[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]
PRIVACY: THE USE OF COMMERCIAL INFORMATION RESELLERS BY FEDERAL AGENCIES
=======================================================================
HEARING
before the
SUBCOMMITTEE ON INFORMATION POLICY,
CENSUS, AND NATIONAL ARCHIVES
of the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
SECOND SESSION
__________
MARCH 11, 2008
__________
Serial No. 110-108
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.gpoaccess.gov/congress/index.html
http://www.oversight.house.gov
U.S. GOVERNMENT PRINTING OFFICE
46-195 PDF WASHINGTON DC: 2009
---------------------------------------------------------------------
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
HENRY A. WAXMAN, California, Chairman
EDOLPHUS TOWNS, New York
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
ELIJAH E. CUMMINGS, Maryland
DENNIS J. KUCINICH, Ohio
DANNY K. DAVIS, Illinois
JOHN F. TIERNEY, Massachusetts
WM. LACY CLAY, Missouri
DIANE E. WATSON, California
STEPHEN F. LYNCH, Massachusetts
BRIAN HIGGINS, New York
JOHN A. YARMUTH, Kentucky
BRUCE L. BRALEY, Iowa
ELEANOR HOLMES NORTON, District of Columbia
BETTY McCOLLUM, Minnesota
JIM COOPER, Tennessee
CHRIS VAN HOLLEN, Maryland
PAUL W. HODES, New Hampshire
CHRISTOPHER S. MURPHY, Connecticut
JOHN P. SARBANES, Maryland
PETER WELCH, Vermont

TOM DAVIS, Virginia
DAN BURTON, Indiana
CHRISTOPHER SHAYS, Connecticut
JOHN M. McHUGH, New York
JOHN L. MICA, Florida
MARK E. SOUDER, Indiana
TODD RUSSELL PLATTS, Pennsylvania
CHRIS CANNON, Utah
JOHN J. DUNCAN, Jr., Tennessee
MICHAEL R. TURNER, Ohio
DARRELL E. ISSA, California
KENNY MARCHANT, Texas
LYNN A. WESTMORELAND, Georgia
PATRICK T. McHENRY, North Carolina
VIRGINIA FOXX, North Carolina
BRIAN P. BILBRAY, California
BILL SALI, Idaho
JIM JORDAN, Ohio
------ ------
Phil Schiliro, Chief of Staff
Phil Barnett, Staff Director
Earley Green, Chief Clerk
Lawrence Halloran, Minority Staff Director
Subcommittee on Information Policy, Census, and National Archives
WM. LACY CLAY, Missouri, Chairman
PAUL E. KANJORSKI, Pennsylvania
CAROLYN B. MALONEY, New York
JOHN A. YARMUTH, Kentucky
PAUL W. HODES, New Hampshire

MICHAEL R. TURNER, Ohio
CHRIS CANNON, Utah
BILL SALI, Idaho
Tony Haywood, Staff Director
C O N T E N T S
----------
Hearing held on March 11, 2008
Statement of:
    Evans, Karen S., Administrator, Office of E-Government and Information Technology, OMB; Linda D. Koontz, Director, Information Management Issues, GAO; and Hugo Teufel III, Chief Privacy Officer, Department of Homeland Security
        Evans, Karen S.
        Koontz, Linda D.
        Teufel, Hugo, III
    Schwartz, Ari, deputy director, Center for Democracy and Technology; Stuart Pratt, president, Consumer Data Industry Association; and Paula J. Bruening, deputy director, Center for Information Policy Leadership
        Bruening, Paula J.
        Pratt, Stuart
        Schwartz, Ari
Letters, statements, etc., submitted for the record by:
    Bruening, Paula J., deputy director, Center for Information Policy Leadership, prepared statement of
    Clay, Hon. Wm. Lacy, a Representative in Congress from the State of Missouri, prepared statement of
    Evans, Karen S., Administrator, Office of E-Government and Information Technology, OMB, prepared statement of
    Koontz, Linda D., Director, Information Management Issues, GAO, prepared statement of
    Pratt, Stuart, president, Consumer Data Industry Association, prepared statement of
    Schwartz, Ari, deputy director, Center for Democracy and Technology, prepared statement of
    Teufel, Hugo, III, Chief Privacy Officer, Department of Homeland Security:
        Prepared statement of
        Various e-mails
PRIVACY: THE USE OF COMMERCIAL INFORMATION RESELLERS BY FEDERAL AGENCIES
----------
TUESDAY, MARCH 11, 2008
House of Representatives,
Subcommittee on Information Policy, Census, and
National Archives,
Committee on Oversight and Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 2:12 p.m., in
room 2203, Rayburn House Office Building, Hon. Wm. Lacy Clay
(chairman of the subcommittee) presiding.
Present: Representatives Clay and Turner.
Staff present: Darryl Piggee, staff director/counsel; Jean
Gosa, clerk; Adam Bordes, professional staff member; Michelle
Mitchell, legislative assistant, Office of Wm. Lacy Clay;
Leneal Scott, information systems manager; and Charles
Phillips, minority counsel.
Mr. Clay. The Information Policy, Census, and National
Archives Subcommittee of the Oversight and Government Reform
Committee will now come to order. Today's hearing will examine
the role of the agencies using commercial information resellers
to obtain personal information about individuals and whether
there are adequate privacy safeguards in place for such
transactions. We will hear from both government and private
sector witnesses about the adequacy of current privacy
safeguards and solicit their recommendations for improving the
protections afforded to personal information that is obtained
and used by our agencies. And we will also examine whether our
current privacy laws and regulations require additional privacy
safeguards, such as those offered in my bill H.R. 4791, the
Federal Agency Data Protection Act.
Without objection, the Chair and ranking minority member
will have 5 minutes to make opening statements, followed by
opening statements not to exceed 3 minutes by any other Member
who seeks recognition. Without objection, Members and witnesses
may have 5 legislative days to submit a written statement or
extraneous materials for the record.
Since the enactment of our Nation's first comprehensive
privacy laws over three decades ago, advances in computing and
data mining have enabled agencies and the information service
industry to aggregate and combine different sources of personal
information in ways that no one could anticipate.
From a privacy perspective, however, such activities have
increased the risk of personal information being misused by
agency personnel or inadequately protected by data bases that
are used for multiple purposes. This problem has been further
magnified by the agency community's use of commercial data.
Brokers obtain specific and detailed information on individuals
without ensuring that adequate privacy measures are in place.
In fact, a recent GAO report confirms that both agencies and
commercial data brokers are uneven in their application of
those information safeguards required under the Privacy Act and
that agencies continue to lack effective privacy practices in
the handling of such information from commercial sources.
While I realize that obtaining such information from
private sources is vital to the work of our agencies, it is
critical that such information be afforded the same privacy
protections as data maintained on agency systems.
I welcome all of our witnesses today and look forward to
their testimony and I now yield to the distinguished ranking
minority member, Mr. Turner of Ohio.
[The prepared statement of Hon. Wm. Lacy Clay follows:]
Mr. Turner. Thank you, Mr. Chairman.
Mr. Chairman, I greatly appreciate your holding this
hearing. This issue involves the careful balancing of
individuals' right to privacy and the Federal Government's need
to obtain information to protect national security in the war
on terror and to provide other vital services. The role of
commercial information resellers in supplying data about
individuals to Federal agencies is certainly a new dimension
both for opportunity and the need for concern. The government
act requires that agencies conduct private investment
assessments [PIAs], analysis of how personal information is
collected, stored, shared and managed in a Federal system.
Under the E-Government Act and related Office of Management
and Budget's guidance, agencies must conduct PIAs before
developing or procuring information technology that collects,
maintains or disseminates information that is in a personally
identifiable form. Some are concerned that OMB has not provided
sufficient guidance on PIAs and that some agencies have not
always notified the public that commercial information
resellers were among the sources used.
The importance of this hearing, obviously, is for us to be
able to provide a balance. I understand that there will be a
significant amount of concern of the impact of our looking at
this issue on the commercial sector, and we also have concerns
as to protecting individual privacy. This will be helpful
because as we get more information, we can ensure that we do
the right thing in proceeding.
We certainly want to make certain that on all these issues
that we have a balance. We're going to hear from all sides and
perspectives that we can work together to improve the
situation, address valid concerns while avoiding overreaching
legislation that could negatively impact agency missions. As we
look to the successes that have occurred in the commercial
sector, we certainly don't want to overly restrict the ability
of the Federal Government to overlook these resources, but we
must look to affording protections.
Mr. Chairman, I look forward to all the witnesses'
testimony and yield back the balance of my time.
Mr. Clay. If there are no additional opening statements,
the subcommittee will now receive testimony from witnesses
before us today. I want to start by introducing our first
panel. Ms. Karen Evans is the Administrator for the Office of
E-Government and Information Technology at the Office of
Management and Budget. She is an experienced IT professional
and leads the administration's program in information security.
And welcome today.
Ms. Evans. Thank you.
Mr. Clay. We also have Ms. Linda Koontz who is the Director
of Information Management issues at the U.S. Government
Accountability Office. She is responsible for issues concerning
the collection, use and dissemination of government information
in an era of rapidly changing technology. Welcome, Ms. Koontz.
Welcome back.
We also have Mr. Hugo Teufel as the Chief Privacy Officer
at the Department of Homeland Security. His office is
responsible for all privacy policies throughout DHS, including
agency compliance with the Privacy Act of 1974, the conducting
of Privacy Impact Assessments and oversight of all agency
activities relating to the use, collection and disclosure of
personal information. Thank you too, Mr. Teufel, for being here
today.
It is the policy of the committee to swear in all witnesses
before they testify. I'd like to ask you to please stand and
raise your right hand.
[Witnesses sworn.]
Mr. Clay. Let the record reflect that the witnesses
answered in the affirmative. I ask that each of the witnesses
now give a brief summary of their testimony and to keep the
summary under 5 minutes in duration. Your complete written
statement will be included in the hearing record. Ms. Evans,
let's begin with you.
STATEMENTS OF KAREN S. EVANS, ADMINISTRATOR, OFFICE OF E-
GOVERNMENT AND INFORMATION TECHNOLOGY, OMB; LINDA D. KOONTZ,
DIRECTOR, INFORMATION MANAGEMENT ISSUES, GAO; AND HUGO TEUFEL
III, CHIEF PRIVACY OFFICER, DEPARTMENT OF HOMELAND SECURITY
STATEMENT OF KAREN S. EVANS
Ms. Evans. Good afternoon, Mr. Chairman and members of the
subcommittee. Thank you for inviting me to speak about the use
of commercial information resellers by Federal agencies and
privacy safeguards on such information.
Safeguarding the privacy of individuals and ensuring
transparent agency use of personally identifiable information
has been an administration priority. The administration has
demonstrated progress through implementing the recommendations
of the President's Identity Theft Task Force OMB guidance,
diligent execution, and statutory requirements for the System
of Record Notice [SORN], and Privacy Impact Assessments [PIAs],
in increasing agency reporting.
Building on the work of the President's task force, OMB
issued memorandum M-07-16 in May 2007 to enhance agency PII
protections. The guidance required agencies to establish breach
notification policies and provided a framework for reducing the
risk of PII breaches. M-07-16 required agencies to review their
use of Social Security numbers and to identify incidences in
which the collection or the use of Social Security numbers was
unnecessary. Within 120 days, agencies were required to
establish a plan to eliminate the unnecessary collection and
use of Social Security numbers.
In response to one of the task force recommendations, OMB
and DHS also issued a list of 10 common risks impeding adequate
protection of government information and best practices for
avoiding and mitigating those risks. The risk covers a range of
areas, such as security and privacy training, contracts and
data sharing agreements, and physical security. All the best
practices and important resources are interrelated and
complementary and can be broadly applied when administering
agency information security and privacy programs.
Federal agencies have pursued diligent execution of the
statutory requirements for SORN in the Privacy Act and PIAs in
the E-Gov Act to ensure transparent agency use and handling of
individuals' information. OMB released the Fiscal Year 2007
Report on the Implementation of the Federal Information
Security Management Act of 2002 on March 1st, which reports on
key measures of agencies' security and privacy programs,
including SORNs and PIAs.
For example, the goal of the Federal Government is for 90
percent of the applicable systems to have publicly posted PIAs.
In 2007 we reached 84 percent. While this percent remains the
same as it was in 2006, a substantial increase in the number of
systems identified requiring PIAs from 2006 to 2007 is
indicative of the agency progress.
In next year's FISMA report, we are requiring new key
privacy measures as outlined in memorandum 08-09 issued in
January 2008. The increased reporting will enhance public
confidence in the Federal agency privacy programs and further
drive agency progress.
Privacy warrants the administration's close attention. We
need to ensure Federal agencies are adhering to the enduring
principles of the Privacy Act and the E-Gov Act in the face of
advancing technology that allows for greater collection,
analysis and storage of information by the government and
industry. In the course of pursuing their missions, agencies
may determine if it's necessary to obtain these products for a
variety of reasons, such as verifying beneficiary addresses or
for law enforcement efforts.
H.R. 4791 contains two provisions amending the E-Gov Act of
2002 intended to strengthen privacy practices specifically
related to agency use of commercial information resellers. In
testimony provided to the subcommittee on February 14th, I
shared concerns covering the entire bill. Today I focus my
written statement on concerns related to sections 8 and 9, the
data broker provisions.
Although we strongly support enhancing privacy protections
for information obtained by Federal agencies, we share several
concerns expressed across the Federal agencies about the effect
of this legislation. We are concerned these provisions would
have a negative unintended consequence without the resulting
enhancements and privacy protections. Information Federal
agencies receive from commercial resellers must receive the
same Privacy Act and E-Gov Act protections provided to other
information obtained by agencies.
We look forward to working with you to ensure agency
privacy policies effectively provide those protections for
reseller information while enabling each agency to maintain
privacy policies that align with their diverse missions.
I'd be happy to take questions at the appropriate time.
Mr. Clay. Thank you so much, Ms. Evans.
[The prepared statement of Ms. Evans follows:]
Mr. Clay. Ms. Koontz, you may proceed.
STATEMENT OF LINDA D. KOONTZ
Ms. Koontz. Mr. Chairman and members of the subcommittee, I
appreciate the opportunity to be here today to discuss issues
surrounding the Federal Government's purchase of personal
information from businesses known as information resellers.
I'd like to briefly summarize the results of our work on
this topic. Information is an extremely valuable resource and
the services provided by information resellers are important to
a variety of Federal agency functions. Our work has shown that
agencies make significant use of information obtained from
information resellers. Specifically for fiscal year 2005, four
agencies we reviewed--Justice, Homeland Security, State, and
Social Security reported a combined total of approximately $30
million to purchase personal information from resellers. The
vast majority of the spending, just over 90 percent, was for
law enforcement or counterterrorism.
For example, the Department of Justice, the largest user
among the four, used the information for criminal
investigations, locating witnesses and fugitives, researching
assets held by individuals of interest and detecting fraud in
prescription drug transactions. Reseller information was also
used to detect and investigate fraud, verify identities and
determine benefit eligibility.
While agencies took steps to address privacy and security
of the information acquired from resellers, they did not do all
that they could to protect individuals' privacy rights.
Specifically, although agencies issued public notices on
information they were collecting about individuals, these did
not always specifically state that information resellers were
among the sources used. In several of these cases, agency
sources for personal information were described only in vague
terms such as private organization, other public resources, or
public source material.
We also found that few agencies were conducting Privacy
Impact Assessments which can be important tools for helping
agencies identify privacy implications because they did not
think they were required. Contributing to this rather uneven
application of privacy principles were ambiguities in OMB
guidance regarding the applicability of privacy requirements
for Federal agency uses of reseller information.
As a result we made recommendations to OMB to clarify its
guidance and direct agencies to review their uses of
information obtained from resellers. We've also recommended
that the agencies we reviewed develop specific policies for the
use of commercial data. OMB and the four agencies generally
agreed with our report. Since then, agencies have taken action
to address our recommendations.
For example, DHS incorporated direction on the use of
commercial data into its May 2007 Guidance on Privacy Impact
Assessments. However, OMB has not taken the actions we've
recommended.
We would also like to comment on the proposed Federal
Agency Data Protection Act which would require that agencies
conduct Privacy Impact Assessments for their uses of commercial
data and develop regulations governing the use of such data.
These provisions are very consistent with our previous
recommendations and should help ensure that Federal agencies
appropriately tend to privacy concerns when using commercial
data.
In conclusion, privacy is ultimately about striking a
balance between competing interests. In this case, it is about
balancing the value that reseller information adds to important
government functions against the privacy rights of individuals.
I look forward to participating in the discussion on how to
strike that balance.
That concludes my statement. Thank you.
Mr. Clay. Thank you so much, Ms. Koontz.
[The prepared statement of Ms. Koontz follows:]
Mr. Clay. Mr. Teufel.
STATEMENT OF HUGO TEUFEL III
Mr. Teufel. Good afternoon, Mr. Chairman and Ranking Member
Turner and members of the committee. It's an honor to be here
today to talk to you about commercial information and privacy.
And it's also a pleasure to be here today with my colleagues
who I hold in very high regard: Ms. Evans from OMB and Ms.
Koontz from GAO, and we work together often. I gather I'm here
to give an agency perspective and I will endeavor to do my best
in giving that perspective.
In my oral statement, which will be brief, I want to touch
on a few highlights beyond what's in my written statement. And
I note that the privacy implications of the use of commercial
information are not new to my office, and so I want to go
through a little timeline here for you.
In September 2005 the Privacy Office held a workshop on
commercial information.
September 28, 2005, our Data Privacy and Integrity Advisory
Committee issued the first of two reports on this information.
And on April 4, 2006, Acting Chief Privacy Officer Maureen
Cooney testified, I think before this committee, on the
subject.
Following that, on December 6, 2006, our Data Privacy and
Integrity Advisory Committee issued its second report on
commercial information.
As Ms. Koontz noted, our PIA guidance has been updated to
take into account the use of commercial information, and
section 2 of the Privacy Impact Assessment Guidance talks about
the sorts of things that operational components, Department-
Level components, programs at the Department thinking about
using personally identifiable information, should consider when
using commercial information.
So we've got our PIA guidance that addresses this type of
information, and our PIA guidance. And our authority to conduct
Privacy Impact Assessments comes not just from section 208 of
the E-Government Act, which is one of the three pillars of
Federal privacy law, but also comes from section 222,
subsection 4, which allows us to conduct Privacy Impact
Assessments on proposed rules, and the subsection 1 of the old
section 222, which relates to the uses of technology at the
Department to make sure that they sustain privacy and do not
erode privacy.
So the next thing I want to talk about is training. We
provide privacy impact assessment training throughout the
government. We are looking at doing another workshop for
Federal agency privacy officers in probably May or June this
year. We recently have begun doing smaller training for 20 or
fewer within the Department of Homeland Security on Privacy
Impact Assessments. And we find that when we give PIA training,
other agencies follow the lead that we have--the trail that we
have blazed.
System of Records Notices, which as you will recall were
required under the privacy impact of 1974, and GAO and Ms.
Koontz recently issued a report--actually I guess it was not so
recent, it was maybe 9 months ago--on my office. And one of the
things that Ms. Koontz mentioned was that we had a number of
legacy agency System of Records Notices that we have to update.
About 208 to be exact, give or take a couple. We have made
substantial progress in revising our legacy agency System of
Records Notices. We've just sent over 28 to Coast Guard for
them to consider. And we anticipate that there will be a
substantial number more that will be updated in the coming
months. And of course we take into account the types of
information that go into Systems of Records, as required under
the Privacy Act of 1974.
Then the last highlight I wanted to mention to you is
component privacy officers. One of my recommendations that
existed prior to Ms. Koontz's report but was highlighted or
mentioned independently in her report was for an increase in
component privacy officers at the Department. At the time of
the report there were two component privacy officers at the
Transportation Security Administration and at US-VISIT. In
November, the Secretary--of last year--the Secretary agreed
with me that there should be additional component privacy
officers, and four operational components and two Department-
level components. And we and the components are moving forward
on the hiring or the selection of those component privacy
officers.
So the last thing that I wanted to mention to you is
something that you won't see on paper, and that's what happens
day in and day out in my Office. And that is when operational
components and program personnel come to my folks who work in
the Compliance Section of the Office to talk about new systems.
And one of the things that is discussed is whether commercial
information is being used and if so, how it's being used. And
using the Fair Information Practice Principles, which are set
forth in my written testimony, we work through with the
components and program personnel to make sure that commercial
information is used appropriately.
That's all I have to say. Thank you very much.
Mr. Clay. Thank you so much, Mr. Teufel.
[The prepared statement of Mr. Teufel follows:]
Mr. Clay. I will recognize Ranking Member Turner for 5
minutes.
Mr. Turner. Thank you, Mr. Chairman. I want to thank each
of you because you have outlined very clearly some of the
dangers and problems that--is my mic on?
Mr. Clay. Yes.
Mr. Turner. Can you guys hear me? OK. Good. Because it
doesn't sound like it's on.
You've outlined the dangers and concerns that individuals
have about the privacy aspect of their personal information.
But I'm going to ask you a question that really goes to the
broader umbrella of how we have to be concerned, why we protect
personal information that we don't commercially restrict, some
important information gathering for our economy.
I want to tell you a story. I just recently took some
people from my community on a tour of the Supreme Court
building. And I had not been to the floor that had the library.
And we walked into the library of the Supreme Court and here
was this beautifully ornate room with all of these books and
absolutely gorgeous and reverent to the point of the
information that it contained--absolutely empty.
Now, I'm a member of the Supreme Court Bar but I've never
been to the library and I'd not researched in the library. So I
asked the librarian, has this always been empty? And they were
telling us, no; but in fact, by the advent of technology, a
library that used to be packed now has information that is
readily accessible to others. And certainly in the area of law.
I know that we have had increased efficiency but also
higher quality and that the level--the playing field has been
leveled more among individuals seeking attorneys, that those
attorneys might have access to information that could be vital
to their case, as opposed to just hiring those that have the
best research skills. We have people who are now more able to
bring to bear in their case in their defense, or they are
advocating information that's available to them.
I noted, Ms. Koontz, that in your GAO report--and it seems
like I'm always referring to footnotes--but you have a
footnote.
Ms. Koontz. That's where we put our best stuff.
Mr. Turner. In footnote 7, when you cite that there's $30
million that is planned to be spent to purchase personal
information, your footnote No. 7 says, this figure may include
information that--uses that do not involve or include personal
information. And you go down to cite LexisNexis and West, and
LexisNexis is in my district. And of course being a lawyer,
I've used both.
I would like each of you to speak for a moment on the issue
of although we want to protect privacy, some of the things that
we are actually seeking in a commercial marketplace where
someone has taken the data information and reconfigured it for
our use so that we can all do a better job of whatever we are
doing; that our things that are just available in the library,
how do we--how do we balance privacy and personal information
without restricting things that we've seen in the law practice
that actually makes the system work better?
Ms. Koontz. And I do think that this issue is all about
balance. It's clear from our work that the information obtained
from information resellers is valuable to a number of agency
functions, it's very important. But the balance then is that we
have to do this within the context of personal privacy and with
the laws and the guidance that we have now.
I just want to speak for a minute to that footnote. The
footnote, we love to be very exacting. And in all cases we knew
that information from--you know, services from LexisNexis, for
example, are procured sort of in bulk. And so it wasn't--we
weren't able--we were mostly able to sever the legal services
sorts of things from the purchase of personal information. But
there were a few places where we thought, well, there might be
a small amount of that still in there. But I mean, generally
speaking, I think we were able to put things in separate
buckets. But we wanted to make the reader aware it's not down
to the dollar, probably. So I think that this is general--you
know, generally a good number.
But, again, that's what this is about, it is about balance.
And I think that the PIA requirement, you know, is a very
valuable way for agencies to think through how they're going to
use information before they collect it, before they invest in
information technology, and to look at the reason for
collecting this information, any privacy risks that might
present themselves and then come up with specific mitigation
strategies. And this is a way of ensuring that we've done the
right things in terms of privacy.
Mr. Turner. Would you like to comment?
Ms. Evans. Well, following off of your example, so looking
at our guidance, we feel that the example that you gave, like
LexisNexis, or looking at data for one-time use and querying
into a system, is already covered. And so, you know, that would
not necessarily require us to do or require, like LexisNexis,
to do a privacy impact assessment. I believe the distinction
that we are making, which GAO may agree or may not agree upon,
is when we bring that data into a Federal system and we then
start merging it in with other things that we are doing. That
is where our guidance says where you're using it on a recurring
basis, where it's more than just a one-time inquiry, like going
into a library and looking at something, then you have to do
the full privacy impact assessment. And that's where we are
drawing the line with the commercial resellers, because you are
bringing that information in, you're using it and you need to
let the public know how you are using the information and where
the source is coming from.
So in your example, we think our guidance allows for you to
still go to the library. It's when you start taking the
information from the library and bringing it back into your
agency and using it on a recurring basis that you need to
disclose to the public how you're doing that.
Mr. Turner. I appreciate that, because that really is the
other distinction, I'm looking to your No. 1 footnote. When you
described what it is that we are talking about here for this
type of information, you include things such as an individual's
name, their date, place of birth, mother's maiden name,
biometric records. You go on to talk about employment. And some
of those things--excluding biometric information, obviously--
are things that are available in the daily newspaper that may
have been reported.
Ms. Evans. Right.
Mr. Turner. And we don't want our use, even commercial use
of what would be in fact the evolution of our library, to also
then be the same as data collection on the Federal Government.
Ms. Evans. Right.
Mr. Turner. And how do we do one without inhibiting what
has become--what we have all become now used to as our sense of
what a library is. Mr. Teufel.
Mr. Teufel. Sure. I'm a nonpracticing lawyer as well, and
it's a wonderful thing. You know, no billable hours for one
thing.
So what caught my eye as I went--as I was reading the
legislation was--were the definitions. And I'm not sure that--
the definition seemed to be broad and would include the uses of
Lexis and Westlaw or Nexis. I think maybe there's a provision
in the definitions that talks about news, news clippings
services, or news reporting services. But when I think about
Lexis and Nexis and Westlaw, I'm not necessarily thinking about
the data bases of driver's license records, marriages and
divorces. I'm thinking about--I need to look up a GSBCA ruling
or a Federal circuit ruling or a 10th Circuit ruling, or other
things that are more of the types of things that lawyers tend
to look at, than my concern was this definition within the
legislation so broad as to encompass those lawyer-types of
uses. So that was a concern that came to my eye as I read the
legislation.
Mr. Turner. Thank you. Mr. Chairman.
Mr. Clay. Thank you, Mr. Turner.
Ms. Evans, the April 2006 GAO report contained
recommendations to OMB to clarify its guidance on the use of
commercial data, yet nearly 2 years have passed and OMB has not
taken steps to address its recommendations. Why hasn't OMB
acted on this issue? And can we expect to see new guidance? And
if so, when?
Ms. Evans. Well, actually, we feel that we've taken the
steps based on the actions that were identified by the
President's Identity Theft Task Force, so we have issued
additional guidance. We've also taken additional steps and
asked the inspector generals to review the quality associated
with Privacy Impact Assessments because we feel that's a very
holistic approach in how the agencies look at it. We didn't
issue guidance specifically for data commercial resellers
because we were really looking at the program holistically.
But every year as we send the guidance out--the draft
guidance which will come out again this spring, and we are
adding new requirements in for privacy--we also solicit GAO's
comments before it becomes final. So if they feel that the
actions that we've taken to date since the time that they've
issued that report, how we've improved, I believe, the quality
and have the measures and have the IG looking at the privacy
aspects of the programs, we can work with GAO to issue any
further guidance if necessary at this point.
Mr. Clay. Ms. Koontz, any response?
Ms. Koontz. I think what we've found in our work, that
OMB's guidance says that agencies are to do a PIA if they
systematically incorporate commercial data into existing data
bases. The same guidance says if you merely query the data
base, the reseller's data base, then that does not trigger the
PIA requirement. And I think that our feeling was that there
was a lot of room between systematic incorporation and merely
querying a data base and that OMB's guidance can't go further
to say, well, what does systematic incorporation mean? And when
we went to agencies, they said, well, most of what we do is of
the querying nature but sometimes we keep the queries,
sometimes we keep the information. And that's somewhere in
between, and we wanted more clarity around when--when agencies
should do PIAs. And I think we were particularly concerned
about the instance where the information was safe in that
agency.
Mr. Clay. Yes, sir.
Mr. Teufel. Well, I would refer the committee to our PIA
guidance. And we asked the questions, how are you using the
information? Are you keeping it or not? And when we have our
conversations with programmatic personnel, we talk about these
sorts of things. And so we--I mean, the big issue is the ad hoc
or one-time querying use versus the systematic use and that
necessarily entails judgment. We think we do a very good job in
exercising judgment and discretion, and certainly with our
authorities to conduct Privacy Impact Assessments, some may
feel that sometimes we do more PIAs than are necessary. But we
think that's an important thing because PIAs are part of the
transparency process, letting the public know what it is that
the Department's doing. So in an ideal world, there is trust
and confidence in what the Department is doing, but also so
that the public is informed, can make informed decisions and
advise its elected representatives of where it wants government
to go.
Mr. Clay. Thank you.
Ms. Evans, OMB's PIA guidance from 2003 requires a PIA to
be performed when an agency systematically incorporates
information into its system; but then merely pinging or
querying a data base does not require a PIA. Given the
systematic use of this information by the Federal Government,
why is this distinction necessary? Isn't the government using
this information to inform decisionmaking?
Ms. Evans. Well, and I think--well, the short answer is
yes, you are using the information to inform decisions. But the
example--I mean one example that I would give is, I also go out
and do Google, and I Google information, and it comes up about
a whole bunch of different things. But I don't incorporate the
results of the Google search into a Federal information system.
We are making a distinction between the systems that the
Federal Government manages, the information we manage, versus
just a general type of query. The point, though, that GAO has
made--and we could go back and look at this--and that my
colleague Hugo has also made, is that it may not necessarily be
a change to the guidance or the policy because the framework
exists to allow flexibility for each agency head and how they
use the information. But it might be more of a sharing of best
practices.
Now, we do have a committee that we formalized off of the
CIO Council that specifically deals with privacy practices. So
some of the activities that DHS does and some of the other
activities that the agencies do could help level the playing
field across the board and share these best practices so that
agencies then incorporate them into their existing ways that
they then do their PIAs.
Mr. Clay. Thank you.
Ms. Koontz, in its 2006 report, GAO identified instances in
which the use of reseller information was either not identified
in Federal Register notices or was identified only in vague
terms.
In your opinion, why haven't agencies been identifying
commercial resellers as a source of personal information?
Ms. Koontz. We thought that both the OMB guidance and the
agency guidance were not clear on this particular point. And it
may be simply that the guidance predates--substantial use of
personal information obtained from resellers. And it's a case
of perhaps the guidance needs to catch up with what the current
practice is.
Mr. Clay. OK. And Mr. Teufel, the information contained in
the 2006 GAO report on this subject is based on fiscal year
2005 contracts with information sellers. Can you tell us what
the value of DHS's contracts with the information resellers was
for years--fiscal years 2006 and 2007?
Mr. Teufel. I'm sorry, sir. I don't have that information
available but I would be happy to get back to the committee
with that information.
Mr. Clay. OK. And you'll provide the committee with that?
Mr. Teufel. I'll do my best, sir.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T6195.044
[GRAPHIC] [TIFF OMITTED] T6195.045
[GRAPHIC] [TIFF OMITTED] T6195.046
[GRAPHIC] [TIFF OMITTED] T6195.047
Mr. Clay. OK. Is it fair to say that the 2006 GAO report
still accurately characterizes DHS's use of information
reseller data? Have there been significant privacy improvements
made that we should know about?
Mr. Teufel. Well, sir, I think other than the numbers being
different, I think the report probably does a pretty good job
of describing things at the Department. That commercial
information is used by--I'm guessing all, I'm trying to recall
now--almost all, if not all, of the seven operational
components and some of the Department-Level components.
We've been doing a pretty good job of privacy. And since
that report came out, we've made some improvements in how we do
privacy. We are updating the legacy agency system of records
notices. We've added to our Privacy Impact Assessment Guidance
on how the Department handles commercial information. So
we've made improvements. We were doing a good job before. We
are doing a better job today.
Mr. Clay. Mr. Turner, you are recognized.
Mr. Turner. Another issue that I'd like you to address that
we should be concerned about is there are things that we do
want our government to know. Whenever anything of significance
happens, one of the first questions that you always hear from
any reporter is, why didn't the government know? The government
is expected to have knowledge of basic current events that we
are all aware of, and then some information that might lead to
issues of threat.
Certainly issues that are publicly available that might
pose--information from which decisionmaking should occur. How
do we balance making certain that we don't inhibit or
discourage the data brokers or resellers from doing business or
providing information to the Federal Government?
Ms. Koontz. I think if we talk about the kinds of
recommendations that we made in our report, which were for
Federal agencies to be very specific and forthright in
notifying the public about their use of commercial data and
also our suggestion that OMB clarify the guidance so we know
when PIAs are required; admittedly, I think we have a sense
that we would like to see PIAs done more frequently and for
agencies to think through the use of this information before
they acquire it from virtually any source. But--and I
think that none of these sorts of things that are intended for
privacy would inhibit resellers from doing business with the
government or providing the information that they provide now.
Even the bill that we are looking at today doesn't place
any new obligations on resellers. It says it's--instead it
asks--asks the Federal Government, as it is obligated to, to
think through very carefully how they're going to use this
information, and how they're going to protect it also. So I
don't see it as an inhibiting factor.
Mr. Turner. Any other thoughts?
Ms. Evans. First and foremost, I'd like to clarify one
thing. I think just because we haven't issued an updated policy
doesn't mean that we are focusing on the use of the information
and how the agencies do Privacy Impact Assessments. I would say
that the administration has really stepped up its efforts in
this area as we continue with the implementation of the E-Gov
Act and as we've built out on the foundation of what a Privacy
Impact Assessment is supposed to be.
So we have issued subsequent guidance to the agencies
dealing with privacy information, how they collect information,
what their systems are doing and for them to go back and look
at it. We follow up on this on a quarterly basis through the
President's management agenda. So we track what the agencies
are doing, what they said they're doing, how they're using the
information. And we track the number of Privacy Impact
Assessments, Systems of Records of Notice, what they say
they're going to do, how you match that against everything that
they're doing.
So we have issued guidance in the bigger, broader aspect of
information protection, information security and privacy. Not
to this specific issue of commercial resellers, because we
think that they need to look at this in a holistic way of how
they're doing everything, not just necessarily narrowly focused
on the use of commercial resellers.
I don't think that what we are doing when you bring the
information into the Federal Government would prohibit data
brokers from working with the Federal Government. But I do
agree with GAO that the agencies need to be very transparent
about how we are using information to make sure that the public
has the ability to comment on that.
Mr. Teufel. Rigorous application of the fair information
practice principles.
Mr. Turner. One question that personally triggered me, you
were talking about Google. And there's been some discussion on
systematic use versus pinging. I have a question for you; this
is for my own personal information. How do those distinctions
fall within--I understand one computer doing 100 searches on
the same thing. But what if 100 computers are doing the
searches on the same thing? How does that get balanced?
Like I'll give you an example. I won't use the Mayflower
Hotel as an example. But we have a satellite that is coming
into orbit and we are going to hit it down with an Aegis
system. I'm assuming that there are a number of computers, as
that current event was happening, was doing an inquiry similar
on public records and information for that. So you have a
number of computers all focused on the same current event that
has happened versus one computer that is trying to determine as
much information about a narrow topic.
How does that affect you? You have a number of agencies
perhaps with the same needs for the same information. How does
that affect the analysis? The distinction between systematic
and pinging?
Ms. Evans. OK. So I'm going to try and not get real
technical here. But let's focus on the agency and the use of
the agency. And this is one of the reasons why we always talk
about trying to keep things technology-neutral, just based on
the example that you gave.
I think the distinction here in GAO, Ms. Koontz has laid
this out, is it's one thing when 1 agency or 100 agencies go
and ask a question. It's what you do with the results of that
question. And if you store that result back into a Federal
information system is when all of these triggers then happen.
If I go out and I look at that satellite, but I don't do
anything with the information, it's for informational purposes
and I'm looking, it doesn't matter whether 1 person did it or
100 people did it. It makes a difference if one person, like,
searches on you, and then I take that information in and now I
store it in a Federal system and I start using it in
conjunction with other information I have. That's when it's
important for the Federal agency to say how they're using the
information, what they're storing and how they're retrieving
it. That's the Privacy Act implications of when you do the
Systems of Records Notice, and then that is the PIA piece,
Privacy Impact Assessment.
Do you want to add anything?
Ms. Koontz. I'll just add that there is definitely an issue
here about whether we make decisions on the basis of storing
information or we make decisions based on how we use
information. And I think that it would be fair to say that the
PIA guidance right now is more based on the storage model; that
if we are going to bring it in and systematically incorporate--
although I would say I'm not sure what systematically
incorporate means versus incorporate versus somehow keep the
information--but the point is that even if I ping a data
base and I--I have existing data and I confirm that an address
I have is--I think that's now the correct address because I
have--I have corroborating information now. I am using that
information despite the fact I'm not, quote, bringing it in or
incorporating it into any kind of data base, but I'm using that
as part of my decisionmaking ability. And I think that's one of
the things that we need to look at going forward, concerning
how we approach the use of reseller information from the
Federal Government.
Mr. Teufel. Well, when we mentioned satellite, I thought we
were going to be talking about another DHS program. But we are
not. Its use. I mean, it's all about use. Your example sounded
more like situational awareness with the hundred computers as
opposed to information that was mission-essential for the
conduct of the operation of that particular agency's use.
Mr. Turner. Your descriptions have been very helpful. Thank
you, Mr. Chairman.
Mr. Clay. This is a panel-wide question. Should information
resellers that are governed under the Fair Credit Reporting Act
and Gramm-Leach-Bliley Act be exempted from requirements in the
proposed Federal Agency Data Protection Act? Why or why not?
We'll start with Ms. Evans.
Ms. Evans. Those particular acts are covered by the FTC and
how they use that. I would not feel that it would be
appropriate for me to answer that question right now. What I
would rather do is take it for the record and be able to go
back and discuss it more specifically with the FTC on that.
Mr. Clay. Yes. That's right. Thank you, Ms. Evans. Ms.
Koontz.
Ms. Koontz. We do not think it's appropriate to exempt any
data source, any specific data source, from the proposed
provisions of the bill if it passes. Our feeling is that what
this does is to bring the treatment of reseller information--
the requirements into line with how we treat other information
sources as well.
I also would question to some extent what the basis or the
rationale would be for exempting--making exemption for Federal
agencies not to do PIAs because resellers are covered by the
two laws that you mentioned. These two laws do place
restrictions on resellers' use and collection and disclosure of
certain kinds of consumer and financial information. But I
don't--you know, despite these requirements, I wouldn't think
that would mean that we would be any less interested in having
Federal agencies critically think through their use of
commercial data.
Mr. Clay. Thank you for that response.
Mr. Teufel.
Mr. Teufel. I'm with Karen. I'm very hesitant to answer the
question without the benefit of guidance from FTC.
Mr. Clay. OK. Let me start with you. Shouldn't we also be
looking to add greater privacy safeguards with personal
information that is shared with us by all nongovernmental
sources such as employers, contractors, banks, etc.?
Mr. Teufel. Well, sir, I think at DHS we do that.
Mr. Clay. You do it now?
Mr. Teufel. Certainly there's always room for improvement.
But I think at DHS, as I'm thinking through the various
programs at the Department and how we handle that with our PIA
process, our SORN process and other things that we have in
place, I think we do a pretty good job of protecting the
privacy of individuals when we've obtained that information
from non-Federal sources.
Mr. Clay. Ms. Koontz, how about adding greater privacy?
Ms. Koontz. I think that there's a recognition that we need
to protect personally identifiable information regardless of
source. There are a number of laws, of course, that seek to do
just that, and we haven't evaluated the efficacy of all those
requirements. But I do think that it's important for the
Federal Government to pay particular attention to personal
information that's obtained from third-party resources--third-
party sources, rather than from the individual themselves.
Mr. Clay. Thank you. Ms. Evans, any comment?
Ms. Evans. The President's Identity Theft Task Force did
look at both the Federal Government as well as private
industry. There were several recommendations that were made by
the task force. My office was responsible for the Federal
Government portion of implementing those recommendations. That
group is chaired by the FTC and the Department of Justice and
we are going to be issuing an update this spring, which I
believe is next month, April, to where exactly we are in the
progress that we've made on all the recommendations. So as soon
as that report is out, I'd be happy to share that with the
committee so that you can see, because it's full encompassing,
private sector as well as public sector.
Mr. Clay. Very good. We are very interested in seeing that.
And let me thank this entire panel for your responses and your
expert testimony. Panel one is dismissed. Thank you.
Mr. Teufel. Thank you.
Ms. Evans. Thank you.
Mr. Clay. The committee will recess for 15 minutes and
we'll return with panel two when we come back.
[Recess.]
Mr. Clay. We will now have our second panel.
And that panel will include Mr. Ari Schwartz, who is the
vice president and chief operating officer of the Center for
Democracy and Technology. This work focuses on increasing
individual control over personal and public information by
promoting privacy protection in the digital age and expanding
access to Government information via the Internet.
Welcome, Mr. Schwartz.
We also have on the panel Mr. Stuart Pratt, who is the CEO
of the Consumer Data Industry Association, an international
trade association representing the consumer information
industry. Prior to his current position, Mr. Pratt served as
the association's vice president of government relations. He is
a well-known expert on the Fair Credit Reporting Act, identity
fraud, and the issues of consumer data and public record data
issues.
Thank you for being here, Mr. Pratt.
And our third witness, Ms. Paula Bruening, is deputy
executive director of the Center for Information Policy
Leadership at Hunton & Williams. At the center, she focuses on
global, cyber privacy issues, as well as a frequent author and
lecturer on information policy issues throughout the United
States and Europe.
And welcome.
And I welcome you all.
It is the policy of the subcommittee to swear in all
witnesses before they testify. At this time, I would ask that
you all stand and raise your right hand.
[Witnesses sworn.]
Mr. Clay. Let the record reflect that all the witnesses
answered in the affirmative.
I would ask that each witness now give an oral summary of
his or her testimony, and to keep this summary under 5 minutes
in duration. Bear in mind your complete written statement will
be included in the hearing record.
Mr. Schwartz, we will begin with you.
STATEMENTS OF ARI SCHWARTZ, DEPUTY DIRECTOR, CENTER FOR
DEMOCRACY AND TECHNOLOGY; STUART PRATT, PRESIDENT, CONSUMER
DATA INDUSTRY ASSOCIATION; AND PAULA J. BRUENING, DEPUTY
DIRECTOR, CENTER FOR INFORMATION POLICY LEADERSHIP
STATEMENT OF ARI SCHWARTZ
Mr. Schwartz. Chairman Clay, thank you for holding a public
hearing on this important privacy issue and for inviting me to
participate.
Government's use of personal information is key to the
functioning of many of its most essential programs, from
determining eligibility for benefits to supporting law
enforcement investigations. As the information economy grows,
more personal information is being provided from commercial
data brokers, who aggregate and categorize this information for
a wide range of purposes to the private and Government sectors
alike.
As with any organization, Government agencies must take the
management responsibility to ensure that their partners and
employees are meeting standards of care and use of that
information. In this case, there are many concerns that come
from the use of personal data. Creating guidelines is a
sensible and needed approach. Simply put, Congress should
ensure that Americans do not lose privacy, security and quality
protections that are already a part of law and policy only
because a Government agency is using a private-sector data
partner rather than to have the agency collect it themselves.
The chairman's bill, H.R. 4791, would move the agencies in
the right direction by requiring agencies to make important
management considerations, by requiring the vetting of
commercial partners through the privacy impact assessment [PIA]
process. The PIA requirement, which passed as part of the E-
Government Act, was designed to provide greater transparency to
how the Government collects and uses personal information. Over
the past 6 years, PIAs have become an essential tool to help
protect privacy. Mr. Teufel, on the previous panel, called them
one of the three pillars of U.S. Government privacy
policy.
However, as evidenced by OMB's FISMA report to Congress
last month, the Federal Government has unevenly implemented the
PIA process across agencies. The guidance issued pursuant to
the act with respect to PIAs was vague and has simply not
provided the agencies with the tools they need to successfully
implement the PIA process unless they already had privacy
experts on staff.
While some agencies, like the Department of Homeland
Security, have set high quality standards for the PIAs and have
continued to improve them over time, the lack of clear guidance
has led some agencies, such as the State Department, to create
cursory PIAs or others, such as the Department of Defense, to
have none at all. We, therefore, urge Congress to also require
that OMB create a set of best practices for PIAs while it is
updating the PIA guidance to cover agency use of any commercial
partner.
Even then, the transparency provided by the PIA process
must not be viewed as a full solution for privacy. Congress
must begin to address more fundamental privacy issues within
Government agencies to ensure the trust of the American people.
This should begin with a review of the Privacy Act of 1974.
In 2000, the full committee passed a bill, sponsored by
Ranking Member Davis and Representative Moran, to create a
commission that would study the state of the Privacy Act and
recommend updates to the law. The record shows that, even 8
years ago, it was clear that this important law, the most
direct legal protections that citizens have over the Federal
Government's regular use of information, was beginning to
erode due to unforeseen advances in technology. We hope that
the committee will once again take up a review of the Privacy
Act to help protect the privacy of Americans into the future.
We look forward to working with this subcommittee to help
address these critical privacy issues in more detail in the
near future, and we thank you for your leadership on this
important issue. I look forward to your questions.
[The prepared statement of Mr. Schwartz follows:]
[GRAPHIC] [TIFF OMITTED] T6195.048
[GRAPHIC] [TIFF OMITTED] T6195.049
[GRAPHIC] [TIFF OMITTED] T6195.050
[GRAPHIC] [TIFF OMITTED] T6195.051
[GRAPHIC] [TIFF OMITTED] T6195.052
[GRAPHIC] [TIFF OMITTED] T6195.053
[GRAPHIC] [TIFF OMITTED] T6195.054
[GRAPHIC] [TIFF OMITTED] T6195.055
[GRAPHIC] [TIFF OMITTED] T6195.056
[GRAPHIC] [TIFF OMITTED] T6195.057
[GRAPHIC] [TIFF OMITTED] T6195.058
Mr. Clay. Thank you so much, Mr. Schwartz.
Mr. Pratt, you are recognized for 5 minutes.
STATEMENT OF STUART PRATT
Mr. Pratt. Thank you, Mr. Chairman, for this opportunity to
appear before you today.
Government's use of CDIA member products brings value to
citizens individually and to Government, which works on their
behalf. This is an important context, I think, for the
committee as it considers H.R. 4791. Let me just share a couple
of examples of how products are used and, really, the logic
behind these.
Our members provide products which help Government agencies
to enforce child support enforcement orders, to locate missing
and exploited children, to prevent entitlement fraud, to
provide background screening for employment and security
clearances, to assist with various natural disasters, and also
with witness location and with various law enforcement
investigations.
Equally important, I think, to the context of our
discussion today is the fact that these many products that I've
just described are heavily regulated under a range of current
Federal laws. And these laws affect both the public and the
private sector. Two laws that are particularly important, I
think, for today are the Fair Credit Reporting Act and the
Gramm-Leach-Bliley Act, which have already been mentioned in
the first panel.
H.R. 4791 proposes to improve Government's effort to
protect personal information and to ensure that citizens are
notified when personal information is lost. Actually, both of
these goals make a lot of sense for us. Our members live under
data security requirements today. Our members live under breach
notification requirements today. And so, having those apply to
the Government in the same way that they would apply to the
private sector makes all the sense in the world.
Our written comments provide some thoughts on how you might
tailor those provisions just a little bit to make sure that
they are very effective. But, overall, those are good ideas.
The bill also proposes privacy impact assessments and
certain contractual requirements where the Government obtains
data from an entity, termed a ``data broker.'' And this is
really some new territory that is being built within this
proposal. And we understand the importance of this focus on
governmental uses to ensure there is a trust between Government
and its citizens. And that really goes all the way back to the
Privacy Act.
In this case, though, it seems to us perhaps the question
is where the data is regulated, or where the data is not
regulated--in other words, where is the trust, and how do
consumers feel about their personal information being used by
Government.
In the case of our members' products, the bridge of trust
already exists through existing laws. And it is for this reason
that we urge the committee to exclude from the definition of
``data broker'' entities that are subject to the Gramm-Leach-
Bliley Act privacy rules, consumer reporting agencies regulated
under the Fair Credit Reporting Act, and publicly available
data sources provided by the private sector.
And our reasons for this are several. For example, the
contract requirements in this proposal stipulate that a
Government agency must obtain data from a data broker, and they
appear to assume that data is unregulated. Further, the
contract would, for example, impose an accuracy requirement on
a consumer reporting agency which already has an accuracy
requirement under the Fair Credit Reporting Act.
So, Mr. Chairman, here, perhaps, it's just an alignment
question. You already have a Federal law. The Government is
going to purchase data that's already under an accuracy
standard. And then the question is, how would the contractual
accuracy standard interplay with the standard of law that's
already provided for under the Fair Credit Reporting Act?
The contractual provisions also would impose, more or less,
a one-size-fits-all approach to the concept of--well, let me
just back up here--would also provide a one-size-fits-all to
location tools. And a location tool is a tool that's used to
try to find a noncustodial parent to enforce a child support
enforcement order. That's not really an accuracy tool or a tool
based on accuracy, but it's a way to try to locate that
individual and to get them to pay what they owe in delinquent
child support. So, again, here maybe the one-size-fits-all
approach of the accuracy requirement might go a little outside
of the bounds of where you might like it to be at the end of
the day.
The concept of a privacy impact assessment is sound, there
is no doubt about it, and it's appropriate to Government
processes. However, we think that requiring a PIA across the
board may well have some adverse effects. For example, will
Government continue to use the private-sector tools for skip
tracing where a consumer hasn't paid his student loan if the
PIA requirements are highly restrictive? Where the Government
is a user, defined under the Fair Credit Reporting Act, and is
using a consumer report for background screening, is there a
need for a privacy impact assessment, when the Government is
regulated under the FCRA, as is the private sector?
So, Mr. Chairman, in conclusion, there seem to be a lot of
good ideas in this proposal that you have put together. I think
there may be some places where we have other good laws already
on the books. Some of these laws come from other committees on
which you serve, as well. And here today, we're just offering
some thoughts on how we might be able to more effectively align
current Federal laws with the ideas that you have in this bill.
And, with that, I will look forward to your questions.
Thank you.
[The prepared statement of Mr. Pratt follows:]
Mr. Clay. Thank you so much for your testimony.
Ms. Bruening, you are recognized for 5 minutes.
STATEMENT OF PAULA BRUENING
Ms. Bruening. Thank you, Chairman Clay, for having me here
today. I am honored to testify about Government use of
commercial information and H.R. 4791.
The Center for Information Policy Leadership is a think
tank and policy development organization located in the law firm
of Hunton & Williams. The center and its 41 member companies
believe that difficult information policy issues must be
resolved in a responsible fashion if we're to fully realize the
benefits of an information economy.
While I've consulted with center colleagues and members, my
comments today reflect my views and do not necessarily reflect
the views of the center member companies, Hunton & Williams or
any firm clients.
The provisions of H.R. 4791 highlight the growing practice
of Government access and use of information collected and
retained by business and the lack of comprehensive, overarching
legal protections for that information when such access is
obtained.
Without question, the information collected by companies
can serve as a critical resource for Government in law
enforcement, anti-terrorism efforts, fraud reduction, delivery
of services, and administration of programs. With appropriate
controls, Government should continue to be able to access it.
Government should not be precluded from using valuable
information for these important purposes, but it should do so
under established, rigorous guidance that ensures its use is
both effective and responsible.
Today, the lack of legal protections related to the
Government's use of data collected in the private sector, due
in part to the limitations of the Privacy Act, raises serious
risks to U.S. business and compromises opportunities for
growth. Access to information by the Government without the
protection of law places companies of all kinds in the position
of acting as Government data gatherers that are unable to
assure their customers that information they release to the
Government will be used for specified limited purposes, that it
will be handled properly when it is no longer useful, and that
the consumer has redress when data is mishandled. This
failure of governance erodes consumer confidence in the
companies themselves, reduces trust in the information field
commerce more generally, and compromises the growth of the
digital marketplace.
Moreover, because of the lack of sound guidance and
potential for nearly unfettered access by Government to this
information, every privacy question related to data collection
in the private sector is shattered by the issues of
undisciplined Government access and use of information.
Efforts to resolve issues of consumer protection and
privacy in new services, products, business models and
technologies are complicated by this constant concern, making
it more difficult to build consumer confidence that data is
being used responsibly.
The lack of oversight further compromises U.S. businesses'
ability to engage with organizations and consumers
internationally. Even as companies become more global in
presence and reach, it has become increasingly unattractive to
transfer data to U.S. companies because of concerns about U.S.
Government access to information about foreign nationals that
might occur outside the bounds of law of their home countries
and without any real oversight in U.S. law. Lack of broad
protection and accountability challenges businesses' ability to
make the case that information from foreign companies and about
foreign nationals will be managed in a trustworthy fashion,
limiting opportunities to transfer and exchange data that can
enable innovative business models, research and services.
It is time to consider the myriad ways in which Government
accesses, maintains and uses information collected throughout
the private sector and develop an overarching governing
structure for data use that establishes discipline and
accountability in the practice. This inquiry must be forward-
thinking and broad in scope, as the solutions we arrive at must
be sufficiently rigorous to promote trust and sufficiently
flexible to adapt to as-yet-unanticipated technological and
marketplace developments.
Developing guidance will require a review of new and
emerging technologies for data collection and storage and the
trajectory of future technological development. It will be
important to consider the legitimate needs and activities of
Government for this data and the manner in which it is to be
used to further legitimate Government objectives. It must
involve development of reliable structures that establish
accountability, oversight and protocols for Government
collection, retention, use and disposal of data. At the same
time, it must assure that access to data is not unduly hindered
when it is legitimately needed.
The goal of this inquiry must be to develop a system of
governance that fosters data use that is both effective and
responsible. Government entities must be required to identify
clear objectives for data use and to understand what and how
data will be used to accomplish those objectives. Limits must
be set for data use and procedures established for data
management. Citizens must have redress when data has been
misused. Governance must include oversight, both within
agencies and by other branches of Government, to instill
confidence that the goals of effectiveness and responsibility
are achieved.
Thank you very much, and I look forward to the discussion
this afternoon.
[The prepared statement of Ms. Bruening follows:]
Mr. Clay. Thank you so much for your testimony.
Let's start with Mr. Schwartz.
This question is similar to the one I asked Ms. Evans from
OMB earlier. OMB's PIA guidance from 2003 requires a PIA to be
performed when agencies systematically incorporate information
into their system, but that merely pinging or querying a data
base does not require a PIA.
Given the systematic use of this information by the Federal
Government, why is this distinction necessary? And isn't the
Government using this information to inform decisionmaking?
Mr. Schwartz. It's an excellent question. I think that it
really gets to the heart of the matter about where we stand
with PIAs today.
I think we agree with Ms. Evans about agency flexibility,
and there would be room for agency flexibility. But I disagree
with her in how she was talking about that flexibility. To me,
it doesn't matter where the information is stored; it is how
the information is used and what it is going to be used for.
And I can illustrate this pretty easily in some of the
other issues by talking about that the PIA is really a
management function of the agency, in terms of information
policy management, which is why this----
Mr. Clay. Why should it matter, how agencies are accessing
the information?
Mr. Schwartz. Well, I don't think that's what the
distinction should be.
Mr. Clay. OK.
Mr. Schwartz. It should be how they are using information
and what they are using it for.
So an example I can give is that we've been talking about
the use of the information, which resulted in the question of
how do we stop misuse of information. The information that an
agency may be pinging from a data base may be entirely accurate
and may follow all the rules and laws that it is supposed to
follow, but there is still the question of how that Government
employee uses the information.
We've had cases where a drug enforcement agent has gone and
looked up their ex-girlfriend's record using a commercial data
base, looked up the ex-girlfriend's boyfriend's records using a
commercial data base. That shouldn't be allowed today, and it's
not allowed. The question is, how do you effect those rules?
And what the privacy officers tell me today is that the only
tool that they have at their disposal to make sure that's in
place is the privacy impact assessment.
So if we're not covering this data and not looking at how
that management goes into effect, we're going to miss those
cases where we could have stopped misuse before it happens.
Mr. Clay. It is a tool, and a needed tool. Is what you're
telling me?
Mr. Schwartz. Yes, absolutely.
Mr. Clay. Thank you for that.
Any comment on that?
Mr. Pratt. If I may, let's just take a consumer reporting
agency as one example.
And I think that Mr. Schwartz gives a great example of
browsing. Browsing is always something that you want to
control, and there's some technological strategy for how you
can control browsing. If you're using a consumer reporting
agency data base, it is not an unregulated data base. It will
register an inquiry showing that the Government agency accessed
the data base. And, in fact, contracts and Federal law would
prohibit the browsing activity.
So I think that if Mr. Schwartz is simply saying that there
needs to be an effective oversight mechanism within the
Government agency to ensure that browsing doesn't occur or that
other data security practices are effective in protecting data,
I mean, that makes sense. I just wanted to make the distinction
between that and the idea that the data is just sitting on a
screen and anybody should be able to walk up or that law
doesn't somehow constrain it.
The same is true, by the way, for the Gramm-Leach-Bliley
Act. If you are using a fraud-prevention tool or a locator tool,
it is used for a certain purpose, and there is a certain
limited amount of data that will be made available.
So those are just two examples of where Federal laws today
set up a regime where both the end user, in many cases by
contract and in some cases by Federal law, is restricted in
terms of its use of that information.
Mr. Clay. You know, Mr. Pratt, in your testimony, you
mention that sections 8 and 9 of H.R. 4791 are unnecessary or
inconsistent with current law. Please define what those
provisions are and how they would unduly burden CDIA's members.
And if we follow your train of thought, you know, there
would not be many teeth left in the original intent of the
bill, and it would only be a shadow of its original self.
Mr. Pratt. Well, we hope not, meaning I think we share the
same goal, which is to make sure that when Government obtains
information it understands why it is obtaining it, it
understands the uses of that information, it understands what
current Federal law requires or imposes.
And so when we talk about, for example, section 8, that's
the section which defines the data broker, and then in
following, section 9 is the section which establishes, not just
the PIA review, but it also talks about the contract.
And so, again, one of our concerns is a Government agency
imposing wrongly or imprecisely an accuracy requirement on a
data product which isn't built to be accurate but to be a law
enforcement research tool, or a skip tracing tool to try to
locate, again, somebody who has not paid a student loan.
So there seems to be just a little bit of a one-size-fits-
all in the current structure of the bill that you've proposed.
And so, we're not suggesting there should be no teeth, but I'm
suggesting that the FCRA has a lot of teeth with regard to
accuracy and a lot of teeth with regard to the end user, the
Government, and the restrictions that they must have and the
contracts that they must sign off on, and the private liability
and the civil enforcement powers that apply to the FCRA.
The same is true for contracts under GLB. It's that there
is a limited set of uses, and they contract for those uses. So
those are not data-mining browsing data bases. Those are data
bases used for particular----
Mr. Clay. OK. I look forward to working with you on those
sections.
Mr. Pratt. Thank you, sir. We appreciate that.
Mr. Clay. Let me also say, to followup, how exactly are
PIAs, which would be the responsibility of an agency to carry
out, an undue burden for your membership? It seems to me that
our proposed legislation places nearly all of the burden on the
agencies obtaining the information, does it not?
Mr. Pratt. It does. Our concern is that--and I think I
heard this at least implied in some of the previous panel's
discussion--it is a resource question, first of all. Saying we
will require PIAs across the board almost on a product-specific
basis would require individuals with the right core
competencies to be able to do that well. So there is a training
issue. And there's an appropriations resource question, just
how many new FTEs we have to hire on a Government agency basis.
So at the beginning of the dialog was, first, have we
staffed properly each governmental agency to have the right
core competency around data management? And then you move to
the question of, well, how then do we use data under the Fair
Credit Reporting Act? That may be a different flow.
But, for now, our concern is that what we are going to find is
that some agencies say, ``Well, we just won't clean up our
internal data base. We just can't use the private sector
anymore. We don't have anybody who can do this PIA this year,
so we just simply won't use private sector. We'll just be less
effective in doing what it is that we're required to do by a
Federal law.''
Mr. Clay. OK, then.
Please explain the information reseller industry's position
regarding the appropriate use of information in public records
that is not specifically restricted by law. Given that
resellers aggregate information from multiple sources,
including public record, and make it more readily available
than paper records located in places such as courthouses,
shouldn't resellers be responsible for protecting the privacy
of the individuals involved?
Mr. Pratt. That is a great question. It's actually one
of the tough societal questions we're wrestling with right now.
A couple of things. First of all, and it was mentioned in
the first panel, a Google search. In Maryland today, for
example, I can go to my courthouse and I can go online and
actually find my deed. And on my deed is a certain amount of
personal information. I would say, over the last 10 years,
though, the State government and local government agencies that
are storing a great deal of information have been removing
sensitive personal information, making those kinds of documents
less prone to contributing to the risk of identity theft, for
example.
But the key here is, this is all publicly available. And
it's not actually in paper records, in many cases. Now it's an
online process. Most of the court systems have online systems
available. In fact, State laws often require online systems to
be available to fulfill their mission.
So between Google searches and your ability to go to
certain Web sites where you can just simply pick up the URL and
click through to the public record, that data is out there
today and it is publicly available information. So our view is
that a data reseller that has publicly available information is
in no different position than the courthouse itself with regard
to the same information.
Do we want a Social Security number--this is a different
question--do we want a Social Security number in a deed for a
home? Our members' answer is no.
Mr. Clay. No.
Mr. Pratt. In other words, we are working with State
governments right now to try to pull back data where it is not
appropriately or necessarily part of a public record.
Mr. Clay. OK. But now, Mr. Pratt, here is what GAO has told
us, is that information resellers generally allow individuals
limited ability to access and correct their personal
information.
Mr. Pratt. That's a great point.
Mr. Clay. So how do we square with that?
Mr. Pratt. Well, again, this would be a general data base,
not an FCRA-regulated data base. If it is built for Fair Credit
Reporting Act purposes, you have the right to correct the
information.
One of the big challenges is, if you don't correct the
information at the courthouse level, then the same data can be
gathered by another company, subsequently, under general public
record and Freedom of Information Act laws today.
So it isn't so much that we don't want to correct the
record, but we want to make sure if a record is going to be
corrected it is not just artificially corrected in a single
private-sector data base, but that the consumer goes to the
right original source, so that it's corrected in the
courthouse, so every data base that might have that public
record are all going to reflect the correct information.
Mr. Clay. And the court clerk has a responsibility then to
redact or to block out?
Mr. Pratt. The court should. I mean, candidly, one of the
challenges is for courts to make sure that they have a way for
consumers to correct their information.
By the way, not every court does today. That's one of the
challenges we have in the public record discussion that we've
had in this country for some time. I, as an individual, may not
easily get the attention of a court to correct information, or
it may take a longer period of time than we would like. We
think we're getting closer to solutions, but that is a problem
we're still facing.
Mr. Clay. Thank you for your response.
Let me go to Ms. Bruening.
An important thing in the testimony seems to be that
information collected by the Government from all sources, not
just data brokers, is inadequately protected or safeguarded.
Please explain the reasons why you believe this is so. For
example, is it due to an outdated Government privacy act or an
effect of private-sector regulations?
Ms. Bruening. Well, first, Mr. Chairman, I think it is
important to emphasize that data is being collected from all
kinds of private-sector sources, not just data resellers. Our
ISPs are being asked for information, retailers are asked for
information, our telecommunication services. So this practice
goes on throughout the private sector.
The other point I think that's important to be made is that
the Federal Privacy Act was passed in 1974 at a time during
mainframe computing, and it certainly has not anticipated where
we are today. It probably didn't even anticipate a couple of
different jumps we've made since 1974 in terms of computing.
We're now in an age of cloud computing. We're collecting
data in all kinds of different ways, through different kinds of
technologies. In some cases, the Government may access that
information and bring it into its own systems of records. In
other cases, it doesn't. It merely pings data bases or obtains
information from data bases, never bringing it into Government.
So the definitions in the Privacy Act are challenged by
this new kind of technology and these new kinds of data uses.
And so, given that, we're left with very little protection for
the kinds of information access that the Government is using in
the private sector.
Mr. Clay. You know, you also cite the lack of a cohesive or
modernized definition of what is a system of records, in your
testimony. How is current law limited in its definition of what
constitutes a system of record? Do you have recommendations on
how to improve the current definition?
Ms. Bruening. Well, as I mentioned, the way that
information is maintained and stored today is very different
from the traditional ways we've thought about that, in terms of
data bases, and therefore the way we access it is very different.
In the past, we thought about systems of records as the
ability to search for information on the basis of an identifier
or a person's name. In many cases, that's not how Government
uses information anymore. And, you know, data mining is the
prime example. There are other analytics tools that have very
creative ways of using information about individuals that would
not involve a system of records as it is defined in the Privacy
Act.
I don't have the recommendation for how to fix it. I think
this is a big question. It's one that would require a lot of
serious thinking on the part of people in a range of areas,
whether it's technology, the law, people who are involved in
data management, security people. So I don't have the answer,
but it is a question I think that requires some very serious
attention, because it is raising some significant concerns for
the business community, as I'm sure it is elsewhere.
Mr. Clay. Please explain for us how ineffective protections
for personal data negatively impact business. Is it because of
legal liability or an issue of consumer trustworthiness in
modern technology? Do ineffective privacy safeguards have a
tangible impact on electronic commerce or online banking
activities?
Ms. Bruening. Well, I think one of the prime examples in
the area of, sort of, our ability as American business to
engage with companies outside of the United States is an action
that was recently taken by the province of British Columbia in
Canada, which limited the ability of Canadian companies in
British Columbia to outsource data for processing in the United
States. And that action was taken on the basis of concerns
about the perceived lack of protection for information that is
potentially accessed by Government.
And what that does is create inefficiencies in business,
and it puts businesses at a competitive disadvantage. I think
it also does impact the relationship of companies with their
consumers. I think that responsible companies put a lot of time
and effort into addressing the privacy concerns that are raised
by some of their new business models and the new technologies
that they deploy.
But what happens is, in attempting to address those
questions, what we've come to call the elephant in the room--
although, I guess in a political year that's not the best term,
but we will call it the rhinoceros in the room--tends to be, no
matter what we do to protect privacy, this data is accessible
by Government, and where does that leave us in our relationship
with consumers. And so, that is of very serious concern on the
part of companies.
Mr. Clay. Thank you for your response.
Let me start--yes, sir, Mr. Schwartz?
Mr. Schwartz. I want to followup on something that Ms.
Bruening said that I agree with, in terms of her comments on a
definition of systems of records. And you heard Ms. Evans on
the last panel talk about, in terms of, in the case of
commercial resellers, information being systematically
incorporated. And one of the things she said then was, if it is
turned into a part of a system of records. Right?
And so, this shows both the weakness of the Privacy Act in
that there are fewer and fewer data bases that are qualifying
as Privacy Act system of records today because of the decay
that Ms. Bruening talked about in technology, being able to
search out information without necessarily searching on an
identifier or a name.
So we have a lot more information that is being brought
into the Government that may not necessarily be in a system of
records. And I think Ms. Koontz was getting at that in the last
panel, too. It is hard to figure out what ``systematically
incorporated'' means today, with this definition of system of
records that we have. And because OMB has not defined that
better, you have a lot of confusion at agencies about that. You
have agencies with a lot of different standards.
Mr. Clay. This is a series of questions for the entire
panel. Let's start with Mr. Schwartz and move down. This is a
yes-or-no question.
Is it considered a best practice today for large
organizations to conduct a privacy impact assessment when
purchasing or subscribing to a service that could have a major
impact on the privacy of its customers or citizens?
Mr. Schwartz. Yes.
Mr. Clay. Mr. Pratt? And you can elaborate, if you'd like.
Mr. Pratt. Is it a yes-or-no?
Mr. Clay. You can elaborate.
Mr. Pratt. Every private-sector company that's going to
obtain data is going to do several things. They are going to
say, is it sensitive personal information under a State data
breach law, so do I have to protect it in a certain way? Is it
regulated under the Fair Credit Reporting Act? Does the
contract, if I'm contracting with an entity, put certain
restraints on what I must do?
So I suppose, in essence, that is a privacy assessment. Am
I going to secure it because it is sensitive personal
information? Is it a consumer report, so then do I have
additional responsibilities such as properly disposing of it,
limiting access to it and so on?
So, in that sense, yes, I think private-sector laws
regulating entities all across this country are, in fact,
conducting privacy assessments with regard to sensitive
personal information of all types, many of which are
represented by the members of the CDIA.
Mr. Clay. OK.
Ms. Bruening.
Ms. Bruening. Yes, privacy impact assessments are a best
practice. They serve a very important role.
The concern is, however, that within Government it isn't
enough to simply conduct a privacy impact assessment; that
there needs to be oversight both within an agency and from
other branches of Government so that you can get the kind of
accountability and responsibility in that use that you need.
Mr. Clay. Mr. Schwartz, should information resellers that
are governed under the Fair Credit Reporting Act or Gramm-
Leach-Bliley be exempted from requirements in the proposed
Federal Agency Data Protection Act?
Mr. Schwartz. I think that they should. The question of
whether they take steps toward accuracy--and, again, you also
heard Mr. Pratt speak earlier about different kinds of data
bases, so it is not necessarily--I think that there is some
distinction there about whether the information broker has to
follow FCRA for certain data bases and not for other data
bases, and that's confusing, I think. And it is the
responsibility of the agency to figure out where the coverage
lies, what the protections are, and to do that kind of review.
PIAs, in particular, are set at different levels. And the
OMB guidance today has said that agencies are supposed to do
the PIA based on what the potential of impact of privacy is.
And that's really what the goal should be here. It is
completely incumbent on the agency to do this review.
As I said earlier, beyond the accuracy issues and beyond
figuring out who the partner is, it is also to figure out what
the rules are internally for the use of that information, and
to set that up in a way that the program officers understand
those rules. The PIA is the only way to do that today under U.S.
law.
Mr. Clay. OK, let me go to Ms. Bruening.
What is your feeling?
Ms. Bruening. Unfortunately, I'm not in a position to speak
to the specifics of the provisions of the bill.
However, I think what your question does highlight is the
fact that we really need to be careful that we don't approach
this question in a piecemeal fashion; that this really is a
question about how Government treats data once it is brought
into Government, so that we can--you know, are we asking the
right questions? Are we setting appropriate objectives? Are we
setting the right priorities about those objectives? Are we
looking closely at what data is being used and how it is being
used and whether it is going to get us to the objectives that
we want to reach? And is there accountability around that? And
do we have the right kind of processes and procedures for
management of that data once it is brought into Government?
Mr. Clay. Mr. Pratt, go ahead. You may respond.
Mr. Pratt. Thank you, Mr. Chairman.
I see it this way: There already is an assessment any time
a Government agency is going to have to purchase a consumer
report, whether they're going to hire an employee and they need
to conduct a background check, whether it's for a national
security investigation. And legal counsel, not just a privacy
officer, but legal counsel are going to have to determine and
ensure that the State or Federal Government agency is going to
comply with the Fair Credit Reporting Act, that there is a
certain permissible purpose for which the data can be obtained.
And, by the way, the permissible purpose--obtaining for a
permissible purpose under the 2003 amendments made it very
clear that the user had to obtain and use the data for the
permissible purpose. This is not just a question of what the
consumer reporting agency does to deliver a report for
permissible purpose.
So, to me, it is just apples and oranges. A consumer
reporting agency delivering a consumer report to a Government
agency knows that Government agency, by contract and by Federal
law, is going to have to comply with everything that is
required of it, including notifying the consumer if the
decision based on that data was adverse to the consumer, the
adverse action notice that we're familiar with.
Same thing on the Gramm-Leach-Bliley Act side. I am selling
you a look-up service product, you are going to use it for
look-up services. Now, to the extent it should not be used for
other purposes, that's probably part of what a Government
agency should do well. But that's not really a privacy impact
assessment, or maybe there's some semantics here in terms of
what we mean by the scope of a privacy impact.
But if you are buying it for a skip tracing purpose, that's
what it's going to be used for and that's what the contract's
going to limit you to. That's different than ISP data. That's
different than telecom data. That's different than
depersonalized credit card transaction data that the U.S.
Secret Service might use, for example, to try to locate a belt
skimming operation in Miami.
So there really are, I think, different approaches, and so
I don't think--you can look at it holistically, but at the
granular level you are going to take different approaches.
Mr. Clay. Yes, sir, Mr. Schwartz?
Mr. Schwartz. I don't think it is different at all from the
privacy impact assessments that we see from the--the ones that
receive good marks from OMB in the FISMA reports. You go back
and you look at their PIAs that they've done, they all go
through how the information is used, what was management's
intent for the use of the data. That's what they are supposed
to do.
So this idea that this is only focused on what FCRA is, I
think is another universe from what's going on in Government,
or what should be going on in the Government, which is covering
how this information is managed and used.
Mr. Clay. Thank you very much for your responses.
And that will conclude the testimony from the second panel.
This hearing is adjourned. Thank you.
[Whereupon, at 4:05 p.m., the subcommittee was adjourned.]