There's information security and there's privacy. And Marc Groman, senior adviser for privacy at the Office of Management and Budget, is the first to say that they're not mutually exclusive. But imply that they're one in the same, or even that management of one dictates management of the other, and he'll stop you in your tracks.
In fact, that notion of interdependence can impede agencies from establishing an effective security or privacy program, Groman argues. Less than a year into the job as top White House privacy official, he sat down with Executive Editor Jill Aitoro to set the record straight.
Talk to me a little bit about how well personally identifiable information (PII) is protected in government.
I've been in the privacy space for over 15 years, and I've had the opportunity to see privacy from many different angles both in the public sector as the FTC's first chief privacy officer and as committee staff in the House of Representatives, as well as in the private sector working with high-tech companies in Silicon Valley on privacy issues. And the great thing is, it is an amazingly exciting time to be in the privacy space today, and it's really exciting to be in the privacy space in the federal government. I came in June of 2015, and since I arrived I've seen a tremendous amount of progress in the way we are handling, protecting, and managing PII across the entire government. Even more exciting is that OMB and the White House are implementing a number of ground-breaking initiatives to further improve how the federal government manages privacy and protects personal information.
What are some of the most important steps you're taking to improve the state of privacy right now?
As we look to improve the state of privacy across the federal government, we have a number of initiatives that are taking place. One, which has already been announced and about which I am personally very excited, is the new Federal Privacy Council, which President Obama established in February through an executive order. The council itself is incredibly important, but I just can't emphasize enough how important it is that the president of the United States demonstrated his personal commitment to privacy and is putting the weight of his office behind it. The federal privacy council really is going to focus on people and programs helping our employees who are in privacy programs, do their jobs well, more effectively and more efficiently, which will ultimately help every agency with their mission.
In the future OMB is going to be issuing and updating some of the most significant privacy guidance that we have at OMB. Most importantly will be reissuing OMB circular A-130. The overall objective of this update is to shift the focus in privacy away from a compliance program, toward a privacy program that is strategic, that is continuous, comprehensive and manages risk over time.
Whose job at an agency is it to ensure privacy is properly protected?
When we think about the protection of personal information and privacy across the federal government, the first point is that it's really everyone's obligation and everyone's responsibility to protect PII and to make sure that it is handled and managed properly. But of course, any privacy program requires leadership, and every agency does have a senior official for privacy who is appointed and designated by the head of the agency [to] implement the department or agency-wide privacy program. That person, the senior privacy official, is supported by privacy teams across the government who have specific expertise in specific areas and then help implement the program across the agency.
Should there be an official chief privacy officer in each agency, or is it more like you mentioned that someone just needs to be designated to take on the responsibilities?
In 2016 I believe that it's critically important for agencies to all have chief privacy officers, and in fact, OMB Director Shaun Donovan raised this issue at the Federal Privacy Summit back in December when he talked about every agency reexamining privacy programs, taking a hard look at who leads that program and resources, and coming up with an approach or a strategic plan to address any shortfalls.
As he noted at that meeting, many agencies have already done just that. State Department, for example, has announced that they intend to create a career SES CPO, as has the Department of Energy; the Department of Justice is on track to do that, and OPM. And so, given how much data we have in the government, evolving technology, big data analytics and the like, we think it's very important that every agency has a chief privacy officer to own and be responsible for the issue, and to work with the CIO, the chief information security officer, the chief technology officer, and others in the C-suite. That kind of coordination and collaboration will be incredibly important to the success of all of those programs.
So often, in technology in particular, it's about finding a balance — ensuring agencies can accomplish the tasks that they want to accomplish with technology without compromising privacy, without compromising security. What advice would you have for striking that balance?
There is a lot of discussion about balancing privacy/security or balancing privacy and an agency's mission. I want to challenge the fundamental principle there because I simply don't agree with it. My perspective, the OMB director's perspective, is that if you have a well-resourced, well-functioning privacy program, that program will promote innovation, will actually foster and enable more information sharing and allow agencies to expand to new technologies such as the cloud or mobile or the like. I really challenge the notion we're trying to balance that. They all work in concert, and if you have the right talent in a privacy program, then all initiatives and the agency's mission ultimately will be improved and will be able to accomplish more things and better things for the American people.
When you consider the OPM hack, it's certainly a cybersecurity issue; but you could also view as a privacy issue in terms of the information that was exposed. Any kind of retrospective lessons that could be pulled from that scenario in terms of how agencies need to maintain the information moving forward?
I'm not going to comment on any particular incident, but I want to share some higher-level observations for federal agencies. The first point I would make is that we need to distinguish between cybersecurity and privacy, and we need to all acknowledge that they are separate and independent disciplines and, therefore, need separate expertise and separate people to address them. Security on one hand really is focused on the confidentiality, the integrity and the availability of data. Of course, that's critically important, and it's fundamental to privacy, but any privacy program is concerned with far more than just the confidentiality, integrity and availability of data.
A privacy program has to be concerned with the use of the data. Once collected, how is the agency using it? We're concerned about transparency. Has the agency, where appropriate, been transparent with the American public about the kinds of data we're collecting and the uses? The CPO and the privacy program is concerned with sharing information. With whom are we sharing it? How will that agency or individual use the data, and can they protect it? So it's really a much bigger discipline and analysis that we need to do, and I think the important lesson is that we need both comprehensive security programs and comprehensive privacy programs. When we do, both of them are actually better and more efficient.
Do agencies consider when personal information — a person's address or Social Security number — are even required in a particular system? Is that being looked at?
A fundamental principle of privacy, and it's actually baked into our laws [and] privacy across the world is a notion of data minimization; that concept really is critical in the government and in the private sector where we want to ask those hard questions. We should ask, do we need all of the data we originally thought we needed, or could we accomplish the same mission, perhaps, with less data or with less sensitive data?
Over time, you want to continually reevaluate that, you want to look at retention schedules for your data, you want to make sure that agencies honor retention schedules that are set centrally by the [National Archive and Records Administration] and the like. So that's a fundamental part of privacy. It's a fundamental part of what we call a privacy-impact assessment, which is an analysis of an IT system at the point the system is launched, but [also] a continuous analysis over time.
Would you say that government is a leader in terms of ensuring the privacy of information, or is government trying to tap the expertise in the private sector? Who's ahead?
When we talk about privacy, it is important that we can break down the issue. While there are general principles that apply across the public and private sectors, there are certainly some very different laws, very different legal regimes that apply, and so we don't want to always lump it all together. But I will say up front that, of course, American citizens need to provide data to the government. You can't opt out. I know that the entire administration feels that we have that obligation to the American people who provide their data to us to take our responsibilities to protect it very, very seriously, and we work very hard to do just that. The private sector has similar responsibilities when they receive data from customers. But certainly it's different.