security released a framework that said the use of personal information should be limited and retained only as long as necessary.
The ISPAB includes representatives from a number of federal agencies, private companies and other groups, including the National Security Agency, Department of Transportation, Fidelity Investments, Cornell University, the Center for Democracy and Technology, and Google, and it is tasked with advising the National Institute of Standards and Technology, the Department of Commerce and the Office of Management and Budget on cybersecurity and privacy issues, though only in regard to federal systems.
InformationWeek Analytics has published an independent analysis on what executives really think about security. Download the report here (registration required).