If you had a chance to pose any question to the person in charge of protecting Americans' privacy as the U.S. Department of Homeland Security executes its mission, what would you say? I had that chance this month when Hugo Teufel, departing chief privacy officer at the DHS, delivered an address, entitled "Reflections on My Time as DHS CPO of the War on Terror," to the Twin Cities Privacy Retreat.
After the address, I cornered Teufel for some follow-up questions. Those and his answers follow.
Your last public act as DHS CPO was to release a report critical of data practices at European hotels. What do you hope this will accomplish?
Critical of hotels? No. We issued a report that set forth the facts and the law, as we currently understand them, about data protection in the "third pillar" and in certain EU member states with regard to security service collection and use of hotel guest registration data, a common practice throughout Europe. If we were critical, it was of the officials who were reluctant in being transparent about what their security services do with hotel guest registration data.
In your speech, you said U.S. CPOs would be wise to understand how the European Union treats privacy differently within its "first pillar" commercial policy and "third pillar" security areas. Can you elaborate?
The rules covering the same personally identifiable information appear to be different for security services than they are for businesses operating in the EU. Security services may make demands of businesses for certain data, which by law the businesses are not allowed to collect. The businesses can refuse, risking the wrath of the security service, or they can comply, risking punishment from the data-protection authority, which may not have competence over the security service collection and use of that data. It's a real catch-22.
What was your top lesson learned from the U.S.-EU compromise on the sharing of airline passenger name records?
Sadly, that politics sometimes took precedence over the security and privacy of Americans and Europeans.
Any takeaways from the U.S.-EU dispute over U.S. government access to SWIFT data?
Hey, that involved Treasury, not DHS! I will say that, generally speaking, one should be on firm legal and policy footing when trans-Atlantic data flows are concerned. Certainly, never underestimate the importance of data protection to the Europeans.
You mentioned that you put a lot of materials on the DHS privacy Web site. What do you wish the public knew more about regarding DHS's privacy function?
I wish the public knew how hard we work to protect their privacy while the department secures the homeland. We are at the forefront of American privacy protection domestically and internationally. Come visit our Web site, and you will see what I mean.
You have 35 people on staff. What do they do?
A lot! Our compliance team is responsible for all privacy impact assessments and system-of-records notices at the department. Our technology and intelligence team handles the thorny issues involving the interface between privacy and technology and intelligence community activities. Our privacy incidents and inquiries team investigates incidents and complaints. Our international privacy policy team stays abreast of the latest developments with the EU, APEC [Asia-Pacific Economic Cooperation], ISO and various other international and multinational organizations. On the [Freedom of Information Act] side, our office sets FOIA policy for the department and handles requests for many of the department-level components. Finally, our director of administration keeps it all running.