Home 240-994-4142 SwireBlog Privacy Homepage






                   GOVERNMENT RECORDS



As Chief Counselor for Privacy at the U.S. Office of Management and Budget, one of my primary tasks was to promote good data handling practices within the federal government. My comments here focus on government-wide privacy issues. My unpublished (but now available) article on our 1999 activities gives examples of the way we tried to promote good data handling in individual agency initiatives.

Federal web site privacy. In 1999, we learned that many federal agencies lacked privacy policies on their web sites. OMB Director Jack Lew issued government-wide guidance for such privacy policies in June, 1999. A year later, Director Lew issued a follow-up policy, limiting the use of cookies on federal web sites and also providing that agency compliance with good privacy practices would become part of the OMB budget review process. Clarification of the cookies policy was contained in a 2000 letter from OMB official John Spotila and in OMB testimony by Sally Katzen. My own view is that further updating of that policy is appropriate, especially to make clear that agencies can use cookies where individual users affirmatively consent to have cookies set as part of personalization of a web site.

Privacy impact assessments. While at OMB I strongly supported use of Privacy Impact Assessments (not Privacy Impact Statements as good acronym users might appreciate) in appropriate settings. The IRS has had an effective system of PIAs since at least 1999, and the Chief Information Officers Council's Subcommittee on Privacy voted the IRS program a "best practice" in 2000. President Clinton's budget for 2001 supported making PIAs a regular part of new agency computer systems. Since that time, the idea of PIAs has gained attention in the Congress, in both the House and the Senate. I support the use of PIAs for computer systems and regulations that involve "a significant amount of personal information." An FAA rule about the average weight of plane engines does not need a PIA, but a Department of Transportation database about every traveler who enters an airport does.

Court records. I was very involved in a report on privacy and bankruptcy records, released by the Office of Management and Budget, the Justice Department, and the Treasury Department in January, 2001. There are obvious and substantial advantages to putting litigation and court records on-line, so that litigants, reporters, and the public can avoid the expense and hassle of physically going to a courthouse to check every court records. On the other hand, this study highlights the way that bank account numbers and other sensitive financial data would then be made available to anyone surfing the Internet, becoming a ready target for theft from anywhere in the world. I discussed similar topics in a 2000 speech on privacy and the future of justice system records.

First Amendment and government records. In studying the future of openness of public records, the First Amendment limits the ways that statutes can restrict the flow of information once it is released into the public domain. I have given a speech on my views on this subject, but have not had the chance yet to write about it. We built careful findings concerning constitutionality into a bill on protecting Social Security Numbers, which Vice President Gore announced in a speech in June, 2000.

Privacy, security, and critical infrastructure. These issues intersect with surveillance and wiretap issues, discussed in a separate part of this site. The challenge is some security measures for government systems turn out to have a large surveillance component. I worked extensively on these issues in connection with the Federal Intrusion Detection Network (FIDNet), and spoke to federal agency computer experts about the topic. These issues were discussed in a chapter of the National Plan for critical infrastructure protection. My more recent views on the intersection of privacy and security are discussed in a law review article, co-authored with Lauren Steinfeld in 2000.

Privacy and Homeland Security. In July, 2000 I was asked to testify in the House Judiciary Committe on the issue of how to build privacy protections into the proposed new Department of Homeland Security. In my testimony, I gave detailed recommendations about how to institute better privacy protections both within that Department and more generally in the federal government.

The Privacy Act and the future of government record systems. The Privacy Act was passed in 1974 in the wake of spectacular abuses of government records during the 1960s and 1970s. The history is described in books such as Database Nation by Simson Garfinkel and The Lawless State: The Crimes of the U.S. Intelligence Agencies by Morton Halperin, Jerry Berman, and others.

The Privacy Act responded to the problems of the period, prohibiting secret databases, giving individuals access to records about themselves, and limiting transfers of files to other federal agencies except with consent or a "routine use" published in the Federal Register. OMB was tasked with policy guidance for the Act.

During my time in government, I tried to figure out how to update the Privacy Act, much as the Freedom of Information Act was updated by the Electronic FOIA Act in the 1990s. This is a topic that cries out for more intellectual work -- I wasn't able to figure out what to recommend.

As I write this in the summer of 2002, there are calls by the current leaders at OMB and others for far greater "information sharing" and the end to the "silos" of federal data. Better information sharing undoubtedly will bring benefits in many settings, but how do we protect against abuse if state, local, and federal officials all get to browse around in confidential files with few legal or institutional limits on their actions? It is to study issues such as these that I support a major national Commission on the topic of Privacy, Personal Freedom, and Homeland Security.



  • Freedom of Information Act
  • Copyright (c) 2007 All Rights Reserved.