At the Department of Energy (DOE), insider threats are a particularly large concern, said Jerry Hanley, the chief privacy officer, because the department oversees numerous scientific research laboratories and other sensitive departments and facilities. In some parts of the agency, one responsibility includes ensuring that only certain employees can use USB drives, he said.
Social media also presents problems. Many DOE managers use Facebook for work purposes, Hanley said. But with such tools, his office needs to be especially cautious about the risk of data leakage. A large part of his position involves strong informational and “situational awareness,” he said.
Sometimes privacy can be seen as a hindrance to business, according to a few panelists. In some cases “They’ll say, ‘you guys are stopping us from saving lives,’” said Sand. "Sometimes they'll take the ball and go...or they'll leave you with the ball." But "that's not going to work." Developing a program requires some resolution, he said. "The willingness to stay there and figure it out and do it together is crucial." Privacy officers also need to be aggressive at times, he said.
When Sand first started working in privacy at DHS, he said half-jokingly, he sometimes had to struggle to get others’ attention. Now people are much more likely to “come to us" if they have privacy-related questions.
Privacy is less of a "separate topic," he said, and more "just the way we do business."
♦ Photo by rpongsaj/Flickr