Author(s)
Kenneth A. Bamberger and
Deirdre Mulligan
Source
Chicago Law Review, Vol. 75, Winter 2008
Summary
This paper looks at how administrative agencies make decisions affecting privacy.
Policy Relevance
Using formal legal processes to protect privacy has limited effect, because agencies have considerable autonomy. Consultation with privacy experts is helpful.
Main Points
- Administrative agencies such as the Department of Defense increasingly rely on technology and collect data with serious implications for individual privacy.
- The E-Government Act of 2002 requires administrative agencies to publish privacy impact assessments (PIAs) when using new technology systems that include personally identifiable information.
- Described in Office of Management and Budget (OMB) guidelines, the PIA should assess threats to individual privacy, alternative systems, note measures taken to reduce risks, and justify final choices.
- Comparing the Department of State’s process for adding data chips to passports with the Department of Homeland Security’s process and other cases shows that privacy assessments across agencies are inconsistent in quality. OMB oversight has been limited, and there has been no judicial oversight.
- Independent personnel with contacts to the privacy community, and oversight by a privacy committee lead to more effective assessment at DHS.