Copyright 2000 Federal News Service, Inc.
Federal News Service
October 11, 2000, Wednesday
SECTION: PREPARED TESTIMONY
LENGTH: 2222 words
HEADLINE:
PREPARED TESTIMONY OF SALLY KATZEN DEPUTY DIRECTOR FOR MANAGEMENT OFFICE OF
MANAGEMENT AND BUDGET
BEFORE THE HOUSE COMMITTEE
ON COMMERCE SUBCOMMITTEE ON TELECOMMUNICATIONS, TRADE, AND CONSUMER PROTECTION
BODY:
Mr. Chairman and members of the Committee, I
thank you for inviting me here today to discuss the important topic of privacy
on government web-sites. As you know, protecting the privacy of American
citizens is a very high priority for this Administration. We have worked hard to
ensure that fundamental privacy protections are properly safeguarded as our
government, and society at large, moves into the Digital Age. Nowhere is this
task more important than in the federal government's obligation to continue to
protect the privacy and confidentiality of the personal
information that it maintains, and, now, to protect the
privacy of individuals in their interactions with the
government over the Internet. Today the federal government is increasingly
becoming an electronic government, full of new opportunities to provide services
and information to the public quickly, easily, and when the public wants them.
But as you, Mr. Chairman, and so many others here have noted, we must be
vigilant to ensure that personal privacy protections remain constant or are
improved in the process of this transformation. I am proud to be able to testify
today about the success of this Administration in meeting this challenge - in
taking major steps to boost the level of privacy afforded to American citizens
when they access the government electronically. Without doubt, we have more to
learn as a government. In this time of revolutionary changes in technology and
information flows, all organizations do, no matter their size. But I am
confident that we have achieved significant progress, and are clearly heading in
the right direction in this critical area.
To understand the recent
General Accounting Office reports on the privacy practices of federal agencies
on-line, it is helpful to put them in their proper context and history. First,
there is the Privacy Act of 1974, which for over a quarter of a century has
afforded Americans strong legal protections for personal information stored in
government systems of records -o no matter if they exist in paper or electronic
form. These protections include notice, prohibitions on the unauthorized release
of your personal information, the ability to access your own records, the
ability to change errors in your records, and security safeguards, among other
protections.
While this Act provides the bedrock privacy protections for
Americans in their relations with the government, changes in technology -- most
notably the dramatic increase in Internet access to the government -- have
produced a different world than existed in 1974. To keep current with meaningful
privacy protections, the Office of Management and Budget has augmented the
Privacy Act provisions with policy guidance, and the agencies' response, I
believe, has been outstanding.
For example, in April 1999, a study
revealed that just over one-third of federal agencies had privacy policies
clearly posted on their main web pages. In June 1999, OMB Director Jacob J. Lew
issued a memorandum to all agency heads directing them to post clearly labeled
and clearly written privacy policies on their web-sites by September 1, 1999.
Director Lew told agencies then, "We cannot realize the full potential of the
web until people are confident we protect their privacy when they visit our
sites."
The message was received by federal agencies. The General
Accounting Office confirmed this result in a review conducted in April of 2000
and released on September 5, 2000 ("the first GAO report"). This GAO study found
that 69 of 70 principal agency web-sites had a privacy policy posted on their
sites -- and all 70 did within days of the report's release. Even more
impressive, the GAO identified 2,692 major Web-site points of entry to six
federal government agencies. These are sites where the largest number of
citizens interact with the Federal government. Of the sites they reviewed, GAO
found that only nine lacked privacy policies. This record of progress is
impressive, and, I believe, it is an accurate picture of the state of Federal
privacy policies on-line. It is a story of working rapidly, across the expansive
federal government and across thousands of web-pages, to ensure that citizens'
privacy is protected when they choose to visit the federal government over the
Internet.
As part of our continuing efforts in the area, OMB Director
Lew issued another memorandum this June to further enhance privacy protections
on federal web-sites. Director Lew directed that cookies will not be used on
Federal web-sites, except under very limited conditions. He also made clear, as
a matter of Federal policy, that agencies are to comply with the standards of
the Children's Online Privacy Protection Act, even though Congress did not
include the Federal Government within the scope of that law. In addition, he
directed each agency to describe its privacy practices and the steps taken to
comply with Administration privacy policies in its budget submissions this fall
to OMB. In this way, good privacy protection gets built into the budget process,
emphasizing to everyone in the Government the importance of assuring citizen
privacy.
These efforts to boost privacy safeguards have extended to
areas beyond the federal government's practices on-line, as the Administration
has supported strengthening citizens' legal privacy protections in such areas as
medical information, financial records, genetic information, and Social Security
numbers. These are categories of sensitive data that require protection in both
the public and private sectors.
In light of this record of significant
achievement, you may well ask why GAO reached the conclusions that it did about
the Federal agencies' compliance with the fair information practices written by
the Federal Trade Commission for commercial web-sites (the second GAO report).
The answer, I believe, has more to do with the questions that were asked than
the practices reported. Specifically, the Administration pointed out to GAO
staff in the course of that study that the study was misdirected and that the
answers to the study's questions would be misleading.
GAO also has
reported that the FTC independently expressed concern that its methodology was
"inappropriate for use in evaluating federal web site privacy policies."
The central premise of this particular study was apparently that the FTC
formulation of fair information practices for commercial web-sites could
appropriately be used to measure the privacy protections of government
web-sites. We think it cannot. As noted, the FTC practices were designed for the
private sector, where the Privacy Act and OMB policy do not apply. This is an
important difference between commercial companies and federal agencies, even
though both the government and businesses often use web-sites for the same core
purposes: to provide information to consumers and to provide services to the
public. The fact that there is no law establishing privacy protections for
individuals in the commercial arena led the FTC to stress the need for those
web-sites to make clear statements as to their privacy protections. The FTC does
the same -- that is, require clear statements -- about commercial web-site
policies with respect to access and security practices. It is through these
statements that these companies can be held accountable.
Government
web-sites, by contrast, do not have to make any representations to be held
accountable. The Privacy Act establishes - in the most public way possible - the
standards to which citizens can hold federal agencies accountable and exactly
how they can hold agencies accountable. Thus, the test of whether a federal
web-site provides privacy protection is not whether it includes statements that
make it compatible with commercial practices, but rather whether good privacy
protections are in place. The first GAO report confirmed that they are:
When government web-sites were measured against government privacy
standards, the results were impressive.
In this Information Age, it is
critical that the federal government continues to use technology to keep the
public informed and to provide services for the public. The launch of the
Federal government's FirstGov web-site on September 22 was a major step to
enable easy access to government resources on-line. In this and many other ways,
the need for privacy protection on-line - and the need for public confidence in
the Federal government's on-line privacy standards - is expected to only
increase in the years ahead. It would be most unfortunate if any misleading
conclusions as to the state of privacy on federal web-sites interfered with our
common goal of achieving an electronic government with full public
participation.
As I said before, the federal government can, and should,
continue to improve in its protection of the privacy of those individuals who
access government web-sites. The first GAO report pointed out that we could do a
better job of posting privacy policies at specific Federal web pages where a
substantial amount of personal information is collected. That report also made
recommendations about how OMB might provide clearer guidance to agencies, and we
are working with the Federal CIO Council to respond to those recommendations.
Beyond that, I think that we will learn much from the privacy materials included
with the agency FY 2002 budget submissions to OMB. At the same time, I would
again emphasize that the Administration's record on privacy protection in this
area is strong, with a resolute commitment to safeguard personal privacy.
I thank you, Mr. Chairman, for holding this hearing today and for
inviting me to testify. I look forward to continuing to work with you and the
other members of this committee in making the federal government a model of good
privacy practices.
END
LOAD-DATE: October 21,
2000 
