
STATEMENT OF JOHN T. SPOTILA
ADMINISTRATOR
OFFICE OF INFORMATION AND REGULATORY AFFAIRS
OFFICE OF MANAGEMENT AND BUDGET
EXECUTIVE OFFICE OF THE PRESIDENT OF THE UNITED STATES


SUBMITTED TO
THE SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
INFORMATION, AND TECHNOLOGY
COMMITTEE ON GOVERNMENT REFORM
UNITED STATES HOUSE OF REPRESENTATIVES

May 15, 2000

Mr. Chairman and members of the Committee, thank you for inviting me here to present the Administration's views on H.R. 4049, the "Privacy Commission Act." As Administrator of OMB's Office of Information and Regulatory Affairs, I care deeply about the protection of privacy. In 1998, OIRA took on enhanced responsibility for coordinating privacy policy throughout the Administration. OIRA already had policy responsibility under the Privacy Act of 1974, which applies to federal government systems of records. Now it plays a central coordinating role for privacy policy more generally. Last year, OMB appointed its first Chief Counselor for Privacy, Peter Swire, to be the point person in this coordination effort. Peter is with me here today.

 

The President and the Vice President are committed to the protection of individual privacy. As President Clinton said on April 30, when announcing his new financial privacy proposal: "From our earliest days, part of what has made America unique has been our dedication to freedom, and the clear understanding that real freedom requires a certain space of personal privacy." Vice President Gore showed similar leadership in 1998 when he called for an Electronic Bill of Rights, emphasizing that we should all do our part to protect individual privacy, relying on private sector leadership where possible, on legislation when necessary, on responsible government handling of personal information, and on an informed public.

 

In studying the proposed findings for H.R. 4049, we find much common ground. We agree that Americans are increasingly concerned about the security and use of their personal information. We agree that the shift from an industry-focused economy to an information-focused economy calls for reassessing the way we balance personal privacy and information use. As Administrator of OIRA, I work extensively on information policy issues relating to computer security, privacy, information collection, and our transition to the electronic delivery of government services. In these and other areas, we are working hard to gain the advantages that come from new technologies while guarding against possible costs to privacy and security that can come from badly crafted uses of those technologies.

 

In some areas, we already know that we must act swiftly to protect privacy and security. Indeed, the Administration's biggest concern with H.R. 4049 is the risk that some might use the Commission as a reason to delay much-needed privacy legislation. We understand that supporters of H.R. 4049 have emphasized that it should not be used as a reason for delay. But we are also aware from public reports that those who oppose privacy reform would prefer to have Congress study the issue indefinitely rather than take action. In the Administration's view, such delay would be unwise. We cannot afford to take a year and a half off in protecting Americans' privacy. We believe that action is needed now in the areas of financial privacy, medical records privacy, and genetic discrimination.

 

Before addressing specific aspects of H.R. 4049, it would be useful to review recent federal privacy initiatives.

 

Overview

There have been extensive initiatives by the Federal government since 1993 to study and take appropriate action in the area of privacy protection. Study of privacy was an integral part of the National Information Infrastructure project, sometimes called the "information superhighway" effort, with the issuance in 1995 by an inter-agency Privacy Working Group of "Principles for Providing and Using Personal Information." (See: Privacy Working Group of the Information Infrastructure Task Force, www.iitf.nist.gov/ipc/ipc-pub.html.) This effort was led by OIRA. With Administration support, Congress has passed privacy legislation including the Drivers' Privacy Protection Act of 1994 (motor vehicle records), the Telecommunications Act of 1996 (authority for the Customer Proprietary Network Information regulations), the Health Insurance Portability and Accountability Act of 1996 (authority for the currently proposed medical privacy regulations), the Children's Online Privacy Protection Act of 1998 (children's online records), the Identity Theft and Assumption Deterrence Act of 1998 (deterrence of identity theft), and the Gramm-Leach-Bliley Act of 1999 (financial records).

 

In the online world, the Administration has encouraged self-regulatory efforts by industry. For especially sensitive information -- such as medical, financial, and children's online records -- legal protections are required. Recent activities have included:

 

  • When children go online, parents should give their consent before companies gather personal information. Websites aimed at children must get such consent under the Children's Online Privacy Protection Act of 1998 and accompanying rules that went into effect in April of this year.
  • The Department of Commerce, the Federal Trade Commission, the White House Electronic Commerce Working Group, and other parts of the Federal government have undertaken a wide array of studies, reports, workshops, and other activities to address issues of online privacy. As one example, a public workshop last fall challenged the industry to address concerns about "online profiling," in which companies collect data, in ways few people would suspect, about individuals surfing the Internet.
  • In the international sphere, the Department of Commerce has taken the lead in creating "safe harbor" principles for transfers of personal information between the European Union and the United States. These principles, to which the European Commission has now agreed, recognize the appropriateness of effective self-regulatory regimes. In developing the principles, the Department has sought public comment on four separate occasions.
  • The President signed the Identity Theft and Assumption Deterrence Act of 1998. This March, the Department of the Treasury hosted an Identity Theft Summit to assist in the prevention, detection, and remediation of the significant problem of malicious misuse of another person's personal information for fraudulent purposes.
  • The Administration continues to build privacy protections into its own activities. Last year, for instance, all Federal agencies successfully posted clear privacy policies on their websites. Programs are now underway to strengthen Government computer security to provide new privacy safeguards for personal information held by the Government. The new Privacy Subcommittee of the Chief Information Officers Council is undertaking initiatives to ensure that privacy is effectively built into government information technology systems.

     

Financial Records

Congress discussed financial privacy intensively in the course of its financial modernization debate last year. As the President pointed out when signing the law, the modernization law took significant steps to protect the privacy of financial transactions, but did not go far enough. The President asked OMB, the Department of Treasury, and the National Economic Council to craft a legislative proposal to close loopholes under existing law. On April 30, he announced his plan to protect consumers' financial privacy. This plan would include:

 

  • Consumer choice: Giving consumers the right to choose whether a firm can share consumer financial information with third parties or affiliated firms.
  • Enhanced protection for especially sensitive information: Requiring that a consumer give affirmative consent before a firm can gain access to medical information within the financial conglomerate, or share detailed information about a consumer's personal spending habits.
  • Access and correction: Giving consumers a new right to review their information and correct material errors.
  • Effective enforcement: Providing effective enforcement tools for financial institutions subject to Federal Trade Commission enforcement of privacy rules.
  • Comparison shop on privacy policies: Giving consumers privacy notices upon application or request so they know how information is protected before a customer relationship is established.

These provisions were introduced in the House as H.R. 4380, attracting immediate and substantial support in both the House and the Senate. As Secretary of the Treasury Lawrence Summers emphasized on March 7, "It's time to start now."

 

Medical Records

There has been a longstanding appreciation in the United States that individual medical records include especially sensitive information. Disclosing medical data can reveal what is happening inside a person's body, such as a report that a person is HIV positive, or inside a person's mind, such as the transcript of a session with a psychotherapist. The Federal government has recognized these concerns at least since 1973, when the Department of Health, Education, and Welfare first announced the basic fair information practices that underlie privacy policy today.

 

Congress recognized the need for legal protection of medical records when it passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA). After extensive discussions with stakeholders and as required by HIPAA, the Secretary of Health and Human Services issued her recommendations for health privacy legislation in September 1997. Congress was unable to meet the HIPAA deadline for enacting comprehensive privacy legislation by August 21, 1999. Accordingly, the President and Secretary Shalala announced proposed privacy regulations on October 29 of last year. It was HHS's goal to make the regulation process open to those who wanted to communicate their concerns in person. HHS met with many individuals and organizations to hear their concerns and clarify provisions of the proposed rule. HHS received over 53,000 submissions of comments by the February 17, 2000, deadline. HHS is now considering those comments, and the regulations will become final this year.

 

Although the medical privacy regulations will become final this year, there is a pressing need for further Congressional action. As HHS Assistant Secretary Margaret Hamburg testified in February of this year: "Health information privacy is a top priority for the Department and the Administration, and we continue to believe that legislation is the only way to achieve the goal." President Clinton explained some of the reasons for legislation when he proposed the privacy regulations last October. The Administration is especially concerned that the enforcement powers under current law are not as effective as they should be. We recommend federal legislation that would allow punishment of those who misuse personal health information and redress for people who are harmed by its misuse. Administration officials have testified often on what should be included in medical privacy legislation, and we urge that there be no delay on this subject.

 

Genetic Discrimination

This February 8, President Clinton signed an executive order that prohibits every federal department and agency from using genetic information in any hiring or promotion action. This order ensures that critical health information from genetic tests not be used against federal employees. The President has also endorsed the Genetic Nondiscrimination in Health Insurance and Employment Act of 1999, introduced by Senator Daschle and Congresswoman Slaughter, which would extend these protections to the private sector and to individuals purchasing health insurance. As with financial and medical privacy, legislation is before the Congress to address especially sensitive personal data -- genetic information on individuals. The time to act on each of these issues is now.

 

* * * *

Let me turn now to the specifics of H.R. 4049.

 

The Scope and Structure of the Proposed Commission

As indicated earlier, the Administration has significant concerns that the Study Commission might be used by some as an excuse for delaying needed activity in privacy protection. These concerns are especially acute for topics such as medical, financial, and genetic information where good legislative proposals are before the Congress now. There has already been extensive discussion of these proposals within the Congress and among the stakeholders. Further study of these topics by the Commission would duplicate the public examination that has already taken place, without adding real value. The proposed medical privacy rules that become final this year will be the result of a multi-year process that generated over 53,000 public comments, many in extensive detail. These comments show a need for further action, not further study.

 

We recognize that the Congress needs to make its own judgments on these matters, and we defer to it in its assessment of what it needs to inform those judgments. It seems sensible, however, to adopt a focused approach to exploring these topics. Ideally, any further study efforts should be done within a short time frame and would build on, not duplicate, existing studies.

 

If there were to be a Commission, contrary to our recommendation, we should ensure that it focuses its efforts in an effective way. Again, we are concerned about potential delay. Casting too broad a net would delay the work of any new Commission, with uncertain results. We note, for example, that the treatment of data collected on-line has been the subject of extensive hearings in Congress, as well as public workshops, public comments, studies, and reports by the Department of Commerce and the White House Electronic Commerce Working Group. The Federal Trade Commission is about to issue a major report. We recognize that this is a complicated area that requires careful evaluation and an understanding of new technology. It is not clear, however, that a Commission lasting 18 months will give decisionmakers the help they need.

 

Indeed, rather than have a Commission pursuing a very broad set of topics, it might be more productive to have technology and policy experts address specific, emerging issues that have not yet benefitted from much attention. One targeted way to study such privacy issues might be to enlist the expertise of the National Academy of Sciences/National Research Council or other appropriate bodies. The NAS/NRC has extensive experience in creating blue-ribbon groups with the expertise to provide insight into difficult policy problems. In the privacy area, the NAS/NRC has already produced studies such as "Cryptography's Role in Securing the Information Society" (1996) and "For the Record: Protecting Electronic Health Information" (1997). Perhaps we should call on it again.

 

The NAS/NRC's Computer Science and Telecommunications Board is currently exploring funding for a study on "Authentication Technologies and Their Privacy Implications." The problem identified for this study arises from the need to identify people in a trustworthy way -- that is, to authenticate people -- in order to facilitate business and other activities over the Internet. Many of the possible ways to identify people have privacy implications since they involve individuals turning over a good deal of personal information -- from a mother's maiden name to credit card numbers or other information that could put an individual at risk if revealed to unauthorized persons. As technology develops, our society needs to understand how to make authentication work in a way consistent with preserving privacy.

 

Another useful study topic, which similarly does not require a Commission, could be biometrics and privacy. "Biometrics" refer to fingerprints, iris scans, and other physical indicators of identity. Since many companies are now exploring the commercial deployment of biometric technology, now is a good time to assess the public policy of biometrics and privacy. If deployed carefully, biometrics could protect privacy by placing less reliance on sending credit card numbers or other sensitive information over the Internet. If deployed badly, however, biometric technology could create new privacy risks, such as if biometrics were used to record each room an employee enters while on the job. A study of this subject, taking proper account of new technological developments, could increase the likelihood that biometric systems will be more sensitive to privacy concerns as they become widely used.

 

For all these reasons, we believe there are sound alternatives to a Privacy Commission. If, nonetheless, legislation creating such a Commission moves forward, then we have specific concerns about certain provisions in H.R. 4049. For instance, as with other commissions on many important national issues, the President should have a greater role in appointing Commission members. In addition, the current section 7(c) is objectionable because it could be interpreted as requiring Executive Branch agencies to turn over confidential or classified information to the proposed Commission. The text could read that agencies "may," rather than "shall" furnish that information.

 

As I emphasized earlier, we share with the Congress a very strong interest in protecting privacy and look forward to working with you to find suitable new ways to improve that protection. We understand the good intentions motivating the Congressional sponsors of H.R. 4049. Despite our reservations about the specifics of this bill, we welcome the commitment to privacy protection that they seek to demonstrate.

 

Mr. Chairman and Members of the Committee, thank you once again for the invitation to discuss these issues.