The privacy framework proposed by the Office of Management and Budget (OMB) is a “big, bold statement” by an influential government body that will hold federal agencies to some very specific and critical requirements to safeguard privacy, Trevor Hughes, president and CEO of the International Association of Privacy Professionals (IAPP), told SCMagazine.com Wednesday.
In the first update in 15 years to the government's Circular A-130, Managing Information as a Strategic Resource, OMB has proposed revisions to “enable OMB to provide timely and relevant guidance to agencies and will ensure that the Federal IT ecosystem operates more securely and more efficiently,” the Circular said, with Appendix I to the document placing particular emphasis on protecting personally identifiable information (PII).
Three requirements bring privacy to the forefront, Hughes explained. “They need a privacy leader inside every agency in government,” he said. “It's not a recommendation, it's a requirement.”
Likewise, that privacy leader, called a Senior Agency Officer of Privacy (SAOP), is not meant to be simply a figurehead, but must implement a workable privacy management program. The SAOP “has actually got to do something,” Hughes said.
Critical among the SAOP's responsibilities is to implement a privacy training program.
“This is not just an expectation of someone as an ombudsman or watcher,” said Hughes. “His position must develop and manage the agency-wide training of workers and contractors.”
Requiring agencies to loop in contractors is significant, considering that many of the high-profile breaches or data exposures have come through third parties. The revised circular attempts to ensure that privacy training extends to “everyone that touches an agency,” Hughes said.
OMB released the proposals and has opened up a 30-day comment period that extends to Nov. 20.
How quickly and successfully an agency eventually implements the finalized requirements of the framework, Hughes explained, “depends on the agency, its sophistication and how much it has been paying attention to privacy.” Some agencies already have chief privacy officers (CPO) and privacy plans in place. The Department of Homeland Security (DHS), for example, has a CPO nominated by the President and approved by Congress.
Other agencies aren't quite as mature.
But Hughes cautioned against thinking that “this is complete green fields stuff,” noting that “there's a lot of infrastructure in place.”
How agencies will establish and enforce the incentives and consequences of their privacy programs, once the comment period ends and the finalized OMB requirements are released, remains to be seen. “Clearly, there will be some combination of carrots and sticks for this to have life,” said Hughes.