More information could mean less privacy: President Bush signed the E-Government Act to enhance public access to information after authorizing Homeland Security legislation that may threaten privacy. (Capital edge: legislative & regulatory update).
While e-government initiatives could be in place sometime in 2003, the new Homeland Security Department may take several years before becoming the fully functioning agency envisioned by its enacting legislation. However, both efforts will impact the future of records and information management, albeit in different ways. For example, the E-Government Act is meant to enhance public access to information while the homeland security legislation grants the government broader rights to access and collect private individual and corporate information.
The passage of the Homeland Security Act (Public Law 107-296) represents the largest government reorganization effort of the past 50 years. The reorganization, expected to begin taking shape in March with the goal of being fully operational by September 20, 2003, will combine 22 current agencies, with an aggregate budget of $40 billion, within the newly created department. The department will employ approximately 170,000 employees, including civil servants from the Immigration and Naturalization Service, the U.S. Secret Service, the Federal Emergency Management Agency, the Transportation Security Administration, and the U.S. Coast Guard. This reorganization will have major records management implications because, at present, most of these agencies' information management systems are not compatible for information sharing.
In addition to the basic reorganization of existing governmental functions, the legislation calls for the creation of four directorates, comprised of agencies to be consolidated into the Department of Homeland Security, which is responsible for detecting and identifying threats against the United States. The four directorates are:
* Information Analysis and Infrastructure Protection: Under the plan, the two biggest intelligence organizations--the Federal Bureau of Investigation (FBI) and the Central Intelligence Agency (CIA)--remain outside the department. But several assets, such as the FBI's National Infrastructure Protection Center, will be included. This directorate is responsible for protecting the nation's critical infrastructure.
It is charged with collecting and analyzing information regarding the threat of terrorist attacks from both public (local, state, and federal) and private sector sources. The directorate will first assess the nation's critical infrastructure and key resources for vulnerabilities, then develop a comprehensive plan for securing both the infrastructure and resources from various means of attack. The directorate also will address information security and will be responsible for recommending new policies for governing information sharing between government entities.
* Science and Technology: The plan moves parts of the National Laboratory programs under the department's control and entrusts it with developing countermeasures to chemical, biological, radiological, nuclear, and other emerging terrorist threats.
* Border and Transportation Security: This directorate will include the Bureau of Border Security, the Office of Domestic Preparedness, the Customs Service, the Transportation Security Administration, the Federal Law Enforcement Training Center, and the Federal Protective Service.
* Emergency Preparedness and Response: This directorate will coordinate the federal government's response to terrorist attacks.
The Homeland Security Act also addresses issues concerning the voluntary sharing of critical infrastructure information between public agencies and private interests. Many experts, however, have expressed concern over what information is collected and shared. For example, tucked into the act was the Cyber Security Enhancement Act (CSEA), which allows any federal entity, from the U.S. Centers for Disease Control and Prevention to the National Park Service, to seek Internet service providers' (ISP) permission to look through an individual's private or business e-mail. As long as the ISP has "good faith" that the electronic communications in question constitute some risk of death or injury, it can turn over to the government an individual's electronic records without breaching that individual's right to privacy or the law.
Before CSEA, according to the Electronic Privacy Information Council, only law enforcement agencies could collect information from communications providers; now any government entity has that power. Before CSEA, the standard for determining what information could be turned over to investigators was "reasonable belief" that the communication represented an "immediate danger." Now, all that is required is "good faith" that there is "danger."
Another provision of the Homeland Security Act gives U.S. authorities new power to trace e-mails and other Internet traffic during cyber attacks without first obtaining court approval. That could happen only during "an immediate threat to national security" or an attack against a "protected computer." Prosecutors would need to obtain a judge's approval within 48 hours. In addition, the government is considering a plan for a national database to store information it collects about individuals' credit card purchases, travels, e-mail messages, and phone records in order to better identify potential terrorists. Another questionable element is that the Act exempts information relating to the security of critical infrastructure information from release under the Freedom of Information Act to protect the proprietary nature of much of the information anticipated. Such information may not be used in any civil action arising from either federal or state law and may not be disclosed except in support of a congressional investigation.
Enhanced Public Access to Information
While the federal government sought to protect the nation's infrastructure with homeland security, it also endeavored to enhance public access to government information and resources. On December 17, President Bush signed the E-Government Act into law (Public Law 107-347). The bill, which requires the federal government to use Internet-based information technology (IT) to enhance citizen access to government information and make government Web sites more user-friendly, establishes a new Office of Electronic Government within the Office of Management and Budget (OMB). The office is responsible for organizing the government's various services, rules, and reports in ways that make them easier for the public to use. It will be managed by a presidentially appointed administrator and will be responsible for advising and providing direction to the executive branch on government-wide electronic initiatives.
Among the issues that the newly created office will address are capital planning and investment control for IT, information security, information privacy, and access to and preservation of government information. The E-Government Office will oversee the development of an integrated Internet-based information system for each federal agency while establishing government-wide policies to support IT standards. Developing a system to categorize federal electronic information also will be one of the new office's responsibilities.
The E-Government Act also created two new programs: the Federal Information Technology Workforce and the Federal Information Security Incident Center. The Federal Information Technology Workforce initiative will require the Office of Personnel Management (OPM) to conduct an assessment of the government's IT personnel needs. OPM will be responsible for identifying where current IT training is insufficient and will develop curriculum and training methods to address those deficiencies. The OMB will manage the new Federal Information Security Incident Center, which will provide technical assistance to each agency's information systems operator. The center will compile and analyze a list of information security incidents and inform agencies about possible security threats and vulnerabilities.
E-government activities will be financed by an "E-Government Fund." The General Service Administration will manage the fund, which will support OMB-approved e-government projects.
The legislation codifies the Chief Information Council comprised of chief information officers at major federal agencies and departments, as well as representatives from OMB and the CIA. The council, first created in 1996 by executive order 13011, will be responsible for developing recommendations on federal information management policies and a best-practices portfolio to recommend innovative approaches when instituting information management enterprises. Individual federal agencies will be required to develop a set of e-government performance measures based on their customer service record, productivity, and use of innovative technology. Each agency will collaborate with OMB to create an integrated Internet-based portal to provide the public with "consolidated access" to government information and services.
In addition, the bill requires government to be more accountable. The law requires every regulatory agency to establish a Web site to collect and post public comments on every rule it considers. Agencies also must establish public comment periods and consider public opinion when deciding what information to post online. Until now, members of Congress have opted not to post much information online, and the public does not have a searchable database of members' voting records or Web access to the independent analysis of bills from the Congressional Research Service.
Information security was an important goal of the new legislation. National security and law enforcement communities will partner with private sector entities to ensure effective government-wide management and oversight of threats to federal IT. Individual agencies will be required to provide protections against unauthorized access to or modification of their information systems. Each agency will be responsible for reporting information security activities in its annual budget submission and subsequent reports. Each agency also will be required to perform independent evaluations of information security programs either through the agency's inspector general or an independent auditor.
Privacy at Risk?
While the Homeland Security Act may threaten individuals' and business' basic privacy rights, the E-Government law requires agencies to conduct a "privacy impact assessment" each time they purchase new technology systems to determine whether the technology could lead to abuses of personal information. Even with this requirement, however, the push under the new law to link government databases worries some government watchdogs.
One provision of the e-Government bill encourages the creation of a single software protocol that, for the first time, would enable disparate government computer systems to communicate. That could allow the compilation of dossiers and databases not previously practical, and experts warn that this may endanger privacy because it will make sensitive information easier to find. The current systems' inadequacies provide inadvertent privacy protection.
The passage and approval of each bill blazes new trails in the U.S. government's information management efforts. The Homeland Security Act creates access to and analysis of critical infrastructure information while the E-Government Act seeks to improve public access to government information and to establish strong management regimes for information under the control of the various federal agencies. It remains to be seen, however, how much the methods by which these two acts are implemented will impact privacy and whether privacy will be sacrificed in the name of improved access to and management of information.
Bob Tillman is Director of Public Relations and Advocacy for ARMA International. He may be contacted at firstname.lastname@example.org.
|Printer friendly Cite/link Email Feedback|
|Publication:||Information Management Journal|
|Date:||Mar 1, 2003|
|Previous Article:||MIT's super archive. (Up front: news, trends & analysis).|
|Next Article:||What every business needs to know about HIPAA: most healthcare organizations must comply with HIPAA's Privacy Rule by April 14, 2003--but do all...|