Public Statement I gave to the DHS Privacy and Integrity Advisory Committee on behalf of the DHS Information Sharing and Collaboration Office, June 15, 2005, Harvard Law School.
( The official transcript with follow-on questions and answers is posted on the DHS website: http://www.dhs.gov/interweb/assetlibrary/privacy_advcom_06-2005_trans_am.pdf)
On behalf of myself and the DHS Information Sharing and Collaboration Office, I thank you for the invitation to speak here today. The Information Sharing and Collaboration Office, commonly known as “ISCO”, is working on a number of projects that we believe will have a direct impact on preserving privacy -- while at the same time improving information sharing.
In the late summer and fall of last year, ISCO served as the DHS lead in the drafting of a multi-agency plan for a broad-ranging terrorism Information Sharing Environment. That plan was required by Executive Order 13356 (issued last August) and is now a part of the work under Section 1016 of the Intelligence Reform and Terrorism Prevention Act (passed in December). In its work on the Information Sharing Environment,
In that role,
Now that this information is compiled, and in a spreadsheet, the information from the SORN and Routine Use notices can be cross-matched with the information from a department-wide electronic survey
As we learn more about information sharing in DHS and with our stakeholders, and in particular while doing this project, we note that the terms for describing Routine Uses – the terms and phrases used for the “who, what, and when” of privacy sharing – are not consistent, either internally to DHS or externally around the federal government.
ISCO’s responsibilities include making proposals for “what should be” and how to move DHS there. In part, we derive our ideas from the knowledge we glean about the current (“as-is”) state of information sharing. For example, we know that agencies or components enter into agreements for information sharing, setting forth the mechanics and rules for sharing information. ISCO conducted a brief study and confirmed that there was no standardized methodology for entering into such information sharing agreements with other agencies. Based on its assessment of what appear to be best practices, and as a part of its duties to establish policies and procedures,
The methodology includes the requirements that a Privacy Office representative be contacted and that certain privacy-related questions be answered as part of the creation of each new information sharing agreement. This provides a near-term improvement to the goal of integrating privacy concerns into information sharing.
The facilitation team has been approached to help components that have received many requests for the same information.
A prototype information system that has just been developed collects whole information sharing agreements and ultimately will permit authorized individuals to draft and edit the specific provisions of the agreement over which they have authority. Over time, such individuals also will have the ability to select from the language of earlier agreements. As part of that process, every agreement will have to address privacy requirements, and only a person authorized by the Privacy Office will be able to create those provisions. This will provide mid-term improvement to integrating privacy concerns into information sharing.
We are, perhaps, most proud of the work that
An interactive Information Sharing Environment must have log-on identity management functions that will act as the key to unlock the access and security controls each information provider in the environment will place on their data. At
In that vein, as we work towards an interactive environment,
ISCO has proposed this activity because the Privacy Act appears to provide some of the most complex and diverse rules inside a single rule set and, therefore, a prototype of privacy access could provide great insight into the requirements for all the other rule sets that will need to be added.
ISCO is working collaboratively with the Privacy Office to provide privacy rules that can be used as early use cases for the builders of this technology.
A first draft of this material has been presented to DHS’ Metadata Center of Excellence and to the Federal Enterprise Architecture Data Reference Model working group -- and we have received an enthusiastic response. If we succeed in having this information be a use case for each of these activities, we will have succeeded in placing Privacy Act implementation into the earliest stages of future system development. That would be a significant long-term success.
ISCO works on many information sharing policies, processes, and projects. The scope of