The Business of Government Hour


About the show

The Business of Government Hour features a conversation about management with a government executive who is changing the way government does business. The executives discuss their careers and the management challenges facing their organizations. Past government executives include Administrators, Chief Financial Officers, Chief Information Officers, Chief Operating Officers, Commissioners, Controllers, Directors, and Undersecretaries.

The interviews

Join the IBM Center for a weekly conversation about management with a government executive who is changing the way government does business.

Nuala O'Conner Kelly interview

Friday, September 23rd, 2005 - 20:00
"Our operation is to include privacy in all major decisions and to make sure that privacy is considered and is codified. It is built into programs, taught, and brought to our personnel in meaningful ways."
Radio show date: 
Sat, 09/24/2005
Intro text: 
Nuala O'Conner Kelly
Complete transcript: 

Monday, August 29, 2005

Arlington, Virginia

Mr. Morales: Good morning and welcome to The Business of Government Hour. I'm Albert Morales, your host and managing partner of The IBM Center for The Business of Government. We created the center in 1998 to encourage discussion and research into new approaches to improving government effectiveness. You can find out more about the center by visiting us on the web at

The Business of Government Radio Hour features a conversation about management with a government executive who is changing the way government does business. Our special guest this morning is Nuala O'Connor Kelly, chief privacy officer at the Department of Homeland Security. Good morning, Nuala.

Ms. Kelly: Good morning, Al. Pleasure to be here.

Mr. Morales: And joining us in our conversation, also from IBM, is Paul Hempstead. Good morning, Paul.

Mr. Hempstead: Morning.

Mr. Morales: Nuala, please tell us about the mission of the Department of Homeland Security and the mission of your office within DHS.

Ms. Kelly: I think many people -- although not everyone in the country -- knows right now that the Department of Homeland Security is largely a protective agency. I think -- obviously, we were created in the aftermath of September 11th and the tragedy that occurred around the country, and people think of us as an antiterrorism agency, but that's -- I would consider it a part of the larger mission of the department, which includes everyone from FEMA, as well as the Secret Service and the Coast Guard and the border protection services, and all of the parts of our former immigration services.

So we are a service agency, we are about protecting the homeland, but we are also about making an accessible and protective and safe space for citizens and visitors to this country. And I think that recent events that -- and recent changes Secretary Chertoff has made to the department really reflect that, with the appointment of chief medical officer, for example, to counteract medical threats, bioterrorist threats, and also to look for biohazards across the country, patterns and emerging trends. We're dealing, you know, with everything from local outbreaks of the flu, really, to kind of national and international epidemics that might be a threat to our homeland as well. So it's not just the terror cells that we -- you know, we think about and we hear about on television, but it's man-made and natural disasters, it is medical threats, it's bio threats, it's every kind of imaginable thing that we want to prepare for and be aware of and hopefully both act to prevent but also act to mitigate. So it's a very -- it's a wonderful mission, and I'm incredibly honored to be a part of it. I've been here since, really, almost day one. I was appointed two weeks after the department opened its doors under Secretary Ridge and the team that was in place at that point, and I've just been incredibly honored to be a part of that team and the current team as well.

The mission of the Privacy Office within the department is a unique one. Again, I'm honored to have been chosen to be the first statutorily required and appointed chief privacy officer for any federal agency. And that's not to say there aren't incredibly talented and excellent privacy and Freedom of Information Act specialists and personnel and leaders across the federal service because they already are. This is just a unique amalgamation of those responsibilities and those requirements in one office, and I can just tell you a few minutes about the office and what it does. First, our statute has five main components, and they include everything from overseeing all Privacy Act -- privacy impact assessment requirements, the Freedom of Information Act compliance across the entire department, legislative and regulatory proposals that might impact personal privacy, and interestingly enough, a reporting relationship, which is fairly clear, that we must report on complaints and concerns to Congress and to the public, which gives us a little bit of an outside kind of ombudsman feel to the office. But it is really largely -- and obviously it is intended to be a helpmate of the department. I hear people define us as what we are not. We're not the general counsel. We're not the inspector general. We're not a number of things. And all those things are true -- we don't pretend to be any of those things.

We are operational, and our operation is to include privacy in all major decisions and to make sure that privacy is considered and is codified, is built into programs, and is educated, is brought to our personnel in meaningful ways. We have done everything from videotaped learning modules to on-site classes for all of our new employees at headquarters. You know, any way we can reach our employees, we'll do it. And privacy, of course, means a lot of things to a lot of people. It means not just personal data -- what information the government knows about you and when and why, but also what kind of pat-downs are you getting at the airport and who's looking through your baggage and all the different ways that the department comes into contact with people. So we try to instill a sense of respect, a sense of dignity for the individual. So our role is a little bit of everything; it's policy, it's technology, it's legal, but every person -- including me -- that works in our office wants to be at the Department of Homeland Security to help our overall mission, which is to keep our country safe.

Mr. Hempstead: Nuala, that is certainly a broad set of issues. Could you provide some context for our listeners and describe the size and budget of your office?

Ms. Kelly: Our headquarters office right now numbers probably around 30 professionals, and we have a headquarters budget that's somewhere in the neighborhood of 5 or $6 million. We also oversee and have kind of a dotted-line reporting relationship -- or policy oversight over an additional 400-some personnel who practice Privacy Act, privacy impact assessment, and the Freedom of Information Act work across the department with a combined budget there of -- I want to say over 35 million. So those sound like big numbers, of course; when you think about the context of homeland security, that's actually a fairly small office. But I think we have a big impact considering our size. Not only, obviously, do I report directly to the secretary, but we're involved in management and decision-making and policy and program decision-making at all levels, at the very lowest level right on the front lines of what Homeland does, at the border and at airports and the like, and at the highest levels as well, about where we're going to put our resources and what directions we're taking major programs.

Mr. Hempstead: We understand your appointment was announced in April of 2003. You've been over there for over two years. You say you have a staff of 30. Do you do any investigative kind of work? And as being Congressionally mandated, do you also report to Congress from time and again?

Ms. Kelly: Thanks for that question. I know people at the department shudder when the word "investigation" is used in association with my office. I would say we review programs. We've certainly said publicly we had some concerns about a number of programs and have worked successfully with those programs to talk about what the right of privacy frameworks are and what the best practices are for personal information. So yes, we do review when the public raises concerns or when Congress raises concerns, or when, you know, concerns are raised even within the department. We'll go to various programs, and we'll say, listen, we're going to sit with you side-by-side. And it probably feels from the receiving end a little bit like an inspector general audit, although we like to be a little friendlier and a little more in-house. And we do report the results publicly; we've issued a number of public reports on the status of, say, for example, the use of personal information in the airline context, which is of great concern publicly, but also has a great validity in our homeland security work.

We are -- I think in the Fall, you'll see reports on the Matrix program, which, again, was incredibly worthwhile program about law enforcement sharing of information across state lines. Again, I think most people think that happens already, so -- but there were concerns about who was going to have access to the information, for what purposes, where it was going to be housed, and most importantly, the security of information. Something you've seen over and over again in the private sector in the last year, people are, I think, going to be increasingly concerned about their government having and being able to secure their personal information as well. We've got to demonstrate that we respect personal information; if we're going to require it for use for -- even the most valid purposes in the government space -- which I think are for homeland security -- let's just show that we can do this right, we can do this thoughtfully.

We do report to Congress at least annually and we've actually been asked to report more frequently than that through specific legislative direction and through coming in for hearings and testimony and the like. So again, this was a Congressionally mandated and created office, and a number of our godfathers and godmothers are still in Congress; a number actually have left and are still looking over us with great pride from the private sector as well. But we do go up to meet with both members and staff frequently, and we've been very grateful for their support. You know, I probably sound like an incredibly na�ve Washingtonian, but I really do believe that the support is very bipartisan. There isn't anyone I can think of walking down the street who'd say I don't really like privacy. You know, I think that's something everyone can get behind, and it's just a question of doing it right and thoughtfully and again, not impeding the mission of the Department of Homeland Security, but really strengthening it.

Mr. Hempstead: You described your role as being partly within, partly without or outside the department. Given this duality of roles, how do you ensure collaboration with your colleagues across DHS?

Ms. Kelly: I think by showing, first of all, a fundamental respect for what the mission is. You know, I was just -- I was doing some research online for a personal trip this weekend, and I came across some of the coverage of some of the folks on airplanes on 9/11 -- and I have a little girl named Nora, and one of the women who died had a one-year-old daughter named Nora. And these stories, again -- I mean, even four years later, still resonated with me, and I actually had family members and friends -- I'm from New York, I had just moved down a couple weeks before 9/11 -- who were in the World Trade Center, some of whom were injured and lost their lives. And so, you know, we all at this department support this mission and remember why it is we came and what it is we're about doing. I'm sure there are people at the department who sometimes think we're making their lives harder -- and that's probably true, we are probably making a few more steps to their getting their program out the door -- but again, it's with the thought that we are doing the tough scrub inside the department to make sure we have made the right choices about the use of personal information and about the impact on the individual because, you know, what we're about, again, is not only preserving our safety and our security, but preserving our way of life with a minimal intrusion by our government. And so when I say I'm partly within-without, I mean within, we are a helpmate, we are an educator, we are, again, assisting the operations; outside the department, we're a listener, we're there to hear the concerns of the public, we're there to bring them in and again, to operationalize them, to make them real, to make them hearable to departmental leadership. I think so many times the discourse in this country becomes so intolerant of the other side, and I really see our role as a translator, someone to say, you know, we have respect, we are privacy professionals. Every person I've hired, they are profoundly someone who cares about personal privacy and is educated in fair information and principles, not only domestically, but internationally as well.

So we come from that framework, but we're also Americans, and we also care about this country, and we also care about this department. So I think we sit on the fence, we sit on the line between, you know, those who would criticize the department and those who would defend it at all -- you know, with no ability to hear criticism. So I hope we've done that, and I think we've done it to greater and lesser, you know, success depending on the day.

Mr. Morales: How is DHS building Privacy Office? We will ask DHS Chief Privacy Officer Nuala O'Connor Kelly to share with us when the conversation about management continues on The Business of Government Hour.


Mr. Morales: Welcome back to The Business of Government Hour. I'm your host, Albert Morales and this morning's conversation is with Nuala O'Connor Kelly, chief privacy officer at the Department of Homeland Security. Also joining us in our conversation is Paul Hempstead.

Nuala, we understand that you file an annual report directly to Congress. Can you tell us more about this reporting relationship?

Ms. Kelly: It's an unusually drafted provision, our statutory authority, in that most reports issued by the department, obviously, are issued by the secretary. So it's a little quirk of drafting, but I think it was intended to be, frankly, actually, much more than that, and I've talked to some of the staffers, and they intended for this office to have, as I was saying a little earlier, kind of an ombudsman-like quality and ability to report in a kind of an unconstrained manner about concerns and about their -- the response of the department to public concern and outcry about privacy invasion or privacy complaints. We've reported a number of times, not just in our annual report, but in specific instances, we've been asked to investigate or analyze, really, the use of the no-fly list in the airline context. We've been asked to review the use of commercial data by the department to make sure that it's meeting public expectations. And we see these, really, as constructive ways to tell the public what the department's doing, but also to tell folks at the department here's the right way to be doing these things, and you know, here's the way to succeed with our programs, but also keeping privacy in mind at all times. And so we've been lucky to have just a really good relationship with the members of Congress who oversee our office and who've expressed concerns about these issues at the department. And again, they fall on both sides of the aisle. I think privacy is a universal issue, really, more than a Republican or Democrat one.

Mr. Morales: Nuala, many of the organizations within DHS have very long histories and well-formed cultures. How is your office contributing to the culture at DHS?

Ms. Kelly: I am fascinated -- absolutely fascinated -- by organization culture because I came from a high-tech company that was five years old, and it was run by -- I think at the time, a 37-year-old billionaire, and at 32, I was probably the second-oldest person in the company, so you know, it was really a fun, fun job, and a great place to work and a great entrepreneurial environment. That's a very different culture from any government organization, almost. There are parts of the Department of Homeland Security that date back to several centuries ago. It is hard to make change in cultures that are that old and that well-established. And we have other parts of the department that are brand new, that were created in the department's enabling statutes, so we've got two-year-old departments and 200-year-old departments within the Department of Homeland Security.

I think the challenge for all of us is to create a unified culture, and I'm so incredibly impressed by some of the language that Deputy Secretary Michael Jackson has used about creating one DHS where employees understand that their career trajectory is tied to the department, that they can succeed, you know, as a Coast Guard agent who does a -- or a member who goes to do a detail in the Secret Service or in the Customs and Border section, or in enforcement agencies, that there is respect for professionalism and growth and opportunity across the department that isn't tied to any one subset of the department. I have a lot of respect for the organizations like the Customs Service, for example, that date back, I think to the Constitution. I think people have mentioned that a number of times. But they have developed a career personnel track that is among the most professional, I would say, in the federal service. It attracts a terrifically high caliber of employee and promotes employees for their best work. I think we want to look across the department and build on what's already working and build those structures out and then also take this opportunity as a brand new two-year-old agency to be a little entrepreneurial, to be a little more open to new ways of doing things.

You know, I think people have been talking about -- for decades now -- bringing a private-sector kind of ethos into the government space. There are terrifically talented people; I think I've been more than impressed by the folks I've been able to hire and that I work with at DHS and across the service. Let's train and manage and promote them in a way and with the speed and with the benefits that you can see in the private sector. There are certainly benefits to being a government employee, but there are downsides in some of the inflexibilities as well, so let's kind of clean those weeds out of the way of the good folks who are trying to get work done.

Mr. Morales: Nuala, you touched a little bit upon collaboration. What are some of the other critical success factors or challenges in working across an organization the size of DHS?

Ms. Kelly: I think translating, making sure that our mission is explained within the department in a way that people understand that it's part of supporting the overall DHS mission. You know, we're not just there to put a rubber stamp on a program, to say, yeah, it's great, it's super, it's a terrific idea. We are going to ask the hard questions, but in asking the hard question, it's to get to the endgame, which is to get a worthwhile valid idea out the door and in a manageable timeframe and in a manageable way that respects the individual, respects the citizen. Often, folks are so focused -- and sometimes, I'm sure that the same criticism could be levied of my office -- we're so focused on our own mission, we can't necessarily conceive of how important others' missions are as well. And so just making sure we all understand it's really -- it really is one team, one fight, as Husband said, that we all have our part to play in the larger drama of DHS, but that it's about getting to the finish line.

Mr. Hempstead: Nuala, DHS interfaces with several different federal agencies. Many of them do not have chief privacy officers. How do you ensure that privacy issues are handled according to DHS standards and other applicable laws to people like the intelligence community and other civil agencies?

Ms. Kelly: Well, thanks for making me sound so important that I get to tell everybody else what to do, but that's not exactly the case. But in fact, there are more and more chief privacy officers that are statutorily required. We've had statutory mandates for a number of other federal agencies that have exactly followed our statutory language and in fact, enhanced it and expanded on it. We've got a great new person over at the National Intelligence Director, a privacy and civil liberties officer. We've got statutory language that encourages or, in fact, requires every federal agency to name a senior government official who is the overseeing person for privacy policy for each federal agency. I think you're seeing federal agencies come to that view that you need a senior person with a lens on privacy, and you know, I'm joking when I say that it was because of our office. It's really largely mirroring or imitating the private sector, which has had great success. Really, one of the leading chief privacy officers in the country is Harriet Pearson at IBM, who I think actually has a much bigger title, but she was one of the early leaders of the viewpoint that you can have a successful privacy practice within an organization.

I don't know if you guys want to get into international, but our way of looking at privacy is a little different in structure, but not necessarily in principle, to the rest of the world in that we have embedded privacy officers within our federal agencies and within our companies. You know, other parts of the world have free-standing offices that are separate and apart from their federal agencies -- you know, there are different ways to do it, but I think the proof is in the pudding -- you know, what's the outcome, do we see good and thoughtful programs and policies and new business products coming out of these institutions, and I think the answer is yes. I think you've seen great success with privacy officers in the private sector, and I think that the federal government is really following that lead and realizing, also, that the use of personal information has become one of the most compelling concerns about any organization that has information and that needs information to do its job, whether it's a bank, a hospital, or a federal agency.

Mr. Hempstead: Well, you mentioned international partner agencies. What about other partnerships? What are critical to the privacy office where you are? Perhaps private sector, advocacy groups, individual citizens?

Ms. Kelly: Absolutely. And let me run down the list with -- starting with our own agency first, actually. We work every single day with our Office of General Counsel and our various other leadership offices, our policy office, our international shop, you know, the program officers across the department. So partnering with the leadership, but also partnering at kind of a mid and lower and all throughout the levels of our agencies are the right way to do the job and to make sure the job's getting done across the federal service, obviously, with privacy offices, but also with our partner agencies, Justice and Defense and the intelligence community as kind of one, you know, operational force. And I think the idea, really, after 9/11 is to break down the walls, make sure that the information is going where it's supposed to be going and not where it's not supposed to be going. Our mission is to make sure that information is used legitimately and thoughtfully and in a limited fashion, but not that no information is used because information really is one of the lifebloods of our War on Terror.

I think we're forgetting our state and local partners here in this conversation, that they are our crucial -- and you see that again in any number of front-line activities, any kind of natural or man-made disaster is going to require our state and local, our first responders, and they are, you know, the people who are on the front lines of this, and we need to make sure that they have timely information in a manner that can save lives. So, you know, good and thoughtful and fast and effective information-flow is going to be essential to making sure people are moved to the right parts of the country or deployed in a way that's going to be helpful. So we are very much in favor of technologies that can both assist, but also constrain the flow of information. With good thoughtful rules at the outset, we can do that.

Mr. Morales: Nuala, you mentioned earlier that education is core to the mission of your office. Can you describe the steps that the Privacy Office is taking to educate others on the privacy concerns?

Ms. Kelly: Within the department, we have education programs, really, almost in every part of the federal service already. There are requirements under the Privacy Act and FSMA and a number of other laws to make sure our employees have been trained in Privacy Act requirements and, really, privacy policy. We've undertaken a particularly robust training program at headquarters, where we sit, to make sure that every new employee has gotten a class from a member of the Privacy Office. We're really looking at what's being done already. Again, Customs has a terrific online privacy training program, INS has some terrific technologies about limiting information flow and access to certain kinds of information, and what we're trying to do from our standpoint is really be the champion of the programs that are working well and to say, hey, here's a really good idea, you guys might want to copy that. Or if a division comes to us and says, you know, we really want to implement this, we say we don't necessarily need to reinvent the wheel, although you're welcome to go out an look at what's being offered in the private sector and get people to compete for, you know, terrific resources, but let's build on what's already there, let's not be reinventing the wheel.

So within the department, we're both the champion, but also the actual teacher. And then outside the department, again -- you know, I didn't talk enough about our relationship not only domestically and internationally, but also with the advocacy community and the public. I mean, we really see ourselves as bringing in and making real the concerns of individuals and of organized advocacy groups and being ourselves educated and then turning around and educating others in the department about these concerns and why they're valid, and in a way that can be heard.

Mr. Morales: How are privacy concerns impacting investigative technology? We will ask DHS Chief Privacy Officer Nuala O'Connor Kelly to explain this to us when the conversation about management continues on The Business of Government Hour.


Mr. Morales: Welcome back to The Business of Government Hour. I'm your host, Albert Morales and this morning's conversation is with Nuala O'Connor Kelly, chief privacy officer at the Department of Homeland Security. Also joining us in our conversation is Paul Hempstead.

Nuala, you've described yourself -- and please take this term lightly - as a geek at heart. What is the promise of technology in the privacy arena?

Ms. Kelly: Oh, no worries. I'm the one that said it, and I remember distinctly having said it. I came from a high-tech company, so I am a geek to a certain extent, and I do believe that there is tremendous potential in a number of the technologies the Department is considering using and is already using, both to strengthen identification and identity management, but also to put limits on the use of personal information by this department and other parts of the federal service. The promise of technology, I think, is greater accuracy. For example, many of the watch lists really seem to run off name and date of birth, and our airline tickets obviously are named, and so everyone who's got that name is going to match that individual. So, you know, that's just one kind of data management tool that people are considering is, what's the limited amount of information that's necessary to prevent those kind of mismatches and misidentifications?

But in a more robust way, the use of technology like biometrics and RFID and other kinds of identity management tools, I know they strike fear in the hearts of many who say, oh, I don't want my picture taken, I don't want my fingerprint taken -- and I understand the cultural concerns not only in this country, but in many other parts of the world. We do want to be sensitive and thoughtful about not only the concerns of our own citizens, but really the impact we're having internationally as well in programs like, for example, US-VISIT that is engaging in and meeting visitors to this country at the border. But we also do want a greater strengthening at our border of who's coming in and out, and I think the VISIT program, for example, is a tremendous success story in not only the use of technology, but in building in privacy principles and privacy practices into its foundation.

So I think the answer, really, is there are ways to do the things we need to do to make our country safer, but in a way that is thoughtful and respectful of individual privacy, and that technology can be one of the tools. I think the promise of technology, particularly biometrics, is greater accuracy and therefore cutting down on mismatches and misidentifications at the airport, at the border, wherever, but also through that, allowing our employees to focus on the issues that are really of concern, the people who really might be a correct match with a watch list or some other law enforcement activity, and really focus those resources. And again, I go back to VISIT just because it's a great real-life case study, but they've been able to arrest felons and folks who are wanted domestically and internationally on very, very serious violent crimes, as well as visa and border infractions. And so, you know, I think this is a powerful example of technology done right and our ability to protect ourselves and to create a strong border.

Mr. Morales: We understand that your office drafted a policy notice that covers access and redress opportunities for all persons, regardless of their country of origin. Can you tell us more about this notice and how your office is implementing this policy?

Ms. Kelly: As a principle, we in our office have very much tried to model our thinking on really universal fair information principles. And when you look at privacy law elsewhere in the world, you'll see that those privacy laws cover you when you're visiting that country or having any interaction with the Italian government or the French government or the like. And so to the extent that we have many international agreements that are reciprocal, we have tried very hard where we can to encourage the department to allow for and create access and redress programs that allow any individual, regardless of their citizenship or country of origin to access their information and correct it.

Now, let me be perfectly candid that I'm not inventing something new here. Our CIS -- our Citizen Immigration Service -- has had a fairly similar policy for some time, and that is really because the Freedom of Information Act allows for a person of any country of origin to see their own data through a FOIA request and access it and see what is known about them. This is really a practical principle because so many of our files of citizens and non-citizens become commingled in the process of folks becoming citizens that it just makes sense, it's more practical, it's more doable to cover the systems as they're known by -- systems of records notice under the Privacy Act or through FOIA protections. And we've just tried to encourage the department to think about those protections as really linked.

In a recent negotiation we had with the European Union on release of passenger name records, again, we relied heavily on the strength of our Freedom of Information Act, which I will argue is really second to none internationally. I think folks don't realize that we're constantly getting calls in our office from privacy and information commissioners from other countries saying, how do you do it and what do you do and, you know, what are the principles that you engage on. And I think you're seeing a growing trend of accountability and concern, and it's a way that citizens can -- in our country can petition our own government for correction and in the most minute sense, a correction of their own record. So it is a policy that combines the strength of Privacy Act and FOIA and really just says there's not practical difference between what we're doing for our own citizens and what we're doing for citizens of other worlds -- other countries. It's something we haven't gotten credit for enough internationally, and we should.

Mr. Hempstead: Let's see: you mentioned before your interaction with -- and, in fact, your impact upon -- the US-VISIT program. I did want to ask you about another program because we understand that your office recently completed a privacy assessment review of TSA's registered traveler pilot program. Could you tell us about the review process and some of the privacy issues that you evaluated?

Ms. Kelly: Certainly. And, of course, the review process for RT -- or registered travelers -- no different than the same PIA -- Privacy Impact Assessment -- process that every major program -- really, every program that has personal information in the department goes through very routinely now, and I give, you know, all the credit in the world to our staff that works on PIAs in our office, led by Becky Richards, our chief compliance officer in the Privacy Office, who came from a terrific organization called TRUSTe, the online seal program that really did compliance and auditing and training of online companies, and I'm just tremendously delighted that we're able to bring that kind of lens of operational efficiency and really just routine analysis of privacy and fair information principles to the DHS framework. Any program -- RT and any other program that's a new idea, a new pilot, has to do a PIA by law, and the idea behind a PIA is simply -- like an environmental impact assessment or any other paperwork reduction notice -- to consider what the impact is of this new program on the individual and on that individual's personal information. The PIAs -- we've really drilled down on the program folks that they are responsible for drafting the initial PIA and that's because they understand better than anyone else what the program does, and it makes sense for the program folks who take ownership of privacy as a principle and a practice for their own program. It's not something that we from headquarters, down from above, say you must do it this way; it's got to be something that's really learned and lived by the program personnel.

Now, that's not to say that the first year, we weren't sitting there side-by-side helping them write every single word because we sure were, but it's the old adage, teach a man to fish -- you know, I think this year we've had a smoother program, and next year, again, you're going to see more completed and more fully fleshed-out PIAs coming into our office at a later time in the evolution because the folks writing them will have done them before and be more comfortable doing them. So it's really a bottom-up division of labor, really, where the folks running the program, this is part of their tool kit, it's part of their to-do list, really, they're -- the PIAs are scrubbed by the CIOs for the various divisions because, obviously, it's a technology-heavy requirement. The E-gov Act requirement is particular to the new uses of technology or new technologies that impact personal information. The DHS-wide PIA requirement's a little bit broader for new programs, generally, and new use of personal information.

You know, in a perfect world, they come to our office a little further baked, you know, and closer to being done, and are reviewed by our office. And what we're looking for, really, is have you considered what the impact is on the individual. When you're asking for, you know, name and date of birth, do you really need it? Is that all you need? Do you need more, are you going to come back to us six months from now and ask for more? You know, if you're asking for 16 different things, is that all really, really necessary, or could you do with less? And sometimes the answer is, we really need all 16 things, and that's okay if you can really show a demonstrable law-enforcement or counterterrorism reason. Or, you know, have you considered other technologies that might work better.

A perfect case -- and we get a lot of press about the use of various technologies for screening at the airports or for screening for drugs or contraband or weapons, and what we're asking in those cases -- and again, I have not personally looked at that technology in a little while -- but the analysis I went through with both CBP -- Customs and Border -- and TSA when they first started looking at them was, what is the functionality you need, what do you need to look for, metal or plastics or explosives or -- you know, what are you looking for, and then what's the least invasive version of that that you can look for. And you know, by simply asking those questions, I think we've seen a great evolution both because of the great ingenuity in the private sector responding to those concerns, but also because of our folks saying, you know, guys, we really need to go back to the drawing board and look at something that's not going to show people's personal parts when they're walking through some screening, you know, program at the airport, but really just finds the bad stuff. And we've -- you know, we've seen great movement in the technology sector to say, okay, there are ways to look at this technology that will find the metal or the explosives or the this or the that but not be so kind of personally revealing about someone's physique. You know, just by asking the questions, I think we've started a very good conversation, a very good dialogue that's been very much responded to by the private sector as well as our employees.

Mr. Hempstead: Many of these programs use biometrics. Perhaps you take a minute to explain what biometric technology is, how it's playing a role at DHS, and what are the privacy concerns, and how DHS is approaching those concerns.

Ms. Kelly: Biometrics is a big word that people use to mean a lot of things, but kind of in a nutshell, it's any unique identifier that is kind of attached to your person. Whether it would be a picture or a fingerprint or a retinal scan or iris scan or even -- some people have seen the hand geometry access controls to various buildings which will measure the shape or the size of your hands or your relationship of your various body parts. There are facial geometry as well that shows the relationship of your various kind of -- you know your cheekbone to your chin, that sort of thing. So there are lots of different biometrics. And I know, again, they really -- to use a technical term -- they creep people out, and so we need to really dial down the dialogue, is what I keep saying. Let's talk practically what are we talking about, what are people's fears, and how do we resolve them. And -- case in point -- and we're not the lead agency on this, obviously, the State Department is -- but the use of biometrics in passports really has increased not only in this country, but elsewhere as well, and I'd like to say, you know, guys, listen, we have two biometrics already on your passport. You've got a photograph, and you got your signature. So we've had biometrics in this country for a long, long time.

Now, this is not to be na�ve or, you know, or disingenuous about the fact that the ability to store, to transmit, to translate, and to amalgamate biometrics has certainly changed profoundly. You know, your signature and your photograph were not heretofore storable in some, you, know, distant computer somewhere that you didn't know about. And so we need to be concerned and vigilant about those changes, but the reality is biometrics have historically always been used to identify you. I mean, signatures have been around for I don't know how many centuries now, but you know, before that, it was mark your X here. So this is not unusual and nor should it be considered a terrible, terrible development; if anything, it can be a very, very positive development, as I was saying before, and a way to correctly identify that you're you, that somebody else hasn't stolen your identity, that someone else hasn't appropriated your passport, and that you are the legitimate holder of these travel documents, and you have the right to move about this country or some other country. You know, I think this is a great strengthening of our -- not only our ability to have our own border, but to allow people across it for legitimate means, which is every country's right, really, but also to facilitate travel, to make things faster and easier and better at the airport, and I think we're all in favor of shorter lines. But part of what my office is concerned about is not only saying when things are going wrong, but also when things are going right. Let's talk about the good technologies and the good uses of them. Let's not jump on every bandwagon for every brilliant new idea, but you know, let's evaluate and be thoughtful about them. But we can be a champion, I think, for good and responsible use of technologies in the private sector and the government space as well.

We do need to be vigilant, as I was saying, about the amalgamation and the creation of the -- you know, what people call the big brother databases and these kinds of things. By creating good rules -- and you know, the Privacy Act, I think, is one of the most overlooked statutes in the federal government. It requires every federal agency to say upfront what it's going to do with information, where it's going to store it, and how it's going to secure it, and all sorts of things that I think the federal -- the government should be explaining to its citizens. And by having those conversations again early on, by simply enforcing the law as it's written, we are able to really have the dialogue at the front end about, okay, we've got now a fairly good-sized database, US-VISIT, with finger scans and biometric -- digital photographs. How are we planning on using these, what are the legitimate public policy purposes for which we are using them, and thinking very seriously about -- you know, there are concerns and issues always about once you've got the data, you're going to turn around and use it for something else, and I think we -- our office needs to be vigilant, as does the public, about those concerns. But it is not, again, the technology itself that is the concern, it is the public policy and the forces driving change that we need to, you know, have the dialogue with. No technology by itself is good or bad, but many of them can be very, very helpful to strengthening our identity management and our ability to know who's crossing our borders and who's coming in and out of the country.

Mr. Morales: What does the future hold for the DHS Privacy Office? We will ask Chief Privacy Officer Nuala O'Connor Kelly to explain this to us when the conversation about management continues on The Business of Government Hour.


Mr. Morales: Welcome back to The Business of Government Hour. I'm your host, Albert Morales and this morning's conversation is with Nuala O'Connor Kelly, chief privacy officer of the Department of Homeland Security. Also joining us in our conversation is Paul Hempstead.

Nuala, what are some of the biggest challenges for privacy that you will face in the near future, and how do you plan on overcoming these challenges?

Ms. Kelly: I think that the increased need and the increased speed of information flow. The increased need, again, very legitimate for our information-sharing efforts with not only the private sector, but within the intelligence community and with our state and local partners. With that, I think, comes an increasing need for rules and frameworks to constrain that data and to make sure it's only used for legitimate purposes. And again, I think there are good rules we can build on already; for example, some of our agencies have auditing mechanisms where they can see what employees have accessed what data and who's gotten into what database -- incredibly important and strong. But we've got to create, I think, a level playing field where everybody kind of knows what the rules are, that -- and there are agencies have done this already -- IRS has a great culture, they've had a privacy advocate for a long time. Folks know that, you know, your IRS files are sacred, and they shouldn't be looked at by anyone but the agents working on those cases. We've got to make sure we've got that same kind of environment and culture at DHS.

Mr. Hempstead: Nuala, we are focusing on the future here, so we can't let you get away without talking some about Secretary Chertoff's reorganization, what the impacts are, the Chief Privacy Office, and any good or bad points that you want to say about him.

Ms. Kelly: Everyone at the department -- at least, you know, the folks that I've worked with closely and have talked to about this -- are really delighted and all the major developments are very positive, including the new personnel that have come into the department. We are delighted with the support that we've gotten from Secretary Chertoff and Deputy Secretary Jackson. We also have a great working relationship with Stewart Baker, who's the new assistant secretary for Policy Designate, who I think we will be working incredibly closely with in the coming years and have in the past already. So from my office's standpoint, we're delighted by the support, we're delighted by, you know, all the public and private statements we've gotten from our leadership on the privacy office, but also speaking, you know, on a more global basis, all of the changes that were made, I think, largely were incredibly welcomed, not only by folks in the department, but members of Congress who were supportive -- you know, I thought, gosh, if there's anyone who's going to be offended, it might be members of Congress because they created the department and the structure that it was. But it was incredibly appropriate after two years to take a look, take a step back, and say, what's working, what can we do better. You know, nothing had been too set in stone, so two years into it was a good time to take on that review and say what might work a little better, what might streamline some, you know, reporting relationships and make this department achieve its mission even more fully. I am thrilled with the time I've spent at the department, and, you know, I don't know what the future holds, I don't know if more change is in the works, but we've been very grateful so far for the support we've gotten.

Mr. Hempstead: And what are some of the lessons learned from your first two years as chief privacy officer? What would you share with a new counterpart in another agency?

Ms. Kelly: Hire the best people -- of course, you can't have any of mine -- but go out and find some really stellar people because they will A, make you look really good, but also the work is hard, but it's incredibly enriching, incredibly rewarding. And I wake up in the morning, and I'm astounded by the quality of people and the caliber of people I've been able to attract to this office, and it has nothing to do with me and everything to do with the work and the mission of the overall department. We have begged, borrowed, and stolen the best people from the federal service -- I mean, just name a -- I shouldn't name a few names because I will not be able to name all 30 of them, but my chief of staff, the number two person in our office, Maureen Cooney, who came from the Federal Trade Commission, who was really one of the number one international privacy specialists in the federal service. And Toby Levine, who followed her, our senior policy advisor from FTC. As I mentioned, Becky came from TRUSTe. Peter Sand from a state agency in technology and privacy -- this list could go on and on.

That was just a few examples of folks from other federal agencies, folks from the private sector, and folks from state and local agencies, and folks from within the department who we've lifted up and brought to headquarters as well. So we've looked to where the talent is and brought together a team that I think really works, and then everybody's got their slice of the pie, and they are in charge of it, and that has worked really tremendously well. It's not all lawyers, it's not all technologists, it's not all government people, it's people who bring a variety of different viewpoints, but who are willing to, you know, to do the hard work and to also sell internally. I think -- and the number one -- the number two issue is really don't underestimate how many times you're going to have to explain what a privacy officer is and does because I still seem to be doing it even today, two years later, and that's just because it's something new, and we need to -- you know, the onus is on us to demonstrate that we have some added value for the department. And I think we have demonstrated that.

Mr. Morales: Nuala, you've had just a fantastic career, and I'd love to hear a little bit more about it and also what advice could you give a person who's interested in a career in public service?

Ms. Kelly: I was lucky to get into public service, as I mentioned, right around 9/11, and that really has shaped my career as a New Yorker, and, you know, as someone who really believes in creating a safe space. But I can't underestimate the opportunity that I think public service, particularly DHS, holds. You know, it really gets you up in the morning to know that you're helping and that you're helping make the country safer and that you're helping make the department better in its treatment of privacy and the protection of the individual. So, you know, that can take you a long way in your energy level.

I think it's hard to break into the government. I think -- you know, I see people trying to apply from the outside, and it's an onerous process, but it's well worth getting into. You know, I've kind of accidentally found my niche, but finding something you love to do and -- whether it's public or private sector -- has been lucky for me and hopefully will work for others as well.

Mr. Morales: Well, Nuala, your energy and enthusiasm certainly shows.

We've reached the end of our time, and that will have to be our last question. First, I want to thank you for fitting us into your busy schedule today. Second, Paul and I would like to thank you for your dedicated service to the public and our country, starting with your work at the Department of Commerce and now at the Department of Homeland Security.

Ms. Kelly: Well, thank you both so very much for your time. I'm delighted to be here. And if people have other questions for me or want to learn more about the office, we do have our own little slice of the DHS website; it's

Mr. Morales: This has been The Business of Government Hour featuring a conversation with Nuala O'Connor Kelly, chief privacy officer of the Department of Homeland Security. Be sure and visit us on the web at There you can learn more about our programs and get a transcript of today's fascinating conversation. Once again, that's

As you enjoy the rest of your day, please take time to remember the men and women of our armed and civil services abroad who can't hear this morning's show on how we're improving their government, but who deserve our unconditional respect and support.

For The Business of Government Hour, I'm Albert Morales. Thank you for listening.

Nuala O'Conner Kelly interview
"Our operation is to include privacy in all major decisions and to make sure that privacy is considered and is codified. It is built into programs, taught, and brought to our personnel in meaningful ways."

Broadcast Schedule

Federal News Radio 1500-AM
  • Mondays at 11 a.m. Fridays at 1 p.m. (Wednesdays at 12 p.m. as
  • available.)

Our radio interviews can be played on your computer or downloaded.


Subscribe to our program

via iTunes.


Transcripts are also available.


Your host

Michael Keegan
IBM Center for The Business of Government
Leadership Fellow & Host, The Business of Government Hour

Browse Episodes


Recent Episodes

Dr. Trevor Brown
The Ohio State University
Executive Director, State of Ohio Leadership Institute and Dean of the John Glenn College of Public Affairs
Loretta Early
George Washington University
Chief Information Officer
Professor Jim Hendler
Rensselaer Polytechnic Institute
Director, Institute for Data Exploration and Applications and Tetherless World Chair of Computer, Web and Cognitive Sciences, Computer Science
Henry Darwin
Environmental Protection Agency
Chief of Operations
Michael McKeown
Department of Homeland Security
Executive Director, Homeland Security Advisory Council