Police Rules on Privacy Tweaked
The Capitol Police department is in the middle of restructuring its privacy policies after its inspector general recently found that the department does not have an overarching program to protect the identities of Members, staffers and officers.
“While USCP does collect and handle [personally identifiable information] of Congressional Members and their staff, the department has not identified where PII is collected, maintained, processed or disseminated,— IG Carl Hoecker said Wednesday at a hearing of the House Administration Subcommittee on Capitol Security. “The department has neither clearly defined the roles and responsibilities of key privacy personnel nor provided applicable training to such personnel.—
Personally identifiable information, or PII, is essentially any information that can be used to trace someone’s identity — such as a Social Security number or the combination of a name and address.
Police officials collect that information in a variety of ways. When staffers are arrested, for example, their information is entered into an internal police report. Members’ contact information, meanwhile, is kept on a hard copy that is locked away in a Capitol Police safe.
In each case, the department has policies to keep the personal information private, Capitol Police Chief Phillip Morse said. But those regulations are spread throughout the department’s different divisions and aren’t overseen by any one entity.
On Wednesday, Morse and Hoecker told Members that the department has already begun to improve its policies, including hiring a new chief privacy officer. CPO Norman Farley — who worked under House Chief Administrative Officer Dan Beard before moving to the Capitol Police — will complete an “implementation plan— in the next few months, Morse said.
The change reflects the Capitol Police department’s ongoing efforts to improve its administrative side, which was created in 2003 (before then, its payroll and other administrative duties fell to Congress). It has been a sometimes difficult path, with the Government Accountability Office criticizing the department’s finances and issuing dozens of recommendations (many of which have been adopted).
During the next year, Morse said, the department will purchase software to identify all the “servers, databases, records or documents— that include personally identifiable information. Right now, it’s kept in a variety of places, such as police reports and payroll files. While officials keep detailed data on Capitol Police officers, they do not keep such information on all staffers. Even the list of Members’ contact information is limited to such information as addresses and phone numbers.
Subcommittee Chairman Mike Capuano (D-Mass.) and ranking member Dan Lungren (R-Calif.) seemed content with the department’s progress at Wednesday’s hearing, asking only a few questions about the Capitol Police’s policies. Capuano commended the department for taking action.
“The measure is not in weakness,— he said. “The measure is in the response to weakness.—
But Hoecker’s report didn’t address one issue: whether the Capitol Police had released any personal information. The scope of the audit, he said, “was not designed to identify breaches of PII.—
House Administration Committee spokesman Kyle Anderson indicated that the committee might ask the police for more information on its procedures in the future.
“We’re evaluating our options after today’s hearing and will decide in the coming weeks how best to continue to ensure proper oversight of security of information,— he said in an e-mail.
Before the IG report, police officials assigned privacy issues to the department’s chief information officer. But he didn’t oversee a privacy program as Farley will, Capitol Police spokeswoman Sgt. Kimberly Schneider said.
“At that time, there was no CPO, no program, no overall program manager for oversight to ensure continuity,— she said in an e-mail. “PII was protected but the process was not streamlined.—