b"<html>\n<title> - PRIVACY IN THE HANDS OF THE GOVERNMENT: THE PRIVACY OFFICER FOR THE DEPARTMENT OF HOMELAND SECURITY AND THE PRIVACY OFFICER FOR THE DEPARTMENT OF JUSTICE</title>\n<body><pre>[House Hearing, 109 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n \n  PRIVACY IN THE HANDS OF THE GOVERNMENT: THE PRIVACY OFFICER FOR THE \n    DEPARTMENT OF HOMELAND SECURITY AND THE PRIVACY OFFICER FOR THE \n                         DEPARTMENT OF JUSTICE\n\n=======================================================================\n\n\n                                HEARING\n\n                               BEFORE THE\n\n                            SUBCOMMITTEE ON\n                   COMMERCIAL AND ADMINISTRATIVE LAW\n\n                                 OF THE\n\n                       COMMITTEE ON THE JUDICIARY\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED NINTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                              MAY 17, 2006\n\n                               __________\n\n                           Serial No. 109-155\n\n                               __________\n\n         Printed for the use of the Committee on the Judiciary\n\n\n      Available via the World Wide Web: http://judiciary.house.gov\n\n\n\n\n\n                    U.S. GOVERNMENT PRINTING OFFICE\n\n27-606 PDF                  WASHINGTON : 2006\n------------------------------------------------------------------\nFor sale by Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800;\nDC area (202) 512-1800 Fax:  (202) 512-2250. Mail:  Stop SSOP, \nWashington, DC 20402-0001\n\n\n\n                       COMMITTEE ON THE JUDICIARY\n\n            F. JAMES SENSENBRENNER, Jr., Wisconsin, Chairman\nHENRY J. HYDE, Illinois              JOHN CONYERS, Jr., Michigan\nHOWARD COBLE, North Carolina         HOWARD L. 
BERMAN, California\nLAMAR SMITH, Texas                   RICK BOUCHER, Virginia\nELTON GALLEGLY, California           JERROLD NADLER, New York\nBOB GOODLATTE, Virginia              ROBERT C. SCOTT, Virginia\nSTEVE CHABOT, Ohio                   MELVIN L. WATT, North Carolina\nDANIEL E. LUNGREN, California        ZOE LOFGREN, California\nWILLIAM L. JENKINS, Tennessee        SHEILA JACKSON LEE, Texas\nCHRIS CANNON, Utah                   MAXINE WATERS, California\nSPENCER BACHUS, Alabama              MARTIN T. MEEHAN, Massachusetts\nBOB INGLIS, South Carolina           WILLIAM D. DELAHUNT, Massachusetts\nJOHN N. HOSTETTLER, Indiana          ROBERT WEXLER, Florida\nMARK GREEN, Wisconsin                ANTHONY D. WEINER, New York\nRIC KELLER, Florida                  ADAM B. SCHIFF, California\nDARRELL ISSA, California             LINDA T. SANCHEZ, California\nJEFF FLAKE, Arizona                  CHRIS VAN HOLLEN, Maryland\nMIKE PENCE, Indiana                  DEBBIE WASSERMAN SCHULTZ, Florida\nJ. RANDY FORBES, Virginia\nSTEVE KING, Iowa\nTOM FEENEY, Florida\nTRENT FRANKS, Arizona\nLOUIE GOHMERT, Texas\n\n             Philip G. Kiko, Chief of Staff-General Counsel\n               Perry H. Apelbaum, Minority Chief Counsel\n                                 ------                                \n\n           Subcommittee on Commercial and Administrative Law\n\n                      CHRIS CANNON, Utah Chairman\n\nHOWARD COBLE, North Carolina         MELVIN L. WATT, North Carolina\nTRENT FRANKS, Arizona                WILLIAM D. DELAHUNT, Massachusetts\nSTEVE CHABOT, Ohio                   CHRIS VAN HOLLEN, Maryland\nMARK GREEN, Wisconsin                JERROLD NADLER, New York\nJ. RANDY FORBES, Virginia            DEBBIE WASSERMAN SCHULTZ, Florida\nLOUIE GOHMERT, Texas\n\n                  Raymond V. Smietanka, Chief Counsel\n\n                        Susan A. 
Jensen, Counsel\n\n                        Brenda Hankins, Counsel\n\n                   Mike Lenn, Full Committee Counsel\n\n                   Stephanie Moore, Minority Counsel\n\n\n                            C O N T E N T S\n\n                              ----------                              \n\n                              MAY 17, 2006\n\n                           OPENING STATEMENT\n\nThe Honorable Chris Cannon, a Representative in Congress from the \n  State of Utah, and Chairman, Subcommittee on Commercial and \n  Administrative Law\nThe Honorable Melvin L. Watt, a Representative in Congress from \n  the State of North Carolina, and Ranking Member, Subcommittee \n  on Commercial and Administrative Law\n\n                               WITNESSES\n\nMs. Maureen Cooney, Acting Chief Privacy Officer, U.S. Department \n  of Homeland Security, Washington, DC\n  Oral Testimony\n  Prepared Statement\nMs. Jane C. Horvath, Chief Privacy and Civil Liberties Officer, \n  U.S. Department of Justice, Washington, DC\n  Oral Testimony\n  Prepared Statement\nMs. Sally Katzen, Professor, George Mason University Law School, \n  Arlington, VA\n  Oral Testimony\n  Prepared Statement\nMs. Linda D. Koontz, Director, Information Management Issues, \n  U.S. Government Accountability Office, Washington, DC\n  Oral Testimony\n  Prepared Statement
\n\n          LETTERS, STATEMENTS, ETC., SUBMITTED FOR THE HEARING\n\nPrepared Statement of the Honorable Chris Cannon, a \n  Representative in Congress from the State of Utah, and \n  Chairman, Subcommittee on Commercial and Administrative Law\nPrepared Statement of the Honorable Melvin L. Watt, a \n  Representative in Congress from the State of North Carolina, \n  and Ranking Member, Subcommittee on Commercial and \n  Administrative Law\n\n                                APPENDIX\n               Material Submitted for the Hearing Record\n\nResponse to Post-Hearing Questions from Maureen Cooney, Acting \n  Chief Privacy Officer, U.S. Department of Homeland Security, \n  Washington, DC\nResponse to Post-Hearing Questions from Sally Katzen, Professor, \n  George Mason University Law School, Arlington, VA\nResponse to Post-Hearing Questions from Linda D. Koontz, \n  Director, Information Management Issues, U.S. Government \n  Accountability Office, Washington, DC\n\n\n  PRIVACY IN THE HANDS OF THE GOVERNMENT: THE PRIVACY OFFICER FOR THE \n    DEPARTMENT OF HOMELAND SECURITY AND THE PRIVACY OFFICER FOR THE \n                         DEPARTMENT OF JUSTICE\n\n                              ----------                              \n\n\n                        WEDNESDAY, MAY 17, 2006\n\n                  House of Representatives,\n                         Subcommittee on Commercial\n                            and Administrative Law,\n                                Committee on the Judiciary,\n                                                    Washington, DC.\n    The Subcommittee met, pursuant to notice, at 2:06 p.m., in \nRoom 2141, Rayburn House Office Building, the Honorable Chris \nCannon (Chairman of the Subcommittee) presiding.\n    Mr. Cannon. 
The Subcommittee will please come to order.\n    At the outset I want to note that immediately following the \nhearing, we have scheduled the markup of H.R. 2840, the \n``Federal Agency Protection of Privacy Act.''\n    Let me begin this hearing with an observation written in \n1787 by Alexander Hamilton, one of our Founding Fathers, and \none of the more interesting of them. He wrote: ``Safety from \nexternal danger is the most powerful director of national \nconduct. Even the ardent love of liberty will, after a time, \ngive way to its dictates. The violent destruction of life and \nproperty incident to war, the continual effort and alarm \nattendant on a state of continual danger, will compel nations \nthe most attached to liberty to resort for repose and security \nto institutions which have a tendency to destroy their civil \nand political rights. To be more safe, they at length become \nwilling to run the risk of being less free.''\n    Mr. Hamilton's comments are as insightful today as they \nwere when he wrote them more than two centuries ago.\n    In this post-9/11 world, it is no easy task to balance the \ncompeting goals of keeping our Nation secure while at the same \ntime protecting the privacy rights of our Nation's citizens.\n    As many of you know, the protection of personal information \nin the hands of the Federal Government has long been a top \npriority for my Subcommittee, the Subcommittee on Commercial \nand Administrative Law. Under the leadership of House Judiciary \nCommittee Chairman Sensenbrenner, our Subcommittee has played a \nmajor role in protecting personal privacy and civil liberties.\n    Our accomplishments to date include the establishment of \nthe first statutorily created privacy office in a Federal \nagency, namely, the Department of Homeland Security. 
That \noffice has since earned plaudits from both the private and \npublic sectors, including the GAO.\n    Just this week, the DHS Privacy Office submitted to \nCongress a comprehensive assessment of the impact of automatic \nselectee and so-called no-fly lists for airline passengers on \nprivacy and civil liberties. While these lists can be useful \ntools for preventing terrorist activity endangering the safety \nof airline passengers and others, the collection of personal \ninformation to create these tools could raise concerns about \ntheir impact on privacy and civil liberties. I think we will be \ninterested to hear Ms. Cooney's summary of this report as part \nof today's hearing.\n    Inspired by the successes of the DHS Privacy Office, our \nSubcommittee also spearheaded the creation of a similar \nfunction in the Justice Department, which was signed into law \nin January of this year. Ms. Horvath, another of our witnesses, \nwas appointed to fill this important position on February 21. \nWe also look forward to hearing from Ms. Horvath about her \nviews and goals as the Chief Privacy and Civil Liberties \nOfficer for the Justice Department.\n    To supplement these efforts, our Subcommittee has also \nconducted oversight hearings on the subject of the Government's \nuse of personal information. These include a hearing held on \nthe 9/11 Commission's privacy-related recommendations as well \nas a hearing held just last month on the respective roles that \nthe Federal Government and information resellers have with \nrespect to personal information collected in commercial \ndatabases.\n    As technological devices increasingly facilitate the \ncollection, use, and dissemination of personally identifiable \ninformation, the potential for misuse of such information \nescalates. 
Five years ago, the GAO warned: ``Our Nation has an \nincreasing ability to accumulate, store, retrieve, cross-\nreference, analyze, and link vast numbers of electronic records \nin an ever faster and more cost-efficient manner. These \nadvances bring substantial Federal information benefits as well \nas increasing responsibilities and concerns.''\n    Unfortunately, the GAO continues to find, as we learned \nfrom our hearing last month, that Federal agencies' compliance \nwith the Privacy Act and other requirements is, to quote, \n``uneven.''\n    It is against this complex but exceedingly interesting \nbackdrop that we are holding this hearing today.\n    I now turn to my colleague, Mr. Watt, the Ranking Member of \nthe Subcommittee, and ask him if he has any opening remarks. \nBut before I recognize him, I just want to say that we \nappreciate working with Mr. Watt on these issues. He has been \na--this Committee has worked well together, and he has been a \ngreat support and addition. And with that, Mr. Watt, I \nrecognize you for an opening statement for 5 minutes.\n    [The prepared statement of Mr. Cannon follows:]\n Prepared Statement of the Honorable Chris Cannon, a Representative in \n    Congress from the State of Utah, and Chairman, Subcommittee on \n                   Commercial and Administrative Law\n    Let me begin this hearing with an observation written in 1787 by \nAlexander Hamilton, one of our Founding Fathers. He wrote:\n\n        ``Safety from external danger is the most powerful director of \n        national conduct. Even the ardent love of liberty will, after a \n        time, give way to its dictates. 
The violent destruction of life \n        and property incident to war, the continual effort and alarm \n        attendant on a state of continual danger, will compel nations \n        the most attached to liberty to resort for repose and security \n        to institutions which have a tendency to destroy their civil \n        and political rights. To be more safe, they at length become \n        willing to run the risk of being less free.''\n\n    Mr. Hamilton's comments are as insightful today as they were when \nhe wrote them more than two centuries ago.\n    In this post-September 11th world, it is no easy task to balance \nthe competing goals of keeping our nation secure while at the same time \nprotecting the privacy rights of our nation's citizens.\n    As many of you know, the protection of personal information in the \nhands of the federal government has long been a top priority for my \nSubcommittee--the Subcommittee on Commercial and Administrative Law. \nUnder the leadership of House Judiciary Committee Chairman \nSensenbrenner, our Subcommittee has played a major role in protecting \npersonal privacy and civil liberties.\n    Our accomplishments to date include the establishment of the first \nstatutorily-created privacy office in a federal agency, namely the \nDepartment of Homeland Security. That office has since earned plaudits \nfrom both the private and public sectors, including the GAO.\n    Just this week, the DHS Privacy Office submitted to Congress a \ncomprehensive assessment of the impact of automatic selectee and so-\ncalled ``no-fly'' lists for airline passengers on privacy and civil \nliberties. While these lists can be useful tools for preventing \nterrorist activity endangering the safety of airline passengers and \nothers, the collection of personal information to create these tools \ncould raise concerns about their impact on privacy and civil liberties. \nI think we will be very interested to hear Ms. 
Cooney's summary of this \nreport as part of today's hearing.\n    Inspired by the successes of the DHS Privacy Office, our \nSubcommittee also spearheaded the creation of a similar function in the \nJustice Department, which was signed into law in January of this year. \nMs. Horvath, another of our witnesses, was appointed to fill this \nimportant position on February 21st. We also look forward to hearing \nfrom Ms. Horvath about her views and goals as the Chief Privacy and \nCivil Liberties Officer for the Justice Department.\n    To supplement these efforts, our Subcommittee has also conducted \noversight hearings on the subject of the government's use of personal \ninformation. These include a hearing held on the 9/11 Commission's \nprivacy-related recommendations as well as a hearing held just last \nmonth on the respective roles that the federal government and \ninformation resellers have with respect to personal information \ncollected in commercial databases.\n    As technological developments increasingly facilitate the \ncollection, use, and dissemination of personally identifiable \ninformation, the potential for misuse of such information escalates. \nFive years ago, the GAO warned:\n\n        ``Our nation has an increasing ability to accumulate, store, \n        retrieve, cross-reference, analyze, and link vast numbers of \n        electronic records in an ever faster and more cost-efficient \n        manner. These advances bring substantial federal information \n        benefits as well as increasing responsibilities and concerns.''\n\n    Unfortunately, the GAO continues to find--as we learned from our \nhearing last month--that federal agencies' compliance with the Privacy \nAct and other requirements is ``uneven.''\n    It is against this complex, but exceedingly interesting backdrop \nthat we are holding this hearing today.\n\n    Mr. Watt. Thank you, Mr. 
Chairman, and I am going to ask \nthat my civil written statement be put in the record.\n    Mr. Cannon. Without objection, so ordered.\n    [The prepared statement of Mr. Watt follows:]\nPrepared Statement of the Honorable Melvin L. Watt, a Representative in \n    Congress from the State of North Carolina, and Ranking Member, \n           Subcommittee on Commercial and Administrative Law\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mr. Watt. Thank you, sir, and then I'm going to stray to \nmake some less civil remarks, so you might have bragged too \nearly because I'm feeling a sense of frustration here.\n    I'm reflecting back to a point several terms ago when \neyebrows were raised by the fact that Representative Bob Barr, \none of the, quote-unquote, more conservative Members of this \nCommittee, and Representative Mel Watt, quote-unquote, one of \nthe more liberal Members of this Committee, met out here in \nfront of the Capitol and had a press conference about a bill \nthat is this bill.\n    Well, we marked it up, and Mr. Barr is now gone on into the \nprivate sector. The year after he left, we marked it up again. 
\nAnd, you know, at some point we're going to have to do \nsomething on this issue more than mark up this bill in the \nSubcommittee if we are going to begin to be serious about doing \nwhat we need to do, it seems to me.\n    And so it is from that that I am feeling this great sense \nof frustration that I am beginning to get the feeling that any \ntime some of my colleagues want to feel like they want to say \npublicly that they are doing oversight over our Government or \ninterested in protecting privacy rights, the way to do that is \nto put this bill back on for another hearing and another \nmarkup, and then next term of Congress we'll be back doing the \nsame thing over and over again as we now have been doing--\nwhat?--two or three, maybe--I don't know how many terms of \nCongress we've marked this bill up and had hearings on it.\n    So if I'm feeling a little frustrated, it's not because I \ndon't think this is something important. It is more important \ntoday than it was when we started three or four terms of \nCongress ago.\n    Yeah, we thought the Government was doing some things to \ninvade the privacy rights of individuals, but we certainly--our \nGovernment wasn't getting a list of everybody's phone numbers \nand monitoring phone calls within the United States. So this \nhas gone to a level that is so far beyond what we anticipated \nor thought about or thought we were addressing at the time we \noriginally introduced this bill. And yet here we are having \nanother hearing, marking up the bill in our Subcommittee, and \nso I guess maybe I should make a commitment not to be back here \nnext term of Congress doing the same thing that we've done now \nseveral times. 
Unless we are going to be serious about pushing \nthis legislation and getting it considered in the full \nCommittee in the House, in the Senate, this may be just another \nshow that some of our Members think is time to make another \npublic demonstration that we are concerned about the privacy \nrights of our citizens and the possibility that the \nGovernment--the probability--the reality that the Government is \nway over there beyond where they ought to be on invading those \nprivacy rights.\n    So I will--I've put my civilized statement in the record, \nMr. Chairman. I've made my uncivilized statement. But believe \nme, I'm just frustrated about where we are on this issue \nbecause we've had hearing after hearing, we've had markup after \nmarkup, but we still don't have any real results to show for \nit.\n    So, with that, I yield back.\n    Mr. Cannon. The record of this hearing should reflect the \nChairman's view that even when Mr. Watt intends to be uncivil, \nhe is an awfully civil human being.\n    I hope that the gentleman is not suggesting that there is \nany lack of commitment on my part to this bill, and I point out \nthat actually we've changed the rules recently that allows us \nnow on this side of the Hill to criticize the other side of the \nHill for its lack of action. We've actually passed this bill on \nthe House side from the whole--the House of Representatives has \npassed it out. It has not been acted on by the Senate. The \nSenate is a complicated body, and we hope that by passing this \nagain, and maybe again and again--we actually passed the \nBankruptcy Act eight times before they passed it on the other \nside. So I agree with the gentleman and his concerns and wish \nthat this issue were actually behind us. 
And hopefully we'll \ntake that step today to do that.\n    I just might also point out that there's a difference \nbetween monitoring phone calls and comparing numbers that \npeople are calling to connect those phone calls to our enemies \noutside the country, without arguing for the rightness of any \nof that, just to make the distinction on the record here.\n    Without objection, all Members may place their statements \nin the record at this point. Hearing no objection, so ordered.\n    Without objection, the Chair will be authorized to declare \nrecesses of the hearing at any point. Hearing no objection, so \nordered.\n    I ask unanimous consent that the Members have 5 legislative \ndays to submit written statements for inclusion in today's \nrecord. Hearing no objection, so ordered.\n    I'm now pleased to introduce the witnesses for today's \nhearing, three of whom have previously testified before our \nSubcommittee. We welcome you back and appreciate your continued \nassistance to our Subcommittee.\n    Our first witness is Maureen Cooney, the Acting Chief \nPrivacy Officer for the Department of Homeland Security. As I \npreviously noted, the Subcommittee played a major role in \nestablishing Ms. Cooney's office at DHS. The legislation \ncreating her office not only mandated the appointment of a \nPrivacy Officer, but specified the officer's responsibilities.\n    One of the principal responsibilities of the DHS Privacy \nOfficer as set out by statute is the duty to assure that ``the \nuse of technologies sustain, and do not erode, privacy \nprotections relating to the use, collection, and disclosure of \npersonal information.'' In addition, the Privacy Officer must \nassure that personal information is handled in full compliance \nwith the Privacy Act and assess the privacy impact of the \nDepartment's proposed rules.\n    Before joining DHS' Privacy Office, Ms. Cooney worked on \ninternational privacy and security issues at the U.S. 
Federal \nTrade Commission where she served as a principal liaison to the \nEuropean Commission for privacy issues, a very difficult and \nburdensome task, I'm sure, especially eating in French \nrestaurants on occasion. I hope you had that opportunity. You \ndon't need to--no incriminating statement is due on that.\n    She also played a major role in the revision of the \nguidelines for information systems and networks for the \nOrganization of Economic Cooperation and Development. Prior to \nthat assignment, Ms. Cooney worked on privacy and security \nissues with the Treasury Department and at the Office of the \nComptroller of the Currency. Ms. Cooney received her bachelor's \ndegree in American Studies from Georgetown University and her \nlaw degree from Georgetown University Law Center.\n    Our next witness is Jane Horvath, the recently appointed \nChief Privacy Officer and Civil Liberties Officer for the \nDepartment of Justice. In this capacity, Ms. Horvath is \nresponsible for reviewing the Justice Department's compliance \nwith the privacy laws and with developing the Department's \nprivacy policies. In addition to safeguarding privacy, Ms. \nHorvath oversees the Department's policies relating to the \nprotection of individual civil liberties, specifically in the \ncontext of DOJ's counterterrorism and law enforcement efforts. \nThese are really awesome responsibilities. Before joining the \nJustice Department, Ms. Horvath was the Director of the \nWashington, D.C., Office of Privacy Laws and Business, a \nprivacy consulting firm. While there, she focused on advising \nU.S. companies on international privacy trends among other \nmatters. Ms. Horvath received her undergraduate degree from the \nCollege of William and Mary and her law degree from the \nUniversity of Virginia.\n    Professor Sally Katzen is our next witness. Ms. Katzen is a \nvisiting professor at George Mason University Law School as \nwell as the Sachs Scholar at Johns Hopkins University. 
Next \nyear, she will be a Public Interest, Public Service Faculty \nFellow at the University of Michigan Law School. Prior to \njoining academia in 2001, Professor Katzen was responsible for \ndeveloping privacy policy for the Clinton administration for \nnearly a decade. As the Administrator of the Office of \nInformation and Regulatory Affairs at the Office of Management \nand Budget, she was effectively the chief information office--\npolicy official for the Federal Government. Her \nresponsibilities included developing Federal privacy policies. \nProfessor Katzen later served as the Deputy Assistant to the \nPresident for Economic Policy and Deputy Director of the \nNational Economic Council in the White House. Thereafter, she \nbecame the Deputy Director for Management at OMB. Before \nembarking on her public service career, Professor Katzen was a \npartner in the Washington, DC, law firm of Wilmer, Cutler and \nPickering, where she specialized in regulatory and legislative \nmatters. Professor Katzen graduated magna cum laude from Smith \nCollege and magna cum laude from the University of Michigan Law \nSchool, where she was editor in chief of the Law Review. \nFollowing her graduation from law school, she clerked for Judge \nJ. Skelly Wright of the United States Court of Appeals for the \nDistrict of Columbia Circuit.\n    Our final witness is Linda Koontz, who is the Director of \nGAO's Information Management Issues Division. In that capacity, \nshe is responsible for issues regarding the collection and use \nand dissemination of Government information. Ms. Koontz has led \nGAO's investigations into the Government's data-mining \nactivities as well as e-Government initiatives. In addition to \nobtaining her bachelor's degree from Michigan State University, \nMs. Koontz received certification as a Government financial \nmanager.\n    I extend to each of you my warm regards and appreciation \nfor your willingness to participate in today's hearing. 
In \nlight of the fact that your written statements will be included \nin the hearing record, I request that you limit your oral \nremarks to 5 minutes. Accordingly, please feel free to \nsummarize highlights of your--or highlight the salient points \nof your testimony. You will note that we have a lighting system \nthat starts with a green light. After 4 minutes, it turns to a \nyellow light, and then at 5 minutes, it turns to a red light. \nIt is my habit to tap the gavel at 5 minutes. We'd appreciate \nit if you'd finish up your thoughts within that time frame. We \ndon't like to cut people off in their thinking, but I find that \nit works much better if everybody knows that 5 minutes is 5 \nminutes. So if you could wrap it up by that time, the time we \nget there, I would appreciate that, and I will try to be \nconsistent in my tapping, and that includes for other Members \nof the Committee, who are given 5 minutes to ask questions. \nThis is not like an ironclad rule, by the way. Just we actually \nare interested in what you have to say, not in the clock.\n    After you've presented your remarks, the Subcommittee \nMembers, in the order they arrived, will be permitted to ask \nquestions of the witnesses, subject to the 5-minute limit.\n    Pursuant to the direction of the Chairman of the Judiciary \nCommittee, I ask the witnesses to please stand and raise your \nright hand to take the oath.\n    [Witnesses sworn.]\n    Mr. Cannon. The record should reflect that each of the \nwitnesses answered in the affirmative, and you may be seated.\n    Ms. Cooney, would you now please proceed with your \ntestimony?\n\nTESTIMONY OF MAUREEN COONEY, ACTING CHIEF PRIVACY OFFICER, U.S. \n        DEPARTMENT OF HOMELAND SECURITY, WASHINGTON, DC\n\n    Ms. Cooney. Thank you. Chairman Cannon, Ranking Member \nWatt, and Members of the Committee, good afternoon. 
Thank you \nfor the opportunity to speak to the issue of privacy in the \nhands of the Federal Government and most specifically on \nactivities at the Department of Homeland Security, the role of \nthe Chief Privacy Officer, and initiatives led by the \nDepartment's Privacy Office.\n    As the Subcommittee well knows, the Department of Homeland \nSecurity was the first Federal agency to have a statutorily \nrequired Privacy Officer. We appreciate the support of this \nCommittee. The inclusion of a senior official accountable for \nprivacy policy and protections honors the value placed on \nprivacy as an underpinning of our American freedoms and \ndemocracy. It also reflects Congress' understanding of the \ngrowing sensitivity and awareness of the ubiquitous nature of \npersonal data, flows in both private and public sectors, and a \nrecognition of the impact of those data flows upon our \ncitizens' lives.\n    At the most recent meeting of the Department's Data Privacy \nand Integrity Advisory Committee, which was created to advise \nthe Secretary and the Chief Privacy Officer on significant \nprivacy issues, Secretary Chertoff noted that the Department \nhas the opportunity to build into the sinews of this \norganization respect for privacy and a thoughtful approach to \nprivacy.\n    Secretary Chertoff expressed a belief that I share. We want \nthe Government to be a protector of privacy, and we want to \nbuild security regimes that maximize privacy protection and \nthat do it in a thoughtful and meaningful way. 
If done right, \nit will be not only a long-lasting ingredient of what we do in \nHomeland Security but a very good template for what Government \nought to do in general when it comes to protecting people's \npersonal autonomy and privacy.\n    The Chief Privacy Officer and the DHS Privacy Office have a \nspecial role working in partnership and collaboration across \nthe Department to integrate privacy into the consideration of \nthe ways in which the Department assesses its programs and uses \ntechnologies, handles information, and carries out our \nprotective mission.\n    The Privacy Office has oversight of privacy policy matters \nand information disclosure policy, including compliance with \nthe Privacy Act of 1974, the Freedom of Information Act, and \nthe completion of privacy impact assessments on all new \nprograms or new collections of personal information as required \nby the E-Government Act of 2002 and section 222 of the Homeland \nSecurity Act of 2002.\n    The Privacy Office also evaluates new technologies used by \nthe Department for their impact on personal privacy. Further, \nthe Chief Privacy Officer reports directly to the Secretary and \nis required to report to Congress on these matters, as well as \non complaints about possible privacy violations.\n    At this point, if I may, I would like to amplify my written \ntestimony by speaking for a few minutes about the U.S. privacy \nframework that applies to the Federal space. In tandem, the \nPrivacy Act of 1974, the Freedom of Information Act that \npromotes transparency of Government operations and \naccountability, a significant privacy principle, and the E-\nGovernment Act of 2002 that augmented the Privacy Act by \noperationalizing privacy reviews for all new major data \ncollection systems or significant changes to information \nsystems provide a robust umbrella of privacy protections for \nwhich the United States can be proud and which I believe is \nsecond to none in the Government space. 
Notice, transparency, \nand accountability are key to our work in the privacy area.\n    Today, I'm very happy to address our efforts in this regard \nwith respect to the activities of the Department of Homeland \nSecurity from a seat at the table during the investment review \nprocess at DHS for technology acquisitions and program funding, \nthrough all steps of the technology and program lifecycle \ndevelopment process, the use of PIAs to integrate privacy \nconsiderations into standards, strategic planning for programs \nat the Department, and notice to the public through systems of \nrecord notices, to audits and oversight and the development of \npolicy guidance and implementation on key data issues.\n    I thank you again for the opportunity to share the \naccomplishments of the DHS Privacy Office, which I have noted \nin our written testimony, and hope to demonstrate through both \nthe written and oral testimony the importance of privacy in the \nhands of the Department of Homeland Security and how important \nit is as a part of our culture. We appreciate the support this \nSubcommittee has given to our office and look forward to \nworking with you on matters of mutual interest and concern.\n    Thank you again.\n    [The prepared statement of Ms. Cooney follows:]\n                  Prepared Statement of Maureen Cooney\n    Chairman Cannon, Ranking Member Watt, and Members of the \nSubcommittee, I am delighted to be back before you today to discuss \nPrivacy in the Hands of the Government as it pertains to activities of \nthe Department of Homeland Security and the efforts of the Privacy \nOffice. 
Building privacy attentiveness into the very sinews of our \nstill young agency is a responsibility that we take seriously at DHS.\n    In the eight months that I have served as Acting Chief Privacy \nOfficer, within the Privacy Office we have continued to develop and \noperationalize privacy policy for the Department, consistent with our \nstatutory mission in Section 222 of the Homeland Security Act and with \nsupport and partnership throughout the Department. And as I hope the \nfollowing testimony will demonstrate, we have been actively \nimplementing our statutory responsibilities as part of the larger \nmission of the Department. By ensuring that the Department's programs, \npolicies, personnel, and technologies account for and embrace fair \ninformation principles--the use of personal information for legitimate, \ntailored, and sound purposes--the Privacy Office has worked to enhance \npublic trust in the Department and to ensure the protection of an \nessential right of our people.\n    My predecessor, Nuala O'Connor Kelly, testified before this \nSubcommittee in February 2004, and outlined the first year activities \nof the DHS Privacy Office. I would like to update the Subcommittee on \nour continued work since that time and our plans for future \ninitiatives.\n    The Privacy Office has focused on making privacy an integral part \nof DHS operations. We often use the phrase ``operationalizing privacy'' \nto describe these efforts. We want DHS personnel to think about privacy \nevery time they consider the collection, use, maintenance or disclosure \nof personally identifiable information. 
Our efforts to operationalize \nprivacy have encompassed a number of activities.\n              operationalizing privacy through compliance\n    One way to operationalize privacy is to ensure that DHS is fully \ncompliant with statutory privacy requirements and the DHS Privacy \nOffice has been actively engaged in this effort.\n    In my previous appearance before the Subcommittee, which focused on \nthe use by the government of data from information resellers, I \noutlined for the Subcommittee how we have used the E-Government Act of \n2002's requirement that Privacy Impact Assessments be conducted for new \nor substantially revised information systems to make sure that privacy \nis built into DHS programs and that there is transparency about the \ntypes of information used by DHS as well as the purposes for which the \ninformation is used. PIAs are fundamental in making privacy an \noperational element within the Department and we have fully utilized \nthis tool to embed privacy as part of DHS operations.\n    To do this, we have updated and refined our guidance on conducting \nPrivacy Impact Assessments and have distributed it widely both \ninternally to DHS offices and programs and externally to other \nagencies. Along with the guidance, we also have issued a template for \nDHS offices to follow in drafting Privacy Impact Assessments. We have \nfully utilized our Privacy Office website for transparency purposes and \nhave posted these documents so that the public is also aware of our \nguidance.\n    ``Imitation is the sincerest form of flattery,'' according to an \nold expression, and I am happy to report that the DHS Privacy Office's \nPIA Guidance has served as the basis for other agencies' PIA \nactivities. 
For example, our PIA template served as the basis for a \nmodel PIA for HSPD-12 (Common Identification Standards for Federal \nEmployees) implementation, which was distributed by the Office of \nManagement and Budget through its Interagency Privacy Committee. In \naddition, other federal agencies have requested to liberally borrow the \nguidance and we are happy to be able to share it and to add to \ngovernment efficiency and harmonization of approaches to privacy in the \ngovernment space.\n    In addition to requiring that DHS programs conduct Privacy Impact \nAssessments for new or substantially revised programs, privacy is one \nof the issues that must be addressed before funding is awarded to a \nprogram that involves the collection, use and maintenance of personally \nidentifiable information. The Privacy Office provides significant \nsupport to the DHS Office of the Chief Information Officer (OCIO) in \nthe budget process by ensuring that all proposed spending on \ninformation technology investments that involve personally identifiable \ninformation meets privacy requirements. Not only are our programs \nrequired to complete a Privacy Threshold Analysis, which helps us to \ndetermine whether a full Privacy Impact Assessment is necessary, but \nfunding for DHS programs through the budget process cannot go forward \nwithout program compliance with privacy mandates. The DHS Privacy \nOffice therefore has a strong ``stick'' to accompany the ``carrot'' of \nfunding to ensure that privacy becomes operationalized in DHS programs.\n    Privacy compliance reviews are another important tool for \noperationalizing privacy into DHS programs, and during this past year, \nthe Privacy Office undertook the first privacy review of what we expect \nto be many when we analyzed compliance by the U.S. Customs and Border \nProtection (CBP) with its Passenger Name Record (PNR) Undertakings. 
\nThese Undertakings were provided by CBP to the European Commission in \norder to demonstrate that CBP has adequate privacy protocols in place \nto protect personally identifiable information as a condition precedent \nto receiving PNR information about European airline passengers. Based \non the Undertakings, the EU agreed to share passenger name record \ninformation with CBP in order to fight terrorism and other serious \ncrimes as well as to facilitate transatlantic travel.\n    The Privacy Office's compliance review consisted of a full analysis \nof CBP policies and procedures, interviews with key managers and staff \nwho handle PNR, and a technical review of CBP systems and \ndocumentation. This compliance review occurred over a several-month \nperiod and as a result of changes recommended by the Privacy Office or \nmade unilaterally by CBP, we were able to conclude that CBP achieved \nfull compliance with the representations it had made in the \nUndertakings. This finding was the primary factor in the ability of the \nPrivacy Office to conclude a successful joint review, with \nrepresentatives of the EU, of CBP's compliance with the US-EU PNR \nAgreement.\n    We conducted a different kind of compliance review when we examined \nthe use of commercial data by the Transportation Security \nAdministration (TSA) in connection with the Secure Flight Program after \nprivacy concerns were raised by the Government Accountability Office. \nWe analyzed whether TSA's public notices about this use of commercial \ndata for testing purposes matched the actual test protocols and made \nrecommendations, as a result of this review. 
The Privacy Office \ncontinues to work closely with TSA to implement privacy statutory \nrequirements and best practices in the design and implementation of \nthis as well as other TSA screening programs.\n    In compliance with the requirements of the Computer Matching and \nPrivacy Protection Act, as amended, the Privacy Office established a \nPrivacy and Data Integrity Board to approve matching agreements \nundertaken by DHS components, as required by law, and to weigh in on \nprivacy policy issues of interest and concern to the Department. Our \nBoard held several meetings at which we discussed ideas for responsible \ninformation handling, and the Board was instrumental in assisting the \nPrivacy Office in completing several required reports.\n    Ensuring publication of appropriate Privacy Act systems of records \nnotices (SORNs) rounded out the Privacy Office's compliance activities. \nThese notices, in fact, necessarily are a regular and ongoing part of \nthe Privacy Office's work and of our statutory obligation to ensure \nthat the Department maintains personally identifiable information in \nconformity with the requirements of the Privacy Act.\n               operationalizing privacy through education\n    A significant way to increase privacy awareness and ensure that it \nis embedded in DHS is through education and training. The Privacy \nOffice trains all new DHS employees as part of their overall \norientation to the Department. We continue to develop, moreover, more \nrobust training courses to be provided to all DHS employees and \ncontractors to augment their privacy background and to raise awareness \nand sensitivity about the importance of the respectful use of personal \ninformation by the Department. And we have conducted training on \nPrivacy Impact Assessment requirements for individual DHS offices, \ninformation technology managers, business managers, and systems \nanalysts. 
Establishing the lines of communication between DHS personnel \nand our office through these training programs helps us to get our \nmessage across and helps employees to be sensitized to proper \ninformation handling techniques.\n    Our component privacy officers also make sure that employees in our \ncomponents and offices are provided robust privacy training. I would be \nremiss, in fact, if I didn't emphasize the close collaboration and \nrapport our office has with other privacy officers in the Department, \nwho were installed at our urging and who help the DHS Privacy Office \ncarry out our important work.\n    In addition to our general education and training programs, the \nPrivacy Office has conducted two workshops intended to raise privacy \nawareness among DHS personnel as well as the public. These workshops \nhave drawn subject matter experts together to discuss privacy issues \nraised by homeland security programs. The issues we have explored are \nboth relevant and topical. We have posted both transcripts and \nsummaries of our activities on our website.\n    I mentioned in my April 4, 2006 testimony before this Subcommittee \nthat we had conducted a workshop on the government's use of commercial \ndata for homeland security purposes. The objective of that workshop was \nto look at the policy, legal and technology issues associated with the \ngovernment's use of commercial data in homeland security programs. Just \nlast week our Privacy and Data Integrity Board held preliminary \ndiscussions on development of a policy regarding the use of commercial \ndata by DHS, and the information we gleaned from our workshop will be \nhelpful as we move forward on this vital issue.\n    Last month, we conducted another workshop on the use of personal \ninformation by the government and how we can achieve transparency and \naccountability. 
This workshop sparked discussions about the utility of \nprivacy notices to accomplish transparency and how those notices can be \nwritten in a way that is comprehensible while it is also comprehensive. \nWe also discussed the utility of the Freedom of Information Act for \nfostering accountability through access to information about \nindividuals that is maintained by the government. We were fortunate to \nhave several panel members from other nations who could contribute a \nglobal perspective on this issue. Again, the workshop complemented our \ninternal training efforts to raise privacy awareness and also served an \nimportant educational function to improve public understanding of DHS \nprograms.\n                    information sharing and outreach\n    Information sharing has become a significant focus of the DHS \nPrivacy Office. The Intelligence Reform and Terrorism Prevention Act \nestablished requirements for an information sharing environment. This \nlegislative mandate augmented Executive Orders and Homeland Security \nDirectives issued by President Bush all aimed at fostering a climate of \nrobust exchanges of terrorism related information in a privacy \nsensitive manner. Executive Order 13356, for example, directed all \ndepartments and agencies to enhance the interchange of terrorism-\nrelated information within the Federal government and between the \nFederal government and appropriate authorities of state and local \ngovernments. The DHS Privacy Office led the effort to integrate privacy \nprotections into the planning process supporting the implementation of \nthis Executive Order.\n    Similarly, the DHS Privacy Office led the effort within DHS to \nintegrate privacy protections at the earliest stages of implementing \nHSPD-11, a Presidential directive that concerns terrorist-related \nscreening procedures. 
Within DHS, moreover, the Privacy Office has \nsupported the work of the Information Sharing and Collaboration Office \n(ISCO), which was established to lead the creation of a DHS information \nsharing environment. The Privacy Office provided both resources and \nguidance to ISCO to help create a set of business rules for sharing \npersonal information in a way that minimizes privacy intrusions while \nmaximizing use of the data for homeland security purposes.\n    The Privacy Office also participated in a number of interagency \nactivities designed to foster inter-agency exchanges of information on \nprivacy technologies and other privacy issues. We chair, for example, \nthe Social, Legal and Privacy Subgroup of the National Science and \nTechnology Council's (NSTC) Subcommittee on Biometrics. Established by \nExecutive Order, NSTC is the principal means by which the President \ncoordinates science, space, and technology policy across the \ngovernment. NSTC's Subcommittee on Biometrics has examined issues \nrelated to the development and use of biometric technologies in the \nFederal government and the Social, Legal and Privacy Subgroup was \nresponsible for developing a rich, centralized repository of \ninformation about the social history of biometrics, the legal framework \nthat applies to the collection and use of biometrics, and the privacy \nprinciples that should govern the responsible use of this technology. \nAnalysis of this repository and actual implementations resulted in a \npaper that connects privacy and biometrics at a structural level so \nthat both fields can be understood within a common framework, thus \nenabling federal agencies and public entities to implement privacy-\nprotective biometric systems.\n    We have also begun coordinating with the White House's Privacy and \nCivil Liberties Oversight Board on information sharing and other \nrelevant issues. 
Through this work, the DHS Privacy Office is able to \nfoster interagency cooperation, coordination and collaboration on \nprivacy matters.\n    The Privacy Office has also reached out to experts in the private \nsector to help us understand programmatic, policy, operational and \ntechnology issues that affect privacy, data integrity, and data \ninteroperability. To that end, in April 2004, the Department chartered \nthe Data Privacy and Integrity Advisory Committee (DPIAC) under the \nauthority of the Federal Advisory Committee Act to provide an external and \nexpert perspective to the Secretary and Chief Privacy Officer. The DHS \nPrivacy Office provides administrative and managerial support to the \nDPIAC. In return, the Committee has provided significant advice to the \nChief Privacy Officer and the Secretary on important privacy \nconsiderations. The Committee offered its recommendations on TSA's \nSecure Flight Program, which have helped the DHS Privacy Office to \nformulate its own advice on this significant initiative. The Committee \nalso provided guidance on the Use of Commercial Data to Reduce False \nPositives in Screening Programs, which will help inform any final \npolicy that the Privacy Office recommends on this important topic. We \nexpect to continue to get advice from the Committee on other issues of \ninterest to the Department.\n                       international initiatives\n    Because the work of the Department is both national and \ninternational in scope, the work of the DHS Privacy Office is equally \nbroad. The primary goal of the DHS Privacy Office's international \nactivities has been to convey to the global community the importance of \nfair information practices to our office, the Department and the \nnation. We have devoted significant resources to working with programs \nin multilateral global forums, such as the OECD, as well as region-centric \ninternational organizations such as the Asian Pacific Economic \nCooperation forum (APEC). 
In addition, of course, the Privacy Office \nworks with the European Union and on issues raised by the Joint \nSupervisory Body representatives of Europol and Eurojust.\n    We have had substantial input on a number of international privacy \ninitiatives, including the Enhanced International Travel Security \nInitiative (EITS), under the leadership of DHS's Science and Technology \nDirectorate and US-VISIT, and real-time sharing of lost and stolen \npassports in a way that properly protects privacy, through an APEC-\nsponsored initiative known as the Regional Movement Alert List. The \nPrivacy Office also works more generally within international \norganizations to shift the international privacy dialogue away from \nconflicting laws to compatible privacy principles in order to foster \ninformation sharing for homeland security and other necessary purposes. \nOur work has been helpful in improving international opinion regarding \nthe United States Government's attention to privacy principles in the \ndesign and operation of information systems.\n                           future activities\n    As I hope the foregoing demonstrates, the DHS Privacy Office takes \na comprehensive approach to its statutory mission and has worked on a \nwide range of initiatives to ensure that privacy policy concerns are \npart of the necessary dialogue on the development and implementation of \nhomeland security programs. We have been fortunate that Congress has \nprovided funding to allow us to expand our staff of dedicated privacy \nprofessionals whose credentials rival those of anyone in the government \nor the private sector. And we are energized as we look ahead to some \nfuture activities.\n    We recently completed a draft of a report on data mining, which is \nrequired by the 2005 DHS Appropriations Act, and we expect to continue \nour study of data mining programs at the Department in the coming year. 
\nData mining can be a useful and important tool in the war against \nterrorism, and we are committed to ensuring that this technique is used \nresponsibly and appropriately at DHS.\n    We have already planned our next privacy workshop to focus on \nPrivacy Impact Assessments. This timely session will enable DHS program \nofficers to comply with the privacy requirements necessary for approval \nof their funding requests. We are also finalizing arrangements for the \nnext DPIAC meeting, which will be held in California, and which will \nfocus on expectations of privacy in public spaces and the use of RFID \ntechnology, two issues that have significant ramifications for \nDepartmental activities.\n    We plan to work closely with the OCIO to build privacy protections \ninto every system across DHS, and we intend to collaborate with the \nScience and Technology Directorate to add privacy protections to the \napproval process for new homeland security research initiatives.\n    Because they are our ``bread and butter'' issues, the DHS Privacy \nOffice will also continue to work to ensure that individual programs \nsustain and enhance privacy protections through strict compliance with \nthe PIA and SORN requirements of federal law. We will continue to \nrefine our privacy guidance and enhance our privacy training \ninitiatives to foster a culture of privacy awareness within the agency.\n    We expect to complete development of a policy for the respectful \nand appropriate use of commercial data for homeland security purposes. \nAnd we anticipate that in the international arena, we will continue to \nbe an important voice for the development of privacy-appropriate cross-\nborder information sharing policies.\n    Thank you for the opportunity to share the accomplishments of the \nDHS Privacy Office and to demonstrate, through this testimony, the \nimportance of privacy ``in the hands'' of the Department of Homeland \nSecurity. 
We appreciate the support this Subcommittee has given to our \noffice and look forward to working with you on matters of mutual \ninterest and concern.\n\n    Mr. Cannon. Thank you, Ms. Cooney.\n    Ms. Horvath, you are recognized for 5 minutes.\n\nTESTIMONY OF JANE C. HORVATH, CHIEF PRIVACY AND CIVIL LIBERTIES \n      OFFICER, U.S. DEPARTMENT OF JUSTICE, WASHINGTON, DC\n\n    Ms. Horvath. Mr. Chairman and Members of the Subcommittee, \nthank you for inviting me to testify regarding the Department \nof Justice Privacy and Civil Liberties Office in connection \nwith the Committee's hearing.\n    I started as the Department of Justice's Chief Privacy and \nCivil Liberties Officer on February 21, 2006. I am responsible \nfor Department-wide protection of privacy and civil liberties. \nDuring my first 30 days at the Department of Justice, we \nassessed the existing privacy and civil liberties functions at \nthe Department. I met with senior officials of the DOJ \ncomponents that had either privacy or civil liberties \nresponsibilities within the Department. At all of these \nmeetings, I was welcomed with enthusiasm. I received detailed \nbriefings regarding their privacy and civil liberties efforts. \nFrom those meetings, we were able to determine priorities for \nthe Office of Privacy and Civil Liberties.\n    After meeting with the Chief Information Officer, we \ndecided to centralize the privacy impact assessment process. We \ndetermined that the PIA process within the Department would be \nmuch more effective if all the components were working from a \nstandard template with standard guidance. Utilizing some of the \naspects of the DHS model, we drafted official PIA guidance, a \nprivacy threshold analysis to determine whether a PIA is \nrequired, and a new PIA template. 
Next month, we're going to \nhold a 1-day training session on PIA preparation and Privacy \nAct issues with members of the CIO staff and persons within the \ncomponents who are responsible for Privacy Act issues.\n    In furtherance of our civil liberties missions, we set up \nand launched a DOJ Privacy and Civil Liberties Board on April \n17, 2006. Representatives of the law enforcement, national \nsecurity, and other relevant components are represented on the \nBoard. We have subdivided the Board into three separate \ncommittees: an Outreach Committee, focusing on outreach to the \nArab, Muslim, and other ethnic or religious minority \ncommunities; a Data Committee, examining issues related to \ninformation privacy within the Department; and a Law \nEnforcement Committee, providing a forum for law enforcement to \ndiscuss efforts that might have an impact on civil liberties or \nprivacy.\n    Shortly after I arrived, we started to reach out to privacy \nadvocacy and public policy groups. We've met with \nrepresentatives from the ACLU, Center for Democracy and \nTechnology, Cato Institute, Heritage Foundation, the Center for \nInformation Policy Leadership at Hunton and Williams, and Peter \nSwire, the former Chief Counselor for Privacy in the U.S. \nOffice of Management and Budget.\n    We've also been active in intergovernmental groups and \nefforts. We believe that by working together as a group, \nprivacy officers within the Government can utilize each other's \ncollective experience.\n    Our office has also been active in advising the Department \nof information-sharing initiatives. While information sharing \nis an incredibly important initiative for our security, it also \ninvolves important privacy and civil liberties issues. 
We are \npleased that the Administration and the Attorney General have \nrecognized the importance of addressing these issues at the \ninception of information-sharing programs.\n    Since my arrival, I have co-chaired the President's \nInformation Sharing Environment Guideline 5 Working Group with \nAlex Joel, the Director of National Intelligence Civil \nLiberties Protection Officer. Guideline 5 of the December 16th \nmemorandum from President George W. Bush requires, in relevant \npart, that the Attorney General and the Director of National \nIntelligence develop guidelines designed to be implemented by \nexecutive departments and agencies to ensure that the \ninformation privacy and other legal rights of Americans are \nprotected in the development and use of the ISE, including in \nthe acquisition, access, use, and storage of personally \nidentifiable information. We also look forward to working with \nthe President's Privacy and Civil Liberties Oversight Board on \nthe guidelines.\n    The Privacy and Civil Liberties Office also oversees the \nDepartment's compliance with the Privacy Act of 1974 and plays \nan active role in ensuring that the Department's law \nenforcement, litigation, and anti-terrorism missions are \ncarried out in accordance with its provisions. We also provide \nPrivacy Act guidance within the Department, both in response to \nspecific inquiries raised by the components and through \ntraining programs.\n    Although I have only been at DOJ a short while, my arrival \nhas been greeted with enthusiasm. We have been consulted on \nnumerous initiatives. In the coming year, we hope to launch new \nefforts, such as more extensive privacy and civil liberties \ntraining, that will further the office's mission of protecting \nthe privacy and civil liberties of those who interact with the \nDepartment of Justice.\n    Thank you for the opportunity to speak today.\n    [The prepared statement of Ms. 
Horvath follows:]\n                 Prepared Statement of Jane C. Horvath\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mr. Cannon. Thank you, Ms. Horvath.\n    Professor Katzen?\n\n TESTIMONY OF SALLY KATZEN, PROFESSOR, GEORGE MASON UNIVERSITY \n                   LAW SCHOOL, ARLINGTON, VA\n\n    Ms. Katzen. Thank you, Mr. Chairman, Ranking Member Watt, \nother Members of the Committee. I appreciate the invitation for \nme to testify today, as I did several years ago, about \nGovernment policies and practices that implicate privacy.\n    As the Chairman noted, privacy is one of the hallmarks of \nour country--cherished, protected, defended throughout our \nhistory. Since September 11, 2001, the debate has changed \nsomewhat as the commitment to privacy has often been spoken in \nthe context of national security and the need for combating \nterrorism. But protecting our privacy and protecting our Nation \nare not mutually exclusive goals, and our challenge is to \nprotect and defend our country in a way that promotes our core \nvalues.\n    Now, I belabor this point because in the 2 years since I \nappeared before this Committee, the concern for privacy and \nwhat many Americans believe to be invasions of their privacy by \nthe Government has increased rather than decreased. More \narticles about privacy policies and practices appear more \nfrequently in the press. There are more stories on radio and \ntelevision, and there is significantly more attention paid to \nprivacy on the Internet than ever before. 
The time devoted over \nthe last several weeks or months in public discourse to the \nwarrantless wiretaps by the National Security Agency and the \ndecision of some common carriers to release to the Government \ninformation about calls made by millions of Americans is a \nclear indication of Americans' commitment to and concern about \nprivacy.\n    Given the importance of privacy and its persistence in the \nnational debate, it's somewhat surprising that this \nAdministration has seemed so reluctant to take even minimal \nsteps to address these concerns. For example, one of the \nsubjects of today's hearing is the Privacy Officer at DHS. When \nI last testified, I spoke in highly favorable terms of the \nappointment of Ms. Kelly as the first statutorily required \nprivacy official at DHS. I stressed both the beneficial \nattention that was being paid to privacy concerns and the fact \nthat having a privacy officer at DHS in no way diminished the \ncapacity of the Department to pursue its mission.\n    Ms. Kelly resigned from DHS last September, and with \nrespect to Ms. Cooney, we have in place an Acting Privacy \nOfficer. The job is hard enough. To be heard in policy decision \nmeetings, to be listened to when red flags are raised about a \nproposal's privacy implications, to be supported when a hand \ngoes up and says, ``Maybe we should reconsider, maybe we should \ndo it differently,'' that job is not easy even for a tenured \nemployee. It is so much harder for an acting.\n    There may well be legitimate reasons that there has been a \ndelay in finding and installing Ms. Kelly's replacement, but \nthe unexpected and unexplained delay raises unfortunate \nquestions. Is it a lack of interest? 
Is it a lack of support by \nthe Secretary of DHS or by the White House?\n    In the same vein, I would mention that it has taken a very \nlong time for the White House to nominate and have the Senate \nconfirm the members of the Privacy and Civil Liberties Board \nwhich Ms. Horvath spoke about. That, too, was set up by an Act \nof Congress which was responding to legitimate questions and \nconcerns about Government policies.\n    In light of these examples, I would call for more oversight \nby Congress and, equally more important, more legislation \nconcerning and empowering officials in the Government. In my \nwritten testimony, I remind the Committee that I had urged that \nthere be statutory privacy officers at all major departments. I \nam pleased that the Department of Justice now has one. I hope \nthat you will work with other Members of Congress and other \nCommittees to expand that base. And without being too pushy, I \nwould again renew my suggestion that the Committee support \nestablishing at OMB a statutory office headed by a Chief \nCounselor for Privacy. Such an office was created and staffed \nduring the Clinton administration, and it served us well. The \ncurrent Administration chose not to fill that position when \nthey took office or since. As a result, there is no senior \nofficial in the Executive Office of the President who has \nprivacy in his or her title or who is charged with oversight of \nFederal privacy policies. Yet it's so much better to have \nprivacy considered at the outset rather than after the plans \nare implemented and the stories appear on the front pages.\n    My time is running. I have comments about the markup. \nOtherwise, I think it's a great bill in many respects. I \nsupport the concept. And maybe during the questions and answers \nI could speak to that.\n    I want to thank you again for asking me to participate.\n    [The prepared statement of Ms. 
Katzen follows:]\n                   Prepared Statement of Sally Katzen\n    Mr. Chairman and other Members of the Committee. Thank you for \ninviting me to testify today on a subject--``Privacy in the Hands of \nthe Government''--that is exceedingly important to the American public \nand on which this Committee has commendably been actively engaged.\n    This hearing is a follow on to one at which I testified on February \n10, 2004. With the permission of the Committee, I would request that \nthe written testimony that I prepared then be appended to my submission \nfor this hearing; much of the background and analysis presented in that \ndocument remain pertinent today and incorporating it by reference will \nenable me to better focus on more recent developments.\n    I have been involved in privacy policy and practices for well over \na decade, having served as the Administrator of the Office of \nInformation and Regulatory Affairs (OIRA) in the Office of Management \nand Budget (OMB) from 1993 to 1998 and as the Chair of the Information \nPolicy Committee of the National Information Infrastructure Task Force, \nwhich produced, among other things, a revision of the 1973 Code of Fair \nInformation Practices, entitled ``Principles for Providing and Using \nPersonal Information.'' During my later tenure as Deputy Director of \nthe National Economic Council and then as Deputy Director for \nManagement at OMB, I was involved in a series of privacy issues, and my \ninterest in the subject has continued during my years in academics.\n    My earlier testimony spoke to the importance of privacy in our \nhistory and culture, and why I believe that privacy is one of the \nhallmarks of America--cherished, protected and defended throughout our \ncountry and throughout the years.\n    The arrival of the Information Age raised privacy concerns to a new \nlevel, although after September 11, 2001, this was tempered by a clear \nrecognition of the importance of security and the 
need for combating \nterrorism. But protecting our privacy and protecting our nation are not \nmutually exclusive goals. Rather, the challenge for all of us is to \nprotect and defend our country in a way that preserves and promotes our \ncore values.\n    I belabor this point because in the two years since I appeared \nbefore this Committee, the concern for privacy (and what many Americans \nbelieve to be invasions of their privacy) has increased rather than \ndecreased. More articles about privacy policies and practices appear \nmore frequently in the press, there are more stories on the radio and \ntelevision, and there is significantly more attention paid to privacy \non the Internet than ever before. The time devoted over the last \nseveral weeks/months in public discourse to the warrantless wiretaps by \nthe National Security Agency and the decision of some common carriers \nto release to the government information about calls made by millions \nof Americans is a clear indication of Americans' continued commitment \nto, and concern about, privacy.\n    Given the importance of privacy and its persistence in the national \ndebate, it is somewhat surprising that this Administration has seemed \nto be so reluctant to take even minimal steps to address these \nconcerns. For example, when I last testified, I spoke of the generally \nhighly favorable reactions to the tenure of Nuala O'Connor Kelly as the \nfirst statutorily required privacy official at the Department of \nHomeland Security (DHS). I stressed both the beneficial attention that \nwas paid to privacy concerns and the fact that having a privacy officer \nat DHS in no way diminished the capacity of the Department to pursue \nits mission. Ms. Kelly resigned from DHS many months ago, and \nregrettably there is only an Acting privacy officer in place. Is it a \nlack of interest or a lack of support for the position by the current \nSecretary of DHS? Or by the White House? 
There may well be legitimate \nproblems in finding and installing Ms. Kelly's replacement, but the \nunexplained delay sends a very bad signal to those who follow these \ndevelopments as an indication of the Administration's commitment to \nprivacy. In that same vein, it is worth noting that it took the longest \ntime for the White House to nominate and have the Senate confirm the \nmembers of the Privacy and Civil Liberties Board, which is a committee \nestablished by another act of Congress designed to respond to what were \nperceived as legitimate questions and concerns about government \npolicies with respect to privacy.\n    In light of these examples, I would call for more oversight by the \nCongress and, equally important, more legislation creating and \nempowering officials in the government with responsibility for privacy \npolicy. I had urged in my earlier testimony that the Committee consider \nexpanding the number of statutory privacy offices from one to 24, \ncovering all major Departments (the so-called Chief Financial Officers \nAct agencies) or at least a handful of critical agencies, including the \nDepartment of Justice, the Department of the Treasury (and the Internal \nRevenue Service), the Department of Defense and the Veterans \nAdministration, the Social Security Administration, and the Department \nof Health and Human Services. I was pleased when Congress enacted \nlegislation establishing a privacy officer at the Department of \nJustice. With respect, I would again urge this Committee to work with \nothers in the Congress to expand on this base. OMB guidance from two \nadministrations (issued first during the Clinton Administration and \nrepeated several years ago by the Bush Administration) has called for \nthe creation of such offices in Executive Branch agencies. The \nimprimatur of Congress would enhance the influence and respect that \nthese officers have within their Departments. 
Equally important, by \nestablishing statutory privacy offices, the Congress would be able to \nengage in systematic oversight of the attention paid to this important \nvalue in the federal government.\n    I would also renew my suggestion that Congress establish at OMB a \nstatutory office headed by a Chief Counselor for Privacy. Such an \noffice was created and staffed during the Clinton Administration, and \nit served us well. The current Administration chose not to fill the \nposition when they took office or since. As a result, there is no \nsenior official in the Executive Office of the President who has \n``privacy'' in his/her title or who is charged with oversight of \nfederal privacy practices, monitoring of interagency processes where \nprivacy is implicated, or developing national privacy policies. Yet it \nis so much better to have privacy implications considered beforehand--\nin the formulation of program or projects--rather than after the plans \nare implemented and the stories about them begin to appear on the front \npages of the national newspapers. And apart from damage control, having \nsomeone on the ``inside'' addressing these issues may provide some \nbrakes on the runaway train of surveillance.\n    Finally, I understand that after this hearing, the Committee will \nmove to mark up H.R. 2840, the ``Federal Agency Protection of Privacy \nAct of 2005.'' That bill reflects a commendable desire to ensure that \nprivacy impact statements are prepared by federal agencies as they \ndevelop regulations that involve the collection of personal \ninformation. 
Several thoughts occurred to me as I was rereading the \ntext for today's hearing.\n    First, Subsection (c) provides that an agency head may waive the \nrequirements for a privacy impact statement ``for national security \nreasons, or to protect from disclosure classified information, \nconfidential commercial information, or information the disclosure of \nwhich may adversely affect a law enforcement effort . . .'' Apart from \nthe fact that the basis for a waiver goes well beyond national \nsecurity, I recalled that there is a similar provision in the E-\nGovernment Act of 2002, which requires a privacy impact assessment for \nnew federal government computer systems, but instead of giving an \nessentially free pass for national security concerns, Section 208 (b) \n(1) (D) of that Act requires the agency to provide the privacy impact \nassessment to the Director of OMB. I would recommend that such a \nprovision be included in H.R. 2840 and, in addition, that the bill \nprovide that a copy of the analysis be sent to the Congressional \nIntelligence Committees in the case of national security waivers and \nthe Congressional Judiciary Committees in the case of law enforcement \nrelated waivers. In that way, there could be government-wide Executive \nBranch oversight and, equally important, Congressional oversight over \nagency decision-making in this area.\n    Second, the provisions of H.R. 2840 requiring an agency to prepare \na plan for, and carry out, a periodic review of existing regulations \nthat have a significant privacy impact on individuals or a privacy \nimpact on a significant number of individuals are quite detailed and \nquite prescriptive. Rather than specifying all of the factors to be \nconsidered, and the timetable and procedures for each element of the \nreview, it might be preferable to set forth in the bill the objectives \nof a periodic review and task OMB with providing guidance for the \nagencies as to how they should proceed. 
In this way, the terms are not \ncast in concrete but can be more readily adjusted as changes occur, \neither with respect to content or with respect to technology.\n    With those modest suggestions, I would endorse the bill and once \nagain commend this Committee for its effective and persistent \nleadership on these very important issues.\n    Again, thank you for inviting me to testify today. I would be \npleased to elaborate on these comments or answer any questions that you \nmay have.\n                               __________\n\n                               ATTACHMENT\n\n    Prepared Statement of Sally Katzen before the Committee on the \n   Judiciary, Subcommittee on Commercial and Administrative Law, on \n  February 10, 2004 on ``Privacy in the Hands of the Government: The \n       Privacy Officer for the Department of Homeland Security''\n    Thank you for inviting me to testify today on a vitally important \nsubject--``Privacy in the Hands of the Government.'' This Committee is \nto be congratulated, not only for its leadership in creating a \nstatutory Privacy Officer in the Department of Homeland Security (DHS), \nbut also for being vigilant in its oversight of that office.\n    I am currently a Visiting Professor at the University of Michigan \nLaw School, where one of my courses is a seminar on ``Technology Policy \nin the Information Age''--a significant portion of which is devoted to \nexamining both the government and the private sector's privacy policies \nand practices. I have been involved in privacy policy for over a \ndecade. In early 1993, I began serving as the Administrator of the \nOffice of Information and Regulatory Affairs (OIRA) in the Office of \nManagement and Budget (OMB); the ``I'' in OIRA signaled that I was, in \neffect, the chief information policy official for the federal \ngovernment. 
Among other responsibilities, my office was charged with \ndeveloping federal privacy policies, including implementation of the \n1974 Privacy Act. Later in 1993, I was asked to chair the Information \nPolicy Committee of the National Information Infrastructure Task Force, \nwhich had been convened by the Vice President and chaired by then \nSecretary of Commerce Ronald Brown. One of the first deliverables we \nproduced was from my committee's Privacy Working Group--a revision of \nthe 1973 Code of Fair Information Practices, entitled ``Principles for \nProviding and Using Personal Information.'' During President Clinton's \nsecond term, I worked with the Vice President's Domestic Policy Advisor \nto create a highly visible and effective office for privacy advocacy in \nOMB; we selected Peter Swire to head that office and be the first Chief \nCounselor for Privacy, and I worked closely with him when I served as \nDeputy Director for Management at OMB during the last two years of the \nClinton Administration. Since leaving government, I have, as indicated \nearlier, been teaching both at the graduate and undergraduate level.\n    Given the Committee's extensive work in this area, it is not \nnecessary to speak at length on the importance of privacy in the \nhistory and culture of our country. Nonetheless, to provide context for \nthe comments that follow, I want to be clear that, from my perspective, \nprivacy is one of the core values of what we are as Americans. 
Whether \nyou trace its roots from the first settlers and the ``frontier'' \nmentality of the early pioneers, or from the legal doctrines that \nflowed from Justice Brandeis' oft-quoted recognition in the late 19th \ncentury of ``the right to be let alone,'' privacy has been one of the \nhallmarks of America--cherished, prized, protected and defended \nthroughout our country and throughout our history.\n    The ``Information Age'' has brought new opportunities to benefit \nfrom the free flow of information, but at the same time it has also \nraised privacy concerns to a new level. Computers and networks can \nassemble, organize and analyze data from disparate sources at a speed \n(and with an accuracy) that was unimaginable only a few decades ago. \nAnd as the capacity--of both the government and the private sector--to \nobtain and mine data has increased, Americans have felt more \nthreatened--indeed, alarmed--at the potential for invasion (and \nexploitation) of their privacy.\n    Before September 11, 2001, privacy concerns polled off the charts. \nSince then, there has been a recognition of the importance of security \nand the need for combating terrorism. But, as the Pew Internet surveys \n(and others) have found, Americans' commitment to privacy has not \ndiminished, and some would argue (with much force) that if, in \nprotecting our nation, we are not able to preserve a free and open \nsociety for our public lives, with commensurate respect for the privacy \nof our private lives, then the terrorists will have won. For that \nreason, it was both necessary and desirable in creating a Department of \nHomeland Security to statutorily require the Secretary to appoint a \nsenior official with primary responsibility for privacy policy. Ms. 
\nKelly was selected for that position and took office about six months \nago.\n    We thus have some--albeit limited--operational experience with the \nstatutory scheme, and it is therefore timely to see what we have \nlearned and what more could (and should) be done by this Committee to \nbe responsive to privacy concerns.\n    I would draw two lessons from Ms. Kelly's tenure to date at DHS.\n    First, the existence of a Privacy Officer at DHS, especially \nsomeone who comes to the position with extensive knowledge of the \nissues and practical experience with the federal government, is highly \nbeneficial. We know that some attention is now being paid to privacy \nconcerns and that steps are being taken to advance this important value \nthat might otherwise not have occurred.\n    Consider the CAPPS II project, in which Ms. Kelly has recently been \ninvolved. She inherited a Privacy Act Notice issued last winter that \nwas dreadful. She produced a Second Privacy Act Notice that reflected \nmuch more careful thought about citizens' rights and provided more \ntransparency about the process. Regrettably, there was some \nbacksliding: the initial concept was that the information would be used \nonly to combat terrorism, whereas the second Notice indicated that the \ninformation would be used not only for terrorism but also for any \nviolation of criminal or immigration law. Also, the document was vague \n(at best) on an individual's ability to access the data and to have \ncorrections made. And there was more that should have been said about \nthe manner in which the information is processed through the various \ndata bases. But there is no question that the Second Notice was greatly \nimproved from the first.\n    Ms. Kelly was also involved with the US VISIT program, where she \nproduced a Privacy Impact Analysis (PIA). Some had argued that a PIA \nwas not required because the program did not directly affect American \ncitizens or permanent residents. 
Nonetheless, to her credit, she \nprepared and issued a PIA that was quite thoughtful and was well \nreceived. Whether one agrees or disagrees with the underlying program, \nat least we know that someone was engaged in the issues that deserve \nattention and the product of that effort was released to the public.\n    As someone outside the government, it is hard to know how \ninfluential Ms. Kelly will be if--and it inevitably will happen--there \nis a direct conflict between what a program office within DHS wants to \ndo and what the Privacy Officer would counsel against for privacy \nreasons. Effectiveness in this type of position depends on autonomy and \nauthority--that is, on the aggressiveness of the office holder to call \nattention to potential problems and on support from the top. We may \ntake some comfort from Secretary Ridge's comments; he has said all the \nright things about supporting the Privacy Officer. But we cannot now \nknow what will happen when the ``rubber meets the road.''\n    This Committee, however, can further empower the Privacy Officer, \nand lay the foundation for remedying any problems that may arise, by \nmaintaining its oversight and inquiring pointedly into how the \nDepartment operates. For example, Ms. Kelly (and Secretary Ridge) \nshould be asked at what stage she is alerted to or brought into new \ninitiatives; what avenues are open for her to raise any questions or \nconcerns; and whether the Secretary will be personally involved in \nresolving any dispute in which she is involved. The timing of the \nrelease of the PIA for the US VISIT program suggests that Ms. Kelly may \nnot always be consulted on a timely basis. As I read the E-Government \nAct of 2002, an agency is to issue a PIA before it develops or procures \ninformation technology that collects, maintains or disseminates \ninformation that is in an identifiable form. 
In this instance, the PIA \nwas released much further down the road, when the program was about to \ngo on line. Anything that helps the Privacy Officer become involved in \nnew initiatives at the outset, before there is substantial staff (let \nalone money) invested in a project, would be highly salutary.\n    The second lesson that I take from the experience to date with the \nPrivacy Officer at DHS is that there has been no diminution in the \ncapacity of the Department to pursue its mission. Or as a political wag \nwould say, the existence of a Privacy Officer in DHS has not caused the \ncollapse of western civilization as we know it. This is wholly \nconsistent with what most Americans think--that national security and \nprivacy are compatible and are not intrinsically mutually exclusive.\n    The fact that there is no evidence that the existence, or any \nactivity, of the Privacy Officer has caused DHS to falter leads me to \nsuggest that the Committee consider expanding the number of statutory \nprivacy offices from one to 24, covering all major Departments (the so-\ncalled Chief Financial Officers Act agencies) or at least a handful of \ncritical agencies. Imagine the salutary effect that a statutory privacy \noffice could have at the Department of Justice, the Department of the \nTreasury (and the Internal Revenue Service), the Department of Defense \nand the Veterans Administration, the Social Security Administration, \nand the Department of Health and Human Services. All of these agencies \nalready have some form of privacy office in place, although many simply \nprocess Privacy Act complaints, requests, notices, etc. and do not \ninvolve themselves in the privacy implications of activities undertaken \nby their agencies. 
It is significant, I believe, that OMB guidance from \ntwo administrations (issued first during the Clinton Administration and \nrepeated recently by the Bush Administration) has called for the \ncreation of such offices in Executive Branch agencies. With the \nimprimatur of Congress, these offices can achieve the status (and \nincreased influence) and gain the respect that the Privacy Officer has \nenjoyed at DHS. Equally important, by establishing statutory privacy \noffices, the Congress will be able to engage in systematic oversight of \nthe attention paid to this important value in the federal government--\nsomething which has not occurred before this hearing today.\n    I hope I do not seem presumptuous to suggest--indeed, strongly \nurge--one further step: establishing at OMB a statutory office headed \nby a Chief Counselor for Privacy. As noted above, we had created such a \nposition during the Clinton Administration, and it served us well. \nPeter Swire, the person we selected to head that office, was able to \nbring his knowledge, insights, and sensitivity to privacy concerns to a \nwide range of subjects. In his two years as Chief Counselor, he worked \non a number of difficult issues, including privacy policies (and the \nrole of cookies) on government websites, encryption, medical records \nprivacy regulations, use and abuse of social security numbers, and \ngenetic discrimination in federal hiring and promotion decisions, to \nname just some of the subjects that came from various federal agencies. \nHe was also instrumental in helping us formulate national privacy \npolicies that arose in connection with such matters as the financial \nmodernization bill, proposed legislation to regulate internet privacy, \nand the European Union's Data Protection Directive.\n    I believe it is unfortunate that the current Administration has \nchosen not to fill that position. 
As a result, there is no senior \nofficial in the Executive Office of the President who has ``privacy'' \nin his/her title or who is charged with oversight of federal privacy \npractices, monitoring of interagency processes where privacy is \nimplicated, or developing national privacy policies. Perhaps it was the \nabsence of such a person that led to the Bush Administration's initial \nlack of support for the designation of a Privacy Officer at the \nDepartment of Homeland Security. Perhaps if someone had been appointed \nto that position, the Administration would not have appeared to be so \ntone deaf to privacy concerns in connection with the Patriot Act or any \nnumber of law enforcement issues that have made headlines over the past \nseveral years. An ``insider'' can provide both institutional memory and \nsensitivity to counterbalance the unfortunate tendency of some within \nthe government to surveil first and think later. At the least, the \nappointment of a highly qualified privacy guru at OMB would mean that \nsomeone in a senior position, with visibility, would be thinking about \nthese issues before--rather than after--policies are announced.\n    Finally, I understand that after this Hearing, the Committee will \nmove to mark up H.R. 338, ``The Defense of Privacy Act.'' That bill \nreflects a commendable desire to ensure that privacy impact statements \nare prepared by federal agencies as they develop regulations which may \nhave a significant privacy impact on an individual or have a privacy \nimpact on a substantial number of individuals. I was struck in \nreviewing the E-Government Act of 2002 for this testimony that it \nrequires an agency to prepare a PIA not only before it develops or \nprocures information technology that implicates privacy concerns, but \nalso before the agency initiates a new collection of information that \nwill use information technology to collect, maintain or disseminate any \ninformation in an identifiable form. 
This law has gone into effect, OMB \nhas already issued guidance on how to prepare the requisite PIAs, and \nthe agencies are learning how to prepare these PIAs using that model. \nRather than impose another regime on agencies when they are developing \nregulations (which are frequently the basis for the information \ncollection requests referenced in the E-Government Act of 2002), it \nmight be preferable to amend the E-Government Act to expand its \nrequirements to apply to regulations that implicate privacy concerns. \nThat approach would have the added benefit of eliminating the \ninevitable debate over the judicial review provisions of H.R. 338, \nwhich go significantly beyond the judicial review provisions of any of \nthe comparable acts (e.g., Reg.Flex., NEPA, Unfunded Mandates, etc.). \nLastly, if you were to amend the E-Government Act to include privacy-\nrelated regulations, you might also consider including privacy-related \nlegislative proposals from the Administration. As you know, Executive \nBranch proposals for legislation are reviewed by OMB before they are \nsubmitted to the Congress. If there were a Chief Counselor for Privacy \nat OMB, s/he would be able to provide input for the benefit of the \nAdministration, the Congress and the American people.\n    Again, thank you for inviting me to testify today. This Committee \nhas been an effective leader on privacy issues, and it is encouraging \nthat you are continuing the effort. I would be pleased to elaborate on \nthese comments or answer any questions that you may have.\n\n    Mr. Cannon. Thank you, Professor.\n    Ms. Koontz?\n\n  TESTIMONY OF LINDA KOONTZ, DIRECTOR, INFORMATION MANAGEMENT \n ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE, WASHINGTON, DC\n\n    Ms. Koontz. Mr. Chairman and Members of the Subcommittee, I \nappreciate the opportunity to be here today to discuss key \nchallenges facing Federal privacy officers. 
As you know, \nadvances in information technology make it easier than ever for \nthe Federal Government to acquire data on individuals, analyze \nit for a variety of purposes, and share it with other \ngovernmental and nongovernmental entities. Further, the demands \nof the war on terror put additional pressure on agencies to \nextract as much value as possible from the information \navailable to them, adding to the potential for compromising \nprivacy.\n    This is the context in which agencies must carry out their \ncritical responsibilities for protecting the privacy rights of \nindividuals in accordance with current law. To do so, many \nagencies have designated privacy officers to act as focal \npoints. Recently, these positions have gained greater \nprominence. In response to rising concerns about privacy rights \nin our electronic age, both legislation and guidance have \ndirected agencies to establish chief privacy officers or to \nensure that a senior official takes overall responsibility for \ninformation privacy.\n    Privacy issues have also been at the heart of several \nstudies that the Congress has asked us to perform over the past \nfew years. Our results highlight some of the challenges faced \nby agencies and privacy officials.\n    First, compliance with current law has posed challenges. In \n2003, we reported that agency compliance with the requirements \nof the Privacy Act was uneven. Agencies reviewed generally did \nwell with certain aspects of the requirements, such as issuing \npublic notices about systems containing personal information. \nHowever, they did less well at others, such as ensuring that \ninformation was complete, accurate, relevant, and timely before \nit was disclosed to a non-Federal organization.\n    Agency officials told us that they needed more leadership \nand guidance from the Office of Management and Budget to help \nthem with implementation in a rapidly changing environment. 
\nSimilarly, agencies have not always complied with the E-\nGovernment Act requirement that agencies perform privacy impact \nassessments, or PIAs, on certain systems containing personal \ninformation. Such assessments are important to ensure that \ninformation is handled in a way that protects privacy.\n    Although we have not yet done a comprehensive assessment of \nagencies' implementation of PIAs, we did determine in recent \nwork on commercial data resellers that many agencies did not \nperform PIAs on systems that used reseller information because \nthey believe that a PIA was not required.\n    Privacy officers also face the challenge of ensuring that \nprivacy protections are not compromised by advances in \ntechnology. For example, Federal agencies are increasingly \nusing data mining, that is, analyzing large amounts of data to \nuncover hidden patterns. Initially, this tool was used mostly \nto detect financial fraud and abuse, but its use has expanded \nto include purposes such as detecting terrorist threats.\n    In 2005, in a review of five different data-mining efforts \nat selected agencies, we reported that these agencies did take \nmany of the steps needed to protect privacy. However, none \nfollowed all key procedures. For instance, although they did \nissue public notices, these notices did not always describe the \nintended uses of personal information as required.\n    Another new technology presenting privacy challenges is \nradio frequency identification, or RFID. This technology uses \nwireless communications to transmit data and electronically \ntrack and store information on tags attached to or embedded in \nobjects. As we reported in 2005, Federal agencies use or \npropose to use RFID for physical access controls and to track \naccess. For example, DOD uses it to track shipments. 
Although \nthis kind of inventory control application is not likely to \ngenerate privacy concerns, RFID use could raise issues if, for \nexample, people were not aware that the technology is being \nused and that it could be embedded in items they are carrying \nand be used to track them.\n    Agency privacy offices will play a key role in addressing \nthe challenges I have described. They will be instrumental in \nensuring that agencies comply with legislative requirements and \nin ensuring that privacy is fully addressed in agency \napproaches to new technologies. In addition, chief privacy \nofficers are in a position to work with OMB and other agencies \nto identify ambiguities and clarify the applicability of \nprivacy requirements. Not least, they can work to increase \nagency awareness and raise the priority of privacy issues.\n    That concludes my statement. I would be happy to answer \nquestions at the appropriate time.\n    [The prepared statement of Ms. Koontz follows:]\n                 Prepared Statement of Linda D. 
Koontz\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n    Mr. Cannon. Thank you, Ms. Koontz.\n    I just need to point out that we just had a panel of four \nparticipants who all finished within seconds of the 5 minutes. \nI have never seen that before in my life. Obviously, we have \nsome well-experienced panelists.\n    We have a significant problem here. We are going to try and \nmark this bill up today, and we have six votes probably between \n2:45 and 3:15. And so--yeah, we'll have six votes, so that \nmeans that--let me just suggest that I'm not going to ask \nquestions, and all the Members of the panel can ask written \nquestions.\n    Professor, I suspect you have your comments already \nwritten, and if you could submit those. You suggested you had \nmore that you wanted to say. Do you have that in written form \nalready?\n    Ms. Katzen. Yes, Mr. 
Chairman. My written testimony \nincludes two modest suggestions, one of which relates to the \nnational security issue, and I think it is important.\n    Mr. Cannon. Thank you. And if any of the panelists have \nother things you would like to make part of the record, we'll \nleave the record open for 5 days.\n    So I ask unanimous consent that the Members of the panel--\nthat we limit questioning to 3 minutes for the panel. Hearing \nno objection, so ordered.\n    Mr. Watt. That is per Member?\n    Mr. Cannon. That is per Member, yes. Pardon me. Hearing no \nobjection, but with that clarification, so ordered. And we'll \nkeep the legislative record open for 5 days for questions. \nWithout objection, so ordered.\n    Thank you, and, Mr. Watt, you are recognized for 5 minutes.\n    Mr. Watt. For 3 minutes--3 minutes, I presume. Thank you, \nsir.\n    Since we're going on to the markup of H.R. 2840 and all of \nthe witnesses heard my opening comments, I guess the most \nappropriate question I could ask in my short period of time is \nto Ms. Cooney and Ms. Horvath, since you all are here \nrepresenting the Administration, or at least your respective \nDepartments.\n    Do you have a clue whether the Administration really \nsupports and wants this bill? Because they haven't done \nanything to try to get it passed that I'm aware of on the \nSenate side, and we're engaging in a futile gesture here \npassing it out of here without the Administration injecting \nitself and saying it wants it.\n    So does either of you know whether the Administration \nreally wants this bill?\n    Ms. Cooney. Mr. Watt, I'd be happy to answer. I don't know \nof a formal position that the Administration has taken on this \nbill. I'm not aware of one. I think in our last appearance I \ndid mention that under section 222 we have very similar \nrequirements at DHS to do PIAs on rulemakings, and we've been \nable to tackle that effort and can improve on it as we----\n    Mr. Watt. 
But this is a systemwide, governmentwide bill, \nnot a DHS bill. So I guess the question I'm asking is: Is the \nAdministration committed to having this done systemwide, or are \nthey not? If you don't know, I mean, just say you don't know.\n    Ms. Cooney. I know of no formal position on it.\n    Mr. Watt. Okay. I assume you don't know either, Ms. Koontz. \nYou're not here--you're kind of in a different position with \nrespect to the Administration. I understand that. Have you \nheard anything through the grapevine about whether the \nAdministration wants it, Professor Katzen?\n    Ms. Katzen. No.\n    Mr. Watt. Okay. All right. I just keep pointing out that, \nyou know, we've marked this bill up several times. It's gone. \nThe Chairman indicated it went out of the House. Without the \nAdministration doing something to lift a finger to get it, it \nain't going to happen. So we might be back here again next term \nof Congress doing the same thing.\n    I yield back.\n    Mr. Cannon. Thank you.\n    I think Mr. Franks--the gentleman is recognized for 3 \nminutes.\n    Mr. Franks. Mr. Chairman, I have no questions at this time.\n    Mr. Cannon. Thank you, Mr. Franks. We appreciate that \ncandor and directness, and I think--the gentleman from \nMassachusetts, Mr. Delahunt, is recognized for 3 minutes.\n    Mr. Delahunt. Yes, thank you, Mr. Chairman. I'm going to \nmake an effort to answer Mr. Watt's question. I think it's \nclear to me that the Administration--this is not a priority, I \nthink it's fair to say, for the Administration. Otherwise, this \nbill would have been enacted into law last year. And I think \nit's time, particularly given the context of recent revelations \nconcerning the NSA in particular that the Administration weigh \nin in a very significant way. If this bill is to pass, the \nAdministration has to make it a priority. 
And I don't think any \nof us--and I think I speak for all of us on this panel right \nnow--have not seen evidence of the Administration making it the \nkind of priority that I think it deserves.\n    As my colleagues would remember, myself and Mr. Berman had \nan amendment to the PATRIOT Act involving data mining, and \nthere was great resistance from the Department of Justice \nregarding that particular amendment, which I believed to be \nsomewhat innocuous. Well, now I understand better, after \nreading the USA Today and other revelations that occurred prior \nto that why there would be such resistance. This is simply an \nopportunity for the American people to find out what their \nGovernment was doing.\n    I have to agree with you, Professor Katzen. You know, when \nthere's a lack of privacy afforded the individual citizen, \nwe're on our way to eroding democracy and living in a \ntotalitarian society. It's absolutely essential that this bill \nbecomes a priority.\n    Mr. Cannon. Would the gentleman yield?\n    Mr. Delahunt. I yield.\n    Mr. Cannon. Because I agree with the gentleman. Let me just \npoint out that it is our obligation as the Legislature to set \nthe limits and set the priorities here, and we have to do that \nas Republicans and Democrats and as the House and the Senate. \nThat's sometimes hard. This Administration--no Administration \nis going to focus on these issues like we do because our \nperspective is different, and so I pledge to the gentleman that \nwe will----\n    Mr. Delahunt. I appreciate that, and I would even request--\nthe flip side, Mr. Chairman, is the lack of transparency, \nsecrecy, if you will, that I would suggest has been an earmark \nof this Administration. We've had the National Archivist, Mr. \nLeonard, complain about the ubiquitous classification of public \ndocuments that is going on. And I would hope that you would \nconsider having a hearing into that particular issue. 
I think \nthat is something that is warranted, particularly given----\n    Mr. Cannon. I'd be happy to speak with the gentleman, whose \ntime has expired.\n    May I ask unanimous consent that we not continue with \nquestions, since we just had a vote called, and that we move \nover to the markup of this bill? Thank you.\n    [Whereupon, at 2:48 p.m., the Subcommittee proceeded to \nother business.]\n                            A P P E N D I X\n\n                              ----------                              \n\n\n               Material Submitted for the Hearing Record\n\n Response to Post-Hearing Questions from Maureen Cooney, Acting Chief \n Privacy Officer, U.S. Department of Homeland Security, Washington, DC\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\nResponse to Post-Hearing Questions from Sally Katzen, Professor, George \n               Mason University Law School, Arlington, VA\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n  Response to Post-Hearing Questions from Linda D. Koontz, Director, \n Information Management Issues, U.S. Government Accountability Office, \n                             Washington, DC\n<GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT>\n\n                                 <all>\n</pre></body></html>\n"