Editor’s Note – The following prepared remarks were originally delivered by OMB Director Shaun Donovan at the Federal Privacy Summit on December 2, 2015. Director Donovan spoke about the Administration's continued efforts to protect privacy and civil liberties and announced a series of new efforts to ensure that the Government’s privacy practices evolve to reflect ever-changing technologies, while also maintaining America’s position as a leader in innovation.
Thank you. It is an honor to be here this morning at the Federal Privacy Summit. First, I would like to congratulate the organizers of this year’s Summit on a very exciting event. Today’s event and the standing-room only audience here in this room are a testament to your commitment to privacy. By any measure, this is very impressive.
On behalf of President Obama, I would also like to thank the privacy professionals here today, and the hundreds of other men and women who are part of privacy teams across the Federal Government. You work tirelessly and passionately to help ensure that as we seek to carry out the many diverse missions of the Federal Government, we do so in a manner that honors and respects the sensitive information entrusted to us by the American people.
At the heart of today’s Summit is a fundamental belief we hold dear as a country: that Government has a critical role in enforcing and ensuring protections for the privacy of its citizens. Indeed, as Americans we’ve always believed that our personal information should be guarded against improper use and against threats to the security of that information.
Never has privacy been more important than today. Today, we are in the midst of a revolution of innovation and opportunity. The digital economy has changed how citizens interact with their Government. With the click of a button, you can gain information about a job, receive health insurance, qualify for a student loan, seek immigration services or veterans’ benefits, or file your taxes. This digital revolution creates enormous opportunities for our ability to search, connect and discover, but it also creates enormous challenges for our economy and our people.
That is why all of you in this room have worked to ensure that the Government’s privacy practices evolve to reflect these ever-changing technologies, while also maintaining America’s position as a leader in innovation. Since the start of this Administration, we’ve advanced significant efforts in this arena while protecting privacy and civil liberties. Among those efforts include:
While these are important efforts, there is more to be done. As Government continues to innovate for the 21st century, we must also continue to invest in the resources and capabilities to protect the information entrusted to us and carry out Government’s mission.
The question, though, is how should we proceed in doing so?
As the Director of the White House Office of Management and Budget, I am very focused on the return on investment – or ROI – of government initiatives. I’m guessing that some of you in this room are asked to defend the ROI on privacy as well. Although it may not always be apparent or easy to articulate, it is clear that there is a significant ROI for privacy programs in the Federal Government. If we do this right, our efforts will pay off down the road.
There are many reasons why privacy is important, but there are four key areas I want to discuss today:
First, and perhaps most obvious, Federal agencies must stem the rising tide of incidents involving the loss of personally identifiable information and ensure effective responses when they do occur. We need capable privacy professionals on the ground and at the table to evaluate privacy risks on an ongoing basis and to help ensure the protection of PII at all times. We need Chief Privacy Officers to help continue to identify our high value assets that store sensitive PII, ask tough questions about data minimization, ensure compliance with retention schedules, and evaluate policies for sharing and transferring data. If program managers aren’t sure about the sensitivity of a data set or the risk of harm such data may present if compromised, they should ask their CPO. Guessing will lead to poor decisions.
Second, when an incident involving the loss of PII occurs, experienced privacy teams need to lead the efforts to prevent the risk of harm to impacted individuals. These efforts are about evaluating the sensitivity of PII compromised and the risk of identity theft or other harm to individuals, making decisions about notification to people potentially impacted by the incident, helping agencies share data when it will help mitigate risk, and coordinating with other offices in an agency to ensure accurate and consistent practices. Incident response in the context of these efforts isn’t about network security or computer forensics to assess the scope of an intrusion. That’s the job of the CIO or CISO and other cybersecurity experts. There may be one incident, but there are two roles and the advantage of this should be clear: you don’t have the same person being responsible for securing the network and assessing the impact on agency systems as well as being responsible for legal and policy decisions about breach notification letters, applying the Privacy Act, and drafting MOUs to share data.
Third, the implementation of comprehensive privacy programs should improve the efficiency and effectiveness of Government. A robust privacy program – like a comprehensive risk management program – should help agency heads make better decisions, use accurate and timely data more effectively, avoid risks, reduce costs, and improve the efficiency of government programs. Too many projects have been delayed or shelved because of the failure to address responsible data practices up front. In addition, the existence of robust privacy programs at all agencies will help ensure complete and effective information sharing among those agencies.
More than any previous Administration, this Administration is all about technology and innovation. But to responsibly deploy cutting-edge technologies, use social media, leverage big data, publish more data sets, and embrace the cloud, we need strategic privacy programs led by capable experts. This will enable innovation, not slow it down. If we don’t invest in privacy today, these issues will only be more challenging tomorrow.
Finally, trust in government is critical and protecting privacy is essential to maintaining that trust. Yet, surveys show that many Americans don’t trust the Government with their data. Unfortunately many of you – the employees of the Federal Government – share that concern. This isn’t just a theoretical harm. The Census Bureau, for example, has identified Americans’ growing distrust of the Government’s ability to responsibly collect and store data as one of the most significant challenges they face in conducting the next census. We need to turn that around.
So let me reiterate what I said earlier, there is a significant ROI “If we do this right.” Getting it right means developing a comprehensive, strategic and continuous privacy program supported by experienced leaders, a strong and dedicated team of professionals, and practical guidance.
Now, the success of an agency’s privacy program depends upon its leadership. That is why this past spring I created the new position at OMB of Senior Advisor for Privacy led by Marc Groman. A lot of you know Marc. Few people are as passionate about privacy as Marc and he brings a tremendous amount of experience, energy and enthusiasm to the position. He is also practical and solution oriented, which is critical for privacy professionals today. And equally important, as we all know, Marc is not shy.
Just as we took a hard look at privacy resources and privacy leadership within OMB, OMB is going to ask each agency to take a hard look at the structure of its privacy program and then answer the tough question “Is the right person the senior agency official for privacy at our agency?” If not, we want you to develop a plan to get to the right place. I anticipate that you’ll be seeing OMB guidance on this in the near future.
And several agencies are not waiting for that guidance. OPM’s Acting Director Beth Cobert has created a new senior privacy position in the Director’s Office with the authority and access to build a robust, strategic, agency-wide program. Similarly, the Department of State is creating a new career SES Chief Privacy Officer position to lead the Department’s privacy efforts. The Department of Justice just posted a new career SES position for the Director of the Department’s Office of Privacy and Civil Liberties. In addition, earlier this year, the Department of Defense reorganized its privacy and civil liberties functions and brought on a top privacy lawyer to serve as the Director of Oversight and Compliance and Senior Agency Official for Privacy. This is a great trend that I look forward to seeing grow across the Federal Government.
Over the past four months, Marc has been meeting with CPOs, privacy teams, and other managers from across the Government. That includes many of the people in the room today. Let me share with you some of the things Marc has heard from you:
We hear you. Today I am announcing plans to establish a new Federal Privacy Council, which will model the successful Federal CIO Council. It is time to stop re-inventing the privacy wheel at agencies and do a better job of leveraging the success of each agency’s related efforts. It is time to shift from reactive programs to proactive strategies. And it is time to “professionalize” the privacy profession.
The Privacy Council will serve as an ecosystem for strategic thinking on privacy implementation, bringing together the best minds we have to tackle the cutting-edge privacy issues of the digital era. This will be the place to coordinate and share ideas, best practices, and successful approaches for protecting privacy across the Government. And like the CIO Council, this Council will assess and develop recommendations for attracting and hiring top talent in privacy programs across the Federal Government.
Implementing a comprehensive, risk-based and strategic privacy program across a department or agency in the information age is no easy task. To do your jobs, you often rely on guidance, standards and best practices to serve as a road map to successful implementation. Those documents must be current, accurate, practical and scalable.
That’s why we are doubling down on updating privacy guidance at OMB over the next several months.
Now I don’t think there’s any other venue where I can say the words OMB Circular A-130, OMB Circular A-108, or OMB Memorandum M-07-16 and the audience wouldn’t look confused and perplexed. But as everyone in this room knows, these documents serve as our government-wide policy for managing Federal information resources, implementing the Privacy Act, and responding to data breaches that impact PII. The two Circulars, however, haven’t been updated since 2000. Our guidance on incident response is nearly a decade old. In that timespan, we’ve seen a proliferation of tools and digital technologies that have reshaped our global economy including cloud computing, social media, mobile devices, biometrics and electronic health records.
These technologies allow the Government to maintain, process and analyze vast quantities of personal information in order to provide basic services to citizens. This data includes information about people seeking benefits from the Government, foreigners seeking to travel, work in, or immigrate to the US, consumers filing complaints, targets of law enforcement investigations, and even your information as employees or contractors working in the Federal Government. Policies that ensure the proper protection of an individual’s privacy interests when handling all of this information are essential to the successful accomplishment of the Government’s mission. On top of this, we face an ever-evolving threat landscape.
As technology and threats evolve, so must our policies. In order to meet today’s complex challenges, we must continue to double down on this Administration’s broad strategy to enhance privacy practices and fundamentally overhaul information security practices, policies, and governance.
That is why we have revised and will soon publish an updated Circular A-130, to include a new approach for developing and maintaining a continuous privacy monitoring strategy and ensuring that agencies take a coordinated approach to addressing privacy and information security.
OMB will also update government-wide policy to assist agencies when responding to a cybersecurity incident or other data breach involving personally identifiable information, as highlighted in the recently released Cybersecurity Strategy and Implementation Plan.
And in the coming months, the Administration will publish for public comment Circular A-108 which will help agencies promote transparency and successfully implement the Privacy Act in today’s digital age.
OMB’s revised policy documents make one point very clear – privacy and security may be two different disciplines requiring two separate skill sets but they must be part of one coordinated risk management framework.
Often when we talk about privacy, many people seem to believe that it’s at odds with security. But in fact, privacy and security go together. When privacy and IT security are coordinated, both programs benefit and your agencies benefit.
Under U.S. CIO Tony Scott’s leadership, the CIO Council has been a great partner for the privacy community. Indeed, it is the CIO Council’s Privacy Community of Practice that developed and sponsored today’s outstanding event. I expect – and I know that Marc and Tony expect – that the work of the two councils will complement each other and promote more efficient and effective programs for both privacy and IT Security.
As we work to advance these efforts, I’m reminded that we are a country that created the Internet. But we are also a country that pioneered the Bill of Rights, and we have a belief that our privacy should not only be guarded against unwarranted government intrusion, but also protected. In a world where Government can build technologies to provide healthcare, student loan relief, immigration services, or veterans’ benefits, we can also build the architecture to protect the information Government maintains to provide these services, and the information we value so dearly as a society.
As the President once said:
“Never has privacy been more important than today, in the age of the Internet, the World Wide Web and smart phones…. [E]ven though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever.”
Thank you for having me here today.