WRITTEN STATEMENT
OF
NUALA O’CONNOR KELLY
CHIEF PRIVACY OFFICER
U.S.
DEPARTMENT OF HOMELAND SECURITY
BEFORE THE
SUBCOMMITTEE ON ADMINISTRATIVE
LAW OF THE
JUDICIARY COMMITTEE
OF THE U.S.
HOUSE OF REPRESENTATIVES
August 20, 2004
________________________________________________________________________
Chairman Cannon,
Ranking Member Watt, Members of the Subcommittee, and distinguished colleagues
on this panel, it is an honor to testify before you today regarding the 9/11
Commission on behalf of the United States Department of Homeland Security’s Privacy
Office, which I am privileged to lead as the first Chief Privacy
Officer.
I am pleased to
offer my reflections on the findings and recommendations of the
9/11 Commission’s report. That Commission was charged by Congress and
our President with the important yet daunting task of investigating this tragic
event in our history with an eye toward implementing future changes. As the first statutorily-mandated Privacy
Officer in the Federal Government, and as someone who
provides both investigative oversight and policy advice, I am keenly aware of the
challenges presented by the Commission’s role.
It is a role that requires both tenacity and discretion,
persistent determination and unyielding patience, meticulous attention to
detail and perceptive understanding of the “bigger picture”. In every respect, the 9/11 Commission has met
those daunting challenges admirably, and I know that I join every American when
I commend and thank them for their fine work.
We have heard from
the Commission’s Report that among the many reasons for the United
States government’s failure to prevent those
dreadful attacks was a failure to think creatively about the challenges we
faced and to act upon information we received. In the words of the Commission, we
suffered a “failure of imagination”. Looking
forward, it is clear from the Commission’s work that the years ahead will
require new and creative modes of thinking and will demand that we
“institutionalize” new, imaginative mindsets within the very culture and structures
of our government. Most importantly, we
must perform these tasks in a manner that respects the privacy, dignity, and
personal freedoms of every individual who lives in and visits the United
States.
Indeed, years from now, we will be said to have suffered yet another tragic
“failure of imagination” if, while undertaking efforts to reform our
intelligence community and protect our security, we fail to think and act creatively
to protect privacy as well.
One Year Onward: Protecting Privacy Within DHS
My firm belief, which
has been affirmed by my experiences during the past year, is that protecting
both privacy and security is well within the grasp of our collective
imagination. In fact, during my first
year as the Chief Privacy Officer of our
Department, I have operated under that very premise, and have worked to ensure
that privacy and security go hand-in-hand as we carry out our protective
mission. In much the same way that the 9/11 Commission
recommends “institutionalizing imagination”, we at the Department of Homeland
Security have begun instituting and operationalizing privacy awareness within
the very culture of our organization. We
have done so by working side-by-side with senior leadership and by ensuring that
as programs move forward to implementation, they have been carefully and
thoroughly analyzed for their impact on personal privacy. This has meant responding to privacy
complaints from inside and outside the Department and actively raising awareness
of privacy across all of our directorates.
We have crafted privacy training and privacy policies for many of our programs,
ensured that statutorily-required Privacy Impact Assessments and System of
Records Notices are written and reviewed, and counseled DHS officials regarding
the effective and responsible use of technology. Beyond our organization, we have reached out to
advocacy groups and the general public for input and guidance. Moreover, on the international level, we have
reached important agreements with our partners in the EU and elsewhere, and
have participated in fruitful discussions with organizations like the
International Association of Data Protection and Privacy Commissioners. In short, my office is vigorously pursuing its
statutory missions, including ensuring that DHS technologies “sustain, and do
not erode, privacy protections relating to the use, collection, and disclosure
of personal information.”
It is not an
accident that DHS in its very first year began linking the values of homeland security
and privacy protection as being compatible rather than opposing goals. It was a well thought out legislative design,
firmly embedded in Section 222 of the Homeland Security Act, to reflect
fundamental American values. No one has
been a greater champion of this pairing of values than Secretary
Tom Ridge,
who from the very beginning has set the direction “from the top” that privacy,
matters of individual dignity, and civil liberties define
the fabric of America
that we seek to protect in all of our endeavors at DHS. Today, I wish to thank Secretary Ridge publicly
and commend him for his leadership and active support for the role and efforts of
the Privacy Office at DHS and the entire
Privacy team, which includes more than 430 Privacy Act and Freedom of
Information specialists who work throughout the Department.
Looking Forward: Privacy Across the Federal
Government
The wisdom
Congress demonstrated when it mandated a Privacy Officer within DHS represents
precisely the kind of bold and creative thinking that will be demanded of our
leaders and policy-makers in a post 9/11 world.
As the United States
transforms its federal intelligence and law enforcement communities, operationalizing
privacy protections across all of government will be more imperative, and more
challenging, than ever. It will require,
first and foremost, sustained dialogue among policy makers, technologists, intelligence
professionals, law enforcement officials, and the private sector. The Commission’s Report has provided an excellent
starting point for that dialogue. Their
recommendations raise a number of points that are crucial to bear in mind as we
move ahead in this process.
First, as the Commission
quite correctly points out, “the choice between security and liberty is a false
choice”. We as a nation must abandon,
once and for all, the notion that in order to be safe, we must give up our
right to keep our personal information private. As the recent TAPAC Report concluded, “The
stakes on both sides – guarding against attacks and protecting privacy – could
not be higher. We must not sacrifice one
for the other . . . .” Within DHS, the Privacy
Office has worked tirelessly to prove this point, and to
demonstrate that the sometimes perceived dichotomy between liberty and security
is a false one. As I have said on
numerous occasions, the protection of privacy is neither an adjunct, nor the
antithesis to, the mission of the Department of Homeland Security. Rather, privacy protection is, in fact, at
the core of that mission. Likewise,
privacy protection must also be at the core of our national mission as we
devise ways to reform and improve our intelligence and anti-terrorist efforts.
One way that we as
a nation can put to rest the perceived dichotomy between liberty and security
is by unleashing the vast potential of our technology. Too often, advances in technology are met
with concern and trepidation. Yet, just
as our technology can be misused to suppress privacy, so too can it be used to
enhance and protect it. During my time
as Chief Privacy Officer, I have observed first-hand
how technology solutions can greatly enhance the privacy of individuals. Technical features such as encryption, audit
trails, one-way hash functions, and tiered access control modules, among
others, make it possible to analyze information in a way that protects people’s
safety while limiting access to personal information and preserving the
integrity of data. Moreover, as technologists know quite well, information
security is paramount to protecting privacy. Therefore, the key to ensuring that
technologies used by our government sustain and do not erode privacy will be to
harness the creative energy of those who design and implement our technical
infrastructures, challenging them to devise new solutions that secure and
protect our personal information.
Oversight and Guidelines
Technology and
privacy awareness, while important, will not be enough to address our current
challenges. As we move forward, we will
also need to establish and enforce concrete safeguards that prevent government from
exceeding its proper bounds. As the Commission
correctly points out, the burden should be on policy-makers to prove that any
new power granted to government is accompanied by “adequate guidelines and
oversight to properly confine its use.” The
idea here is an important one - privacy protections must be put in place at the
front-end of our governmental processes when programs are in their infancy, rather
than later, after privacy abuses and mistakes have already taken place.
The United
States has a firm foundation upon which to
build additional privacy protections. Existing
laws such as the Privacy Act of 1974, the Freedom of Information Act, and the
E-Government Act all seek to embed “fair information practices” and a general
respect for privacy into the daily operations of our government. Coupled with our Constitutional provisions, these
statutes form an essential part of a privacy culture that will only become more
relevant in the years to come. As we
build upon this legacy of privacy protection, we must find ways to embed these values
within the new statutory frameworks that will govern the collection, use,
sharing, and retention of intelligence and other personal information.
Much of the 9/11 Commission
Report’s comments in this area address the need to integrate and coordinate the
data that are collected for our antiterrorism efforts more effectively. The Report’s findings underscore the need to
abandon the compartmentalized structure of our intelligence bureaucracy that
existed before 9/11 and move to a more integrated system. It is my view that Congress should permit
agencies to establish clear parameters for sharing information to protect
privacy. As some have said, we must move
from a “need to know” to a “need to share”. Establishing reasonable limits on access and
embedding fair use principles will be important, not only because it will
protect individuals, but also because it will engender the kind of trust in
government that is necessary to achieve the cooperation of both the public and
private sectors. In failing to abide by
these principles, we risk replacing the problem of “stove-pipes”, in which disparate
pieces of information are never adequately integrated, with one of “leaky
pipes”, in which personal information is exposed for all to see.
Creating an Oversight Body for Privacy and Civil Liberties
I would like to
address, as a final matter, the recommendation of the Commission that the
President appoint “a board within the executive branch to oversee adherence to
the guidelines we recommend and the commitment the government makes to defend
our civil liberties.”
I am keenly aware
of the benefits of having a central, coordinating privacy authority that is both
knowledgeable enough about organizational structures to obtain information and yet
independent enough to act as an effective privacy advocate. It has been one of the greatest advantages of
my position at DHS that I serve concomitant roles both inside and outside the
structures of our agency. The Chief
Privacy officer is appointed by the Secretary, but is a position created by statute
and required to report to Congress. The
dual aspects of this role have allowed me to turn a critical eye on the most
controversial and the most ordinary aspects of the Department’s operations,
while also offering a supportive hand to key decision-makers. I do not see my office as the enemy of the
missions of the Department. Rather, I
see it as crucial to achieving that mission successfully.
Implementing such
an oversight position for the entire federal government is admittedly a
different task, one that would require attention to matters of a completely
different nature and scale. Since the
government’s response to the 9/11 Commission’s recommendations is still being
formulated, it is too early to say precisely what type of body will best
address the privacy needs of our Federal Government. While the challenges and responsibilities faced
by the person or persons who undertake this responsibility will be distinct
from those faced by the Chief Privacy Officer
at DHS, I look forward to sharing my own experiences and participating in the
public dialogue on this matter in the coming months.
Conclusion
Each and every one
of the issues raised by the 9/11 Commission regarding the upholding of personal
privacy presents a unique but highly important challenge to our nation. Facing these challenges will require
extraordinary imagination. The exercise of
that imagination and the implementation of the resulting changes certainly will
not be easy. And yet as Thomas Jefferson
wisely noted, "It is part of the American character to consider nothing as
desperate; to surmount every difficulty with resolution . . . ." If there is any over-arching lesson to be
learned from the fine work of the 9/11 Commission, it is precisely that. Three years after the 9/11 attacks on New
York and Washington,
and in the memory of those who passed in the fields of Pennsylvania,
our nation is united in its desire to learn from the past by re-organizing and
reforming antiterrorism efforts. At the
same time, we seek to renew our foundational commitment to respecting the
privacy of each individual, as a matter of law and policy. As the DHS Privacy Officer,
I work daily to ensure that this sacred commitment - our unwavering determination
to secure both our liberty and our
land – is a guiding force behind every decision at the Department of Homeland
Security. Thanks to the fine work of
this Subcommittee, I am quite confident that our commitment to the protection
of individual privacy will continue to guide anti-terrorism efforts not only
within DHS, but across our entire Federal Government.
I would like to
extend my deepest gratitude to you, Chairman Cannon and to the Members of the
Subcommittee for your tireless work and enduring contribution to our
nation. Thank you today for your time
and attention. I would be happy to
respond to your questions.