GAO Study Warns Privacy Protections Are Weak
Personal data in the federal government may not be adequately protected from collection, use, and disclosure, according to a report released on July 30 by the United States General Accounting Office.
In the report, Privacy Act: OMB Leadership Needed to Improve Agency Compliance, the GAO writes that compliance with the federal Privacy Act of 1974 is generally high in many areas, but uneven across the federal government. “As a result of this uneven compliance, the government cannot adequately assure the public that all legislated individual privacy rights are being protected,” the GAO concludes.
The Privacy Act regulates how federal agencies may use the personal information individuals supply when obtaining government services, applying for small business loans, or paying taxes. Provisions of the Privacy Act include minimum necessary data collection, informed consent, maintaining accurate records, safeguarding data, accounting for disclosures, training employees, providing notice for exemptions, and providing remedies and penalties for violations.
Importantly, the Privacy Act places limits only on the collection, disclosure, and use of personal information that is contained in a federal “system of records.” A system of records is a collection of information about individuals from which data are retrieved by using the individual’s name or other identifying number or code.
Collections of personal information in which data can be retrieved without the use of such identifiers (e.g., through computerized search functions) are not considered to be a “system of records” and are therefore not protected by the Privacy Act.
Two Dozen Agencies Surveyed
In May 2001, at the request of Rep. Joseph Lieberman (D-Connecticut), the GAO began an extensive survey of agency compliance with the Privacy Act and related guidance documents from the Office of Management and Budget (OMB). Participating in the survey were 25 large and small federal departments and agencies, including the Department of Health and Human Services, Department of Commerce, Social Security Administration, and Department of Veterans Affairs. Responses represented about 2,400 systems of records, of which 70 percent were found to contain electronic records.
Although the 82-page GAO report did not include details about specific agency failures to comply with the federal Privacy Act, it provided the following aggregate results for the 2,400 systems of records:
- 11 percent of the systems of records have not been disclosed to the public, meaning individuals do not know such records are being kept about them.
- For 18 percent of the systems, the potential uses of the personal information were not fully disclosed to individuals before they provided that information.
- For 18 percent of the systems, no review of disclosures was made to ascertain whether data are being used outside the original purposes of the data collection.
- For the 29 percent of systems that release data to non-federal organizations, agencies do not assure that personal data on individuals are accurate, relevant, timely, and complete.
- For 18 percent of the systems, agencies did not assess security safeguards for the data.
- 21 percent of the systems have no mechanism for detecting if unauthorized persons are reading, altering, disclosing, or destroying information.
- 14 percent of the agencies could not account for disclosures of personal information.
- One-third (eight) of the agencies have not issued the rules of conduct for employees required under the Privacy Act.
The GAO also found that 83 information systems in use at large agencies during 2002 contained personal information outside a Privacy Act system of records. Because the information could be retrieved without using a name or personal identifier (e.g., by using search codes), it was not protected by the Act. The GAO report suggested additional research is needed to offer a more complete examination of privacy concerns raised by such information systems.
Survey Follow Up
The survey was followed by a February 2003 meeting with representatives, mostly Privacy Act officers, of the 25 agencies. The forum was conducted by the GAO to clarify the results of the survey. Federal Privacy Act officers reported several problems with Privacy Act compliance, among them:
- lack of leadership, oversight, and guidance from the Office of Management and Budget;
- low priority on compliance within agencies, and therefore inadequate funding for the task; and
- insufficient training, including a lack of information on how the Privacy Act relates to electronic databases.
The OMB is responsible for enforcing the Privacy Act. Despite two previous GAO reports on privacy weaknesses in other activities of federal agencies, and agency requests to the OMB for updated guidance on the Privacy Act pertaining particularly to new technologies, the new GAO report says the OMB has yet to act.
A blistering reply from the Office of Management and Budget is included in the report. In a 10-page letter, the OMB says the report’s statements “border on the reckless and irresponsible.” The GAO countered with a detailed 13-point rebuttal, concluding again “the government cannot adequately assure the public that all legislated individual privacy rights are being protected.”
For more information ...
The 82-page June 30 GAO report is available online at http://www.gao.gov/cgi-bin/getrpt?GAO-03-304. A one-page summary is available at http://www.gao.gov/highlights/d03304high.pdf. Both documents are in Adobe Acrobat’s PDF format.