STATEMENT OF

ROGER W. BAKER

CHIEF INFORMATION OFFICER

UNITED STATES DEPARTMENT OF COMMERCE

SUBMITTED TO

THE SUBCOMMITTEE ON TELECOMMUNICATIONS, TRADE,

AND CONSUMER PROTECTION

COMMITTEE ON COMMERCE

UNITED STATES HOUSE OF REPRESENTATIVES

OCTOBER 11, 2000


Mr. Chairman and members of the Committee:

Thank you for inviting me to testify before the committee today. I am testifying in my role as the Chairman of the Federal Chief Information Officer's Council subcommittee on Privacy. However, as a practicing CIO, I will also include some anecdotal information from my agency, the Department of Commerce.

In my testimony today, I would like to make three points.


· Privacy is an important issue for agency CIOs and the Federal CIO Council.

· Our fundamental guidance on privacy inside the federal government comes from the Privacy Act, other applicable federal laws, and OMB policy.

· In the past two years, we have made substantial progress in both the quantity and quality of privacy policies posted on federal web sites, and significantly raised the awareness of privacy issues within the federal IT community.

Privacy is an important issue for CIOs and the Federal CIO Council.

By creating a subcommittee on privacy, the Federal CIO Council signaled to all federal information technology workers that protecting the personal privacy of the public is one of the key issues facing us today. The American public provides government agencies with the most sensitive of personal information. It is our duty, as federal employees, to protect this information to the best of our ability. This means that our information systems must be secure from intrusion, and that these systems must work in accordance with applicable federal laws.

The CIO Council keeps this issue at the forefront of IT discussions by making it a key part of our strategic plan, by including privacy in the conferences we support and speeches we make, and by providing agencies with "best practices" to provide them with examples of how to improve the privacy and security aspects of their information systems.

There are many examples of these "best practices" for privacy and security on the CIO Council web site at www.cio.gov. I would like to submit with my testimony the Privacy Impact Assessment best practice developed by the Internal Revenue Service and recommended by the Security, Privacy, and Critical Infrastructure Committee for use by all federal agencies. The Privacy Impact Assessment best practice provides agencies with a template for evaluating and certifying that an information system has been implemented in accordance with applicable agency policies and federal laws on privacy.

The CIO Council will continue to work with OMB and others to identify further best practices and other useful guidance that can be provided to agencies to help them in their efforts to protect personal privacy on the Internet and other information systems.

Our fundamental guidance on privacy inside the federal government comes from the Privacy Act and other applicable federal laws.

Federal information systems, including Internet web servers, are subject to the provisions of the Privacy Act. In addition, OMB has issued policy directives regarding privacy protections on federal web sites that focus on a number of issues. First, that all major entry points and all points where substantial personal information is collected should have easily accessible privacy policies posted. Second, that those privacy policies be clearly written and reflect actual agency policies with regard to the collected information. Third, that those policies are in accordance with the Privacy Act and other laws and guidance that may be applicable to specific agencies. And fourth, there is a presumption against the use of technologies that allow the tracking of the activities of users over time and across different web sites (for example, persistent cookies) unless high-level approval is obtained. The CIO Council has worked closely with OMB to support the development and implementation of these directives.

As an example of the results of this work, I would like to submit into the record the privacy policy posted on the main page of the Census Bureau's Internet web site, www.census.gov. While somewhat long, this privacy policy clearly conveys the types of information that may be collected, how that information will be used, and the specific legal protections provided that information. I use the Census privacy policy as an example because it involves both the Privacy Act and Title 13 protections.

Mr. Chairman, I believe the following points were made in the GAO report, but they are so important that I will quickly make them again. Federal systems of records are covered by specific laws that give individuals specific rights and remedies if their private information is disclosed. These laws apply whether or not a privacy policy is posted on a federal web site. There are no equivalent laws covering non-governmental systems. The FTC rules regarding privacy policies for private sector web sites are meant to establish a legal basis under which a private sector web site operator can be held responsible for the protection of private information collected on a web site. Once posted, the privacy policy falls under the jurisdiction of the FTC, which uses existing laws to hold companies to the promises they make to consumers.

In short, if a private sector web site does not post a privacy notice, there is no ready legal recourse available to an individual whose privacy has been violated. In contrast, the Privacy Act and other laws apply even if a federal web site does not post a privacy notice.

We can and should do a better job of communicating the protections that the Privacy Act and other federal laws provide users on federal web sites. But I believe we should continue to use existing federal law as our guidance in this area, instead of FTC policies clearly intended to achieve a different purpose.

In the past two years, we have made substantial progress in both the quantity and quality of Privacy Policies posted on federal web sites.

In 1999 the Secretary of Commerce called on private sector web site operators to improve their privacy practices, placing special emphasis on the need for (1) posting privacy policies and (2) ensuring that those policies include the fair information practices of notice, choice, access, and security. We quickly recognized that we also needed to make major improvements in our own web site privacy policies, both at Commerce and throughout the federal government. Working with OMB, we raised the profile of the privacy issue with both agency and technical management, and made substantial strides in both the quantity and quality of privacy policies posted on federal web sites. A recent GAO report concluded that 69 out of 70 agency main pages had privacy policies clearly posted. Further, GAO identified 2692 major points of entry to six federal agencies. Of the sites they reviewed, GAO found that only 9 lacked privacy policies. This is clearly a major improvement. And, as is evidenced by the example from the Census Bureau, the overall quality of these privacy policies has seen substantial improvement as well.

Closing

Mr. Chairman, in closing I would like to reiterate my main points.

· Privacy is an important issue for agency CIOs and the Federal CIO Council.

· Our fundamental guidance on privacy inside the federal government comes from the Privacy Act, other applicable federal laws, and OMB guidance.

· In the past two years, we have made substantial progress in both the quantity and quality of Privacy Policies posted on federal web sites.

Thank you for your time. I look forward to any questions you may have.