There are numerous challenges involved in creating and running a strong privacy program. Some challenges can be alleviated, however, if the top privacy officer is given a role high up in the organization’s structure.
That’s according to Peter Sand, director of privacy technology at the Department of Homeland Security (DHS). Sand spoke on a panel along with several other privacy and compliance directors at the recent AFCEA Homeland Security conference in Washington.
There are two main components to a successful privacy program, said Sand. One is the program itself and the other is where “the program sits within an organization.” Many organizations “tuck privacy into an IT department” or some other area when it should be higher up in an organization's structure.
Although Sand says he understands why organizations would place privacy programs in their IT department, as technology can be important in the privacy field, working at a higher “leadership level” provides benefits including access to top managers.
“That’s crucial when you want to have a frank discussion with people,” he said.
DHS’s privacy program consists of several main components, Sand said. One is compliance, an area in which his office puts “the most attention and resources.” Responsibilities include “figuring out what the rules ought to be.” Another main component is education and outreach, he said. “Once you figure out what the rules are you educate…your internal people” as well as “external people who are interested.”
Another job function centers around technology, he said, an area in which “a lot of the exciting stuff actually happens.” Responsibilities frequently include looking at compliance and technology. His office has developed privacy impact assessments to evaluate technological solutions, he said.
The position also involves “writing up and publicizing” the rules “after they’ve been decided on.” One aim is to make the rules more institutionalized, he said.
Other panelists also described some of their experiences as well as some of the challenges they face in their organizations.
At the Department of Energy (DOE), insider threats are a particularly large concern, said Jerry Hanley, the chief privacy officer, because the department oversees numerous scientific research laboratories and other sensitive departments and facilities. In some parts of the agency, one responsibility includes ensuring that only certain employees can use USB drives, he said.
Social media also presents problems. Many DOE managers use Facebook for work purposes, Hanley said. But with such tools, his office needs to be especially cautious about the risk of data leakage. A large part of his position involves strong informational and “situational awareness,” he said.
Sometimes privacy can be seen as a hindrance to business, according to a few panelists. In some cases “They’ll say, ‘you guys are stopping us from saving lives,’” said Sand. “Sometimes they’ll take the ball and go...or they’ll leave you with the ball.” But “that’s not going to work.” Developing a program requires some resolution, he said. “The willingness to stay there and figure it out and do it together is crucial.” Privacy officers also need to be aggressive at times, he said.
When Sand first started working in privacy at DHS, he said half-jokingly, he sometimes had to struggle to get others’ attention. Now people are much more likely to “come to us” if they have privacy-related questions.
Privacy is less of a “separate topic,” he said, and more “just the way we do business.”