Deirdre K. Mulligan

PIA Requirements and Privacy Decision-Making in US Government Agencies

Author(s): Kenneth A. Bamberger and Deirdre K. Mulligan
Year: 2012

Abstract: This chapter explores the ways in which the Privacy Impact Assessment requirement of the U.S. E-Government Act might be implemented in government agencies so as to mitigate agency “tunnel vision” and begin to integrate meaningful consideration of privacy concerns into agency structures, cultures and decision-making. It does this by considering the implementation of the PIA requirement by two different federal agencies -- the Department of Homeland Security and the Department of State -- considering the adoption of radio frequency identification (RFID) technology, which allows a remotely-accessible data chip to be attached to or inserted into a product, animal or person. The two different approaches reflect the highly inconsistent adherence to the PIA mandate across agencies, and even between programs within a single agency. An examination of the practices of these two US agencies, interviews with agency decision-makers involved in these processes, and insights from the US experience with the parallel context of environmental impact statements offer a starting point for developing hypotheses about the role of internal agency structure, culture, personnel and professional expertise in whether the PIA process can be meaningfully integrated as an element of bureaucratic decision-making. Specifically, they suggest the importance of continued research into the role of alternate methods of external accountability as a means for strengthening the hand of privacy officers internally, the importance of substantive experts combined with internal processes for insinuating privacy into daily practice, and the need for status and structures that respect the different roles privacy professionals play in protecting privacy during policy-making and integrating privacy into the bureaucracy.