• United States



sarah d_scalet
Senior Editor

Is This Any Job for a Privacy Office?

Apr 01, 20053 mins
CSO and CISOData and Information Security

Nuala O’Connor Kelly is the very model of a modern chief privacy officer. When President Bush signed legislation last November creating CPO positions across the federal government, the new job description was markedly similar to the one that O’Connor Kelly filled as the first-ever CPO of the Department of Homeland Security.

Hired in April 2003, O’Connor Kelly oversees what seems to be a huge operation for other federal departments to emulate. (See our February cover story, “Five Things Every CSO Needs to Know About the Chief Privacy Officer.”) More than 450 people report to her on privacy issues. But the reality is that close to 400 of her staffers spend their days reviewing requests made under both the Privacy Act and the Freedom of Information Act (FOIA), rather than making sure DHS security initiatives protect citizens’ privacy.

Responsibility for the Privacy Act, which allows individuals to access and, if necessary, correct government records about themselves, was part of O’Connor Kelly’s original job description. But responsibility for FOIAa law created as a way for citizens and lawmakers to get a window into possible government chicanerywas not. FOIA was put under the auspices of the privacy office in the summer of 2003 by then-DHS Secretary Tom Ridge.

Now, as other agencies fine-tune the details of their own CPO job descriptions, it seems an appropriate moment to ask: Is the privacy office the right place to respond to FOIA requests, or should they be handled in an independent office? The CPO’s job is about protecting information. FOIAin theory anywayis about sharing information.

O’Connor Kelly acknowledges that, at first glance, the responsibilities may seem opposite. However, she explains, “I see them as two sides of the same coin. It’s about information management and information use.”

Indeed, there is a significant privacy-related component to filling FOIA requests. In FY03 (the most recent year with available statistics), DHS processed 160,902 FOIA requests. In denying all or part of a request for information, FOIA officers invoked exemptions that protected personal privacy a full 61,902 timesalmost twice as often as they invoked all other FOIA exemptions combined.

Still, privacy advocates wonder whether the movement to make FOIA compliance a privacy job doesn’t distract from the real privacy issues that CPOs should be focusing on. “In a way, you get an exaggerated view of the importance of privacy,” says Stephanie Perrin, a senior fellow for the Electronic Privacy Information Center, a watchdog group. “They call [O’Connor Kelly] the CPO, but in fact she’s the chief access officer.”