Dec 31 2009

Privacy Matters

FISMA offers agencies a road map for addressing privacy challenges and making progress in designing effective programs.

[Photo: John Falls. Caption: "We don't ever want anyone to think of this as something where you just check the box and that's it," the IRS' Barbra Symonds says.]

It's never easy to add new requirements to a single system, much less the full collection of systems that house terabytes of data about the nation's citizens. But the officials creating and implementing privacy programs to protect personal content say that recent efforts to do just that have gone relatively smoothly.

Why? Federal employees in the trenches can relate to the issue.

"This is not just some work-related task they have to do," says Barbra Symonds, director of privacy for the Internal Revenue Service. "They understand because they worry about protecting their own personal information. So I think we've gotten over the hump of having to explain what privacy is, why it matters and why we should put resources into it. There's a lot more understanding and visibility than there used to be."

It may no longer be necessary to explain why it is done, but the challenges of implementing and sustaining an effective privacy program remain immense, Symonds and other government privacy officials acknowledge. This fall, agencies for the first time began working to meet an Office of Management and Budget requirement that they answer questions about their privacy programs as part of the annual systems security reports required under the Federal Information Security Management Act.

Data at Hand

Privacy officers and experts say the reporting mandate, which requires agencies to fill out privacy templates for all systems, is paying off. FISMA doesn't demand any new documentation or work because agencies had to provide the data previously under the E-Government Act's privacy provisions. But as privacy and security go hand in hand, it makes sense for FISMA to include the privacy information.

The change also compiles existing privacy requirements that were scattered in different laws, regulations and OMB memos, including everything related to training, the use of privacy impact assessments (PIAs), internal oversight and information systems.

"From my standpoint, the FISMA template is very practical," says Nuala O'Connor Kelly, who stepped down in September as chief privacy officer for the Homeland Security Department to take over the privacy reins for General Electric. "It provides me with a road map for doing privacy the right way. When I fill it out, I almost feel like I'm being graded. I think, oh good, we got that right."

The templates provide agencies with a tool to identify vulnerabilities and craft strong privacy programs, she says. O'Connor Kelly offers six best practices that DHS uses to ensure success in creating its privacy programs:

• Make privacy a core value. Privacy isn't just a nebulous concept or an add-on. It needs to be embraced at all levels of the agency, considered early and often in every business decision and every new technology initiative, and overseen by a senior official with authority to set policy and implement it.

• Recognize that education never ends. Privacy is a front-line endeavor, so agencies must constantly remind employees of its importance and of their responsibility in ensuring that all privacy policies and practices are carried out. Moreover, privacy officers need to always look for ways to tweak awareness measures and provide clear guidelines.

• Keep the public informed. Privacy programs rise and fall on the level of trust the public places in the agency collecting the data. The best way to build trust, say experts, is to be completely transparent about why you're collecting information, how you're going to use it, who has access to it and how you plan to protect it.

• Use a team approach when making privacy impact assessments. Even though PIAs analyze privacy vulnerabilities, they shouldn't be the strict domain of an agency's privacy office. Get input and buy-in from program managers and system owners or even have them draft the initial analysis. After all, these employees know their business—and who and what it affects—better than anyone.

• Don't reinvent the wheel. Look for what already works well within an agency and then duplicate it in other areas. DHS, for instance, is studying the online training program that its Customs offices use to see what aspects make sense to replicate elsewhere. Also, rather than buy standalone privacy software, find ways to integrate it into security and other programs already in use.

• Go for quick wins. Instead of trying to do everything at once, apply policies to one or two large projects that collect a lot of personal information. This will provide a success model and the visibility needed to encourage others within an agency to adopt the privacy policies.

Dan Chenok, vice president and director of policy and management strategies at SRA International of Fairfax, Va., and a former OMB official, says that FISMA is affecting agencies' privacy work in positive ways. "It basically brings the conversation about privacy up to the senior levels of the agency because the FISMA report has to be signed off on by the head of the agency," he explains.

The FISMA reporting requirement also sheds light on the most difficult tasks in developing and implementing a privacy program, including cultural acceptance and change, the need for top-down leadership and developing technology approaches that support privacy, Chenok says.

"The key to success is setting up a strong privacy policy that's consistent with OMB policies and establishing a senior official with the authority to drive change and work directly with offices throughout the agency to implement those changes," he says.

O'Connor Kelly and Symonds describe the DHS and IRS programs as robust and well-funded. Still, there are hurdles: For example, they point to education and cultural resistance as the toughest challenges—no matter where an agency is in the privacy process. In recognition of this fact, FISMA addresses the issues early on in its template, they add.

Inside Job

"I'd say that 90 percent of what we do is inside the building, making sure that people are considering the privacy impact of what they're doing at the earliest possible stages," O'Connor Kelly says. "That's critical because it's been demonstrated that when the analysis is done early rather than later, you end up avoiding problems and bad press, and still get your programs done right and completed faster."

To meet this challenge, the IRS requires all its employees and contractors to take an annual course on privacy and periodic role-based training for front-line personnel. Meanwhile, Homeland Security is evaluating training programs agencywide to ensure that they all have a privacy component.

Ultimately, Symonds says, an agency has to show throughout its policies and daily operations that it views privacy as a moral duty—not just a legal requirement.

"We don't ever want anyone to think of this as something where you just check the box and that's it," she explains. "We need to show taxpayers that we go above and beyond what the baseline law says that we have to do. That will help us maintain the public trust and enable us to better achieve our mission."