Office of Management and Budget

STATEMENT OF
JOHN T. SPOTILA
ADMINISTRATOR, OFFICE OF INFORMATION AND REGULATORY AFFAIRS
OFFICE OF MANAGEMENT AND BUDGET
SUBMITTED TO
THE SUBCOMMITTEE ON GOVERNMENT MANAGEMENT,
INFORMATION, AND TECHNOLOGY
COMMITTEE ON GOVERNMENT REFORM
UNITED STATES HOUSE OF REPRESENTATIVES

May 15, 2000

Mr. Chairman and members of the Committee, thank you for inviting me here to present the Administration's views on H.R. 4049, the "Privacy Commission Act." As Administrator of OMB's Office of Information and Regulatory Affairs, I care deeply about the protection of privacy. In 1998, OIRA took on enhanced responsibility for coordinating privacy policy throughout the Administration. OIRA already had policy responsibility under the Privacy Act of 1974, which applies to federal government systems of records. Now it plays a central coordinating role for privacy policy more generally. Last year, OMB appointed its first Chief Counselor for Privacy, Peter Swire, to be the point person in this coordination effort. Peter is with me here today.

The President and the Vice President are committed to the protection of individual privacy. As President Clinton said on April 30, when announcing his new financial privacy proposal: "From our earliest days, part of what has made America unique has been our dedication to freedom, and the clear understanding that real freedom requires a certain space of personal privacy." Vice President Gore showed similar leadership in 1998 when he called for an Electronic Bill of Rights, emphasizing that we should all do our part to protect individual privacy, relying on private sector leadership where possible, on legislation when necessary, on responsible government handling of personal information, and on an informed public.

In studying the proposed findings for H.R. 4049, we find much common ground. We agree that Americans are increasingly concerned about the security and use of their personal information. We agree that the shift from an industry-focused economy to an information-focused economy calls for reassessing the way we balance personal privacy and information use. As Administrator of OIRA, I work extensively on information policy issues relating to computer security, privacy, information collection, and our transition to the electronic delivery of government services. In these and other areas, we are working hard to gain the advantages that come from new technologies while guarding against possible costs to privacy and security that can come from badly crafted uses of those technologies.

In some areas, we already know that we must act swiftly to protect privacy and security. Indeed, the Administration's biggest concern with H.R. 4049 is the risk that some might use the Commission as a reason to delay much-needed privacy legislation. We understand that supporters of H.R. 4049 have emphasized that it should not be used as a reason for delay. But we are also aware from public reports that those who oppose privacy reform would prefer to have Congress study the issue indefinitely rather than take action. In the Administration's view, such delay would be unwise. We cannot afford to take a year and a half off in protecting Americans' privacy. We believe that action is needed now in the areas of financial privacy, medical records privacy, and genetic discrimination.

Before addressing specific aspects of H.R. 4049, it would be useful to review recent federal privacy initiatives.

Overview.

There have been extensive initiatives by the Federal government since 1993 to study and take appropriate action in the area of privacy protection. Study of privacy was an integral part of the National Information Infrastructure project, sometimes called the "information superhighway" effort, with the issuance in 1995 by an inter-agency Privacy Working Group of "Principles for Providing and Using Personal Information." (See: Privacy Working Group of the Information Infrastructure Task Force, www.iitf.nist.gov/ipc/ipc-pub.html.) This effort was led by OIRA. With Administration support, Congress has passed privacy legislation including the Drivers' Privacy Protection Act of 1994 (motor vehicle records), the Telecommunications Act of 1996 (authority for the Customer Proprietary Network Information regulations), the Health Insurance Portability and Accountability Act of 1996 (authority for the currently proposed medical privacy regulations), the Children's Online Privacy Protection Act of 1998 (children's online records), the Identity Theft and Assumption Deterrence Act of 1998 (deterrence of identity theft), and the Gramm-Leach-Bliley Act of 1999 (financial records).

In the online world, the Administration has encouraged self-regulatory efforts by industry. For especially sensitive information -- such as medical, financial, and children's online records -- legal protections are required. Recent activities have included:

Financial records.

Congress discussed financial privacy intensively in the course of its financial modernization debate last year. As the President pointed out when signing the law, the modernization law took significant steps to protect the privacy of financial transactions, but did not go far enough. The President asked OMB, the Department of Treasury, and the National Economic Council to craft a legislative proposal to close loopholes under existing law. On April 30, he announced his plan to protect consumers' financial privacy. This plan would include:

These provisions were introduced in the House as H.R. 4380, attracting immediate and substantial support in both the House and the Senate. As Secretary of the Treasury Lawrence Summers emphasized on March 7, "It's time to start now."

Medical Records.

There has been a longstanding appreciation in the United States that individual medical records include especially sensitive information. Disclosing medical data can reveal what is happening inside a person's body, such as a report that a person is HIV positive, or inside a person's mind, such as the transcript of a session with a psychotherapist. The Federal government has recognized these concerns at least since 1973, when the Department of Health, Education, and Welfare first announced the basic fair information practices that underlie privacy policy today.

Congress recognized the need for legal protection of medical records when it passed the Health Insurance Portability and Accountability Act of 1996 (HIPAA). After extensive discussions with stakeholders and as required by HIPAA, the Secretary of Health and Human Services issued her recommendations for health privacy legislation in September 1997. Congress was unable to meet the HIPAA deadline for enacting comprehensive privacy legislation by August 21, 1999. Accordingly, the President and Secretary Shalala announced proposed privacy regulations on October 29 of last year. It was HHS's goal to make the regulation process open to those who wanted to communicate their concerns in person. HHS met with many individuals and organizations to hear their concerns and clarify provisions of the proposed rule. HHS received over 53,000 submissions of comments by the February 17, 2000, deadline. HHS is now considering those comments, and the regulations will become final this year.

Although the medical privacy regulations will become final this year, there is a pressing need for further Congressional action. As HHS Assistant Secretary Margaret Hamburg testified in February of this year: "Health information privacy is a top priority for the Department and the Administration, and we continue to believe that legislation is the only way to achieve the goal." President Clinton explained some of the reasons for legislation when he proposed the privacy regulations last October. The Administration is especially concerned that the enforcement powers under current law are not as effective as they should be. We recommend federal legislation that would allow punishment of those who misuse personal health information and redress for people who are harmed by its misuse. Administration officials have testified often on what should be included in medical privacy legislation, and we urge that there be no delay on this subject.

Genetic Discrimination.

This February 8, President Clinton signed an executive order that prohibits every federal department and agency from using genetic information in any hiring or promotion action. This order ensures that critical health information from genetic tests not be used against federal employees. The President has also endorsed the Genetic Nondiscrimination in Health Insurance and Employment Act of 1999, introduced by Senator Daschle and Congresswoman Slaughter, which would extend these protections to the private sector and to individuals purchasing health insurance. As with financial and medical privacy, legislation is before the Congress to address especially sensitive personal data -- genetic information on individuals. The time to act on each of these issues is now.

* * * *

Let me turn now to the specifics of H.R. 4049.

The Scope and Structure of the Proposed Commission.

As indicated earlier, the Administration has significant concerns that the Study Commission might be used by some as an excuse for delaying needed activity in privacy protection. These concerns are especially acute for topics such as medical, financial, and genetic information where good legislative proposals are before the Congress now. There has already been extensive discussion of these proposals within the Congress and among the stakeholders. Further study of these topics by the Commission would duplicate the public examination that has already taken place, without adding real value. The proposed medical privacy rules that become final this year will be the result of a multi-year process that generated over 53,000 public comments, many in extensive detail. These comments show a need for further action, not further study.

We recognize that the Congress needs to make its own judgments on these matters, and we defer to it in its assessment of what it needs to inform those judgments. It seems sensible, however, to adopt a focused approach to exploring these topics. Ideally, any further study efforts should be done within a short time frame and would build on, not duplicate, existing studies.

If there were to be a Commission, contrary to our recommendation, we should ensure that it focuses its efforts in an effective way. Again, we are concerned about potential delay. Casting too broad a net would delay the work of any new Commission, with uncertain results. We note, for example, that the treatment of data collected on-line has been the subject of extensive hearings in Congress, as well as public workshops, public comments, studies, and reports by the Department of Commerce and the White House Electronic Commerce Working Group. The Federal Trade Commission is about to issue a major report. We recognize that this is a complicated area that requires careful evaluation and an understanding of new technology. It is not clear, however, that a Commission lasting 18 months will give decisionmakers the help they need.

Indeed, rather than have a Commission pursuing a very broad set of topics, it might be more productive to have technology and policy experts address specific, emerging issues that have not yet benefitted from much attention. One targeted way to study such privacy issues might be to enlist the expertise of the National Academy of Sciences/National Research Council or other appropriate bodies. The NAS/NRC has extensive experience in creating blue-ribbon groups with the expertise to provide insight into difficult policy problems. In the privacy area, the NAS/NRC has already produced studies such as "Cryptography's Role in Securing the Information Society" (1996) and "For the Record: Protecting Electronic Health Information" (1997). Perhaps we should call on it again.

The NAS/NRC's Computer Science and Telecommunications Board is currently exploring funding for a study on "Authentication Technologies and Their Privacy Implications." The problem identified for this study arises from the need to identify people in a trustworthy way -- that is, to authenticate people -- in order to facilitate business and other activities over the Internet. Many of the possible ways to identify people have privacy implications since they involve individuals turning over a good deal of personal information -- from a mother's maiden name to credit card numbers or other information that could put an individual at risk if revealed to unauthorized persons. As technology develops, our society needs to understand how to make authentication work in a way consistent with preserving privacy.

Another useful study topic, which similarly does not require a Commission, could be biometrics and privacy. "Biometrics" refers to fingerprints, iris scans, and other physical indicators of identity. Since many companies are now exploring the commercial deployment of biometric technology, now is a good time to assess the public policy of biometrics and privacy. If deployed carefully, biometrics could protect privacy by placing less reliance on sending credit card numbers or other sensitive information over the Internet. If deployed badly, however, biometric technology could create new privacy risks, such as if biometrics were used to record each room an employee enters while on the job. A study of this subject, taking proper account of new technological developments, could increase the likelihood that biometric systems will be more sensitive to privacy concerns as they become widely used.

For all these reasons, we believe there are sound alternatives to a Privacy Commission. If, nonetheless, legislation creating such a Commission moves forward, then we have specific concerns about certain provisions in H.R. 4049. For instance, as with other commissions on many important national issues, the President should have a greater role in appointing Commission members. In addition, the current section 7(c) is objectionable because it could be interpreted as requiring Executive Branch agencies to turn over confidential or classified information to the proposed Commission. The text could read that agencies "may," rather than "shall" furnish that information.

As I emphasized earlier, we share with the Congress a very strong interest in protecting privacy and look forward to working with you to find suitable new ways to improve that protection. We understand the good intentions motivating the Congressional sponsors of H.R. 4049. Despite our reservations about the specifics of this bill, we welcome the commitment to privacy protection that they seek to demonstrate.

Mr. Chairman and Members of the Committee, thank you once again for the invitation to discuss these issues.

