Consumer Affairs

GAO: Government Can Do More to Protect Personal Data

Reports recommend consistent safeguards for all uses of information



A wide variety of government agencies collect personally identifiable information such as names, dates of birth, and Social Security numbers for an equally wide range of purposes -- and as new reports from the Government Accountability Office (GAO) indicate, agencies are often inconsistent in ensuring that the information they collect is safe from misuse, and existing privacy laws do not sufficiently account for changes in technology that enable easy access to information.

The GAO published several reports on June 18, assembled over the preceding several months, dealing with how government agencies gather records of personal information and how the laws that govern privacy are administered across the government.

The agency's investigation found that the "framework of legal mechanisms for protecting personal privacy that has been developed over the years may no longer be sufficient, given current practices."

"Although the Privacy Act, the E-Government Act, and related guidance from the Office of Management and Budget (OMB) set minimum privacy requirements for agencies, they may not consistently protect personally identifiable information in all circumstances of its collection and use throughout the federal government and may not fully adhere to key privacy principles," the agency said.

Linda Koontz, the agency's director of information technology, presented the findings in testimony before the Senate's Homeland Security and Governmental Affairs Committee.

Among the GAO's findings:

• The 1974 Privacy Act defines protected personal information as a "system of records" retrieved by a unique identifier, such as a name or Social Security number. The current definition enables many agencies to sidestep the Privacy Act and collect data without protections if they do not use unique identifiers to retrieve the information. The GAO recommended revising the Privacy Act to cover all information gathered by the federal government, regardless of its organization.

• Disclosures that personal information is being collected by a government agency require the data to be collected for a specific purpose, but as the GAO noted, the disclosures are often broadly written and vaguely phrased, enabling much broader use of the data than originally intended. The GAO recommended crafting disclosures to ensure any personal data would be collected only for a specific purpose, and that agencies which share the data get agreements in writing on how it is to be used.

• Notices that the government is collecting personal data are published in the Federal Register, the government's official catalogue of public records, but the GAO felt that the Register was not accessible enough to the general public to qualify as a broad disclosure of data collection. The GAO recommended centralizing all disclosures of data collection on an easily searchable Web site, such as "www.privacy.gov," and at corresponding pages on agency Web sites, such as "www.agency.gov/privacy."

Committee chairman Joe Lieberman (I-CT) said that Congress supported reforming the government's privacy practices, though he debated the practicality of passing smaller reforms in the current Congress versus waiting to make larger changes in the next.

"It is essential for the government to collect and use personal information," Lieberman said. "[The government] must properly balance our many policy goals against potential incursions on privacy."

Ongoing struggle

The GAO has long been an advocate of stronger privacy standards for collecting personal information, and has regularly criticized agencies that are lax in protecting the data they collect. In 2005, the GAO found that multiple government agencies flunked privacy tests by not performing all of the required steps necessary to ensure that data was secured.

The agency exposed security weaknesses in the Internal Revenue Service's (IRS) collection of taxpayer data in 2006, such as not providing proper training for employees or oversight for third-party contractors who had access to the information. In a follow-up report in 2007, the GAO noted that the IRS was making progress, but significant vulnerabilities remained.

The Department of Health and Human Services (HHS) came under scrutiny by the GAO in 2007 for its issuing of contracts to third-party companies to develop technologies for sharing medical records, without first implementing privacy practices.