In November, the Department of Homeland Security’s Privacy Office issued its annual report to Congress. The report, which covers the period from July 2012 through June 2013, was a few months late. The incoming Chief Privacy Officer (CPO), Karen Neuman, announced the release of the report.
Neuman came to the Department from a boutique privacy law firm, having replaced Mary Ellen Callahan, who left DHS to return to private practice in August 2012. In the interim, Deputy Chief Privacy Officer for DHS, Jonathan Cantor, served as acting CPO. The 2013 Annual Report is 89 pages long, and covers Privacy Office’s efforts in five key areas, or goals. From the report, they are:
- Goal 1 (Privacy and Disclosure Policy): Foster a culture of privacy and transparency, and demonstrate leadership through policy and partnerships;
- Goal 2 (Advocacy): Provide outreach, education, training, and reports in order to promote privacy and openness in homeland security;
- Goal 3 (Compliance): Ensure that DHS complies with federal privacy and disclosure laws and policies and adheres to the DHS FIPPs;
- Goal 4 (Oversight): Conduct robust oversight on embedded privacy protections and disclosures in all DHS activities; and
- Goal 5 (Workforce Excellence): Develop and maintain the best privacy and disclosure professionals in the Federal Government.
These goals align, mostly, with the six key functions of a public sector privacy office: policy; compliance; oversight; incidents and breaches; education and training; and engagement and outreach. Workforce excellence, while important at any organization, seems to be a curious goal for the Privacy Office, with barely a page of discussion on the goal in the main body of the report.
Importantly, the annual report makes clear that privacy at DHS is much broader than found in Privacy Act offices at most other Federal agencies. The DHS Privacy Office has been at the forefront on privacy and privacy policy within the Federal Government, often out in front of the Office of Management and Budget, the entity charged with responsibility for the Privacy Act of 1974, the main privacy law applicable to the Federal government.
During the period of the 2013 annual report, the Privacy Office worked on, and issued Department-wide policy, in a number of areas, to include: information sharing with the Intelligence Community; research projects at the Department; and the conduct of Privacy Office investigations under expanded authority from the 9/11 Commission Act. Under “advocacy” – encompassing the key functions of “education and training” and “engagement and outreach” – the Privacy Office set up a working group to consider unmanned aircraft systems (UAS) and worked together with the Civil Rights and Civil Liberties Office to inform civil society of the Department’s efforts with respect to Presidential directives on critical infrastructure. The office also had substantial contact with data protection authorities, members of parliament, and officials from justice and interior ministries from around the Globe.
Compliance, the heart of any agency privacy program, showed significant improvements. During the reporting period, the Privacy Office approved 87 Privacy Impact Assessments (PIA), under Section 208 of the E-Government Act of 2002, and 24 System of Records Notices (SORN), under the Privacy Act of 1974. Among the PIAs was the first ever for a Federal agency on the use of UAS. The Office also reviewed over 200 intelligence products and over 500 intelligence information reports, to assure that the minimum necessary amount of PII is disseminated in these intelligence documents.
On oversight, the Privacy Office conducted a comprehensive review of the Department’s compliance with the Automated Targeting System (ATS) PIA and SORN, and the joint US/EU Passenger Name Record Agreement prior to the European Commission’s 2013 Joint Review of PNR. The Office also completed several Privacy Compliance Review reports on various Departmental programs, to include the use of social media for situational awareness, the E-Verify Self Check Program’s use of a third-party identity proofing service, and information sharing.
It is worth noting that the DHS Privacy Office Annual Report, a statutory requirement under the Homeland Security Act, is critical to the office’s oversight responsibilities. The report also has been the source of friction between Congress and the Executive Branch in the ten years of the Department’s existence. In the first few years, the Privacy Office had difficulty in getting out the annual report in a timely manner, with the second report covering a two-year period. Congress, viewing the annual report as an independent means of receiving objective information from the Privacy Office of Departmental matters affecting the personal privacy of Americans, was concerned with delays in issuance of the annual report and, accordingly, mandated in annual appropriations bills that no appropriated funds be used by anyone outside of the Privacy Office to alter, direct that changes be made to, delay, or prohibit the annual report’s transmission to Congress.
Congress followed up on the appropriations language with an even clearer and stricter limitation on perceived interference with the annual report in the
Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act). Section 802(e)(1) of the Act states that the CPO shall “submit reports directly to the Congress regarding performance of the responsibilities of the senior official under this section [the Chief Privacy Officer], without any prior comment or amendment by the Secretary, Deputy Secretary, or any other officer or employee of the Department or the Office of Management and Budget. . . . ” The 9/11 Commission Act also gave the Privacy Officer greater independence, akin to an agency inspector general, stating that the Privacy Officer reports to, and is under the “general supervision of,” the DHS Secretary.
The 2007 annual report’s issuance was stayed pending an opinion from DOJ’s Office of Legal Counsel on the language of section 802(e)(1). The Office of Legal Counsel eventually published an
opinion, stating section 802 would not preclude DHS or OMB review of the report prior to its release. Since 2007, there have been no further disputes between Congress and the Executive Branch over the CPO’s independence, and the annual report has been released Congress and the public in September of each year.
Contributing Author: Hugo Teufel
Hugo Teufel is the former Chief Privacy Officer of the U.S. Department of Homeland Security. An attorney, he assists public and private sector clients in a wide range of areas including privacy and security; investigations, compliance, and corporate governance; defense and homeland and national security; government contracts formation, administration and litigation.
The International Association for Contract & Commercial Management enables both public and private sector organizations and professionals to achieve world-class standards in their contracting and relationship management process and skills. It provides executives and practitioners with advisory, research and benchmarking services, and worldwide training and certification for contracts, commercial and relationship management professionals. IACCM is a non-profit membership organization that supports innovation and collaboration in meeting the demands of today’s global trading relationships and practices. Through our worldwide presence and networked technology, IACCM members gain access to the thought leadership and practical tools that are essential for competitiveness in today’s fiercely contested global markets. We provide insight to the leading-edge contracting and commercial skills, policies, procedures and methods that are fundamental to managing enterprise and individual risks. This insight equips professionals and their leaders to implement best practice governance of contractual commitments and trading relationships. 
