With the exploding volumes of data collected by the federal government, the multiplying power of the analytic tools that parse and crunch it, and the increasingly fractious policy environment, the Office of Management and Budget is looking to privacy professionals to help out as legacy systems are modernized and departmental IT is upgraded. To help agencies share best practices, swap ideas and craft better policies, OMB Director Shaun Donovan has appointed his senior privacy officer, Marc Groman, to head a new Federal Privacy Council.
Groman sat down with FedScoop Thursday to talk about how he sees the council pushing the federal government forward, what’s needed in the future, and how privacy guidelines are like “planting trees.”
Editor’s note: This transcript has been edited for length and clarity.
FS: So OMB Director Shaun Donovan said in his speech Wednesday that you are one of the most passionate people he knows when it comes to privacy. Where does that passion come from?
MG: What I’m passionate about is the responsible use of information, whether it’s by the government or the private sector. It’s about finding really practical tailored solutions to challenging issues. The thing I love about the privacy profession is that privacy truly is the intersection of technology, law and policy in one job. That’s what I’m so passionate about. I love technology, and I think that surprised Shaun when he hired me. I’m on the Internet, I’m on Facebook, I have 11 devices. I love tech, but I also believe there is truly a right way to approach it.
FS: He also said, “If we do this right, our efforts will pay off down the road.” What needs to be done to get this right?
MG: One is leadership. I think every privacy program at a federal agency needs to have somebody who is in charge of that program, with the right expertise and situated in an agency to tee up issues as appropriate. I want every agency to evaluate privacy for themselves, but to ensure they actually have a chief privacy officer with the experience and authority to lead the program.
The second piece is to have talented privacy professionals who can support that leader. That varies today. Where we’ve had a big focus in the past on upscaling talent for cyber, [OMB Director Shaun Donovan] wants to do that for privacy, with professionals that are really equipped to handle the challenges going forward, be it data in the cloud or social media. We need privacy professionals to know the technology, know the law and policy, so they can work on those issues.
The third point is making sure our guidance stays current and able to be applied as new technology evolves. I’ve been on Capitol Hill, I’ve drafted regulation at the FTC, now I’m working here and making sure that we stay current. We want to issue practical, rational guidance that can stand the test of time. Consider the A-130 revisions. That’s long been overdue and I am particularly excited about that.
FS: So with the A-130 revisions: There has been some pushback from some people inside the government with respect to how it combines privacy and security, forcing people to clear more hurdles as they try to complete the checklist towards modernizing their systems. What do you think about those privacy efforts?
MG: A strategic, comprehensive and continuous privacy program does not stand in the way of innovation, it enables innovation. That is an incredibly important point. That term in your question, “checklist” — privacy should never be viewed as a checklist. To the extent that there are privacy officials approaching it as a compliance hurdle, that is not what we want from a privacy program in the government. That goes to my point about how we need to have the professionals who can understand cloud computing and can ask the right questions, engage with a CIO or CISO and with a program manager, and streamline the process to get to the right results more quickly.
FS: How are you working with agencies to implement this new strategy?
MG: This has been an ongoing process. I have been meeting with managers across the federal government, the CIO Council, the President’s Management Council. People have called me and said, “We are really enthusiastic about this, we think these initiatives are dead on, can you come over and meet with us and talk about our privacy program and where we should go?” The reception has been great.
FS: What about the reception from CIOs?
MG: It’s been varied. At one agency, CIOs and other senior officials will be meeting with me so I can work with them and facilitate a conversation about what a privacy framework for their department will look like. That has been really gratifying and interesting.
FS: How has your past role at the Federal Trade Commission factored into your work at OMB?
MG: Tremendously. Privacy is a multifaceted issue. I’ve had the opportunity to see it from six different angles. That has truly influenced my perception of the issues on what’s practical and scalable. I’ve been a chief privacy officer. I’ve done privacy on the ground. I’ve done FISMA reports. I’ve drafted privacy impact assessments. I’ve done system of records notices. I’ve worked on incident response. I’ve worked on contracting. I can bring that experience and background to what we are doing here.
FS: So with incident response — explain to me how a privacy officer factors into an agency’s response to a data breach.
MG: Let’s look at a cybersecurity incident, there are distinct roles to be played. The CIO, in the wake of an incident, obviously step one is to stop the attack, contain harm. Step two is to assess the damage. Then the privacy piece is if the data set potentially compromised involved [Personally Identifiable Information].
To the extent this is a hypothetical incident in which, say, a DOD weapons system was breached — you’re not going to bring in a chief privacy officer. To the extent it involves PII, you need the privacy officer involved immediately to help you evaluate the sensitivity of the PII that was compromised.
FS: So moving forward, what’s one thing agencies could do better with respect to privacy?
MG: It varies agency to agency. There are some agencies that have robust privacy programs that are baked in. I think that making sure we have the right leaders at every agency, evaluating your talent pool and following the new guidance are three things I’d like to see.
FS: How long do you see it taking for your vision for the privacy council to pay off dividends within the federal government?
MG: We’re starting from a decent foundation. At the Federal Privacy Summit, we had 375 privacy professionals from a very wide range of agencies who are really excited about what’s coming down the pike. I am fairly excited with the progress we are making already in that agencies are embracing this. But I view this as more of a marathon than a sprint. I view this like planting trees. I want to know what we leave behind is going to be in much better shape than we found it and we are building the foundation for the future.