<DOC> [109th Congress House Hearings] [From the U.S. Government Printing Office via GPO Access] [DOCID: f:27606.wais] PRIVACY IN THE HANDS OF THE GOVERNMENT: THE PRIVACY OFFICER FOR THE DEPARTMENT OF HOMELAND SECURITY AND THE PRIVACY OFFICER FOR THE DEPARTMENT OF JUSTICE ======================================================================= HEARING BEFORE THE SUBCOMMITTEE ON COMMERCIAL AND ADMINISTRATIVE LAW OF THE COMMITTEE ON THE JUDICIARY HOUSE OF REPRESENTATIVES ONE HUNDRED NINTH CONGRESS SECOND SESSION __________ MAY 17, 2006 __________ Serial No. 109-155 __________ Printed for the use of the Committee on the Judiciary Available via the World Wide Web: http://judiciary.house.gov U.S. GOVERNMENT PRINTING OFFICE 27-606 PDF WASHINGTON : 2006 ------------------------------------------------------------------ For sale by Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC area (202) 512-1800 Fax: (202) 512-2250. Mail: Stop SSOP, Washington, DC 20402-0001 COMMITTEE ON THE JUDICIARY F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman HENRY J. HYDE, Illinois JOHN CONYERS, Jr., Michigan HOWARD COBLE, North Carolina HOWARD L. BERMAN, California LAMAR SMITH, Texas RICK BOUCHER, Virginia ELTON GALLEGLY, California JERROLD NADLER, New York BOB GOODLATTE, Virginia ROBERT C. SCOTT, Virginia STEVE CHABOT, Ohio MELVIN L. WATT, North Carolina DANIEL E. LUNGREN, California ZOE LOFGREN, California WILLIAM L. JENKINS, Tennessee SHEILA JACKSON LEE, Texas CHRIS CANNON, Utah MAXINE WATERS, California SPENCER BACHUS, Alabama MARTIN T. MEEHAN, Massachusetts BOB INGLIS, South Carolina WILLIAM D. DELAHUNT, Massachusetts JOHN N. HOSTETTLER, Indiana ROBERT WEXLER, Florida MARK GREEN, Wisconsin ANTHONY D. WEINER, New York RIC KELLER, Florida ADAM B. SCHIFF, California DARRELL ISSA, California LINDA T. SANCHEZ, California JEFF FLAKE, Arizona CHRIS VAN HOLLEN, Maryland MIKE PENCE, Indiana DEBBIE WASSERMAN SCHULTZ, Florida J. RANDY FORBES, Virginia STEVE KING, Iowa TOM FEENEY, Florida TRENT FRANKS, Arizona LOUIE GOHMERT, Texas Philip G. Kiko, Chief of Staff-General Counsel Perry H. Apelbaum, Minority Chief Counsel ------ Subcommittee on Commercial and Administrative Law CHRIS CANNON, Utah Chairman HOWARD COBLE, North Carolina MELVIN L. WATT, North Carolina TRENT FRANKS, Arizona WILLIAM D. DELAHUNT, Massachusetts STEVE CHABOT, Ohio CHRIS VAN HOLLEN, Maryland MARK GREEN, Wisconsin JERROLD NADLER, New York J. RANDY FORBES, Virginia DEBBIE WASSERMAN SCHULTZ, Florida LOUIE GOHMERT, Texas Raymond V. Smietanka, Chief Counsel Susan A. Jensen, Counsel Brenda Hankins, Counsel Mike Lenn, Full Committee Counsel Stephanie Moore, Minority Counsel C O N T E N T S ---------- MAY 17, 2006 OPENING STATEMENT Page The Honorable Chris Cannon, a Representative in Congress from the State of Utah, and Chairman, Subcommittee on Commercial and Administrative Law............................................. 1 The Honorable Melvin L. Watt, a Representative in Congress from the State of North Carolina, and Ranking Member, Subcommittee on Commercial and Administrative Law........................... 6 WITNESSES Ms. Maureen Cooney, Acting Chief Privacy Officer, U.S. Department of Homeland Security, Washington, DC Oral Testimony................................................. 9 Prepared Statement............................................. 11 Ms. Jane C. Horvath, Chief Privacy and Civil Liberties Officer, U.S. Department of Justice, Washington, DC Oral Testimony................................................. 15 Prepared Statement............................................. 17 Ms. Sally Katzen, Professor, George Mason University Law School, Arlington, VA Oral Testimony................................................. 25 Prepared Statement............................................. 26 Ms. Linda D. Koontz, Director, Information Management Issues, U.S. Government Accountability Office, Washington, DC Oral Testimony................................................. 31 Prepared Statement............................................. 33 LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING Prepared Statement of the Honorable Chris Cannon, a Representative in Congress from the State of Utah, and Chairman, Subcommittee on Commercial and Administrative Law.... 2 Prepared Statement of the Honorable Melvin L. Watt, a Representative in Congress from the State of North Carolina, and Ranking Member, Subcommittee on Commercial and Administrative Law............................................. 4 APPENDIX Material Submitted for the Hearing Record Response to Post-Hearing Questions from Maureen Cooney, Acting Chief Privacy Officer, U.S. Department of Homeland Security, Washington, DC................................................. 64 Response to Post-Hearing Questions from Sally Katzen, Professor, George Mason University Law School, Arlington, VA.............. 68 Response to Post-Hearing Questions from Linda D. Koontz, Director, Information Management Issues, U.S. Government Accountability Office, Washington, DC.......................... 70 PRIVACY IN THE HANDS OF THE GOVERNMENT: THE PRIVACY OFFICER FOR THE DEPARTMENT OF HOMELAND SECURITY AND THE PRIVACY OFFICER FOR THE DEPARTMENT OF JUSTICE ---------- WEDNESDAY, MAY 17, 2006 House of Representatives, Subcommittee on Commercial and Administrative Law, Committee on the Judiciary, Washington, DC. The Subcommittee met, pursuant to notice, at 2:06 p.m., in Room 2141, Rayburn House Office Building, the Honorable Chris Cannon (Chairman of the Subcommittee) presiding. Mr. Cannon. The Subcommittee will please come to order. At the outset I want to note that immediately following the hearing, we have scheduled the markup of H.R. 2840, the ``Federal Agency Protection of Privacy Act.'' Let me begin this hearing with an observation written in 1787 by Alexander Hamilton, one of our Founding Fathers, and one of the more interesting of them. He wrote: ``Safety from external danger is the most powerful director of national conduct. Even the ardent love of liberty will, after a time, give way to its dictates. The violent destruction of life and property incident to war, the continual effort and alarm attendant on a state of continual danger, will compel nations the most attached to liberty to resort for repose and security to institutions which have a tendency to destroy their civil and political rights. To be more safe, they at length become willing to run the risk of being less free.'' Mr. Hamilton's comments are as insightful today as they were when he wrote them more than two centuries ago. In this post-9/11 world, it is no easy task to balance the competing goals of keeping our Nation secure while at the same time protecting the privacy rights of our Nation's citizens. As many of you know, the protection of personal information in the hands of the Federal Government has long been a top priority for my Subcommittee, the Subcommittee on Commercial and Administrative Law. Under the leadership of House Judiciary Committee Chairman Sensenbrenner, our Subcommittee has played a major role in protecting personal privacy and civil liberties. Our accomplishments to date include the establishment of the first statutorily created privacy office in a Federal agency, namely, the Department of Homeland Security. That office has since earned plaudits from both the private and public sectors, including the GAO. Just this week, the DHS Privacy Office submitted to Congress a comprehensive assessment of the impact of automatic selectee and so-called no-fly lists for airline passengers on privacy and civil liberties. While these lists can be useful tools for preventing terrorist activity endangering the safety of airline passengers and others, the collection of personal information to create these tools could raise concerns about their impact on privacy and civil liberties. I think we will be interested to hear Ms. Cooney's summary of this report as part of today's hearing. Inspired by the successes of the DHS Privacy Office, our Subcommittee also spearheaded the creation of a similar function in the Justice Department, which was signed into law in January of this year. Ms. Horvath, another of our witnesses, was appointed to fill this important position on February 21. We also look forward to hearing from Ms. Horvath about her views and goals as the Chief Privacy and Civil Liberties Officer for the Justice Department. To supplement these efforts, our Subcommittee has also conducted oversight hearings on the subject of the Government's use of personal information. These include a hearing held on the 9/11 Commission's privacy-related recommendations as well as a hearing held just last month on the respective roles that the Federal Government and information resellers have with respect to personal information collected in commercial databases. As technological devices increasingly facilitate the collection, use, and dissemination of personally identifiable information, the potential for misuse of such information escalates. Five years ago, the GAO warned: ``Our Nation has an increasing ability to accumulate, store, retrieve, cross- reference, analyze, and link vast numbers of electronic records in an ever faster and more cost-efficient manner. These advances bring substantial Federal information benefits as well as increasing responsibilities and concerns.'' Unfortunately, the GAO continues to find, as we learned from our hearing last month, that Federal agencies' compliance with the Privacy Act and other requirements is, to quote, ``uneven.'' It is against this complex but exceedingly interesting backdrop that we are holding this hearing today. I now turn to my colleague, Mr. Watt, the Ranking Member of the Subcommittee, and ask him if he has any opening remarks. But before I recognize him, I just want to say that we appreciate working with Mr. Watt on these issues. He has been a--this Committee has worked well together, and he has been a great support and addition. And with that, Mr. Watt, I recognize you for an opening statement for 5 minutes. [The prepared statement of Mr. Cannon follows:] Prepared Statement of the Honorable Chris Cannon, a Representative in Congress from the State of Utah, and Chairman, Subcommittee on Commercial and Administrative Law Let me begin this hearing with an observation written in 1787 by Alexander Hamilton, one of our Founding Fathers. He wrote: ``Safety from external danger is the most powerful director of national conduct. Even the ardent love of liberty will, after a time, give way to its dictates. The violent destruction of life and property incident to war, the continual effort and alarm attendant on a state of continual danger, will compel nations the most attached to liberty to resort for repose and security to institutions which have a tendency to destroy their civil and political rights. To be more safe, they at length become willing to run the risk of being less free.'' Mr. Hamilton's comments are as insightful today as they were when he wrote them more than two centuries ago. In this post-September 11th world, it is no easy task to balance the competing goals of keeping our nation secure while at the same time protecting the privacy rights of our nation's citizens. As many of you know, the protection of personal information in the hands of the federal government has long been a top priority for my Subcommittee--the Subcommittee on Commercial and Administrative Law. Under the leadership of House Judiciary Committee Chairman Sensenbrenner, our Subcommittee has played a major role in protecting personal privacy and civil liberties. Our accomplishments to date include the establishment of the first statutorily-created privacy office in a federal agency, namely the Department of Homeland Security. That office has since earned plaudits from both the private and public sectors, including the GAO. Just this week, the DHS Privacy Office submitted to Congress a comprehensive assessment of the impact of automatic selectee and so- called ``no-fly'' lists for airline passengers on privacy and civil liberties. While these lists can be useful tools for preventing terrorist activity endangering the safety of airline passengers and others, the collection of personal information to create these tools could raise concerns about their impact on privacy and civil liberties. I think we will be very interested to hear Ms. Cooney's summary of this report as part of today's hearing. Inspired by the successes of the DHS Privacy Office, our Subcommittee also spearheaded the creation of a similar function in the Justice Department, which was signed into law in January of this year. Ms. Horvath, another of our witnesses, was appointed to fill this important position on February 21st. We also look forward to hearing from Ms. Horvath about her views and goals as the Chief Privacy and Civil Liberties Officer for the Justice Department. To supplement these efforts, our Subcommittee has also conducted oversight hearings on the subject of the government's use of personal information. These include a hearing held on the 9/11 Commission's privacy-related recommendations as well as a hearing held just last month on the respective roles that the federal government and information resellers have with respect to personal information collected in commercial databases. As technological developments increasingly facilitate the collection, use, and dissemination of personally identifiable information, the potential for misuse of such information escalates. Five years ago, the GAO warned: ``Our nation has an increasing ability to accumulate, store, retrieve, cross-reference, analyze, and link vast numbers of electronic records in an ever faster and more cost-efficient manner. These advances bring substantial federal information benefits as well as increasing responsibilities and concerns.'' Unfortunately, the GAO continues to find--as we learned from our hearing last month--that federal agencies' compliance with the Privacy Act and other requirements is ``uneven.'' It is against this complex, but exceedingly interesting backdrop that we are holding this hearing today. Mr. Watt. Thank you, Mr. Chairman, and I am going to ask that my civil written statement be put in the record. Mr. Cannon. Without objection, so ordered. [The prepared statement of Mr. Watt follows:] Prepared Statement of the Honorable Melvin L. Watt, a Representative in Congress from the State of North Carolina, and Ranking Member, Subcommittee on Commercial and Administrative Law <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Mr. Watt. Thank you, sir, and then I'm going to stray to make some less civil remarks, so you might have bragged too early because I'm feeling a sense of frustration here. I'm reflecting back to a point several terms ago when eyebrows were raised by the fact that Representative Bob Barr, one of the, quote-unquote, more conservative Members of this Committee, and Representative Mel Watt, quote-unquote, one of the more liberal Members of this Committee, met out here in front of the Capitol and had a press conference about a bill that is this bill. Well, we marked it up, and Mr. Barr is now gone on into the private sector. The year after he left, we marked it up again. And, you know, at some point we're going to have to do something on this issue more than mark up this bill in the Subcommittee if we are going to begin to be serious about doing what we need to do, it seems to me. And so it is from that that I am feeling this great sense of frustration that I am beginning to get the feeling that any time some of my colleagues want to feel like they want to say publicly that they are doing oversight over our Government or interested in protecting privacy rights, the way to do that is to put this bill back on for another hearing and another markup, and then next term of Congress we'll be back doing the same thing over and over again as we now have been doing-- what?--two or three, maybe--I don't know how many terms of Congress we've marked this bill up and had hearings on it. So if I'm feeling a little frustrated, it's not because I don't think this is something important. It is more important today than it was when we started three or four terms of Congress ago. Yeah, we thought the Government was doing some things to invade the privacy rights of individuals, but we certainly--our Government wasn't getting a list of everybody's phone numbers and monitoring phone calls within the United States. So this has gone to a level that is so far beyond what we anticipated or thought about or thought we were addressing at the time we originally introduced this bill. And yet here we are having another hearing, marking up the bill in our Subcommittee, and so I guess maybe I should make a commitment not to be back here next term of Congress doing the same thing that we've done now several times. Unless we are going to be serious about pushing this legislation and getting it considered in the full Committee in the House, in the Senate, this may be just another show that some of our Members think is time to make another public demonstration that we are concerned about the privacy rights of our citizens and the possibility that the Government--the probability--the reality that the Government is way over there beyond where they ought to be on invading those privacy rights. So I will--I've put my civilized statement in the record, Mr. Chairman. I've made my uncivilized statement. But believe me, I'm just frustrated about where we are on this issue because we've had hearing after hearing, we've had markup after markup, but we still don't have any real results to show for it. So, with that, I yield back. Mr. Cannon. The record of this hearing should reflect the Chairman's view that even when Mr. Watt intends to be uncivil, he is an awfully civil human being. I hope that the gentleman is not suggesting that there is any lack of commitment on my part to this bill, and I point out that actually we've changed the rules recently that allows us now on this side of the Hill to criticize the other side of the Hill for its lack of action. We've actually passed this bill on the House side from the whole--the House of Representatives has passed it out. It has not been acted on by the Senate. The Senate is a complicated body, and we hope that by passing this again, and maybe again and again--we actually passed the Bankruptcy Act eight times before they passed it on the other side. So I agree with the gentleman and his concerns and wish that this issue were actually behind us. And hopefully we'll take that step today to do that. I just might also point out that there's a difference between monitoring phone calls and comparing numbers that people are calling to connect those phone calls to our enemies outside the country, without arguing for the rightness of any of that, just to make the distinction on the record here. Without objection, all Members may place their statements in the record at this point. Hearing no objection, so ordered. Without objection, the Chair will be authorized to declare recesses of the hearing at any point. Hearing no objection, so ordered. I ask unanimous consent that the Members have 5 legislative days to submit written statements for inclusion in today's record. Hearing no objection, so ordered. I'm now pleased to introduce the witnesses for today's hearing, three of whom have previously testified before our Subcommittee. We welcome you back and appreciate your continued assistance to our Subcommittee. Our first witness is Maureen Cooney, the Acting Chief Privacy Officer for the Department of Homeland Security. As I previously noted, the Subcommittee played a major role in establishing Ms. Cooney's office at DHS. The legislation creating her office not only mandated the appointment of a Privacy Officer, but specified the officer's responsibilities. One of the principal responsibilities of the DHS Privacy Officer as set out by statute is the duty to assure that ``the use of technologies sustain, and do not erode, privacy protections relating to the use, collection, and disclosure of personal information.'' In addition, the Privacy Officer must assure that personal information is handled in full compliance with the Privacy Act and assess the privacy impact of the Department's proposed rules. Before joining DHS' Privacy Office, Ms. Cooney worked on international privacy and security issues at the U.S. Federal Trade Commission where she served as a principal liaison to the European Commission for privacy issues, a very difficult and burdensome task, I'm sure, especially eating in French restaurants on occasion. I hope you had that opportunity. You don't need to--no incriminating statement is due on that. She also played a major role in the revision of the guidelines for information systems and networks for the Organization of Economic Cooperation and Development. Prior to that assignment, Ms. Cooney worked on privacy and security issues with the Treasury Department and at the Office of the Comptroller of the Currency. Ms. Cooney received her bachelor's degree in American Studies from Georgetown University and her law degree from Georgetown University Law Center. Our next witness is Jane Horvath, the recently appointed Chief Privacy Officer and Civil Liberties Officer for the Department of Justice. In this capacity, Ms. Horvath is responsible for reviewing the Justice Department's compliance with the privacy laws and with developing the Department's privacy policies. In addition to safeguarding privacy, Ms. Horvath oversees the Department's policies relating to the protection of individual civil liberties, specifically in the context of DOJ's counterterrorism and law enforcement efforts. These are really awesome responsibilities. Before joining the Justice Department, Ms. Horvath was the Director of the Washington, D.C., Office of Privacy Laws and Business, a privacy consulting firm. While there, she focused on advising U.S. companies on international privacy trends among other matters. Ms. Horvath received her undergraduate degree from the College of William and Mary and her law degree from the University of Virginia. Professor Sally Katzen is our next witness. Ms. Katzen is a visiting professor at George Mason University Law School as well as the Sachs Scholar at Johns Hopkins University. Next year, she will be a Public Interest, Public Service Faculty Fellow at the University of Michigan Law School. Prior to joining academia in 2001, Professor Katzen was responsible for developing privacy policy for the Clinton administration for nearly a decade. As the Administrator of the Office of Information and Regulatory Affairs at the Office of Management and Budget, she was effectively the chief information office-- policy official for the Federal Government. Her responsibilities included developing Federal privacy policies. Professor Katzen later served as the Deputy Assistant to the President for Economic Policy and Deputy Director of the National Economic Council in the White House. Thereafter, she became the Deputy Director for Management at OMB. Before embarking on her public service career, Professor Katzen was a partner in the Washington, DC, law firm of Wilmer, Cutler and Pickering, where she specialized in regulatory and legislative matters. Professor Katzen graduated magna cum laude from Smith College and magna cum laude from the University of Michigan Law School, where she was editor in chief of the Law Review. Following her graduation from law school, she clerked for Judge J. Skelly Wright of the United States Court of Appeals for the District of Columbia Circuit. Our final witness is Linda Koontz, who is the Director of GAO's Information Management Issues Division. In that capacity, she is responsible for issues regarding the collection and use and dissemination of Government information. Ms. Koontz has led GAO's investigations into the Government's data-mining activities as well as e-Government initiatives. In addition to obtaining her bachelor's degree from Michigan State University, Ms. Koontz received certification as a Government financial manager. I extend to each of you my warm regards and appreciation for your willingness to participate in today's hearing. In light of the fact that your written statements will be included in the hearing record, I request that you limit your oral remarks to 5 minutes. Accordingly, please feel free to summarize highlights of your--or highlight the salient points of your testimony. You will note that we have a lighting system that starts with a green light. After 4 minutes, it turns to a yellow light, and then at 5 minutes, it turns to a red light. It is my habit to tap the gavel at 5 minutes. We'd appreciate it if you'd finish up your thoughts within that time frame. We don't like to cut people off in their thinking, but I find that it works much better if everybody knows that 5 minutes is 5 minutes. So if you could wrap it up by that time, the time we get there, I would appreciate that, and I will try to be consistent in my tapping, and that includes for other Members of the Committee, who are given 5 minutes to ask questions. This is not like an ironclad rule, by the way. Just we actually are interested in what you have to say, not in the clock. After you've presented your remarks, the Subcommittee Members, in the order they arrived, will be permitted to ask questions of the witnesses, subject to the 5-minute limit. Pursuant to the direction of the Chairman of the Judiciary Committee, I ask the witnesses to please stand and raise your right hand to take the oath. [Witnesses sworn.] Mr. Cannon. The record should reflect that each of the witnesses answered in the affirmative, and you may be seated. Ms. Cooney, would you now please proceed with your testimony? TESTIMONY OF MAUREEN COONEY, ACTING CHIEF PRIVACY OFFICER, U.S. DEPARTMENT OF HOMELAND SECURITY, WASHINGTON, DC Ms. Cooney. Thank you. Chairman Cannon, Ranking Member Watt, and Members of the Committee, good afternoon. Thank you for the opportunity to speak to the issue of privacy in the hands of the Federal Government and most specifically on activities at the Department of Homeland Security, the role of the Chief Privacy Officer, and initiatives led by the Department's Privacy Office. As the Subcommittee well knows, the Department of Homeland Security was the first Federal agency to have a statutorily required Privacy Officer. We appreciate the support of this Committee. The inclusion of a senior official accountable for privacy policy and protections honors the value placed on privacy as an underpinning of our American freedoms and democracy. It also reflects Congress' understanding of the growing sensitivity and awareness of the ubiquitous nature of personal data, flows in both private and public sectors, and a recognition of the impact of those data flows upon our citizens' lives. At the most recent meeting of the Department's Data Privacy and Integrity Advisory Committee, which was created to advise the Secretary and the Chief Privacy Officer on significant privacy issues, Secretary Chertoff noted that the Department has the opportunity to build into the sinews of this organization respect for privacy and a thoughtful approach to privacy. Secretary Chertoff expressed a belief that I share. We want the Government to be a protector of privacy, and we want to build security regimes that maximize privacy protection and that do it in a thoughtful and meaningful way. If done right, it will be not only a long-lasting ingredient of what we do in Homeland Security but a very good template for what Government ought to do in general when it comes to protecting people's personal autonomy and privacy. The Chief Privacy Officer and the DHS Privacy Office have a special role working in partnership and collaboration across the Department to integrate privacy into the consideration of the ways in which the Department assesses its programs and uses technologies, handles information, and carries out our protective mission. The Privacy Office has oversight of privacy policy matters and information disclosure policy, including compliance with the Privacy Act of 1974, the Freedom of Information Act, and the completion of privacy impact assessments on all new programs or new collections of personal information as required by the E-Government Act of 2002 and section 222 of the Homeland Security Act of 2002. The Privacy Office also evaluates new technologies used by the Department for their impact on personal privacy. Further, the Chief Privacy Officer reports directly to the Secretary and is required to report to Congress on these matters, as well as on complaints about possible privacy violations. At this point, if I may, I would like to amplify my written testimony by speaking for a few minutes about the U.S. privacy framework that applies to the Federal space. In tandem, the Privacy Act of 1974, the Freedom of Information Act that promotes transparency of Government operations and accountability, a significant privacy principle, and the E- Government Act of 2002 that augmented the Privacy Act by operationalizing privacy reviews for all new major data collection systems or significant changes to information systems provide a robust umbrella of privacy protections for which the United States can be proud and which I believe is second to none in the Government space. Notice, transparency, and accountability are key to our work in the privacy area. Today, I'm very happy to address our efforts in this regard with respect to the activities of the Department of Homeland Security from a seat at the table during the investment review process at DHS for technology acquisitions and program funding, through all steps of the technology and program lifecycle development process, the use of PIAs to integrate privacy considerations into standards, strategic planning for programs at the Department, and notice to the public through systems of record notices, to audits and oversight and the development of policy guidance and implementation on key data issues. I thank you again for the opportunity to share the accomplishments of the DHS Privacy Office, which I have noted in our written testimony, and hope to demonstrate through both the written and oral testimony the importance of privacy in the hands of the Department of Homeland Security and how important it is as a part of our culture. We appreciate the support this Subcommittee has given to our office and look forward to working with you on matters of mutual interest and concern. Thank you again. [The prepared statement of Ms. Cooney follows:] Prepared Statement of Maureen Cooney Chairman Cannon, Ranking Member Watt, and Members of the Subcommittee, I am delighted to be back before you today to discuss Privacy in the Hands of the Government as it pertains to activities of the Department of Homeland Security and the efforts of the Privacy Office. Building privacy attentiveness into the very sinews of our still young agency is a responsibility that we take seriously at DHS. In the eight months that I have served as Acting Chief Privacy Officer, within the Privacy Office we have continued to develop and operationalize privacy policy for the Department, consistent with our statutory mission in Section 222 of the Homeland Security Act and with support and partnership throughout the Department. And as I hope the following testimony will demonstrate, we have been actively implementing our statutory responsibilities as part of the larger mission of the Department. By ensuring that the Department's programs, policies, personnel, and technologies account for and embrace fair information principles--the use of personal information for legitimate, tailored, and sound purposes--the Privacy Office has worked to enhance public trust in the Department and to ensure the protection of an essential right of our people. My predecessor, Nuala O'Connor Kelly, testified before this Subcommittee in February 2004, and outlined the first year activities of the DHS Privacy Office. I would like to update the Subcommittee on our continued work since that time and our plans for future initiatives. The Privacy Office has focused on making privacy an integral part of DHS operations. We often use the phrase ``operationalizing privacy'' to describe these efforts. We want DHS personnel to think about privacy every time they consider the collection, use, maintenance or disclosure of personally identifiable information. Our efforts to operationalize privacy have encompassed a number of activities. operationalizing privacy through compliance One way to operationalize privacy is to ensure that DHS is fully compliant with statutory privacy requirements and the DHS Privacy Office has been actively engaged in this effort. In my previous appearance before the Subcommittee, which focused on the use by the government of data from information resellers, I outlined for the Subcommittee how we have used the E-Government Act of 2002's requirement that Privacy Impact Assessments be conducted for new or substantially revised information systems to make sure that privacy is built into DHS programs and that there is transparency about the types of information used by DHS as well as the purposes for which the information is used. PIAs are fundamental in making privacy an operational element within the Department and we have fully utilized this tool to embed privacy as part of DHS operations. To do this, we have updated and refined our guidance on conducting Privacy Impact Assessments and have distributed it widely both internally to DHS offices and programs and externally to other agencies. Along with the guidance, we also have issued a template for DHS offices to follow in drafting Privacy Impact Assessments. We have fully utilized our Privacy Office website for transparency purposes and have posted these documents so that the public is also aware of our guidance. ``Imitation is the sincerest form of flattery,'' according to an old expression, and I am happy to report that the DHS Privacy Office's PIA Guidance has served as the basis for other agencies' PIA activities. For example, our PIA template served as the basis for a model PIA for HSPD-12 (Common Identification Standards for Federal Employees) implementation, which was distributed by the Office of Management and Budget through its Interagency Privacy Committee. In addition, other federal agencies have requested to liberally borrow the guidance and we are happy to be able to share it and to add to government efficiency and harmonization of approaches to privacy in the government space. In addition to requiring that DHS programs conduct Privacy Impact Assessments for new or substantially revised programs, privacy is one of the issues that must be addressed before funding is awarded to a program that involves the collection, use and maintenance of personally identifiable information. The Privacy Office provides significant support to the DHS Office of the Chief Information Officer (OCIO) in the budget process by ensuring that all proposed spending on information technology investments that involve personally identifiable information meets privacy requirements. Not only are our programs required to complete a Privacy Threshold Analysis, which helps us to determine whether a full Privacy Impact Assessment is necessary, but funding for DHS programs through the budget process cannot go forward without program compliance with privacy mandates. The DHS Privacy Office therefore has a strong ``stick'' to accompany the ``carrot'' of funding to ensure that privacy becomes operationalized in DHS programs. Privacy compliance reviews are another important tool for operationalizing privacy into DHS programs, and during this past year, the Privacy Office undertook the first privacy review of what we expect to be many when we analyzed compliance by the U.S. Customs and Border Protection (CBP) with its Passenger Name Record (PNR) Undertakings. These Undertakings were provided by CBP to the European Commission in order to demonstrate that CBP has adequate privacy protocols in place to protect personally identifiable information as a condition precedent to receiving PNR information about European airline passengers. Based on the Undertakings, the EU agreed to share passenger name record information with CBP in order to fight terrorism and other serious crimes as well as to facilitate transatlantic travel. The Privacy Office's compliance review consisted of a full analysis of CBP policies and procedures, interviews with key managers and staff who handle PNR, and a technical review of CBP systems and documentation. This compliance review occurred over a several-month period and as a result of changes recommended by the Privacy Office or made unilaterally by CBP, we were able to conclude that CBP achieved full compliance with the representations it had made in the Undertakings. This finding was the primary factor in the ability of the Privacy Office to conclude a successful joint review, with representatives of the EU, of CBP's compliance with the US-EU PNR Agreement. We conducted a different kind of compliance review when we examined the use of commercial data by the Transportation Security Administration (TSA) in connection with the Secure Flight Program after privacy concerns were raised by the Government Accountability Office. We analyzed whether TSA's public notices about this use of commercial data for testing purposes matched the actual test protocols and made recommendations, as a result of this review. The Privacy Office continues to work closely with TSA to implement privacy statutory requirements and best practices in the design and implementation of this as well as other TSA screening programs. In compliance with the requirements of the Computer Matching and Privacy Protection Act, as amended, the Privacy Office established a Privacy and Data Integrity Board to approve matching agreements undertaken by DHS components, as required by law, and to weigh in on privacy policy issues of interest and concern to the Department. Our Board held several meetings at which we discussed ideas for responsible information handling, and the Board was instrumental in assisting the Privacy Office in completing several required reports. Ensuring publication of appropriate Privacy Act systems of records notices (SORNs) rounded out the Privacy Office's compliance activities. These notices, in fact, necessarily are a regular and ongoing part of the Privacy Office's work and of our statutory obligation to ensure that the Department maintains personally identifiable information in conformity with the requirements of the Privacy Act. operationalizing privacy through education A significant way to increase privacy awareness and ensure that it is embedded in DHS is through education and training. The Privacy Office trains all new DHS employees as part of their overall orientation to the Department. We continue to develop, moreover, more robust training courses to be provided to all DHS employees and contractors to augment their privacy background and to raise awareness and sensitivity about the importance of the respectful use of personal information by the Department. And we have conducted training on Privacy Impact Assessment requirements for individual DHS offices, information technology managers, business managers, and systems analysts. Establishing the lines of communication between DHS personnel and our office through these training programs helps us to get our message across and helps employees to be sensitized to proper information handling techniques. Our component privacy officers also make sure that employees in our components and offices are provided robust privacy training. I would be remiss, in fact, if I didn't emphasize the close collaboration and rapport our office has with other privacy officers in the Department, who were installed at our urging and who help the DHS Privacy Office carry out our important work In addition to our general education and training programs, the Privacy Office has conducted two workshops intended to raise privacy awareness among DHS personnel as well as the public. These workshops have drawn subject matter experts together to discuss privacy issues raised by homeland security programs. The issues we have explored are both relevant and topical. We have posted both transcripts and summaries of our activities on our website. I mentioned in my April 4, 2006 testimony before this Subcommittee that we had conducted a workshop on the government's use of commercial data for homeland security purposes. The objective of that workshop was to look at the policy, legal and technology issues associated with the government's use of commercial data in homeland security programs. Just last week our Privacy and Data Integrity Board held preliminary discussions on development of a policy regarding the use of commercial data by DHS, and the information we gleaned from our workshop will be helpful as we move forward on this vital issue. Last month, we conducted another workshop on the use of personal information by the government and how we can achieve transparency and accountability. This workshop sparked discussions about the utility of privacy notices to accomplish transparency and how those notices can be written in a way that is comprehensible while it is also comprehensive. We also discussed the utility of the Freedom of Information Act for fostering accountability through access to information about individuals that is maintained by the government. We were fortunate to have several panel members from other nations who could contribute a global perspective on this issue. Again, the workshop complemented our internal training efforts to raise privacy awareness and also served an important educational function to improve public understanding of DHS programs. information sharing and outreach Information sharing has become a significant focus of the DHS Privacy Office. The Intelligence Reform and Terrorism Prevention Act established requirements for an information sharing environment. This legislative mandate augmented Executive Orders and Homeland Security Directives issued by President Bush all aimed at fostering a climate of robust exchanges of terrorism related information in a privacy sensitive manner. Executive Order 13356, for example, directed all departments and agencies to enhance the interchange of terrorism- related information within the Federal government and between the Federal government and appropriate authorities of state and local governments. The DHS Privacy Office led the effort to integrate privacy protections into the planning process supporting the implementation of this Executive Order. Similarly, the DHS Privacy Office led the effort within DHS to integrate privacy protections at the earliest stages of implementing HSPD-11, a Presidential directive that concerns terrorist-related screening procedures. Within DHS, moreover, the Privacy Office has supported the work of the Information Sharing and Collaboration Office (ISCO), which was established to lead the creation of a DHS information sharing environment. The Privacy Office provided both resources and guidance to ISCO to help create a set of business rules for sharing personal information in a way that minimizes privacy intrusions while maximizing use of the data for homeland security purposes. The Privacy Office also participated in a number of interagency activities designed to foster inter-agency exchanges of information on privacy technologies and other privacy issues. We chair, for example, the Social, Legal and Privacy Subgroup of the National Science and Technology Council's (NSTC) Subcommittee on Biometrics. Established by Executive Order, NSTC is the principal means by which the President coordinates science, space, and technology policy across the government. NSTC's Subcommittee on Biometrics has examined issues related to the development and use of biometric technologies in the Federal government and the Social, Legal and Privacy Subgroup was responsible for developing a rich, centralized repository of information about the social history of biometrics, the legal framework that applies to the collection and use of biometrics, and the privacy principles that should govern the responsible use of this technology. Analysis of this repository and actual implementations resulted in a paper that connects privacy and biometrics at a structural level so that both fields can be understood within a common framework, thus enabling federal agencies and public entities to implement privacy- protective biometric systems. We have also begun coordinating with the White House's Privacy and Civil Liberties Oversight Board on information sharing and other relevant issues. Through this work, the DHS Privacy Office is able to foster interagency cooperation, coordination and collaboration on privacy matters. The Privacy Office has also reached out to experts in the private sector to help us understand programmatic, policy, operational and technology issues that affect privacy, data integrity, and data interoperability. To that end, in April 2004, the Department chartered the Data Privacy and Integrity Advisory Committee (DPIAC) under the authority of Federal Advisory Committee Act to provide an external and expert perspective to the Secretary and Chief Privacy Officer. The DHS Privacy Office provides administrative and managerial support to the DPIAC. In return, the Committee has provided significant advice to the Chief Privacy Officer and the Secretary on important privacy considerations. The Committee offered its recommendations on TSA's Secure Flight Program, which have helped the DHS Privacy Office to formulate its own advice on this significant initiative. The Committee also provided guidance on the Use of Commercial Data to Reduce False Positives in Screening Programs, which will help inform any final policy that the Privacy Office recommends on this important topic. We expect to continue to get advice from the Committee on other issues of interest to the Department. international initiatives Because the work of the Department is both national and international in scope, the work of the DHS Privacy Office is equally broad. The primary goal of the DHS Privacy Office's international activities has been to convey to the global community the importance of fair information practices to our office, the Department and the nation. We have devoted significant resources to working with programs in multilateral global forums, such as the OECD, as well region-centric international organizations such as the Asian Pacific Economic Cooperation forum (APEC). In addition, of course, the Privacy Office works with the European Union and on issues raised by the Joint Supervisory Body representatives of Europol and Eurojust. We have had substantial input on a number of international privacy initiatives, including the Enhanced International Travel Security Initiative (EITS), under the leadership of DHS's Science and Technology Directorate and US-VISIT, and real-time sharing of lost and stolen passports in a way that properly protects privacy, through an APEC- sponsored initiative known as the Regional Movement Alert List. The Privacy Office also works more generally within international organizations to shift the international privacy dialogue away from conflicting laws to compatible privacy principles in order to foster information sharing for homeland security and other necessary purposes. Our work has been helpful in improving international opinion regarding the United States Government's attention to privacy principles in the design and operation of information systems. future activities As I hope the foregoing demonstrates, the DHS Privacy Office takes a comprehensive approach to its statutory mission and has worked on a wide range of initiatives to ensure that privacy policy concerns are part of the necessary dialogue on the development and implementation of homeland security programs. We have been fortunate that Congress has provided funding to allow us to expand our staff of dedicated privacy professionals whose credentials rival those of anyone in the government or the private sector. And we are energized as we look ahead to some future activities. We recently completed a draft of a report on data mining, which is required by the 2005 DHS Appropriations Act, and we expect to continue our study of data mining programs at the Department in the coming year. Data mining can be a useful and important tool in the war against terrorism, and we are committed to ensuring that this technique is used responsibly and appropriately at DHS. We have already planned our next privacy workshop to focus on Privacy Impact Assessments. This timely session will enable DHS program officers to comply with the privacy requirements necessary for approval of their funding requests. We are also finalizing arrangements for the next DPIAC meeting, which will be held in California, and which will focus on expectations of privacy in public spaces and the use of RFID technology, two issues that have significant ramifications for Departmental activities. We plan to work closely with the OCIO to build privacy protections into every system across DHS, and we intend to collaborate with the Science and Technology Directorate to add privacy protections to the approval process for new homeland security research initiatives. Because they are our ``bread and butter'' issues, the DHS Privacy Office will also continue to work to ensure that individual programs sustain and enhance privacy protections through strict compliance with the PIA and SORN requirements of federal law. We will continue to refine our privacy guidance and enhance our privacy training initiatives to foster a culture of privacy awareness within the agency. We expect to complete development of a policy for the respectful and appropriate use of commercial data for homeland security purposes. And we anticipate that in the international arena, we will continue to be an important voice for the development of privacy-appropriate cross- border information sharing policies. Thank you for the opportunity to share the accomplishments of the DHS Privacy Office and to demonstrate, through this testimony, the importance of privacy ``in the hands'' of the Department of Homeland Security. We appreciate the support this Subcommittee has given to our office and look forward to working with you on matters of mutual interest and concern. Mr. Cannon. Thank you, Ms. Cooney. Ms. Horvath, you are recognized for 5 minutes. TESTIMONY OF JANE C. HORVATH, CHIEF PRIVACY AND CIVIL LIBERTIES OFFICER, U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC Ms. Horvath. Mr. Chairman and Members of the Subcommittee, thank you for inviting me to testify regarding the Department of Justice Privacy and Civil Liberties Office in connection with the Committee's hearing. I started as the Department of Justice's Chief Privacy and Civil Liberties Officer on February 21, 2006. I am responsible for Department-wide protection of privacy and civil liberties. During my first 30 days at the Department of Justice, we assessed the existing privacy and civil liberties functions at the Department. I met with senior officials of the DOJ components that had either privacy or civil liberties responsibilities within the Department. At all of these meetings, I was welcomed with enthusiasm. I received detailed briefings regarding their privacy and civil liberties efforts. From those meetings, we were able to determine priorities for the Office of Privacy and Civil Liberties. After meeting with the Chief Information Officer, we decided to centralize the privacy impact assessment process. We determined that the PIA process within the Department would be much more effective if all the components were working from a standard template with standard guidance. Utilizing some of the aspects of the DHS model, we drafted official PIA guidance, a privacy threshold analysis to determine whether a PIA is required, and a new PIA template. Next month, we're going to hold a 1-day training session on PIA preparation and Privacy Act issues with members of the CIO staff and persons within the components who are responsible for Privacy Act issues. In furtherance of our civil liberties missions, we set up and launched a DOJ Privacy and Civil Liberties Board on April 17, 2006. Representatives of the law enforcement, national security, and other relevant components are represented on the Board. We have subdivided the Board into three separate committees: an Outreach Committee, focusing on outreach to the Arab, Muslim, and other ethnic or religious minority communities; a Data Committee, examining issues related to information privacy within the Department; and a Law Enforcement Committee, providing a forum for law enforcement to discuss effort that might have an impact on civil liberties or privacy. Shortly after I arrived, we started to reach out to privacy advocacy and public policy groups. We've met with representatives from the ACLU, Center for Democracy and Technology, Cato Institute, Heritage Foundation, the Center for Information Policy Leadership at Hunton and Williams, and Peter Swire, the former Chief Counselor for Privacy in the U.S. Office of Management and Budget. We've also been active in intergovernmental groups and efforts. We believe that by working together as a group, privacy officers within the Government can utilize each other's collective experience. Our office has also been active in advising the Department of information-sharing initiatives. While information sharing is an incredibly important initiative for our security, it also involves important privacy and civil liberties issues. We are pleased that the Administration and the Attorney General has recognized the importance of addressing these issues at the inception of information-sharing programs. Since my arrival, I have co-chaired the President's Information Sharing Environment Guideline 5 Working Group with Alex Joel, the Director of National Intelligence Civil Liberties Protection Officer. Guideline 5 of the December 16th memorandum from President George W. Bush requires, in relevant part, that the Attorney General and the Director of National Intelligence develop guidelines designed to be implemented by executive departments and agencies to ensure that the information privacy and other legal rights of Americans are protected in the development and use of the ISE, including in the acquisition, access, use, and storage of personally identifiable information. We also look forward to working with the President's Privacy and Civil Liberties Oversight Board on the guidelines. The Privacy and Civil Liberties Office also oversees the Department's compliance with the Privacy Act of 1974 and plays an active role in ensuring that the Department's law enforcement, litigation, and anti-terrorism missions are carried out in accordance with its provisions. We also provide Privacy Act guidance within the Department, both in response to specific inquiries raised by the components and through training programs. Although I have only been at DOJ a short while, my arrival has been greeted with enthusiasm. We have been consulted on numerous initiatives. In the coming year, we hope to launch new efforts, such as more extensive privacy and civil liberties training, that will further the office's mission of protecting the privacy and civil liberties of those who interact with the Department of Justice. Thank you for the opportunity to speak today. [The prepared statement of Ms. Horvath follows:] Prepared Statement of Jane C. Horvath <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Mr. Cannon. Thank you, Ms. Horvath. Professor Katzen? TESTIMONY OF SALLY KATZEN, PROFESSOR, GEORGE MASON UNIVERSITY LAW SCHOOL, ARLINGTON, VA Ms. Katzen. Thank you, Mr. Chairman, Ranking Member Watt, other Members of the Committee. I appreciate the invitation for me to testify today, as I did several years ago, about Government policies and practices that implicate privacy. As the Chairman noted, privacy is one of the hallmarks of our country--cherished, protected, defended throughout our history. Since September 11, 2001, the debate has changed somewhat as the commitment to privacy has often been spoken in the context of national security and the need for combating terrorism. But protecting our privacy and protecting our Nation are not mutually exclusive goals, and our challenge is to protect and defend our country in a way that promotes our core values. Now, I belabor this point because in the 2 years since I appeared before this Committee, the concern for privacy and what many Americans believe to be invasions of their privacy by the Government has increased rather than decreased. More articles about privacy policies and practices appear more frequently in the press. There are more stories on radio and television, and there is significantly more attention paid to privacy on the Internet than ever before. The time devoted over the last several weeks or months in public discourse to the warrantless wiretaps by the National Security Agency and the decision of some common carriers to release to the Government information about calls made by millions of Americans is a clear indication of Americans' commitment to and concern about privacy. Given the importance of privacy and its persistence in the national debate, it's somewhat surprising that this Administration has seemed so reluctant to take even minimal steps to address these concerns. For example, one of the subjects of today's hearing is the Privacy Officer at DHS. When I last testified, I spoke in highly favorable terms of the appointment of Ms. Kelly as the first statutorily required privacy official at DHS. I stressed both the beneficial attention that was being paid to privacy concerns and the fact that having a privacy officer at DHS in no way diminished the capacity of the Department to pursue its mission. Ms. Kelly resigned from DHS last September, and with respect to Ms. Cooney, we have in place an Acting Privacy Officer. The job is hard enough. To be heard in policy decision meetings, to be listened to when red flags are raised about a proposal's privacy implications, to be supported when a hand goes up and says, ``Maybe we should reconsider, maybe we should do it differently,'' that job is not easy even for a tenured employee. It is so much harder for an acting. There may well be legitimate reasons that there has been a delay in finding and installing Ms. Kelly's replacement, but the unexpected and unexplained delay raises unfortunate questions. Is it a lack of interest? Is it a lack of support by the Secretary of DHS or by the White House? In the same vein, I would mention that it has taken a very long time for the White House to nominate and have the Senate confirm the members of the Privacy and Civil Liberties Board which Ms. Horvath spoke about. That, too, was set up by an Act of Congress which was responding to legitimate questions and concerns about Government policies. In light of these examples, I would call for more oversight by Congress and, equally more important, more legislation concerning and empowering officials in the Government. In my written testimony, I remind the Committee that I had urged that there be statutory privacy officers at all major departments. I am pleased that the Department of Justice now has one. I hope that you will work with other Members of Congress and other Committees to expand that base. And without being too pushy, I would again renew my suggestion that the Committee support establishing at OMB a statutory office headed by a Chief Counselor for Privacy. Such an office was created and staffed during the Clinton administration, and it served us well. The current Administration chose not to fill that position when they took office or since. As a result, there is no senior official in the Executive Office of the President who has privacy in his or her title or who is charged with oversight of Federal privacy policies. Yet it's so much better to have privacy considered at the outset rather than after the plans are implemented and the stories appear on the front pages. My time is running. I have comments about the markup. Otherwise, I think it's a great bill in many respects. I support the concept. And maybe during the questions and answers I could speak to that. I want to thank you again for asking me to participate. [The prepared statement of Ms. Katzen follows:] Prepared Statement of Sally Katzen Mr. Chairman and other Members of the Committee. Thank you for inviting me to testify today on a subject--``Privacy in the Hands of the Government''--that is exceedingly important to the American public and on which this Committee has commendably been actively engaged. This hearing is a follow on to one at which I testified on February 10, 2004. With the permission of the Committee, I would request that the written testimony that I prepared then be appended to my submission for this hearing; much of the background and analysis presented in that document remain pertinent today and incorporating it by reference will enable me to better focus on more recent developments. I have been involved in privacy policy and practices for well over a decade, having served as the Administrator of the Office of Information and Regulatory Affairs (OIRA) in the Office of Management and Budget (OMB) from 1993 to 1998 and as the Chair of the Information Policy Committee of the National Information Infrastructure Task Force, which produced, among other things, a revision of the 1973 Code of Fair Information Practices, entitled ``Principles for Providing and Using Personal Information.'' During my later tenure as Deputy Director of the National Economic Council and then as Deputy Director for Management at OMB, I was involved in a series of privacy issues, any my interest in the subject has continued during my years in academics. My earlier testimony spoke to the importance of privacy in our history and culture, and why I believe that privacy is one of the hallmarks of America--cherished, protected and defended throughout our country and throughout the years. The arrival of the Information Age raised privacy concerns to a new level, although after September 11, 2001, this was tempered by a clear recognition of the importance of security and the need for combating terrorism. But protecting our privacy and protecting our nation are not mutually exclusive goals. Rather, the challenge for all of us is to protect and defend our country in a way that preserves and promotes our core values. I belabor this point because in the two years since I appeared before this Committee, the concern for privacy (and what many Americans believe to be invasions of their privacy) has increased rather than decreased. More articles about privacy policies and practices appear more frequently in the press, there are more stories on the radio and television, and there is significantly more attention paid to privacy on the Internet than ever before. The time devoted over the last several weeks/months in public discourse to the warrantless wiretaps by the National Security Agency and the decision of some common carriers to release to the government information about calls made by millions of Americans is a clear indication of Americans' continued commitment to, and concern about, privacy. Given the importance of privacy and its persistence in the national debate, it is somewhat surprising that this Administration has seemed to be so reluctant to take even minimal steps to address these concerns. For example, when I last testified, I spoke of the generally highly favorable reactions to the tenure of Nuala O'Connor Kelly as the first statutorily required privacy official at the Department of Homeland Security (DHS). I stressed both the beneficial attention that was paid to privacy concerns and the fact that having a privacy officer at DHS in no way diminished the capacity of the Department to pursue its mission. Ms. Kelly resigned from DHS many months ago, and regrettably there is only an Acting privacy officer in place. Is it a lack of interest or a lack of support for the position by the current Secretary of DHS? Or by the White House? There may well be legitimate problems in finding and installing Ms. Kelly's replacement, but the unexplained delay sends a very bad signal to those who follow these developments as an indication of the Administration's commitment to privacy. In that same vein, it is worth noting that it took the longest time for the White House to nominate and have the Senate confirm the members of the Privacy and Civil Liberties Board, which is a committee established by another act of Congress designed to respond to what were perceived as legitimate questions and concerns about government policies with respect to privacy. In light of these examples, I would call for more oversight by the Congress and, equally important, more legislation creating and empowering officials in the government with responsibility for privacy policy. I had urged in my earlier testimony that the Committee consider expanding the number of statutory privacy offices from one to 24, covering all major Departments (the so-called Chief Financial Officers Act agencies) or at least a handful of critical agencies, including the Department of Justice, the Department of the Treasury (and the Internal Revenue Service), the Department of Defense and the Veterans Administration, the Social Security Administration, and the Department of Health and Human Services. I was pleased when Congress enacted legislation establishing a privacy officer at the Department of Justice. With respect, I would again urge this Committee to work with others in the Congress to expand on this base. OMB guidance from two administrations (issued first during the Clinton Administration and repeated several years ago by the Bush Administration) has called for the creation of such offices in Executive Branch agencies. The imprimatur of Congress would enhance the influence and respect that these officers have within their Departments. Equally important, by establishing statutory privacy offices, the Congress would be able to engage in systematic oversight of the attention paid to this important value in the federal government. I would also renew my suggestion that Congress establish at OMB a statutory office headed by a Chief Counselor for Privacy. Such an office was created and staffed during the Clinton Administration, and it served us well. The current Administration chose not to fill the position when they took office or since. As a result, there is no senior official in the Executive Office of the President who has ``privacy'' in his/her title or who is charged with oversight of federal privacy practices, monitoring of interagency processes where privacy is implicated, or developing national privacy polices. Yet it is so much better to have privacy implications considered beforehand-- in the formulation of program or projects--rather than after the plans are implemented and the stories about them begin to appear on the front pages of the national newspapers. And apart from damage control, having someone on the ``inside'' addressing these issues may provide some brakes on the runaway train of surveillance. Finally, I understand that after this hearing, the Committee will move to mark up H.R. 2840, the ``Federal Agency Protection of Privacy Act of 2005.'' That bill reflects a commendable desire to ensure that privacy impact statements are prepared by federal agencies as they develop regulations that involve the collection of personal information. Several thoughts occurred to me as I was rereading the text for today's hearing. First, Subsection (c) provides that an agency head may waive the requirements for a privacy impact statement ``for national security reasons, or to protect from disclosure classified information, confidential commercial information, or information the disclosure of which may adversely affect a law enforcement effort . . .'' Apart from the fact that the basis for a waiver goes well beyond national security, I recalled that there is a similar provision in the E- Government Act of 2002, which requires a privacy impact assessment for new federal government computer systems, but instead of giving an essentially free pass for national security concerns, Section 208 (b) (1) (D) of that Act requires the agency to provide the privacy impact assessment to the Director of OMB. I would recommend that such a provision be included in H.R. 2840 and, in addition, that the bill provide that a copy of the analysis be sent to the Congressional Intelligence Committees in the case of national security waivers and the Congressional Judiciary Committees in the case of law enforcement related waivers. In that way, there could be government-wide Executive Branch oversight and, equally important, Congressional oversight over agency decision-making in this area. Second, the provisions of H.R. 2840 requiring an agency to prepare a plan for, and carry out, a periodic review of existing regulations that have a significant privacy impact on individuals or a privacy impact on a significant number of individuals are quire detailed and quite prescriptive. Rather than specifying all of the factors to be considered, and the timetable and procedures for each element of the review, it might be preferable to set forth un the bill the objectives of a periodic review and task OMB with providing guidance for the agencies as to how they should proceed. In this way, the terms are not cast in concrete but can be more readily adjusted as changes occur, either with respect to content or with respect to technology. With those modest suggestions, I would endorse the bill and once again commend this Committee for its effective and persistent leadership on these very important issues. Again, thank you for inviting me to testify today. I would be pleased to elaborate on these comments or answer any questions that you may have. __________ ATTACHMENT Prepared Statement of Sally Katzen before the Committee on the Judiciary, Subcommittee on Commercial and Administrative Law, on February 10, 2004 on ``Privacy in the Hands of the Government: The Privacy Officer for the Department of Homeland Security'' Thank you for inviting me to testify today on a vitally important subject--``Privacy in the Hands of the Government.'' This Committee is to be congratulated, not only for its leadership in creating a statutory Privacy Officer in the Department of Homeland Security (DHS), but also for being vigilant in its oversight of that office. I am currently a Visiting Professor at the University of Michigan Law School, where one of my courses is a seminar on ``Technology Policy in the Information Age''--a significant portion of which is devoted to examining both the government and the private sector's privacy policies and practices. I have been involved in privacy policy for over a decade. In early 1993, I began serving as the Administrator of the Office of Information and Regulatory Affairs (OIRA) in the Office of Management and Budget (OMB); the ``I'' in OIRA signaled that I was, in effect, the chief information policy official for the federal government. Among other responsibilities, my office was charged with developing federal privacy policies, including implementation of the 1974 Privacy Act. Later in 1993, I was asked to chair the Information Policy Committee of the National Information Infrastructure Task Force, which had been convened by the Vice President and chaired by then Secretary of Commerce Ronald Brown. One of the first deliverables we produced was from my committee's Privacy Working Group--a revision of the 1973 Code of Fair Information Practices, entitled ``Principles for Providing and Using Personal Information.'' During President Clinton's second term, I worked with the Vice President's Domestic Policy Advisor to create a highly visible and effective office for privacy advocacy in OMB; we selected Peter Swire to head that office and be the first Chief Counselor for Privacy, and I worked closely with him when I served as Deputy Director for Management at OMB during the last two years of the Clinton Administration. Since leaving government, I have, as indicated earlier, been teaching both at the graduate and undergraduate level. Given the Committee's extensive work in this area, it is not necessary to speak at length on the importance of privacy in the history and culture of our country. Nonetheless, to provide context for the comments that follow, I want to be clear that, from my perspective, privacy is one of the core values of what we are as Americans. Whether you trace its roots from the first settlers and the ``frontier'' mentality of the early pioneers, or from the legal doctrines that flowed from Justice Brandeis' oft-quoted recognition in the late 19th century of ``the right to be let alone,'' privacy has been one of the hallmarks of America--cherished, prized, protected and defended throughout our country and throughout our history. The ``Information Age'' has brought new opportunities to benefit from the free flow of information, but at the same time it has also raised privacy concerns to a new level. Computers and networks can assemble, organize and analyze data from disparate sources at a speed (and with an accuracy) that was unimaginable only a few decades ago. And as the capacity--of both the government and the private sector--to obtain and mine data has increased, Americans have felt more threatened--indeed, alarmed--at the potential for invasion (and exploitation) of their privacy. Before September 11, 2001, privacy concerns polled off the charts. Since then, there has been a recognition of the importance of security and the need for combating terrorism. But, as the Pew Internet surveys (and others) have found, Americans' commitment to privacy has not diminished, and some would argue (with much force) that if, in protecting our nation, we are not able to preserve a free and open society for our public lives, with commensurate respect for the privacy of our private lives, then the terrorists will have won. For that reason, it was both necessary and desirable in creating a Department of Homeland Security to statutorily require the Secretary to appoint a senior official with primary responsibility for privacy policy. Ms. Kelly was selected for that position and took office about six months ago. We thus have some--albeit limited--operational experience with the statutory scheme, and it is therefore timely to see what we have learned and what more could (and should) be done by this Committee to be responsive to privacy concerns. I would draw two lessons from Ms. Kelly's tenure to date at DHS. First, the existence of a Privacy Officer at DHS, especially someone who comes to the position with extensive knowledge of the issues and practical experience with the federal government, is highly beneficial. We know that some attention is now being paid to privacy concerns and that steps are being taken to advance this important value that might otherwise not have occurred. Consider the CAPPS II project, in which Ms. Kelly has recently been involved. She inherited a Privacy Act Notice issued last winter that was dreadful. She produced a Second Privacy Act Notice that reflected much more careful thought about citizens' rights and provided more transparency about the process. Regrettably, there was some backsliding: the initial concept was that the information would be used only to combat terrorism, whereas the second Notice indicated that the information would be used not only for terrorism but also for any violation of criminal or immigration law. Also, the document was vague (at best) on an individual's ability to access the data and to have corrections made. And there was more that should have been said about the manner in which the information is processed through the various data bases. But there is no question that the Second Notice was greatly improved from the first. Ms. Kelly was also involved with the US VISIT program, where she produced a Privacy Impact Analysis (PIA). Some had argued that a PIA was not required because the program did not directly affect American citizens or permanent residents. Nonetheless, to her credit, she prepared and issued a PIA that was quite thoughtful and was well received. Whether one agrees or disagrees with the underlying program, at least we know that someone was engaged in the issues that deserve attention and the product of that effort was released to the public. As someone outside the government, it is hard to know how influential Ms. Kelly will be if--and it inevitably will happen--there is a direct conflict between what a program office within DHS wants to do and what the Privacy Officer would counsel against for privacy reasons. Effectiveness in this type of position depends on autonomy and authority--that is, on the aggressiveness of the office holder to call attention to potential problems and on support from the top. We may take some comfort from Secretary Ridge's comments; he has said all the right things about supporting the Privacy Officer. But we cannot now know what will happen when the ``rubber meets the road.'' This Committee, however, can further empower the Privacy Officer, and lay the foundation for remedying any problems that may arise, by maintaining its oversight and inquiring pointedly into how the Department operates. For example, Ms. Kelly (and Secretary Ridge) should be asked at what stage she is alerted to or brought into new initiatives; what avenues are open for her to raise any questions or concerns; and whether the Secretary will be personally involved in resolving any dispute in which she is involved. The timing of the release of the PIA for the US VISIT program suggests that Ms. Kelly may not always be consulted on a timely basis. As I read the E-Government Act of 2002, an agency is to issue a PIA before it develops or procures information technology that collects, maintains or disseminates information that is in an identifiable form. In this instance, the PIA was released much further down the road, when the program was about to go on line. Anything that helps the Privacy Officer become involved in new initiatives at the outset, before there is substantial staff (let alone money) invested in a project, would be highly salutary. The second lesson that I take from the experience to date with the Privacy Officer at DHS is that there has been no diminution in the capacity of the Department to pursue its mission. Or as a political wag would say, the existence of a Privacy Officer in DHS has not caused the collapse of western civilization as we know it. This is wholly consistent with what most Americans think--that national security and privacy are compatible and are not intrinsically mutually exclusive. The fact that there is no evidence that the existence, or any activity, of the Privacy Officer has caused DHS to falter leads me to suggest that the Committee consider expanding the number of statutory privacy offices from one to 24, covering all major Departments (the so- called Chief Financial Officers Act agencies) or at least a handful of critical agencies. Imagine the salutary effect that a statutory privacy office could have at the Department of Justice, the Department of the Treasury (and the Internal Revenue Service), the Department of Defense and the Veterans Administration, the Social Security Administration, and the Department of Health and Human Services. All of these agencies already have some form of privacy office in place, although many simply process Privacy Act complaints, requests, notices, etc. and do not involve themselves in the privacy implications of activities undertaken by their agencies. It is significant, I believe, that OMB guidance from two administrations (issued first during the Clinton Administration and repeated recently by the Bush Administration) has called for the creation of such offices in Executive Branch agencies. With the imprimatur of Congress, these offices can achieve the status (and increased influence) and gain the respect that the Privacy Officer has enjoyed at DHS. Equally important, by establishing statutory privacy offices, the Congress will be able to engage in systematic oversight of the attention paid to this important value in the federal government-- something which has not occurred before this hearing today. I hope I do not seem presumptuous to suggest--indeed, strongly urge--one further step: establishing at OMB a statutory office headed by a Chief Counselor for Privacy. As noted above, we had created such a position during the Clinton Administration, and it served us well. Peter Swire, the person we selected to head that office, was able to bring his knowledge, insights, and sensitivity to privacy concerns to a wide range of subjects. In his two years as Chief Counselor, he worked on a number of difficult issues, including privacy policies (and the role of cookies) on government websites, encryption, medical records privacy regulations, use and abuse of social security numbers, and genetic discrimination in federal hiring and promotion decisions, to name just some of the subjects that came from various federal agencies. He was also instrumental in helping us formulate national privacy policies that arose in connection with such matters as the financial modernization bill, proposed legislation to regulate internet privacy, and the European Union's Data Protection Directive. I believe it is unfortunate that the current Administration has chosen not to fill that position. As a result, there is no senior official in the Executive Office of the President who has ``privacy'' in his/her title or who is charged with oversight of federal privacy practices, monitoring of interagency processes where privacy is implicated, or developing national privacy polices. Perhaps it was the absence of such a person that led to the Bush Administration's initial lack of support for the designation of a Privacy Officer at the Department of Homeland Security. Perhaps if someone had been appointed to that position, the Administration would not have appeared to be so tone deaf to privacy concerns in connection with the Patriot Act or any number of law enforcement issues that have made headlines over the past several years. An ``insider'' can provide both institutional memory and sensitivity to counterbalance the unfortunate tendency of some within the government to surveil first and think later. At the least, the appointment of a highly qualified privacy guru at OMB would mean that someone in a senior position, with visibility, would be thinking about these issues before--rather than after--policies are announced. Finally, I understand that after this Hearing, the Committee will move to mark up H.R. 338, ``The Defense of Privacy Act.'' That bill reflects a commendable desire to ensure that privacy impact statements are prepared by federal agencies as they develop regulations which may have a significant privacy impact on an individual or have a privacy impact on a substantial number of individuals. I was struck in reviewing the E-Government Act of 2002 for this testimony that it requires an agency to prepare a PIA not only before it develops or procures information technology that implicates privacy concerns, but also before the agency initiates a new collection of information that will use information technology to collect, maintain or disseminate any information in an identifiable form. This law has gone into effect, OMB has already issued guidance on how to prepare the requisite PIAs, and the agencies are learning how to prepare these PIAs using that model. Rather than impose another regime on agencies when they are developing regulations (which are frequently the basis for the information collection requests referenced in the E-Government Act of 2002), it might be preferable to amend the E-Government Act to expand its requirements to apply to regulations that implicate privacy concerns. That approach would have the added benefit of eliminating the inevitable debate over the judicial review provisions of H.R. 338, which go significantly beyond the judicial review provisions of any of the comparable acts (e.g., Reg.Flex., NEPA, Unfunded Mandates, etc.). Lastly, if you were to amend the E-Government Act to include privacy- related regulations, you might also consider including privacy-related legislative proposals from the Administration. As you know, Executive Branch proposals for legislation are reviewed by OMB before they are submitted to the Congress. If there were a Chief Counselor for Privacy at OMB, s/he would be able to provide input for the benefit of the Administration, the Congress and the American people. Again, thank you for inviting me to testify today. This Committee has been an effective leader on privacy issues, and it is encouraging that you are continuing the effort. I would be pleased to elaborate on these comments or answer any questions that you may have. Mr. Cannon. Thank you, Professor. Ms. Koontz? TESTIMONY OF LINDA KOONTZ, DIRECTOR, INFORMATION MANAGEMENT ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE, WASHINGTON, DC Ms. Koontz. Mr. Chairman and Members of the Subcommittee, I appreciate the opportunity to be here today to discuss key challenges facing Federal privacy officers. As you know, advances in information technology make it easier than ever for the Federal Government to acquire data on individuals, analyze it for a variety of purposes, and share it with other governmental and nongovernmental entities. Further, the demands of the war on terror put additional pressure on agencies to extract as much value as possible from the information available to them, adding to the potential for compromising privacy. This is the context in which agencies must carry out their critical responsibilities for protecting the privacy rights of individuals in accordance with current law. To do so, many agencies have designated privacy officers to act as focal points. Recently, these positions have gained greater prominence. In response to rising concerns about privacy rights in our electronic age, both legislation and guidance have directed agencies to establish chief privacy officers or to ensure that a senior official takes overall responsibility for information privacy. Privacy issues have also been at the heart of several studies that the Congress has asked us to perform over the past few years. Our results highlight some of the challenges faced by agencies and privacy officials. First, compliance with current law has posed challenges. In 2003, we reported that agency compliance with the requirements of the Privacy Act was uneven. Agencies reviewed generally did well with certain aspects of the requirements, such as issuing public notices about systems containing personal information. However, they did less well at others, such as ensuring that information was complete, accurate, relevant, and timely before it was disclosed to a non-Federal organization. Agency officials told us that they needed more leadership and guidance from the Office of Management and Budget to help them with implementation in a rapidly changing environment. Similarly, agencies have not always complied with the E- Government Act requirement that agencies perform privacy impact assessments, or PIAs, on certain systems containing personal information. Such assessments are important to ensure that information is handled in a way that protects privacy. Although we have not yet done a comprehensive assessment of agencies' implementation of PIAs, we did determine in recent work on commercial data resellers that many agencies did not perform PIAs on systems that used reseller information because they believe that a PIA was not required. Privacy officers also face the challenge of ensuring that privacy protections are not compromised by advances in technology. For example, Federal agencies are increasingly using data mining, that is, analyzing large amounts of data to uncover hidden patterns. Initially, this tool was used mostly to detect financial fraud and abuse, but its use has expanded to include purposes such as detecting terrorist threats. In 2005, in a review of five different data-mining efforts at selected agencies, we reported that these agencies did take many of the steps needed to protect privacy. However, none followed all key procedures. For instance, although they did issue public notices, these notices did not always describe the intended uses of personal information as required. Another new technology presenting privacy challenges is radio frequency identification, or RFID. This technology uses wireless communications to transmit data and electronically track and store information on tags attached to or embedded in objects. As we reported in 2005, Federal agencies use or propose to use RFID for physical access controls and to track access. For example, DOD uses it to track shipments. Although this kind of inventory control application is not likely to generate privacy concerns, RFID use could raise issues if, for example, people were not aware that the technology is being used and that it could be embedded in items they are carrying and be used to track them. Agency privacy offices will play a key role in addressing the challenges I have described. They will be instrumental in ensuring that agencies comply with legislative requirements and in ensuring that privacy is fully addressed in agency approaches to new technologies. In addition, chief privacy officers are in a position to work with OMB and other agencies to identify ambiguities and clarify the applicability of privacy requirements. Not least, they can work to increase agency awareness and raise the priority of privacy issues. That concludes my statement. I would be happy to answer questions at the appropriate time. [The prepared statement of Ms. Koontz follows:] Prepared Statement of Linda D. Koontz <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Mr. Cannon. Thank you, Ms. Koontz. I just need to point out that we just had a panel of four participants who all finished within seconds of the 5 minutes. I have never seen that before in my life. Obviously, we have some well-experienced panelists. We have a significant problem here. We are going to try and mark this bill up today, and we have six votes probably between 2:45 and 3:15. And so--yeah, we'll have six votes, so that means that--let me just suggest that I'm not going to ask questions, and all the Members of the panel can ask written questions. Professor, I suspect you have your comments already written, and if you could submit those. You suggested you had more that you wanted to say. Do you have that in written form already? Ms. Katzen. Yes, Mr. Chairman. My written testimony includes two modest suggestions, one of which relates to the national security issue, and I think it is important. Mr. Cannon. Thank you. And if any of the panelists have other things you would like to make part of the record, we'll leave the record open for 5 days. So I ask unanimous consent that the Members of the panel-- that we limit questioning to 3 minutes for the panel. Hearing no objection, so ordered. Mr. Watt. That is per Member? Mr. Cannon. That is per Member, yes. Pardon me. Hearing no objection, but with that clarification, so ordered. And we'll keep the legislative record open for 5 days for questions. Without objection, so ordered. Thank you, and, Mr. Watt, you are recognized for 5 minutes. Mr. Watt. For 3 minutes--3 minutes, I presume. Thank you, sir. Since we're going on to the markup of H.R. 2840 and all of the witnesses heard my opening comments, I guess the most appropriate question I could ask in my short period of time is to Ms. Cooney and Ms. Horvath, since you all are here representing the Administration, or at least your respective Departments. Do you have a clue whether the Administration really supports and wants this bill? Because they haven't done anything to try to get it passed that I'm aware of on the Senate side, and we're engaging in a futile gesture here passing it out of here without the Administration injecting itself and saying it wants it. So does either of you know whether the Administration really wants this bill? Ms. Cooney. Mr. Watt, I'd be happy to answer. I don't know of a formal position that the Administration has taken on this bill. I'm not aware of one. I think in our last appearance I did mention that under section 222 we have very similar requirements at DHS to do PIAs on rulemakings, and we've been able to tackle that effort and can improve on it as we---- Mr. Watt. But this is a systemwide, governmentwide bill, not a DHS bill. So I guess the question I'm asking is: Is the Administration committed to having this done systemwide, or are they not? If you don't know, I mean, just say you don't know. Ms. Cooney. I know of no formal position on it. Mr. Watt. Okay. I assume you don't know either, Ms. Koontz. You're not here--you're kind of in a different position with respect to the Administration. I understand that. Have you heard anything through the grapevine about whether the Administration wants it, Professor Katzen? Ms. Katzen. No. Mr. Watt. Okay. All right. I just keep pointing out that, you know, we've marked this bill up several times. It's gone. The Chairman indicated it went out of the House. Without the Administration doing something to lift a finger to get it, it ain't going to happen. So we might be back here again next term of Congress doing the same thing. I yield back. Mr. Cannon. Thank you. I think Mr. Franks--the gentleman is recognized for 3 minutes. Mr. Franks. Mr. Chairman, I have no questions at this time. Mr. Cannon. Thank you, Mr. Franks. We appreciate that candor and directness, and I think--the gentleman from Massachusetts, Mr. Delahunt, is recognized for 3 minutes. Mr. Delahunt. Yes, thank you, Mr. Chairman. I'm going to make an effort to answer Mr. Watt's question. I think it's clear to me that the Administration--this is not a priority, I think it's fair to say, for the Administration. Otherwise, this bill would have been enacted into law last year. And I think it's time, particularly given the context of recent revelations concerning the NSA in particular that the Administration weigh in in a very significant way. If this bill is to pass, the Administration has to make it a priority. And I don't think any of us--and I think I speak for all of us on this panel right now--have not seen evidence of the Administration making it the kind of priority that I think it deserves. As my colleagues would remember, myself and Mr. Berman had an amendment to the PATRIOT Act involving data mining, and there was great resistance from the Department of Justice regarding that particular amendment, which I believed to be somewhat innocuous. Well, now I understand better, after reading the USA Today and other revelations that occurred prior to that why there would be such resistance. This is simply an opportunity for the American people to find out what their Government was doing. I have to agree with you, Professor Katzen. You know, when there's a lack of privacy afforded the individual citizen, we're on our way to eroding democracy and living I a totalitarian society. It's absolutely essential that this bill becomes a priority. Mr. Cannon. Would the gentleman yield? Mr. Delahunt. I yield. Mr. Cannon. Because I agree with the gentleman. Let me just point out that it is our obligation as the Legislature to set the limits and set the priorities here, and we have to do that as Republicans and Democrats and as the House and the Senate. That's sometimes hard. This Administration--no Administration is going to focus on these issues like we do because our perspective is different, and so I pledge to the gentleman that we will---- Mr. Delahunt. I appreciate that, and I would even request-- the flip side, Mr. Chairman, is the lack of transparency, secrecy, if you will, that I would suggest has been an earmark of this Administration. We've had the National Archivist, Mr. Leonard, complain about the ubiquitous classification of public documents that is going on. And I would hope that you would consider having a hearing into that particular issue. I think that is something that is warranted, particularly given---- Mr. Cannon. I'd be happy to speak with the gentleman, whose time has expired. May I ask unanimous consent that we not continue with questions, since we just had a vote called, and that we move over to the markup of this bill? Thank you. [Whereupon, at 2:48 p.m., the Subcommittee proceeded to other business.] A P P E N D I X ---------- Material Submitted for the Hearing Record Response to Post-Hearing Questions from Maureen Cooney, Acting Chief Privacy Officer, U.S. Department of Homeland Security, Washington, DC <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Response to Post-Hearing Questions from Sally Katzen, Professor, George Mason University Law School, Arlington, VA <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> Response to Post-Hearing Questions from Linda D. Koontz, Director, Information Management Issues, U.S. Government Accountability Office, Washington, DC <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT> <all>