Nuala O’Connor Kelly is the very model of a modern chief privacy officer. When President Bush signed legislation last November creating CPO positions across the federal government, the new job description was markedly similar to the one that O’Connor Kelly filled as the first-ever CPO of the Department of Homeland Security.Hired in April 2003, O’Connor Kelly oversees what seems to be a huge operation for other federal departments to emulate. (See our February cover story, “Five Things Every CSO Needs to Know About the Chief Privacy Officer.”) More than 450 people report to her on privacy issues. But the reality is that close to 400 of her staffers spend their days reviewing requests made under both the Privacy Act and the Freedom of Information Act (FOIA), rather than making sure DHS security initiatives protect citizens’ privacy.Responsibility for the Privacy Act, which allows individuals to access and, if necessary, correct government records about themselves, was part of O’Connor Kelly’s original job description. But responsibility for FOIAa law created as a way for citizens and lawmakers to get a window into possible government chicanerywas not. FOIA was put under the auspices of the privacy office in the summer of 2003 by then-DHS Secretary Tom Ridge.Now, as other agencies fine-tune the details of their own CPO job descriptions, it seems an appropriate moment to ask: Is the privacy office the right place to respond to FOIA requests, or should they be handled in an independent office? The CPO’s job is about protecting information. FOIAin theory anywayis about sharing information. O’Connor Kelly acknowledges that, at first glance, the responsibilities may seem opposite. However, she explains, “I see them as two sides of the same coin. It’s about information management and information use.”Indeed, there is a significant privacy-related component to filling FOIA requests. In FY03 (the most recent year with available statistics), DHS processed 160,902 FOIA requests. In denying all or part of a request for information, FOIA officers invoked exemptions that protected personal privacy a full 61,902 timesalmost twice as often as they invoked all other FOIA exemptions combined. Still, privacy advocates wonder whether the movement to make FOIA compliance a privacy job doesn’t distract from the real privacy issues that CPOs should be focusing on. “In a way, you get an exaggerated view of the importance of privacy,” says Stephanie Perrin, a senior fellow for the Electronic Privacy Information Center, a watchdog group. “They call [O’Connor Kelly] the CPO, but in fact she’s the chief access officer.” Related content feature Top cybersecurity M&A deals for 2023 Fears of recession, rising interest rates, mass tech layoffs, and conservative spending trends are likely to make dealmakers cautious, but an ever-increasing need to defend against bigger and faster attacks will likely keep M&A activity steady in By CSO Staff Sep 22, 2023 24 mins Mergers and Acquisitions Mergers and Acquisitions Mergers and Acquisitions brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe