Personal Information: Agency and Reseller Adherence to Key	 
Privacy Principles (04-APR-06, GAO-06-421).			 
                                                                 
Federal agencies collect and use personal information for various
purposes, both directly from individuals and from other sources, 
including information resellers--companies that amass and sell	 
data from many sources. In light of concerns raised by recent	 
security breaches involving resellers, GAO was asked to determine
how the Departments of Justice, Homeland Security, and State and 
the Social Security Administration use personal data from these  
sources. In addition, GAO reviewed the extent to which		 
information resellers' policies and practices reflect the Fair	 
Information Practices, a set of widely accepted principles for	 
protecting the privacy and security of personal data. GAO also	 
examined agencies' policies and practices for handling personal  
data from resellers to determine whether these reflect the Fair  
Information Practices.						 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-421 					        
    ACCNO:   A50797						        
  TITLE:     Personal Information: Agency and Reseller Adherence to   
Key Privacy Principles						 
     DATE:   04/04/2006 
  SUBJECT:   Data collection					 
	     Information access 				 
	     Information security				 
	     Privacy law					 
	     Privacy policies					 
	     Right of privacy					 
	     Information resellers				 
	     Personal information				 
	     Policies and procedures				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-421

     

     * Report to Congressional Committees
          * April 2006
     * PERSONAL INFORMATION
          * Agency and Reseller Adherence to Key Privacy Principles
     * Contents
          * Results in Brief
          * Background
               * Federal Laws and Guidance Govern Use of Personal Information
                 in Federal Agencies
               * Additional Laws Provide Privacy Protections for Specific
                 Types and Uses of Information
               * The Fair Information Practices Are Widely Agreed to Be Key
                 Principles for Privacy Protection
               * Congressional Interest in the Information Reseller Industry
                 Has Been Heightened
          * Using Governmentwide Contracts, Federal Agencies Obtain Personal
            Information from Information Resellers for a Variety of Purposes
               * Department of Justice Uses Information Resellers Primarily
                 for Law Enforcement and Counterterrorism Purposes
               * DHS Uses Information Resellers Primarily for Law Enforcement
                 and Counterterrorism
               * SSA Uses Information Resellers Primarily for Fraud
                 Prevention and Identity Verification
               * The Department of State Uses Information Resellers Primarily
                 for Passport Fraud Detection and Investigation
               * Agencies Contract with Information Resellers Primarily
                 through Use of GSA's Federal Supply Schedules and the
                 Library of Congress's FEDLINK Service
          * Resellers Take Steps to Protect Privacy, but These Measures Are
            Not Fully Consistent with the Fair Information Practices
               * Information Resellers Generally Did Not Report Limiting
                 Their Data Collection to Specific Purposes or Notifying
                 Individuals about Them
               * Information Resellers Do Not Ensure That Personal
                 Information They Provide Is Accurate for Specific Purposes
               * Information Resellers' Specification of the Purpose of Data
                 Collection Consists of Broad Descriptions of Business
                 Categories
               * Information Resellers Generally Limit the Use of Information
                 as Required by Law, Rather Than on the Basis of Purposes
                 Originally Specified When the Information Was Collected
               * Information Resellers Reported Taking Steps to Improve
                 Security Safeguards
               * Information Resellers Generally Informed the Public about
                 Their Privacy Policies and Practices
               * Information Reseller Policies Generally Allow Individuals
                 Limited Ability to Access and Correct Their Personal
                 Information
               * Information Resellers Report Measures to Ensure
                 Accountability for the Collection and Use of Personal
                 Information
          * Agencies Lack Policies on Use of Reseller Data, and Practices Do
            Not Consistently Reflect the Fair Information Practices
               * Agency Procedures Reflect the Collection Limitation, Data
                 Quality, Use Limitation, and Security Safeguards Principles
               * Limitations in the Applicability of the Privacy Act and
                 Ambiguities in OMB Guidance Contribute to an Uneven
                 Adherence to the Purpose Specification, Openness, and
                 Individual Participation Principles
               * Privacy Impact Assessments Could Address Openness, and
                 Purpose Specification Principles but Are Often Not Conducted
               * Agencies Often Did Not Have Practices in Place to Ensure
                 Accountability for Proper Handling of Information Reseller
                 Data
          * Conclusions
          * Matter for Congressional Consideration
          * Recommendations for Executive Action
          * Agency Comments and Our Evaluation
          * Comments from Information Resellers
     * Objectives, Scope, and Methodology
     * Federal Laws Affecting Information Resellers
          * Gramm-Leach-Bliley Act
               * Driver's Privacy Protection Act
          * Health Insurance Portability and Accountability Act
          * Fair Credit Reporting Act
          * Fair and Accurate Credit Transactions Act
     * Comments from the Department of Justice
     * Comments from the Department of Homeland Security
     * Comments from the Social Security Administration
     * Comments from the Department of State
     * PDF6-Ordering Information.pdf
          * Order by Mail or Phone

Report to Congressional Committees

April 2006

PERSONAL INFORMATION

Agency and Reseller Adherence to Key Privacy Principles

Contents

Tables

Figures

April 4, 2006Letter

Congressional Committees:

Recent security breaches at large information resellers, such as
ChoicePoint and LexisNexis, have highlighted the extent to which such
companies collect and disseminate personal information.1 Information
resellers are companies that collect information, including personal
information about consumers, from a wide variety of sources for the
purpose of reselling such information to their customers, which include
both private-sector businesses and government agencies. Before advanced
computerized techniques made aggregating and disseminating such
information relatively easy, much personal information was less
accessible, being stored in paper-based public records at courthouses and
other government offices or in the files of nonpublic businesses. However,
information resellers have now amassed extensive amounts of personal
information about large numbers of Americans, and federal agencies access
this information for a variety of reasons. Federal agency use of such
information is governed primarily by the Privacy Act of 1974,2 which
requires that the use of personal information be limited to predefined
purposes and involve only information germane to those purposes.

The provisions of the Privacy Act are largely based on a set of principles
for protecting the privacy and security of personal information, known as
the Fair Information Practices, which were first proposed in 1973 by a
U.S. government advisory committee.3 These principles, now widely
accepted, include

o collection limitation,

o data quality,

o purpose specification,

o use limitation,

o security safeguards,

o openness,

o individual participation, and

o accountability.4

These principles, with some variation, are used by organizations to
address privacy considerations in their business practices and are also
the basis of privacy laws and related policies in many countries,
including the United States, Germany, Sweden, Australia, New Zealand, and
the European Union.

Given recent events involving information resellers and federal agencies'
use of information obtained from these resellers, you asked us to review
how selected federal agencies use such information. Specifically, our
objectives were to determine (1) how the Departments of Justice, Homeland
Security (DHS), and State and the Social Security Administration (SSA) are
making use of personal information obtained through contracts with
information resellers; (2) the extent to which information resellers
providing personal information to these agencies have policies and
practices in place that reflect the Fair Information Practices; and
(3) the extent to which these agencies have policies and practices in
place for the handling of personal data from resellers that reflect the
Fair Information Practices.

To address our first objective, we analyzed fiscal year 2005 contracts and
other vehicles for the acquisition of personal information from
information resellers by DHS, Justice, State, and SSA to identify their
purpose, scope, and value. We obtained additional information on these
contracts and uses in discussions with agency officials to ensure that all
relevant information had been provided to us.

To address our second objective, we reviewed documentation from five major
information resellers5 and conducted site visits at three of them6 to
obtain information on privacy and security policies and procedures and
compared these with the Fair Information Practices. In conducting our
analysis, we identified the extent to which reseller practices were
consistent with the key privacy principles of the Fair Information
Practices. We also assessed the potential effect of any inconsistencies;
however, we did not attempt to make determinations of whether or how
information reseller practices should change. Such determinations are a
matter of policy based on balancing the public's right to privacy with the
value of services provided by resellers to customers such as government
agencies. We determined that the five resellers we reviewed accounted for
most of the contract value of personal information obtained from resellers
in fiscal year 2005 by the four agencies we reviewed. We did not evaluate
the effectiveness of resellers' information security programs.

To address our third objective, we identified and evaluated agency
guidelines and management policies and procedures governing the use of
personal information obtained from information resellers and compared
these to the Fair Information Practices. We also conducted interviews at
the four agencies with senior agency officials designated for privacy
issues as well as officials of the Office of Management and Budget (OMB)
to obtain their views on the applicability of federal privacy laws and
related guidance to agency use of information resellers. We performed our
work from May 2005 to March 2006 in the Washington, D.C., metropolitan
area; Little Rock, Arkansas; Alpharetta, Georgia; and Miamisburg, Ohio.
Our work was performed in accordance with generally accepted government
auditing standards. Our objectives, scope, and methodology are discussed
in more detail in appendix I.

Results in Brief

In fiscal year 2005, Justice, DHS, State, and SSA reported using personal
information from information resellers for a variety of purposes,
including law enforcement, counterterrorism, fraud prevention, and debt
collection. Taken together, approximately 91 percent of planned spending
on resellers reported by the agencies for fiscal year 2005 was for law
enforcement (69 percent) or counterterrorism (22 percent). For example,
components of the Department of Justice (the largest user of resellers)
made use of such information for criminal investigations, location of
witnesses and fugitives, research of assets held by individuals of
interest, and detection of fraud in prescription drug transactions.
Examples of uses by the DHS include immigration fraud detection and border
screening programs. SSA and State acquire personal information from
information resellers for fraud detection and investigation, identity
verification, and benefit eligibility determination. The four agencies
obtained personal information from resellers primarily through two
general-purpose governmentwide contract vehicles-the Federal Supply
Schedule of the General Services Administration (GSA) and the Library of
Congress's Federal Library and Information Network. Collectively, the four
agencies reported approximately $30 million7 in fiscal year 2005 in
contractual arrangements with information resellers that enabled the
acquisition and use of personal information.

The major information resellers that do business with the federal agencies
we reviewed have practices in place to protect privacy, but these measures
are not fully consistent with the Fair Information Practices. For example,
the nature of the information reseller business is largely at odds with
the principles of collection limitation, data quality, purpose
specification, and use limitation. These principles center on limiting the
collection and use of personal information, and they link data quality
(e.g., accuracy) requirements to these limitations. Resellers said they
believe it may not be appropriate or practical for them to fully adhere to
these principles because they do not obtain their information directly
from individuals. In fact, the information reseller industry is based on
multipurpose

collection and use of personal and other information8 information from
multiple sources. In many cases, resellers take steps that address aspects
of the Fair Information Practices. For example, resellers reported that
they have taken steps recently to improve their security safeguards, and
they generally inform the public about key privacy principles and policies
(relevant to the openness principle). However, resellers generally limit
the extent to which individuals can gain access to personal information
held about themselves as well as the extent to which inaccurate
information contained in their databases can be corrected or deleted
(relevant to the individual participation principle).

Agency practices for handling personal information acquired from
information resellers reflected the principles of the Fair Information
Practices in four cases and in the other four did not. Specifically,
regarding the collection limitation, data quality, use limitation, and
security safeguards principles, agency practices generally reflected the
Fair Information Practices. For example, regarding the data quality
principle that data should be accurate, current, and complete, as needed
for the defined purpose, law enforcement agencies (including the Federal
Bureau of Investigation and the U.S. Secret Service) generally reported
that they corroborate information obtained from resellers to ensure that
it is accurate when it is used as part of an investigation.

Regarding other principles, however, agency practices were uneven.
Specifically, agencies did not always have practices in place to fully
address the purpose specification, individual participation, openness, and
accountability principles with regard to use of reseller information. For
example,

o although agencies notify the public through Federal Register notices and
published privacy impact assessments that they collect personal
information from various sources, they do not always indicate specifically
that information resellers are among those sources, and

o some agencies lack robust audit mechanisms to ensure that use of
personal information from information resellers is for permissible
purposes, reflecting an uneven application of the accountability
principle.

Contributing to the uneven application of the Fair Information Practices
are ambiguities in guidance from OMB regarding the applicability of
privacy requirements to federal agency uses of reseller information. In
addition, agencies generally lack policies that specifically address these
uses.

The Congress should consider the extent to which information resellers
should adhere to the Fair Information Practices. We are also recommending
that the Director, OMB, revise privacy guidance to clarify the
applicability of requirements for public notices and privacy impact
assessments to agency use of personal information from resellers and
direct agencies to review their uses of such information to ensure it is
explicitly referenced in privacy notices and assessments. Further, we are
recommending that agencies develop specific policies for the use of
personal information from resellers.

We obtained written comments on a draft of this report from Justice, DHS,
SSA, and State. We also received comments via E-mail from OMB. Comments
from Justice, DHS, SSA, and State are reproduced in appendixes III to VI,
respectively. Justice, DHS, SSA, and OMB all generally agreed with the
report and described actions initiated to address our recommendations. In
its comments, Justice recommended that prior to issuance of any new or
revised policy, careful consideration be given to its impact on Justice.
We believe the policy clarifications we are proposing are unlikely to
result in an adverse impact on law enforcement activities at Justice.
Justice and SSA also provided technical comments, which were incorporated
in the final report as appropriate.

State interpreted our draft report to "rest on the premise that records
from `information resellers' should be accorded special treatment when
compared with sensitive information from other sources." State also
indicated that it does not distinguish between types of information or
sources of information in complying with privacy laws. However, our report
does not suggest that data from resellers should receive special
treatment. Instead, our report takes the widely accepted Fair Information
Practices as a universal benchmark of privacy protections and assesses
agency practices in comparison with them.

We also obtained comments on excerpts of our draft report from the five
information resellers we reviewed. Several resellers raised concerns
regarding the version of the Fair Information Practices we used to assess
their practices, stating their view that it was more appropriate for
organizations that collection information directly from consumers and that
they were not legally bound to adhere to the Fair Information Practices.
As discussed in our report, the version of the Fair Information Practices
we used has been widely adopted and cited within the federal government as
well as internationally. Further, we use it as an analytical framework for
identifying potential privacy issues for further consideration by
Congress-not as criteria for strict compliance. Resellers also stated that
the draft did not take into account that public record information is open
to all for any use not prohibited by state or federal law. However, we
believe it is not clear that individuals give up all privacy rights to
personal information contained in public records, and we believe it is
important to assess the status of privacy protections for all personal
information being offered commercially to the government so that informed
policy decision can be made about the appropriate balance between
resellers' services and the public's right to privacy. Resellers also
offered technical comments, which were incorporated in the final report as
appropriate.

Background

Before advanced computerized techniques for aggregating, analyzing, and
disseminating data came into widespread use, personal information
contained in paper-based public records at courthouses or other government
offices was relatively difficult to obtain, usually requiring a personal
visit to inspect the records. Nonpublic information, such as personal
information contained in product registrations, insurance applications,
and other business records, was also generally inaccessible. In recent
years, however, advances in technology have spawned information reseller
businesses that systematically collect extensive amounts of personal
information from a wide variety of sources and make it available
electronically over the Internet and by other means to customers in both
government and the private sector. This automation of the collection and
aggregation of multiple-source data, combined with the ease and speed of
its retrieval, have dramatically reduced the time and effort needed to
obtain information of this type. Among the primary customers of
information resellers are financial institutions (including insurance
companies), retailers, law offices, telecommunications and technology
companies, and marketing firms.

We use the term "information resellers" to refer to businesses that vary
in many ways but have in common the fact that they collect and aggregate
personal information from multiple sources and make it available to their
customers. These businesses do not all focus exclusively on aggregating
and reselling personal information. For example, Dun & Bradstreet
primarily provides information on commercial enterprises for the purpose
of contributing to decision making regarding those enterprises. In doing
so, it may supply personal information about individuals associated with
those commercial enterprises. To a certain extent, the activities of
information resellers may also overlap with the functions of consumer
reporting agencies, also known as credit bureaus-entities that collect and
sell information about individuals' creditworthiness, among other things.
As is discussed further below, to the extent that information resellers
perform the functions of consumer reporting agencies, they are subject to
legislation specifically addressing that industry, particularly the Fair
Credit Reporting Act.

Information resellers obtain personal information from many different
sources. Generally, three types of information are collected: public
records, publicly available information, and nonpublic information.

o Public records are a primary source of information about consumers,
available to anyone, and can be obtained from governmental entities. What
constitutes public records is dependent upon state and federal laws, but
generally these include birth and death records, property records, tax
lien records, motor vehicle registrations, voter registrations, licensing
records, and court records (including criminal records, bankruptcy
filings, civil case files, and legal judgments).

o Publicly available information is information not found in public
records but nevertheless publicly available through other sources. These
sources include telephone directories, business directories, print
publications such as classified ads or magazines, Internet sites, and
other sources accessible by the general public.

o Nonpublic information is derived from proprietary or nonpublic sources,
such as credit header data,9 product warranty registrations, and other
application information provided to private businesses directly by
consumers.

Private sector businesses rely on information resellers for information to
support a variety of activities, such as

o conducting pre-employment background checks on prospective employees,

o verifying individuals' identities by reviewing records of their personal
information;

o marketing commercial products to consumers matching specified
demographic characteristics; and

o preventing financial fraud by examining insurance, asset, and other
financial record information.

Typically, while information resellers may collect and maintain personal
information in a variety of databases, they provide their customers with a
single, consolidated online source for a broad array of personal
information. Figure 1 illustrates how information is collected from
multiple sources and ultimately accessed by customers, including
government agencies, through contractual agreements.

Figure 1: Typical Information Flow through Resellers to Government
Customers

In addition to providing consolidated access to personal information
through Internet-based Web sites, information resellers offer a variety of
products tailored to the specific needs of various lines of business. For
example, an insurance company could obtain different products covering
police and accident reports, insurance carrier information, vehicle owner
verification or claims history, or online public records. Typically,
services offered to law enforcement officers include more
information-including sensitive information, such as full Social Security
numbers and driver's license numbers-than is offered to other customers.

Federal Laws and Guidance Govern Use of Personal Information in Federal
Agencies

There is no single federal law that governs all use or disclosure of
personal information. Instead, U.S. law includes a number of separate
statutes that provide privacy protections for information used for
specific purposes or maintained by specific types of entities. The major
requirements for the protection of personal privacy by federal agencies
come from two laws, the Privacy Act of 1974 and the privacy provisions of
the E-Government Act of 2002. The Federal Information Security Management
Act of 2002 (FISMA) also addresses the protection of personal information
in the context of securing federal agency information and information
systems.

The Privacy Act places limitations on agencies' collection, disclosure,
and use of personal information maintained in systems of records. The act
describes a "record" as any item, collection, or grouping of information
about an individual that is maintained by an agency and contains his or
her name or another personal identifier. It also defines "system of
records" as a group of records under the control of any agency from which
information is retrieved by the name of the individual or by an individual
identifier. The Privacy Act requires that when agencies establish or make
changes to a system of records, they must notify the public by a notice in
the Federal Register identifying, among other things, the type of data
collected, the types of individuals about whom information is collected,
the intended "routine" uses of data, and procedures that individuals can
use to review and correct personal information.10

The act's requirements also apply to government contractors when agencies
contract for the development and maintenance of a system of records to
accomplish an agency function.11 The act limits its applicability to cases
in which systems of records are maintained specifically on behalf of a
government agency.

Several provisions of the act require agencies to define and limit
themselves to specific predefined purposes. For example, the act requires
that to the greatest extent practicable, personal information should be
collected directly from the subject individual when it may affect an
individual's rights or benefits under a federal program. The act also
requires that an agency inform individuals whom it asks to supply
information of (1) the authority for soliciting the information and
whether disclosure of such information is mandatory or voluntary; (2) the
principal purposes for which the information is intended to be used;
(3) the routine uses that may be made of the information; and (4) the
effects on the individual, if any, of not providing the information.
According to OMB, this requirement is based on the assumption that
individuals should be provided with sufficient information about the
request to make a decision about whether to respond.

In handling collected information, the Privacy Act also requires agencies
to, among other things, allow individuals to (1) review their records
(meaning any information pertaining to them that is contained in the
system of records), (2) request a copy of their record or information from
the system of records, and (3) request corrections in their information.
Such provisions can provide a strong incentive for agencies to correct any
identified errors.

Agencies are allowed to claim exemptions from some of the provisions of
the Privacy Act if the records are used for certain purposes. For example,
records compiled for criminal law enforcement purposes can be exempt from
a number of provisions, including (1) the requirement to notify
individuals of the purposes and uses of the information at the time of
collection and (2) the requirement to ensure the accuracy, relevance,
timeliness, and completeness of records. A broader category of
investigative records compiled for criminal or civil law enforcement
purposes can also be exempted from a somewhat smaller number of Privacy
Act provisions, including the requirement to provide individuals with
access to their records and to inform the public of the categories of
sources of records. In general, the exemptions for law enforcement
purposes are intended to prevent the disclosure of information collected
as part of an ongoing investigation that could impair the investigation or
allow those under investigation to change their behavior or take other
actions to escape prosecution.

The E-Government Act of 2002 strives to enhance protection for personal
information in government information systems or information collections
by requiring that agencies conduct privacy impact assessments (PIA). A PIA
is an analysis of how personal information is collected, stored, shared,
and managed in a federal system. More specifically, according to OMB
guidance,12 a PIA is an analysis of how

Agencies must conduct PIAs (1) before developing or procuring information
technology that collects, maintains, or disseminates information that is
in a personally identifiable form or (2) before initiating any new data
collections involving personal information that will be collected,
maintained, or disseminated using information technology if the same
questions are asked of 10 or more people. OMB guidance also requires
agencies to conduct PIAs when a system change creates new privacy risks,
for example, changing the way in which personal information is being used.
The requirement does not apply to all systems. For example, no assessment
is required when the information collected relates to internal government
operations, the information has been previously assessed under an
evaluation similar to a PIA, or when privacy issues are unchanged.

FISMA also addresses the protection of personal information. FISMA defines
federal requirements for securing information and information systems that
support federal agency operations and assets; it requires agencies to
develop agencywide information security programs that extend to
contractors and other providers of federal data and systems.13 Under
FISMA, information security means protecting information and information
systems from unauthorized access, use, disclosure, disruption,
modification, or destruction, including controls necessary to preserve
authorized restrictions on access and disclosure to protect personal
privacy, among other things.

OMB is tasked with providing guidance to agencies on how to implement the
provisions of the Privacy Act and the E-Government Act and has done so,
beginning with guidance on the Privacy Act, issued in 1975.14 The guidance
provides explanations for the various provisions of the law as well as
detailed instructions for how to comply. OMB's guidance on implementing
the privacy provisions of the E-Government Act of 2002 identifies
circumstances under which agencies must conduct PIAs and explains how to
conduct them. OMB has also issued guidance on implementing the provisions
of FISMA.

Additional Laws Provide Privacy Protections for Specific Types and Uses of
Information

Although federal laws do not specifically regulate the information
reseller industry as a whole, they provide safeguards for personal
information under certain specific circumstances, such as when financial
or health information is involved, or for such activities as
pre-employment background checks. Specifically, the Fair Credit Reporting
Act, the Gramm-Leach-Bliley Act, the Driver's Privacy Protection Act, and
the Health Insurance Portability and Accountability Act all restrict the
ways in which businesses, including information resellers, may use and
disclose consumers' personal information (see app. II for more details
about these laws). The Gramm-Leach-Bliley Act, for example, limits
financial institutions' disclosure of nonpublic personal information to
nonaffiliated third parties and requires companies to give consumers
privacy notices that explain the institutions' information sharing
practices. Consumers then have the right to limit some, but not all,
sharing of their nonpublic personal information.

As shown in table 1, these laws either restrict the circumstances under
which entities such as information resellers are allowed to disclose
personal information or restrict the parties with whom they are allowed to
share information.

Table 1: Federal Laws Addressing Private Sector Disclosure of Personal
Information

                                        

           Federal laws                          Provisions                   
Fair Credit Reporting Act    Consumer reporting agencies are limited to    
                                providing data only to their customers that   
                                have a permissible purpose for using the      
                                data. With few exceptions, government         
                                agencies are treated like other parties and   
                                must have a permissible purpose in order to   
                                obtain a consumer report.                     
Gramm-Leach-Bliley Act       Sets limitations  on financial institutions'  
                                disclosure of customer data to third parties, 
                                such as information resellers. Requires       
                                companies to give consumers privacy notices   
                                that explain the institutions'                
                                information-sharing practices. In turn,       
                                consumers have the right to limit some, but   
                                not all, sharing of their nonpublic personal  
                                information.                                  
Driver's Privacy Protection  Restricts a third party's ability to obtain   
Act                          Social Security numbers and other driver's    
                                license information from state motor vehicle  
                                offices unless doing so for a permissible     
                                purpose under the law; restricts state motor  
                                vehicle offices' ability to disclose driver's 
                                license information.                          
Health Insurance Portability Health care organizations are restricted from 
and Accountability Act       disclosing a patient's health information     
                                without the patient's consent, except for     
                                permissible reasons, and are required to      
                                inform individuals of privacy practices.      
Fair and Accurate Credit     Consumers may obtain one free annual consumer 
Transactions Act             report from nationwide consumer reporting     
                                agencies.                                     

Source: GAO analysis.

Note: Appendix II provides additional details on the requirements of these
laws.

Information resellers are also affected by various state laws. For
example, California state law requires businesses to notify consumers
about security breaches that could directly affect them. Legal
requirements, such as the California law, led ChoicePoint, a large
information reseller, to notify its customers in mid-February 2005 of a
security breach in which unauthorized persons gained access to personal
information from its databases. Since the ChoicePoint notification, bills
were introduced in at least 35 states and enacted in at least 22 states15
that require some form of notification upon a security breach.

The Fair Information Practices Are Widely Agreed to Be Key Principles for
Privacy Protection

The Fair Information Practices are a set of internationally recognized
privacy protection principles. First proposed in 1973 by a U.S. government
advisory committee, the Fair Information Practices were intended to
address what the committee termed a poor level of protection afforded to
privacy under contemporary law.16 A revised version of the Fair
Information Practices, developed by the Organization for Economic
Cooperation and Development (OECD)17 in 1980, has been widely adopted. The
OECD principles are shown in table 2.

Table 2: The OECD Fair Information Practices

                                        

          Principle                            Description                    
Collection limitation    The collection of personal information should be  
                            limited, should be obtained by lawful and fair    
                            means, and, where appropriate, with the knowledge 
                            or consent of the individual.                     
Data quality             Personal information should be relevant to the    
                            purpose for which it is collected, and should be  
                            accurate, complete, and current as needed for     
                            that purpose.                                     
Purpose specification    The purposes for the collection of personal       
                            information should be disclosed before collection 
                            and upon any change to that purpose, and its use  
                            should be limited to those purposes and           
                            compatible purposes.                              
Use limitation           Personal information should not be disclosed or   
                            otherwise used for other than a specified purpose 
                            without consent of the individual or legal        
                            authority.                                        
Security safeguards      Personal information should be protected with     
                            reasonable security safeguards against risks such 
                            as loss or unauthorized access, destruction, use, 
                            modification, or disclosure.                      
Openness                 The public should be informed about privacy       
                            policies and practices, and individuals should    
                            have ready means of learning about the use of     
                            personal information.                             
Individual participation Individuals should have the following rights: to  
                            know about the collection of personal             
                            information, to access that information, to       
                            request correction, and to challenge the denial   
                            of those rights.                                  
Accountability           Individuals controlling the collection or use of  
                            personal information should be accountable for    
                            taking steps to ensure the implementation of      
                            these principles.                                 

Source: OECD.

The Fair Information Practices are, with some variation, the basis of
privacy laws and related policies in many countries, including the United
States, Germany, Sweden, Australia, New Zealand, and the European Union.18
They are also reflected in a variety of federal agency policy statements,
beginning with an endorsement of the OECD principles by the Department of
Commerce in 1981,19 and including policy statements of the DHS, Justice,
Housing and Urban Development, and Health and Human Services.20 In 2004,
the Chief Information Officers Council issued a coordinating draft of
their Security and Privacy Profile for the Federal Enterprise
Architecture21 that links privacy protection with a set of acceptable
privacy principles corresponding to the OECD's version of the Fair
Information Practices.

The Fair Information Practices are not precise legal requirements. Rather,
they provide a framework of principles for balancing the need for privacy
with other public policy interests, such as national security, law
enforcement, and administrative efficiency. Striking that balance varies
among countries and among types of information (e.g., medication versus
employment information).

The Fair Information Practices also underlie the provisions of the Privacy
Act of 1974. For example, the system of records notice required under the
Privacy Act embodies the purpose specification, openness, and individual
participation principles in that it provides a public accounting through
the Federal Register of the purpose and uses for personal information, and
procedures by which individuals may access and correct, if necessary,
information about themselves. Further, the E-Government Act's requirement
to conduct PIAs likewise reflects the Fair Information Practices. Under
the act, agencies are to make these assessments publicly available, if
practicable, through agency Web sites or by publication in the Federal
Register, or other means. To the extent that such assessments are made
publicly available, they also provide notice to the public about the
purpose of planned information collections and the planned uses of the
information being collected.

Congressional Interest in the Information Reseller Industry Has Been
Heightened

A number of congressional hearings were held and bills introduced in 2005
in the wake of widely publicized data security breaches at major
information resellers such as ChoicePoint and LexisNexis as well as other
firms. In March 2005, the House Subcommittee on Commerce, Trade, and
Consumer Protection of the House Energy and Commerce Committee held a
hearing entitled "Protecting Consumers' Data: Policy Issues Raised by
ChoicePoint," which focused on potential remedies for security and privacy
concerns regarding information resellers. Similar hearings were held by
the House Energy and Commerce Committee and by the U.S. Senate Committee
on Commerce, Science, and Transportation in spring 2005.

The heightened interest in this subject led a number of Members of
Congress to propose a variety of bills aimed at regulating companies that
handle personal information, including information resellers. Several of
these bills require companies such as information resellers to notify the
public of security breaches, while a few also allow consumers to "freeze"
their credit (i.e., prevent new credit accounts from being opened without
special forms of authentication),  or see and correct personal information
contained in reseller data collections. Other proposed legislation
includes (1) the Data Accountability and Trust Act,22 requiring security
policies and procedures to protect computerized data containing personal
information and nationwide notice in the event of a security breach, and
(2) the Personal Data Privacy and Security Act of 2005,23 requiring data
brokers to disclose personal electronic records pertaining to an
individual and inform individuals on procedures for correcting
inaccuracies.

Using Governmentwide Contracts, Federal Agencies Obtain Personal
Information from Information Resellers for a Variety of Purposes

Primarily through governmentwide contracts, Justice, DHS, State, and SSA
reported using personal information obtained from resellers for a variety
of purposes, including law enforcement, counterterrorism, fraud
detection/prevention, and debt collection. Most uses by Justice were for
law enforcement and counterterrorism, such as investigations of fugitives
and obtaining information on witnesses and assets held by individuals of
interest. DHS also used reseller information primarily for law enforcement
and counterterrorism, such as screening vehicles entering the United
States. State and SSA reported acquiring personal information from
information resellers for fraud detection and investigation, identity
verification, and benefit eligibility determination. The four agencies
reported approximately $30 million in contractual arrangements with
information resellers in fiscal year 2005.24 Justice accounted for most of
the funding (about 63 percent).

Approximately 91 percent of agency uses of reseller data were in the
categories of law enforcement (69 percent) or counterterrorism (22
percent). Figure 2 details contract values categorized by their reported
use. (Details on uses by each agency are given in the individual agency
discussions.)

Figure 2: Fiscal Year 2005 Contractual Vehicles Enabling the Use of
Personal Information from Information Resellers, Categorized by Reported
Use

Department of Justice Uses Information Resellers Primarily for Law
Enforcement and Counterterrorism Purposes

According to Justice contract documentation, access to up-to-date and
comprehensive public record information is a critical ongoing mission
requirement, and the department relies on a wide variety of information
resellers-including ChoicePoint, Dun & Bradstreet, LexisNexis, and West-to
meet that need. Departmental use of information resellers was primarily
for purposes related to law enforcement (75 percent) and counterterrorism
(18 percent), including support for criminal investigations, location of
witnesses and fugitives, information on assets held by individuals under
investigation, and detection of fraud in prescription drug transactions.
In fiscal year 2005, Justice and its components reported approximately $19
million in acquisitions from information resellers involving personal
information. The department acquired these services primarily through use
of GSA's Federal

SupplySchedule25 offerings including a blanket purchase agreement26 with
ChoicePoint valued at approximately $15 million.27 Several component
agencies, such as the Federal Bureau of Investigation (FBI), the Drug
Enforcement Administration (DEA), and the Bureau of Alcohol, Tobacco,
Firearms, and Explosives (ATF) placed orders with information resellers
based on the schedules. In addition, for fiscal year 2005, Justice
established separate departmentwide contracts with LexisNexis and West
valued at $4.5 million and $5.2 million, respectively.28

Tasked to protect and defend the United States against terrorist and
foreign intelligence threats and to enforce criminal laws, the FBI is
Justice's largest user of information resellers, with about $11 million in
contracts in fiscal year 2005. The majority of FBI's use involves two
major programs, the Public Source Information Program and the Foreign
Terrorist Tracking Task Force (FTTTF). In support of the investigative and
intelligence missions of the FBI, the Public Source Information Program
provides all offices of the FBI with access via the Internet to public
record, legal, and news media information available from various online
commercial databases. These databases are used to assist with
investigations by identifying the location of individuals and identifying
alias names, Social Security numbers, relatives, dates of birth, telephone
numbers, vehicles, business affiliations, other associations, and assets.
Public Source Information Program officials reported that use of these
commercial databases often results in new information regarding the
subject of the investigation. Officials noted that commercial databases
are used in preliminary investigations, and that subsequently,
investigative personnel must verify the results of each search.

The FBI's FTTTF also contracts with several information resellers (1) to
assist in fulfilling its mission of assisting federal law enforcement and
intelligence agencies in locating foreign terrorists and their supporters
who are in or have visited the United States and (2) to provide
information to other law enforcement and intelligence community agencies
that can lead to their surveillance, prosecution, or removal. As we
previously reported,29 FTTTF makes use of personal information from
several commercial sources to analyze intelligence and detect terrorist
activities in support of ongoing investigations by law enforcement
agencies and the intelligence community. Information resellers provide
FTTTF with names, addresses, telephone numbers, and other biographical and
demographical information as well as legal briefs, vehicle and boat
registrations, and business ownership records.

Other Justice components reported using personal information from
information resellers to support the conduct of investigations and other
law enforcement-related activities. For example, the U.S. Marshals Service
uses an information reseller to, among other things, locate fugitives by
identifying a fugitive's relatives and their addresses.30 Through
interviews with relatives, a U.S. Marshal may be able to ascertain the
location of a fugitive and subsequently apprehend the individual.

DEA, the second largest Justice user of information resellers in fiscal
year 2005, obtains reseller data to detect fraud in prescription drug
transactions.31 Through these data, DEA agents can detect irregular
prescription patterns for specific drugs and trace this information to the
pharmacy and prescribing doctor.32 DEA also uses an information reseller
to locate individuals in asset forfeiture cases.33 Reseller data allows
DEA to identify all possible addresses for an individual in order to meet
the agency's obligation to make a reasonable effort to notify individuals
of seized property and inform them of their rights to contest the
seizures.

Other uses reported by Justice components are not related to law
enforcement. For example, uses by the U.S. Trustees, Antitrust, Civil,
Tax, and Criminal Divisions include ascertaining the financial status of
individuals for debt collection purposes or bankruptcy proceedings or for
the location of individuals for court proceedings. The Executive Office
for U.S. Attorneys uses information resellers to ascertain the financial
status of those indebted to the United States in order to assess the
debtor's ability to repay the debt. According to officials, information
reseller databases may reveal assets that a debtor is attempting to
conceal. Further, the U.S. Attorneys use information resellers to locate
victims of federal crime in order to notify these individuals of relevant
court proceedings pursuant to the Justice for All Act.34

Table 3 details in aggregate the vendors, fiscal year 2005 contract
values, and reported uses for contracts with information resellers by
major Justice components.

Table 3: Reported Uses of Personal Information: Department of Justice
Contracts with Information Resellers, Fiscal Year 2005

                                        

    Major component     Information      Aggregate   Uses involving personal  
                         resellers        contract         information        
                                             value  
Federal Bureau of  ChoicePoint,     $11,248,000  Public Source Information 
Investigation      LexisNexis,                   Program. Find individuals 
                      West, Credit                  and identify alias names, 
                      Bureau Reports,               Social Security numbers,  
                      Dun &                         relatives, dates of       
                      Bradstreet,                   birth, telephone numbers, 
                      Seisinta                      vehicles, business        
                                                    affiliations,             
                                                    associations, and assets. 
                                                                              
                                                    The program provides FBI  
                                                    units with access to      
                                                    public record, legal, and 
                                                    news media information    
                                                    from various online       
                                                    commercial databases.     
                                                                              
                                                    Criminal Investigative    
                                                    Division. Same use.       
                                                                              
                                                    Foreign Terrorist         
                                                    Tracking Task Force.      
                                                    Obtain such information   
                                                    as names, addresses,      
                                                    telephone numbers, other  
                                                    biographical information, 
                                                    vehicle and boat          
                                                    registrations, and        
                                                    business ownership        
                                                    records.                  
Drug Enforcement   ChoicePoint,      $4,283,000  Conduct investigations of 
Administration     LexisNexis, Dun               drug diversions and       
                      & Bradstreet                  improper drug             
                                                    transactions:             
                                                                              
                                                    For example, identifying  
                                                    cases in which physicians 
                                                    sell prescriptions to     
                                                    drug dealers or abusers,  
                                                    pharmacists falsely       
                                                    report legitimate drug    
                                                    sales and subsequently    
                                                    sell the drugs illegally, 
                                                    and employees steal from  
                                                    inventory and falsify     
                                                    orders to hide illicit    
                                                    sales.                    
                                                                              
                                                    Support criminal          
                                                    investigations of         
                                                    specific individuals and  
                                                    companies.                
                                                                              
                                                    Locate an individual's    
                                                    address in asset removal  
                                                    cases.                    
U.S. Marshals      ChoicePoint,      $1,661,000  Generate leads related to 
Service            LexisNexis, West              fugitive investigations   
                                                    (e.g., a fugitive's       
                                                    relatives and their       
                                                    contact information).     
                                                                              
                                                    Asset Forfeiture Office.  
                                                    Obtain information on     
                                                    preseized, seized, and    
                                                    forfeited property.       
                                                                              
                                                    The Marshals Service      
                                                    offers property for sale  
                                                    to the public that has    
                                                    been forfeited under laws 
                                                    enforced or administered  
                                                    by Justice and its        
                                                    investigative agencies.   
                                                                              
                                                    Office of General         
                                                    Counsel. Research assets  
                                                    to administer tort claims 
                                                    against the service.      
                                                                              
                                                    For example, if a         
                                                    claimant makes an         
                                                    assertion that the        
                                                    service is responsible    
                                                    for damaging property and 
                                                    does not provide          
                                                    supporting documentation, 
                                                    General Counsel personnel 
                                                    may use commercial data   
                                                    to verify tax assessment  
                                                    records, proof of         
                                                    ownership, etc.           
Executive Office   ChoicePoint, CBR    $855,000  Financial Litigation      
for U.S. Attorneys Information                   Units. Ascertain the      
                      Services                      financial status of       
                                                    individuals and uncover   
                                                    concealed assets for      
                                                    civil and criminal debt   
                                                    collection efforts.       
                                                                              
                                                    Locate and notify crime   
                                                    victims of relevant court 
                                                    proceedings pursuant to   
                                                    the Justice for All Act   
                                                    of 2004.                  
Bureau of Alcohol, ChoicePoint, Dun    $791,000  Support investigative     
Tobacco, Firearms, & Bradstreet,                 activities such as        
and Explosives     LexisNexis, West              locating and apprehending 
                                                    fugitives or obtaining    
                                                    data on businesses (such  
                                                    as in arson               
                                                    investigations), which    
                                                    may include personal      
                                                    information about         
                                                    business owners.          
Executive Office   ChoicePoint,        $303,000  Obtain information on     
of the United      Equifax,b Real                assets (openly held or    
States Trustees    Data Corp, MLS                concealed) of individuals 
                      Hawaii                        in bankruptcy proceedings 
                                                    (as part of office's      
                                                    mission to enforce        
                                                    bankruptcy laws and       
                                                    provide oversight of      
                                                    private trustees).        
                                                                              
                                                    Obtain credit reports on  
                                                    employees as part of a    
                                                    security clearance        
                                                    process.                  
Office of the      ChoicePoint,         $43,000  Investigations Division.  
Inspector General  LexisNexis, West              Support investigations of 
                                                    alleged violations of     
                                                    fraud, abuse, and         
                                                    integrity laws that       
                                                    govern Justice employees, 
                                                    operations, grantees, and 
                                                    contractors.              
U.S. National      ChoicePoint          $31,000  Conduct business and      
Central Bureau                                   address checks on         
                                                    individuals who may be    
                                                    potentially involved in   
                                                    fraud or fugitive cases.  
                                                                              
                                                    The bureau facilitates    
                                                    international law         
                                                    enforcement cooperation   
                                                    as the U.S.               
                                                    representative of the     
                                                    International Criminal    
                                                    Police Organization       
                                                    (INTERPOL).               
National Drug      ChoicePoint          $28,000  Document Exploitation     
Intelligence                                     Division. Locate          
Center                                           individuals, identify     
                                                    assets, and investigate   
                                                    fraud.                    
                                                                              
                                                    The Document Exploitation 
                                                    Division specializes in   
                                                    analyzing information     
                                                    seized in major federal   
                                                    drug investigations.      
Office of Justice  Dun & Bradstreet     $22,000  Office of Comptroller,    
Programs                                         Financial Management      
                                                    Division. Obtain credit   
                                                    reports to assess new     
                                                    grantees'                 
                                                    (nongovernmental or       
                                                    nontribal) financial      
                                                    integrity. These credit   
                                                    reports may include       
                                                    personal information on   
                                                    company owners.           
                                                                              
                                                    This information is used  
                                                    to support the new        
                                                    grantee's ability to      
                                                    operate the grant         
                                                    programs of the Office of 
                                                    Justice Programs, to      
                                                    confirm the existence of  
                                                    the company, and to       
                                                    determine any outstanding 
                                                    liens or obligations that 
                                                    might influence the       
                                                    success of the grant      
                                                    program.                  
Litigating         ChoicePoint,         $21,000  Civil Division. Locate    
Divisions (Civil,  Credit Bureau                 individuals and assets in 
Criminal,          Reports                       connection with           
Antitrust, and     (division of CBC              litigation for purposes   
Tax)               Companies)                    such as obtaining         
                                                    depositions, debt         
                                                    collection, and           
                                                    identifying assets that a 
                                                    debtor may be concealing  
                                                    in bankruptcy             
                                                    proceedings.              
                                                                              
                                                    Criminal Division, Office 
                                                    of Special                
                                                    Investigations. Locate    
                                                    individuals who may have  
                                                    taken part in             
                                                    Nazi-sponsored acts of    
                                                    persecution abroad before 
                                                    and during World War II   
                                                    and who subsequently      
                                                    entered, or seek to       
                                                    enter, the United States  
                                                    illegally and/or          
                                                    fraudulently.             
                                                                              
                                                    Antitrust Division.       
                                                    Locate witnesses for      
                                                    trials.                   
                                                                              
                                                    Tax Division. Obtain      
                                                    credit bureau reports for 
                                                    debt collection purposes. 

Source: Department of Justice.

Notes: The table represents fiscal year 2005 contract values and may not
reflect actual expenditures. We did not verify the accuracy or
completeness of the dollar figures provided to us.

Contract values were rounded to the nearest thousand. Several Justice
components use departmentwide contracts with LexisNexis and West, which
provide, among other things, access to public records information. Several
components, including the litigating divisions (Civil, Criminal,
Antitrust, and Tax), the Office of Justice Programs, and the Executive
Office for U.S. Attorneys, reported that their use of these departmentwide
contracts was primarily for legal research, and therefore we did not
include these uses in the table.

aSeisint is now owned by LexisNexis.

bEquifax is an example of a consumer reporting agency. Consumer reporting
agencies, also known as credit bureaus, are entities that collect and sell
information about the creditworthiness, among other things, of individuals
and are required by the Fair Credit Reporting Act to disclose such
information only for permissible purposes.

DHS Uses Information Resellers Primarily for Law Enforcement and
Counterterrorism

In fiscal year 2005, DHS and its components reported that they used
information reseller data primarily for law enforcement purposes, such as
for developing leads on subjects in criminal investigations and detecting
fraud in immigration benefit applications (part of enforcing the
immigration laws). Counterterrorism uses involved screening programs at
the northern and southern borders as well as at the nation's airports. DHS
reported planning to spend about $9 million acquiring personal information
from resellers in fiscal year 2005. DHS acquired these services primarily
for law enforcement (63 percent) and counterterrorism (35 percent)
purposes through FEDLINK-a governmentwide contract vehicle provided by the
Library of Congress-and GSA's Federal Supply Schedule contracts as well as
direct purchases by its components. DHS's primary vehicle for acquiring
data from information resellers was the FEDLINK contract vehicle, which
DHS used to acquire reseller services from Choicepoint ($4.1 million), Dun
& Bradstreet ($640,000), LexisNexis ($2 million), and West ($1 million).

U.S. Immigration and Customs Enforcement (ICE) is DHS's largest user of
personal information from resellers, with acquisitions worth over $4.3
million. The largest investigative component of DHS, ICE has as its
mission to prevent acts of terrorism by targeting the people, money, and
materials that support terrorist and criminal activities. ICE uses
information resellers to collect personal information for criminal
investigative purposes and to perform background security checks. Data
commonly obtained include address and vehicle information; according to
officials, this information is either used to verify data already
collected or is itself verified by investigators through other means. For
example, ICE's Federal Protective Service has about 50 users who access an
information reseller database to assist in properly identifying and
locating potential criminal suspects. Investigators may verify an address
obtained from the database by confirming billing information with a
utility company or by conducting "drive-by" surveillance. The Federal
Protective Service views information obtained from resellers as "raw" or
"unverified" data, which may or may not be of use to investigators.

Other DHS components likewise reported using personal information from
resellers to support investigations and other law enforcement-related
activities. For example, U.S. Customs and Border Protection (CBP)-tasked
with managing, controlling, and protecting the nation's borders at and
between the official ports of entry-uses information resellers for law
enforcement, intelligence gathering, and prosecution support. Using these
databases, investigators conduct queries on people, businesses, property,
and corresponding links via a secure Internet connection. According to
officials, information obtained is corroborated with other previously
obtained data, open-source information, and investigative leads.

CBP also uses a specially developed information reseller product to assist
law enforcement officials in vehicle identification at northern and
southern land borders. CBP uses electronic readers to capture license
plate data on vehicles entering or exiting U.S. borders, converts the data
to an electronic format, and transmits the data to an information
reseller, which returns U.S. motor vehicle registration information to
CBP. The license plate data, merged with the associated motor vehicle
registration data provided by the reseller, are then checked against
government databases in order to help assess risk related to vehicles
(i.e., a vehicle whose license plate is associated with a law enforcement
record might be referred for secondary examination).

The Federal Emergency Management Agency (FEMA), charged with building and
supporting the nation's emergency management system, uses an information
reseller to detect fraud in disaster assistance applications. FEMA uses
this service to verify information that individuals present in their
applications for disaster assistance via the Internet. At the time of
application, an individual is required to pass an identity check that
determines whether the presented identity exists, followed by an identity
validation quiz to better ensure that the applicant corresponds to the
identity presented. The information reseller is used to verify the
applicant's name, address, and Social Security number.

DHS is also using information resellers in its counterterrorism efforts.
For example, the Transportation Security Administration (TSA), tasked with
protecting the nation's transportation systems, used data obtained from
information resellers as part of a test associated with the development of

its domestic passenger prescreening program, called "Secure Flight."35
TSA's plans for Secure Flight involve the submission of passenger
information by an aircraft operator to TSA whenever a reservation is made
for a flight in which the origin and destination are domestic airports. In
the prescreening of airline passengers, this information would be compared
with federal watch lists of individuals known or suspected of activities
related to terrorism. TSA conducted a test designed to help determine the
extent to which information resellers could be used to authenticate
passenger identity information provided by air carriers. It plans to use
the test results to determine whether commercial data can be used to
improve the effectiveness of watch-list matching by identifying passengers
who would not have been identified from passenger name records and
government data alone. The test results also may be used to identify items
of personally identifying information that should be required of
passengers to improve aviation security.

Table 4 provides detailed information about DHS uses of information
resellers in fiscal year 2005, as reported by officials of the
department's components.

Table 4: Reported Uses of Personal Information: DHS Contracts with
Information Resellers, Fiscal Year 2005

                                        

    Major component    Information     Aggregate    Uses involving personal   
                         reseller       contract          information         
                                           value  
U.S. Immigration  ChoicePoint, Dun $4,389,000  Acquire data (generally,    
and Customs       & Bradstreet,                address and vehicle         
Enforcement       LexisNexis, West             information) for criminal   
                                                  investigations and          
                                                  background security checks. 
                                                                              
                                                  According to officials,     
                                                  information is either used  
                                                  to verify data already      
                                                  collected or is itself      
                                                  verified by investigators   
                                                  through other means.        
                                                                              
                                                  Federal Protective Service. 
                                                  Identify and locate         
                                                  potential criminal suspects 
                                                  using address, vehicle, and 
                                                  other information.          
                                                                              
                                                  Office of Detention and     
                                                  Removal. Locate and remove  
                                                  illegal aliens from the     
                                                  United States using         
                                                  address, vehicle, and other 
                                                  information.                
U.S. Customs and  ChoicePoint,     $2,375,000  Conduct queries on people,  
Border Protection LexisNexis, Dun              businesses, property, and   
                     & Bradstreet,                corresponding links in      
                     and West                     support of law enforcement, 
                                                  intelligence gathering, and 
                                                  prosecution support.        
                                                                              
                                                  Border Patrol Del Rio       
                                                  Sector. Obtain information  
                                                  such as addresses,          
                                                  telephone numbers, and      
                                                  names of relatives in       
                                                  support of investigations   
                                                  involving registered owners 
                                                  of seized vehicles and      
                                                  property.                   
                                                                              
                                                  National Targeting Center.  
                                                  Look up information         
                                                  associated with license     
                                                  plate data to assist in     
                                                  vehicle identification at   
                                                  northern and southern land  
                                                  borders.                    
                                                                              
                                                  License plate readers       
                                                  capture data on vehicles    
                                                  and cross-check against     
                                                  information reseller and    
                                                  government databases. Data  
                                                  captured are used to help   
                                                  assess risk related to      
                                                  these vehicles (e.g., a car 
                                                  whose license plate is      
                                                  associated with a law       
                                                  enforcement record might be 
                                                  referred for secondary      
                                                  examination).               
U.S. Citizenship  ChoicePoint,       $960,000  Offices of Fraud Detection  
and Immigration   LexisNexis, West             and National Security and   
Services                                       Asylum. Detect fraud in     
                                                  applications for immigrant  
                                                  benefits and obtain court   
                                                  records (including          
                                                  judgments and conviction    
                                                  documents) to support a     
                                                  broad range of evidentiary  
                                                  requirements for official   
                                                  adjudication proceedings.   
Transportation    Acxiom, Insight    $897,000  Test the feasibility of     
Security          America, Qsenta              using commercial data       
Administration                                 sources to authenticate     
                                                  identity information        
                                                  contained in passenger      
                                                  records to support          
                                                  passenger prescreening.     
                                                                              
                                                  As part of the Secure       
                                                  Flight Program, TSA         
                                                  conducted a test to         
                                                  determine whether           
                                                  commercial data could be    
                                                  used to improve the         
                                                  effectiveness of watch list 
                                                  matching by identifying     
                                                  passengers who would not    
                                                  have been identified from   
                                                  passenger name records and  
                                                  government data alone. TSA  
                                                  plans to use the results of 
                                                  the test to identify what   
                                                  personally identifying      
                                                  information should be       
                                                  required in passenger name  
                                                  records to maximize         
                                                  aviation security.          
U.S. Secret       ChoicePoint,       $471,000  Provide investigative leads 
Service           Dallas Computer              to field agents and other   
                     Services, Dun &              Secret Service personnel in 
                     Bradstreet,                  conducting their            
                     LocatePLUS, and              investigations (e.g., to    
                     APPRISS                      develop background          
                                                  information on persons,     
                                                  locations, or businesses).  
                                                                              
                                                  Acquire jail data that are  
                                                  used as a cross-check       
                                                  against state and federal   
                                                  databases on warrants, sex  
                                                  offenders, child support,   
                                                  probations, and paroles.    
Federal Emergency ChoicePoint        $113,000  Acquire information such as 
Management Agency                              name, address, and Social   
                                                  Security number to help     
                                                  verify and validate the     
                                                  identities of individuals   
                                                  applying for disaster       
                                                  assistance via the          
                                                  Internet.                   
Office of         ChoicePoint,        $39,000  Generate leads in law       
Inspector General LexisNexis                   enforcement investigations. 
U.S. Coast Guard  ChoicePoint         $19,000  Obtain up-to-date credit    
                                                  reports as needed to assist 
                                                  in the resolution of        
                                                  financial issues that are   
                                                  of a security concern in    
                                                  adjudications.              
Federal Law       ChoicePoint          $7,900  Verify addresses, conduct   
Enforcement                                    background checks, criminal 
Training Center-                               and administrative          
Special                                        investigations.             
Investigations                                 
Division                                       

Source: DHS.

Notes: The table represents fiscal year 2005 contract values and may not
reflect actual expenditures. We did not verify the accuracy or
completeness of the dollar figures provided to us.

Contract values were rounded to the nearest thousand.

Several DHS components use the departmentwide contracts with LexisNexis
and West. Components such as the Science and Technology and Management
Directorates reported that their use of these departmentwide contracts did
not involve the use of personal information (e.g., reported uses were for
legal or scientific research); accordingly, we did not include these
values in the table.

To the extent possible, we excluded uses that did not involve personal
information; however, since DHS officials responsible for administering
departmentwide FEDLINK contracts were unable to provide a breakdown of
component billings by information reseller, the values reflected in the
table may include uses that do not involve personal information. For
example, U.S. Citizenship and Immigration Services' fiscal year 2005 use
of departmentwide FEDLINK contracts totaled approximately $960,000, but
contract officials could not provide specific amounts for this
organization's use of ChoicePoint, LexisNexis, and West. Although U.S.
Citizenship and Immigration Services described use of West as primarily
for legal research, we could not separate costs associated with use of
personal information.

aAcxiom, Insight America (now owned by Acxiom), and Qsent were
subcontractors on the EagleForce Associates contract to conduct a
commercial data test for the Secure Flight Program. Although EagleForce is
not an information reseller, we included the contract value because the
commercial data test involved the acquisition of personal information from
resellers.

SSA Uses Information Resellers Primarily for Fraud Prevention and Identity
Verification

In an effort to ensure the accuracy of Social Security benefit payments,
SSA and its components reported using approximately $1.3 million in
contracts in fiscal year 2005 with information resellers for a variety of
purposes relating to fraud prevention (66 percent), such as skiptracing,36
confirming suspected fraud related to workers compensation payments,
obtaining information on criminal suspects for follow-up investigations
(18 percent), and collecting debts (16 percent). SSA and its components
acquired these services through the use of the GSA and FEDLINK
governmentwide contracts and their own contracts. In fiscal year 2005, SSA
contracted with ChoicePoint, LexisNexis, SourceCorp, and Equifax.

The Office of the Inspector General (OIG), the largest user of information
reseller data at SSA, supports the agency's efforts to prevent fraud,
waste, and abuse. The OIG uses several information resellers to assist
investigative agents in detecting benefit abuse by Social Security
claimants and to assist agents in locating claimants. For example, OIG
agents access reseller data to verify the identity of subjects undergoing
criminal investigations.

Regional office agents may also use reseller data in investigating persons
suspected of claiming disability fraudulently and draw upon assistance
from OIG headquarters staff and state investigators from the state
Attorney General's office in these investigations. For example, the
Northeastern Program Service Center, located in the New York branch of
SSA, obtains New York State Workers Compensation Board data from
SourceCorp, the only company legally permitted to maintain the physical
and electronic records for New York State Workers Compensation. Through
the use of this information, SSA can identify persons collecting workers
compensation benefits but not reporting those benefits, as required, to
the SSA.

Table 5 details in aggregate the vendors, fiscal year 2005 contract
values, and uses of contracts with information resellers reported by major
SSA components.

Table 5: Reported Uses of Personal Information: SSA Contracts with
Information Resellers, Fiscal Year 2005

                                        

         User        Information  Contract       Uses involving personal      
                      reseller       value             information            
Agencywide        LexisNexis  $848,000a  Field Office Staff. Obtain        
                                            resource information (i.e., real  
                                            property ownership, values, real  
                                            property transfers, and           
                                            information concerning the        
                                            ownership of automobiles and      
                                            boats) to verify the validity of  
                                            Supplemental Security Income      
                                            applicants and recipients.        
                                                                              
                                            Office of Inspector General.      
                                            Access public records information 
                                            to assist with investigations of  
                                            fraud and abuse within the SSA    
                                            programs.                         
                                                                              
                                            Office of Hearings and Appeals.   
                                            Access public records information 
                                            to locate the addresses of        
                                            individuals.                      
Office of the     ChoicePoint  $240,000  Acquire information on subjects   
Inspector General                        of criminal investigations (e.g., 
                                            locations, assets, relatives) and 
                                            help corroborate fraud            
                                            allegations that are submitted to 
                                            the Office of the Inspector       
                                            General by SSA or the general     
                                            public.b                          
Agencywidec       Equifax      $204,000  Obtain address verification       
                                            reports for the most current      
                                            address of delinquent debtors for 
                                            undeliverable overpayment-related 
                                            notices and follow up billing and 
                                            teleprinter profile reports       
                                            (standard credit reports) that    
                                            show the credit history of the    
                                            debtor referred to Justice for    
                                            enforced collection via civil     
                                            suit.                             
Northeastern      SourceCorp    $14,000  Access New York State Worker      
Program Service                          Compensation Board payment data   
Center                                   to ensure that persons claiming   
                                            Social Security benefits are      
                                            correctly reporting workers       
                                            compensation benefits on their    
                                            forms.                            
Office of the     ChoicePoint    $4,000  Access information on disability  
Inspector General                        claimants and their physicians to 
New Jersey                               determine if the claimants may be 
Cooperative                              hiding assets and other sources   
Disability                               of income that may make them      
Investigation                            ineligible for disability         
Unitd                                    benefits.                         

Source: SSA.

Notes: The table represents fiscal year 2005 contract values and may not
reflect actual expenditures. We did not verify the accuracy or
completeness of the dollar figures provided to us.

Contract values were rounded to the nearest thousand.

aThis figure may include uses that do not involve personal information
since LexisNexis provides news and legal research in addition to public
records. SSA was unable to separate the dollar values associated with use
of personal information from uses for other purposes.

bIn addition to initiating its own investigations, the Office of the
Inspector General receives notices from the general public about suspected
fraud. According to one agency official, a large portion of these fraud
allegations are either incomplete or unfounded and must be supported by
substantial evidence. Before moving ahead with an investigation, officials
obtain data from an information reseller to verify the legitimacy of the
fraud allegations, fill in any missing information on the submitted forms
and develop leads that would further the development of the allegation and
any subsequent investigation if warranted.

cThe Equifax data are accessible by the Northeastern Program Service
Center, Mid-Atlantic Program Service Center, Southeastern Program Service
Center, Great Lakes Program Service Center, Western Program Service
Center, Mid-America Program Service Center, Office of Central Operations,
and Office of Financial Policy and Operations.

dThis is an SSA-funded joint investigation between SSA and the New Jersey
State Attorney General's Office.

The Department of State Uses Information Resellers Primarily for Passport
Fraud Detection and Investigation

The Department of State and its components reported approximately $569,000
in contracts in fiscal year 2005 with information resellers, primarily for
assistance in fraud related activities through criminal investigations (51
percent), fraud detection (26 percent), and other uses (23 percent) such
as background screening. State acquired information reseller services
through the GSA schedule and a Justice blanket-purchase agreement. In
fiscal year 2005, the majority of State contracts were with ChoicePoint;
the agency also had contracts with LexisNexis, Equifax and Metronet.

State's components reported use of these contracts mainly for
passport-related activities. For example, several components of State
accessed personal information to validate information submitted on
immigrant and nonimmigrant visa petitions, such as marital or familial
relationships, birth and identity information, and address validation. A
major use of reseller data at State is by investigators acquiring
information on suspects in passport and visa fraud cases. According to
State, information reseller data are increasingly important to its
operations, because the number of passport and visa fraud cases has
increased, and successful investigations of passport and visa fraud are
critical to combating terrorism.

In addition to these uses, State acquires personal information through
Equifax to support the financial background screening of its job
applicants.

Table 6 details the vendors, fiscal year 2005 contract values, and uses of
contracts with information resellers reported by major State components.

Table 6: Reported Uses of Personal Information: Department of State
Contracts with Information Resellers, Fiscal Year 2005

                                        

      Component     Information  Contract       Uses involving personal       
                      reseller      value             information             
Diplomatic       ChoicePoint  $288,000  Criminal Investigations Division.  
Security                                Obtain leads on addresses,         
                                           locations, identity, etc., used in 
                                           the conduct of criminal            
                                           investigations of passport and     
                                           visa fraud.                        
                                                                              
                                           Diplomatic Security Command Center 
                                           and Diplomatic Security agents at  
                                           26 overseas posts. Same use.       
Office of        Equifax      $132,000  Obtain credit checks on applicants 
Personnel                               and new hires to support           
Security and                            background screening processes.    
Suitability                             
Bureau of        ChoicePoint,  $89,000  Check the validity of selected     
Consular Affairs Metronet               passport applications,             
                                           particularly two categories of     
                                           high-risk applications.a           
National Visa    ChoicePoint   $40,000  Verify information submitted on    
Center                                  immigrant and nonimmigrant visa    
                                           petitions.                         
Office of        LexisNexis    $21,000  Investigate claims of marital and  
Consular Fraud                          familial relationships on          
Prevention                              immigrant visa applications and    
Programs                                determine the bona fides of        
                                           prospective employers for          
                                           employment-based nonimmigrant      
                                           visas.                             

Source: Department of State.

Note: The table represents fiscal year 2005 contract values and may not
reflect actual expenditures. We did not verify the accuracy or
completeness of the dollar figures provided to us.

aThe two categories of high-risk passport applications include those with
birth certificates from Puerto Rico and those from applicants lacking
acceptable primary identification documents, who include affidavits from
family or associates attesting to their identity.

Agencies Contract with Information Resellers Primarily through Use of
GSA's Federal Supply Schedules and the Library of Congress's FEDLINK
Service

In fiscal year 2005, the four agencies acquired personal information
primarily through governmentwide contracts, including GSA's Federal Supply
Schedule (52 percent) contracts and the Library of Congress's FEDLINK
contracts (28 percent). Components within these agencies also initiated
separate contracts with resellers as well. The Department of Justice was
the largest user, accounting for approximately $19 million of the $30
million total for all four agencies. Figure 3 shows the values of reseller
data acquisition by agency for fiscal year 2005.

Figure 3: Total Dollar Values, Categorized by Agency, of Fiscal Year 2005
Acquisition of Personal Information from Information Resellers

In fiscal year 2005, the most common vehicles used among all four agencies
to acquire personal information from information resellers were the
governmentwide contracts made available through GSA's Federal Supply
Schedule. The GSA schedule provides agencies with simplified, streamlined
contracting vehicles, allowing them to obtain access to information
resellers' services either by issuing task or purchase orders or by
establishing blanket purchase agreements based on the schedule contracts.
The majority of Justice's acquisition of information reseller services was
obtained through the GSA schedule, including a blanket purchase agreement
with ChoicePoint that was also made available to non-Justice agencies (for
example, the Departments of State and Health and Human Services). In
addition, components of DHS such as the U.S. Secret Service and the SSA's
Office of Inspector General made use of GSA schedule contracts with
information resellers.

The Federal Supply Schedule allows agencies to take advantage of
prenegotiated contracts with a variety of vendors, including information
resellers. GSA does not assess fees for the use of these contracts; rather
it funds the operation of the schedules in part by obtaining
administrative fees from vendors on a quarterly basis. According to GSA
officials, use of the schedule contracts allows agencies to obtain the
best price and reduce their procurement lead time. Since these contracts
have been prenegotiated, agencies do not need to issue their own
solicitation. Instead, agencies may simply place a task order directly
with the vendor, citing the schedule number. GSA's role in administering
these contracts is primarily to negotiate baseline contract requirements
and pricing; it does not monitor which agencies are using its schedule
contracts. GSA officials noted that the requirements contained in the
schedule contracts are baseline, and agencies may add more stringent
requirements to their individual task orders.

Another contract vehicle commonly used to obtain personal information from
information resellers was the Library of Congress's FEDLINK service (28
percent).  This vehicle was used by both DHS and SSA.37 FEDLINK, an
intragovernmental revolving fund,38 is a cooperative procurement,
accounting, and training program designed to provide access to online
databases, periodical subscriptions, books, and other library and
information support services from commercial suppliers, including
information resellers. At DHS, use of the FEDLINK service was the primary
vehicle for contracting with information resellers. DHS also used GSA
schedule buys, and some smaller purchases were made directly between DHS
components and information resellers. The majority of SSA's fiscal year
2005 acquisitions from information resellers were through FEDLINK, with
some use of the GSA schedule contracts.

FEDLINK allows agencies to take advantage of prenegotiated contracts at
volume discounts with a variety of vendors, including information
resellers. As with the GSA schedule contracts, the requirements of the
FEDLINK contracts serve as a baseline, and agencies may add more stringent
requirements if they so choose.

FEDLINK offers two different options for using its contracts: direct
express and transfer pay. The direct express option is similar to the GSA
schedule process, in which the agency issues a purchase order directly to
the vendor and cites the underlying FEDLINK contract. Under direct
express, the ordering agency is responsible for managing the delivery of
products and services and paying invoices, and the vendor pays an
administrative fee to the Library. Under the transfer pay option, ordering
agencies must sign an interagency agreement and pay an administrative fee
to the Library. In turn, the ordering agencies receive additional
administrative services. DHS used both the direct express and transfer pay
options in fiscal year 2005, while SSA used transfer pay exclusively.

Resellers Take Steps to Protect Privacy, but These Measures Are Not Fully
Consistent with the Fair Information Practices

Although the information resellers that do business with the federal
agencies we reviewed39 have practices in place to protect privacy, these
measures were not fully consistent with the Fair Information Practices.
Most significantly, the first four principles, relating to collection
limitation, data quality, purpose specification, and use limitation, are
largely at odds with the nature of the information reseller business.
These principles center on limiting the collection and use of personal
information and require data accuracy based on that limited purpose and
limited use of the information. However, the information reseller industry
presupposes that the collection and use of personal information is not
limited to specific purposes, but instead that information can be
collected and made available to multiple customers for multiple purposes.
Resellers make it their business to collect large amounts of personal
information40 and to combine that information in new ways so that it
serves purposes other than those for which it was originally collected.
Further, they are limited in their ability to ensure the accuracy,
currency, or relevance of their holdings, because these qualities may vary
based on customers' varying uses.

Information reseller policies and procedures were consistent with aspects
of the remaining four Fair Information Practices. Large resellers reported
implementing a variety of security safeguards, such as stringent customer
credentialing, to improve protection of personal information. Resellers
also generally provided public notice of key aspects of their privacy
policies and practices, (relevant to the openness principle) and reported
taking actions to ensure internal compliance with their own privacy
policies (relevant to the accountability principle). However, resellers
generally limited the extent to which individuals could gain access to
personal information held about themselves, and because they obtain their
information from other sources, most resellers also had limited provisions
for correcting or deleting inaccurate information contained in their
databases (relevant to the individual participation principle).41 Instead,
they directed individuals wishing to make corrections to contact the
original sources of the data. Table 7 provides an overview of information
resellers' application of the Fair Information Practices.

Table 7: Information Resellers' Application of Principles of the Fair
Information Practices

                                        

               Principle                      Resellers' application          
Collection limitation. The         Resellers do not limit collections to   
collection of personal             specific purposes but collect large     
information should be limited,     amounts of personal information, within 
should be obtained by lawful and   the bounds of the law. Further, in many 
fair means, and, where             cases, individuals do not know that     
appropriate, with the knowledge    their personal information is being     
or consent of the individual.      collected by the reseller, even though  
                                      they may have known of the original     
                                      (source) collection.                    
Data quality. Personal             Although they often have measures in    
information should be relevant to  place for ensuring data accuracy in the 
the purpose for which it is        aggregate, resellers do not ensure that 
collected, and should be           the information they provide is         
accurate, complete, and current    accurate, complete, and current for a   
as needed for that purpose.        specific purpose. Instead, they monitor 
                                      and rely on the quality controls of the 
                                      original data source.                   
Purpose specification. The         Resellers disclose general categories   
purpose for the collection of      of purposes for their data collection   
personal information should be     rather than specific purposes. They     
disclosed before collection and    obtain information originally collected 
upon any change to that purpose,   for specific purposes and generally     
and its use should be limited to   offer it for a much wider range of      
that purpose and compatible        purposes.                               
purposes.                          
Use limitation. Personal           Resellers generally limit the use of    
information should not be          information as required by law rather   
disclosed or otherwise used for    than on the basis of the purposes       
other than a specified purpose     originally specified when the           
without consent of the individual  information was collected. Resellers    
or legal authority.                generally pass responsibility for legal 
                                      use restrictions to customers through   
                                      licensing and contract terms and        
                                      agreements. Customers must              
                                      contractually agree to appropriate uses 
                                      of the data and must agree to comply    
                                      with applicable laws.                   
Security safeguards. Personal      Resellers reported implementing a       
information should be protected    variety of security safeguards, such as 
with reasonable security           stringent customer credentialing, to    
safeguards against risks such as   improve protection of personal          
loss or unauthorized access,       information.                            
destruction, use, modification,    
or disclosure.                     
Openness. The public should be     Resellers generally inform the public   
informed about privacy policies    of key aspects of privacy policies      
and practices, and individuals     through Web sites, brochures, and so    
should have ready means of         on.                                     
learning about the use of          
personal information.              
Individual participation.          Although information resellers allow    
Individuals should have the        individuals access to their personal    
following rights: to know about    information, this access is generally   
the collection of personal         limited, as is the opportunity to make  
information, to access that        corrections. Generally, resellers only  
information, to request            correct errors they may have introduced 
correction, and to challenge the   in the process of obtaining and         
denial of those rights.            aggregating data.                       
Accountability. Individuals        Resellers reported taking actions, such 
controlling the collection or use  as designating a chief privacy officer  
of personal information should be  or equivalent, to ensure compliance     
accountable for taking steps to    with their privacy policies. Annual     
ensure the implementation of       privacy audits were conducted in one    
these principles.                  case.                                   

Source: GAO analysis of reseller information.

Note: We did not evaluate the effectiveness of information reseller
practices, only the extent to which resellers applied the Fair Information
Practices.

Information Resellers Generally Did Not Report Limiting Their Data
Collection to Specific Purposes or Notifying Individuals about Them

According to the collection limitation principle of the Fair Information
Practices, the collection of personal information should be limited,
information should be obtained by lawful and fair means, and, where
appropriate, it should be collected with the knowledge and consent of the
individual. The collection limitation principle also suggests that
organizations could limit collection to the minimum amount of data
necessary to process a transaction.

In practice, resellers are limited in the personal information that they
can obtain by laws that apply to specific kinds of information (for
example, the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act,
which restrict the collection, use, and disclosure of certain consumer and
financial data). One reseller reported that it also restricts collection
of Social Security number information from public records, as well as
collection of identifying information on children from public sources,
such as telephone directories.

Beyond specific legal restrictions, information resellers generally
attempt to aggregate large amounts of personal information so as to
provide useful information to a broad range of customers. For example,
resellers collect personal information from a wide variety of sources,
including state motor vehicle records; local government records on births,
real property, and voter registrations; and various court records.
Information resellers may also obtain information from telephone
directories, Internet sites, and consumer applications for products or
services. The widely varying sources and types of information demonstrate
the broad nature of the collection of personal information. The amount and
scope of information collected vary from company to company, and resellers
use this information to offer a range of products tailored to different
markets and uses.42

Regarding the principle that information should be obtained by lawful and
fair means, resellers stated that they take steps to ensure that their
collection of information is legal. For example, resellers told us that
they obtain assurances from their data suppliers that information is
legally collected from reputable sources. Further, they design their
products and services to ensure they are in conformance with laws such as
the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act.

Regarding the principle that, where appropriate, information should be
collected with the knowledge and consent of the individual, resellers do
not make provisions to notify the individuals involved when they obtain
personal data from their many sources, including public records.
Concomitantly, individuals are not afforded an opportunity to express or
withhold their consent when the information is collected. Resellers said
they believe it may not be appropriate or practical for them to provide
notice or obtain consent from individuals because they do not collect
information directly from them. One reseller noted that in many instances
the company does not have a direct relationship with the data subject and
is therefore not in a position to interact with the consumer for purposes
such as providing notice. Further, this reseller stated its belief that
requiring resellers to notify and obtain consent from each individual
about whom they obtain information would result in consumers being
overwhelmed with notices and negate the value of notice.

Under certain conditions, some information resellers offer consumers an
"opt-out" option-that is, individuals may request that information about
themselves be suppressed from selected databases. However, resellers
generally offer this option only with respect to certain types of
information and only under limited circumstances. For example, one
reseller allows consumers to opt out of its marketing products but not
other products, such as background screening and fraud detection products.
The privacy policy for another information reseller states that it will
allow certain individuals to opt out of its nonpublic information
databases containing sensitive information under specific conditions: if
the individual is a state, local, or federal law enforcement officer or
public official whose position exposes him or her to a threat of imminent
harm; if the individual is a victim of identity theft; or if the
individual is at risk of physical harm. In order to exercise this option,
consumers generally must provide satisfactory documentation to support the
basis for their request. In any event, the reseller retains the right to
determine (1) whether to grant or deny any request, (2) to which databases
the request for removal will apply, and (3) the duration of the removal.
Two resellers stated their belief that under certain circumstances it may
not be appropriate to provide consumers with opportunities for opting out,
such as for information products designed to detect fraud or locate
criminals. These resellers stated that if individuals were permitted to
opt out of fraud prevention databases, some of those opting out could be
criminals, which would undermine the effectiveness and utility of these
databases.

Information Resellers Do Not Ensure That Personal Information They Provide
Is Accurate for Specific Purposes

According to the data quality principle, personal information should be
relevant to the purpose for which it is collected, and should be accurate,
complete, and current as needed for that purpose. Information resellers
reported taking steps to ensure that they generally receive accurate data
from their sources and that they do not introduce errors in the process of
transcribing and aggregating information; however, they generally provide
their customers with exactly the same data they obtain and do not claim or
guarantee that the information is accurate for a specific purpose. Some
resellers' privacy policies state that they expect their data to contain
some errors. Further, resellers varied in their policies regarding
correction of data determined to be inaccurate as obtained by them. One
reseller stated that it would delete information in its databases that was
found to be inaccurate. Another stated that even if an individual presents
persuasive evidence that certain information is in error, the reseller
generally does not make changes if the information comes directly from an
official public source (unless instructed to do so by that source).
Because they are not the original source of the personal information,
information resellers generally direct individuals to the original sources
to correct any errors. Several resellers stated that they would correct
any identified errors introduced through their own processing and
aggregation of data.

While not providing specific assurance of the accuracy of the data they
provide, information resellers reported that they take steps to ensure
that their suppliers have data quality controls in place. For example,
officials from one information reseller said they use a screening process
to help determine whether they should use a particular supplier.43 As part
of this process, the reseller assesses whether the supplier has internal
controls in place that are in line with the reseller's policies.
Information resellers also reported that they conduct annual audits of
their suppliers aimed at assessing the integrity and quality of the
information they receive. If these audits show that a supplier has failed
to provide accurate, complete, and timely information, the reseller may
discontinue using that supplier.

Resellers also noted that data accuracy is contingent upon intended use.
That is, data that may be perfectly adequate for one purpose may not be
precise enough or appropriate for another purpose. While end users, such
as federal agencies, may address data quality for their specific purposes,
resellers-who maintain personal information for multiple purposes-are less
able to achieve accuracy because they support multiple uses. Thus,
resellers generally disclaim data accuracy and leave it to their customers
to ensure that the data are accurate for their intended uses. One reseller
stated that their customers understand the accuracy limitations of the
data they obtain and take the potential for data inaccuracy into account
when using the data.

Information Resellers' Specification of the Purpose of Data Collection
Consists of Broad Descriptions of Business Categories

According to the purpose specification principle, the purpose for the
collection of personal information should be disclosed before collection
and upon any change to that purpose, and its use should be limited to that
purpose and compatible purposes. While information resellers specify
purpose in a general way by describing the types of businesses that use
their data, they generally do not designate specific intended uses for
each of their data collections. Resellers generally obtain information
that has already been collected for a specific purpose and make that
information available to their customers, who in turn have a broader
variety of purposes for using it. For example, personal information
originally submitted by a customer to register a product warranty could be
obtained by a reseller and subsequently made available to another business
or government agency, which might use it for an unrelated purpose, such as
identity verification, background checking, or marketing.

In a general sense, information resellers specify their purpose by
indicating (on company Web sites, for example) the business categories of
the customers for whom they collect information. For example, reseller
privacy policies generally state that resellers make personal information
available for legitimate uses by business and government organizations.
Examples of business categories may be provided, but resellers do not
specify which types of information are to be used in which business
categories. It is difficult for resellers to provide greater specificity
because they make their data available to many customers for a wide range
of legitimate purposes. As a result, the public is made aware only of the
broad range of potential uses to which their personal information may be
applied, rather than a specific use, as envisioned in the Fair Information
Practices.

Information Resellers Generally Limit the Use of Information as Required
by Law, Rather Than on the Basis of Purposes Originally Specified When the
Information Was Collected

Under the use limitation principle, personal information should not be
disclosed or used for other than the originally specified purpose without
consent of the individual or legal authority. However, because information
reseller purposes are specified very broadly, it is difficult for
resellers to ensure that use of the information in their databases is
limited. As previously discussed, information reseller data may have many
different uses, depending on the types of customers involved. Resellers do
take steps to ensure that their customers' use of personal information is
limited to legally sanctioned purposes. Information resellers pass this
responsibility to their customers through licensing agreements and
contract terms and agreements.

According to two large information resellers, customers are generally
contractually required to use data from resellers appropriately and must
agree to comply with applicable laws, such as the Gramm-Leach-Bliley Act,
the Fair Credit Reporting Act, and the Driver's Privacy Protection Act.
For example, one information reseller uses a service agreement that
includes provisions governing permissible use of information sought by the
customer, the confidentiality of information provided, legal requirements
under federal and state laws, and other customer obligations. The reseller
reported that the company monitors its customers' compliance by conducting
periodic audits and taking appropriate actions in response to any audit
findings.

In a standardized agreement form used by another reseller, federal
agencies must certify that they will use information obtained from the
reseller only as permissible under the Gramm-Leach-Bliley Act and the
Driver's Privacy Protection Act. The service agreement identifies
permissible purposes for information whose use is restricted by these laws
and requires agencies to agree that they will use the information only in
the performance or the furtherance of appropriate government activities.
In conformance with the Gramm-Leach-Bliley Act permissible uses, the
information reseller requires agencies to certify that they will use
personal information "only as requested or authorized by the consumer."

The information resellers used by the federal agencies we reviewed
generally also reported taking steps to ensure that access to certain
sensitive types of personally identifiable information is limited to
certain customers and uses. For example, two resellers reported that they
provide full Social Security numbers and driver's license numbers only to
specific types of customers, including law enforcement agencies and
insurance companies, and for purposes such as employment or tenant
screening. While actions such as these are useful in protecting privacy
and are consistent with the use limitation principle in that they narrow
the range of potential uses for this type of information, they are not
equivalent to  limiting use only to a specific predefined purpose. Without
limiting use to predefined purposes, resellers cannot provide individuals
with assurance that their information will only be accessed and used for
the purpose originally specified when the information was collected.

Information Resellers Reported Taking Steps to Improve Security Safeguards

According to the security safeguards principle, personal information
should be protected with reasonable safeguards against risks such as loss
or unauthorized access, destruction, use, modification, or disclosure.
While we did not evaluate the effectiveness of resellers' information
security programs, resellers we spoke with said they employ various
safeguards to protect consumers' personal information. They implemented
these safeguards in part for business reasons but also because federal
laws require such protections. Resellers describe these safeguards in
various policy statements, such as online and data privacy policies or
privacy statements posted on Internet sites. Resellers also generally had
information security plans describing, among other things, access controls
for information and systems, document management practices, incident
reporting, and premises security.

Given recent incidents, large information resellers reported having
recently taken steps to improve their safeguards against unauthorized
access. In a well-publicized incident, in February 2005, ChoicePoint
disclosed that unauthorized individuals had gained access to personal
information by posing as a firm of private investigators. In the following
month, LexisNexis disclosed that unauthorized individuals had gained
access to personal information through the misappropriation of user IDs
and passwords from legitimate customers. These disclosures were required
by state law, as previously discussed. In January 2006, ChoicePoint
reached a settlement with the Federal Trade Commission44 over charges that
the company did not have reasonable procedures to verify the identity of
prospective new users. The company agreed to implement new procedures to
ensure that it provides consumer reports only to legitimate business for
lawful purposes. In the mean time, both information resellers reported
that they had taken steps to improve their procedures for authorizing
customers to have access to sensitive information, such as Social Security
numbers. For example, one reseller established a credentialing task force
with the goal of centralizing its customer credentialing process. In order
for customers of this reseller to obtain products and services containing
sensitive personal information, they must now undergo a credentialing
process involving a site visit by the information reseller to verify the
accuracy of information reported about the business. Applicants are then
scored against a credentialing checklist to determine whether they will be
granted access to sensitive information. In addition, both resellers
reported efforts to strengthen user ID and password protections and
restrict access to sensitive personal information (including full driver's
license numbers and Social Security numbers) to a limited number of
customers, such as law enforcement agencies (others would be able to view
masked information). Although we did not test the effectiveness of these
measures, if implemented correctly, they could help provide assurance that
sensitive information is protected appropriately.

In addition to enhancing safeguards on customer access authorizations,
resellers have instituted a variety of other security controls. For
example, three large information resellers have implemented physical
safeguards at their data centers, such as continuous monitoring of
employees entering and exiting facilities, monitoring of activity on
customer accounts, and strong authentication of users entering and exiting
secure areas within the data centers. Officials at one reseller told us
that security profiles were established for each employee that restrict
access to various sections of the center based upon employee job
functions. Computer rooms were further protected with a combined system of
biometric hand readers and security codes. Security cameras were placed
throughout the facility for continuous recording of activity and review by
security staff. Information resellers also had contingency plans in place
to continue or resume operations in the event of an emergency.

Information resellers reported that on an annual basis, or more frequently
if needed, they conduct security risk assessments as well as internal and
external security audits. These assessments address such topics as
vulnerabilities to internal or external security threats, reporting and
responding to security incidents, controls for network and physical
facilities, and business continuity management. The assessments also
addressed strategies for mitigating potential or identified risks.

If properly implemented, security measures such as those reported by
information resellers could contribute to effective implementation of the
security safeguards principle.

Information Resellers Generally Informed the Public about Their Privacy
Policies and Practices

According to the openness principle, the public should be informed about
an organization's privacy policies and practices, and individuals should
have ready means of learning about the organization's use of personal
information.

To address openness, information resellers took steps to inform the public
about key aspects of their privacy policies. They used means such as
company Web sites and brochures to inform the public of specific policies
and practices regarding the collection and use of personal information.
Reseller Web sites also generally provided information about the types of
information products the resellers offered-including product samples-as
well as general descriptions about the types of customers served. Several
Web sites also provided advice to consumers on protecting personal
information and discussed what to do if individuals suspect they are
victims of identity theft.

Providing public notice of privacy policies informs individuals of what
steps an organization takes to protect the privacy of the personal
information it collects and helps to ensure the organization's
accountability for its stated policies.

Information Reseller Policies Generally Allow Individuals Limited Ability
to Access and Correct Their Personal Information

According to the individual participation principle, individuals should
have the right to know about the collection of personal information, to
access that information, to request correction, and to challenge the
denial of those rights. Information resellers generally allow individuals
access to their personal information. However, this access is limited, as
is the opportunity to make corrections. Resellers may provide an
individual a report containing certain types of information-such as
compilations of public records information-however, the report may not
include all information maintained by the resellers about that individual.
For example, one information reseller stated that it offers a free report,
under certain circumstances, on an individual's claims history, employment
history, or tenant history. Resellers may offer basic reports to
individuals at no cost, but they generally charge for reports on
additional information. A free consumer report, such as an employment
history report, for example, typically excludes information such as
driver's license data, family information, and credit header data that a
reseller may possess in other databases.

Although individuals can access information about themselves, if they find
inaccuracies, they generally cannot have these corrected by the
resellers.45 Information resellers direct individuals to take their cases
to the original data sources-such as courthouses or other local government
agencies-and attempt to have the inaccuracy corrected there. Several
resellers stated that they would correct any identified errors introduced
through their own processing and aggregation of data. As discussed above,
resellers, as a matter of policy, do not make corrections to data obtained
from other sources, even if the consumer provides evidence that the data
are wrong.

According to resellers, making corrections to their own databases is
extremely difficult, for several reasons. First, the services these
resellers provide concentrate on providing references to a particular
individual from many sources, rather than distilling only the most
accurate or current reference. For example, a reseller might have many
instances in its databases of a particular individual's current address.
Although most might be the same, there could be errors as well. Resellers
generally would report the information as they have it rather than
attempting to determine which entry is correct. This information is
important to customers such as law enforcement agencies. Further,
resellers stated that making corrections to their databases could be
ineffective because the data are continually refreshed with updated data
from the source, and thus any correction is likely to be changed back to
its original state the next time the data are updated. In addition, as
discussed in the collection limitation section, resellers stated their
belief that it would not be appropriate to allow the public to access and
correct information held for certain purposes, such as fraud detection and
locating criminals, since providing such rights could undermine the
effectiveness of these uses (e.g., by allowing criminals to access and
change their information). However, as a result of these practices,
individuals cannot know the full extent of personal information maintained
by resellers or ensure its accuracy.

Information Resellers Report Measures to Ensure Accountability for the
Collection and Use of Personal Information

According to the accountability principle, individuals controlling the
collection or use of personal information should be accountable for taking
steps to ensure the implementation of the Fair Information Practices.
Although information resellers' overall application of the Fair
Information Practices varied, each reseller we spoke with reported actions
to ensure compliance with its own privacy policies. For example, resellers
reported designating chief privacy officers to monitor compliance with
internal privacy policies and applicable laws (e.g., the
Gramm-Leach-Bliley Act and the Driver's Privacy Protection Act).
Information resellers reported that these officials had a range of
responsibilities aimed at ensuring accountability for privacy policies,
such as establishing consumer access and customer credentialing
procedures, monitoring compliance with federal and state laws, and
evaluating new sources of data (e.g., cell phone records).

Auditing of an organization's practices is one way of ensuring
accountability for adhering to privacy policies and procedures. Although
there are no industrywide standards requiring resellers to conduct
periodic audits of their compliance with privacy policies, one information
reseller reported using a third party to conduct privacy audits on an
annual basis. Using a third party to audit compliance with privacy
policies further helps to ensure that an information reseller is
accountable for the implementation of its privacy practices.

Establishing accountability is critical to the protection of privacy.
Actions taken by data resellers should help ensure that their privacy
policies are appropriately implemented.

Agencies Lack Policies on Use of Reseller Data, and Practices Do Not
Consistently Reflect the Fair Information Practices

Agency practices for handling personal information acquired from
information resellers did not always fully reflect the Fair Information
Practices. Further, agencies generally lacked policies that specifically
address their use of personal information from commercial sources,
although DHS Privacy Office officials reported that they were drafting
such a policy. As shown in table 8, four of the Fair Information
Practices-the collection limitation, data quality, use limitation, and
security safeguards principles-were generally reflected in agency
practices. For example, several agency components (specifically, law
enforcement agencies such as the FBI and the U.S. Secret Service) reported
that in practice, they generally corroborate information obtained from
resellers when it is used as part of an investigation. This practice is
consistent with the data quality principle that data should be accurate,
current, and complete. Agency policies and practices with regard to the
other four principles, however, were uneven. Specifically, agencies did
not always have policies or practices in place to address the purpose
specification, openness, and individual participation principles with
respect to reseller data. The inconsistencies in application of these
principles as well as the lack of specific agency policies can be
attributed in part to ambiguities in OMB guidance regarding the
applicability of the Privacy Act to information obtained from resellers.
Further, privacy impact assessments, which often are not conducted, are a
valuable tool that could address important aspects of the Fair Information
Practices. Finally, components within each of the four agencies did not
consistently hold staff accountable by monitoring usage of personal
information from information resellers and ensuring that it was
appropriate; thus, their application of the accountability principle was
uneven.

Table 8: Application of Fair Information Practices to the Reported
Handling of Personal Information from Data Resellers at Four Agencies

                                        

           Principle             Agency             Agency practices          
                             application of 
                               principle    
Collection limitation.    General        Agencies limited personal data    
The collection of                        collection to individuals under   
personal information                     investigation or their            
should be limited, should                associates.                       
be obtained by lawful and                
fair means, and, where                   
appropriate, with the                    
knowledge or consent of                  
the individual.                          
Data quality. Personal    General        Agencies corroborated information 
information should be                    from resellers and did not take   
relevant to the purpose                  actions based exclusively on such 
for which it is                          information.                      
collected, and should be                 
accurate, complete, and                  
current as needed for                    
that purpose.                            
Purpose specification.    Uneven         Agency system of records notices  
The purpose for the                      did not generally reveal that     
collection of personal                   agency systems could incorporate  
information should be                    information from data resellers.  
disclosed before                         Agencies also generally did not   
collection and upon any                  conduct privacy impact            
change to that purpose,                  assessments for their systems or  
and its use should be                    programs that involve use of      
limited to that purpose                  reseller data.                    
and compatible purposes.                 
Use limitation. Personal  General        Agencies generally limited their  
information should not be                use of personal information to    
disclosed or otherwise                   specific investigations           
used for other than a                    (including law enforcement,       
specified purpose without                counterterrorism, fraud           
consent of the individual                detection, and debt collection).  
or legal authority.                      
Security safeguards.      General        Agencies had security safeguards  
Personal information                     such as requiring passwords to    
should be protected with                 access databases, basing access   
reasonable security                      rights on need to know, and       
safeguards against risks                 logging search activities         
such as loss or                          (including "cloaked logging,"     
unauthorized access,                     which prevents the vendor from    
destruction, use,                        monitoring search content).       
modification, or                         
disclosure.                              
Openness. The public      Uneven         See Purpose specification above.  
should be informed about                 Agencies did not have established 
privacy policies and                     policies specifically addressing  
practices, and                           the use of personal information   
individuals should have                  obtained from resellers.          
ready means of learning                  
about the use of personal                
information.                             
Individual participation. Uneven         See Purpose specification above.  
Individuals should have                  Because agencies generally did    
the following rights: to                 not disclose their collections of 
know about the collection                personal information from         
of personal information,                 resellers, individuals were often 
to access that                           unable to exercise these rights.  
information, to request                  
correction, and to                       
challenge the denial of                  
those rights.                            
Accountability.           Uneven         Agencies do not generally monitor 
Individuals controlling                  usage of personal information     
the collection or use of                 from information resellers to     
personal information                     hold users accountable for        
should be accountable for                appropriate use; instead, they    
taking steps to ensure                   rely on users to be responsible   
the implementation of                    for their behavior. For example,  
these principles.                        agencies may instruct users in    
                                            their responsibilities to use     
                                            personal information              
                                            appropriately, have them sign     
                                            statements of responsibility, and 
                                            have them indicate what           
                                            permissible purpose a given       
                                            search fulfills.                  

Legend:

General = policies or procedures to address all major aspects of a
particular principle.

Uneven = policies or procedures addressed some but not all aspects of a
particular principle or some but not all agencies and components had
policies or practices in place addressing the principle.

Source: GAO analysis of agency-supplied data.

Note: We did not independently assess the effectiveness of agency
information security programs.  Our assessment of overall agency
application of the Fair Information Practices was based on the policies
and management practices described by the Department State and SSA as a
whole and by major components of Justice and DHS (footnote 2 in app. I
lists these components). We did not obtain information on smaller
components of Justice and DHS.

Agency Procedures Reflect the Collection Limitation, Data Quality, Use
Limitation, and Security Safeguards Principles

The collection limitation principle establishes, among other things, that
organizations should obtain only the minimum amount of personal data
necessary to process a transaction. This principle also underlies the
Privacy Act requirement that agencies maintain in their records "only such
information about an individual as is relevant and necessary to accomplish
a purpose of the agency."46 Regarding most law-enforcement and
counterterrorism purposes, which accounted for 90 percent of usage in
fiscal year 2005, agencies generally limited their personal data
collection in that they reported obtaining information only on specific
individuals under investigation or associates of those individuals.47
Having initiated investigations on specific individuals, however, agencies
generally reported that they obtained as much personal information as
possible about the individuals being investigated, because law enforcement
investigations require pursuing as many investigative leads as possible.

The data quality principle states that, among other things, personal
information should be relevant to the purpose for which it is collected
and be accurate. This principle is mirrored in the Privacy Act's
requirement for agencies to maintain all records used to make
determinations about an individual with sufficient accuracy, relevance,
timeliness, and completeness as is reasonably necessary to ensure
fairness.48

Agencies reported taking steps to mitigate the risk of inaccurate
information reseller data by corroborating information obtained from
resellers. Agency officials described the practice of corroborating
information as a standard element of conducting investigations. Officials
from several law enforcement component agencies, including ATF and DEA,
said corroboration was necessary to build legally sound cases from
investigations. For example, U.S. Secret Service officials reported that
they instruct agents that the information obtained from resellers should
be independently corroborated, and that none of it should be used as
probable cause for obtaining warrants.

Further, FBI officials from FTTTF noted that obtaining data from
information resellers helps to improve the overall quality and accuracy of
the data in investigative files. Officials stated that the variety of
private companies providing personal information enhances the value,
quality, and diversity of the information used by the FBI, noting that a
decision to put an individual under arrest is based on "probable cause,"
which is determined by a preponderance of evidence, rather than any single
source of information, such as information in a reseller's data base.

Likewise, for non law-enforcement use, such as debt collection and fraud
detection and prevention, agency components reported procedures for
mitigating potential problems with the accuracy of data provided by
resellers by obtaining additional information from other sources when
necessary. For example, the Executive Office for U.S. Attorneys uses
information resellers to obtain information on assets possessed by an
individual indebted to the United States. According to officials, should
information contained in the information reseller databases conflict with
informataion provided by an individual, further investigation takes place
before any action to collect debts would be taken. Likewise, officials
from the U.S. Citizenship and Immigration Services (USCIS) component of
DHS and the Office of Consular Affairs within the Department of State
reported similar practices. While these practices do not eliminate
inaccuracies in data coming into the agency, they help ensure the quality
of the information that is the basis for agency actions.

The use limitation principle provides that personal information should not
be disclosed or used for other than a specified purpose without consent of
the individual or legal authority. This principle underlies the Privacy
Act requirement that prevents agencies from disclosing records on
individuals except with consent of the individual, unless disclosure of
the record would be, for example, to another agency for civil or criminal
law enforcement activity or for a purpose that is compatible with the
purpose for which the information was collected.49

Although agencies rely on resellers' multipurpose collection of
information as a source, agency officials said their use of reseller
information was limited to distinct purposes, which were generally related
to law enforcement or counterterrorism. For example, the Department of
Justice reported uses specific to the conduct of criminal investigations
on individuals, terrorism investigations, and the location of assets and
witnesses. Other Justice and DHS components, such as the Federal
Protective Service, U.S. Secret Service, FBI, and ATF, also reported that
they used information reseller data for investigations. For uses not
related to law enforcement, such as those reported by State and SSA, use
of reseller information was also described as supporting a specific
purpose (e.g., fraud detection or debt collection).

The use limitation principle also precludes agencies from sharing personal
information they collect for purposes unrelated to the original intended
use of the information. Officials of certain law enforcement components of
these agencies reported that in certain cases they share information with
other law enforcement agencies, a use consistent with the purposes
originally specified by the agency. For example, the FBI's FTTTF supports
ongoing investigations in other law enforcement agencies and the
intelligence community by sharing information obtained from resellers
(among other information) in response to requests about foreign terrorists
from FBI agents or officials from partner agencies.50

The security safeguards principle requires that personal information be
reasonably protected against unauthorized access, use, or disclosure. This
principle also underlies the Privacy Act requirement that agencies
establish appropriate administrative, technical, and physical safeguards
to ensure the security and confidentiality of records on individuals.51
This principle is further mirrored in the FISMA requirement to protect
information and information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction, including through
controls for confidentiality.

While we did not assess the effectiveness of information security or the
implementation of FISMA at any of these agencies, we found that all four
had measures in place intended to safeguard the security of personal
information obtained from resellers.52 For example, all four agencies
cited the use of passwords to prevent unauthorized access to information
reseller databases. Further, agency components such as ATF, DEA, CBP, and
USCIS, reported that they limit access to sensitive personal information
(e.g., full Social Security number, driver's license number) to those with
a specific need for this information. Several agency components also
reported that resellers were promptly notified to deactivate accounts for
employees separated from government service to protect against
unauthorized use. As another security measure, several components,
including DEA and the FBI, reported that resellers notified them when
accounts were accessed from Internet addresses at unexpected locations,
such as outside the United States.

Another measure to prevent unauthorized disclosure reported by law
enforcement agencies, such as the FBI, ICE, and Secret Service, is the use
of "cloaked logging," which prevents vendor personnel from monitoring the
queries being made by law enforcement agents. Officials in FBI's FTTTF
reported that, in order to maintain the integrity of investigations,
resellers are contractually prohibited from tracking or monitoring the
exact persons or other entities being searched by FTTTF personnel. Law
enforcement officials stated that the ability to mask searches from
vendors is important so that those outside law enforcement have no
knowledge of who is being investigated and so that subjects of an
investigation are not "tipped off."

Agency adherence to the collection limitation, data quality, use
limitation, and security safeguards principles was based on general
business procedures-including law-enforcement investigative practices-that
reflect security and civil liberties protections, rather than written
policies specifically regarding the collection, accuracy, use, and
security of personal information obtained from resellers. Implementation
of these practices provides individuals with assurances that only a
limited amount of their personal information is being collected, that it
is used only for specific purposes, and that measures are in place to
corroborate the accuracy of the information and safeguard it from improper
disclosure. These controls help prevent potential harm to individuals and
invasion of their privacy by limiting the exposure of their information
and reducing the likelihood of inaccurate data being used to make
decisions that could affect their welfare.

Limitations in the Applicability of the Privacy Act and Ambiguities in OMB
Guidance Contribute to an Uneven Adherence to the Purpose Specification,
Openness, and Individual Participation Principles

The purpose specification, openness, and individual participation
principles stipulate, among other things, that individuals should be made
aware of the purpose and intended uses of the personal information being
collected about them and have the ability to access and correct such
information, if necessary. The Privacy Act reflects these principles in
part by requiring agencies to publish in the Federal Register, "upon
establishment or revision, a notice of the existence and character of a
system of records." This notice is to include, among other things, the
categories of records in the system as well as the categories of sources
of records.53

In a number of cases, agencies did not adhere to the purpose specification
or openness principles in regard to their use of reseller information in
that they did not notify the public that they were using such information
and did not specify the purpose for their data collections. Agency
officials said that they generally did not prepare system-of-records
notices that would address these principles because they were not required
to do so by the Privacy Act. The act's vehicle for public notification-the
system-of-records notice-becomes binding on an agency only when the agency
collects, maintains, and retrieves personal data in the way defined by the
act or when a contractor does the same thing explicitly on behalf of the
government. Agencies generally did not issue system-of-records notices
specifically for their use of information resellers largely because
information reseller databases were not considered "systems of records
operated by or on behalf of a government agency" and thus were not
considered subject to the provisions of the Privacy Act.54 OMB guidance on
implementing the Privacy Act does not specifically refer to the use of
reseller data or how it should be treated. According to OMB and other
agency officials, information resellers operate their databases for
multiple customers, and federal agency use of these databases does not
amount to the operation of a system of records on behalf of the
government. Further, agency officials stated that merely querying
information reseller databases did not amount to agency "maintenance" of
the personal information being queried and thus also did not trigger the
provisions of the Privacy Act. In many cases, agency officials considered
their use of resellers to be of this type-essentially "ad hoc" querying or
"pinging" of reseller databases for personal information about specific
individuals, which they believed they were not doing in connection with a
formal system of records.

In other cases, however, agencies maintained information reseller data in
systems for which system-of-records notices had been previously published.
For example, law enforcement agency officials stated that, to the extent
they retain the results of reseller data queries, this collection and use
is covered by the system of records notices for their case file systems.
However, in preparing such notices, agencies generally did not specify
that they were obtaining information from resellers. Among system of
records notices that were identified by agency officials as applying to
the use of reseller data, only one-TSA's system of records notice for the
test phase of its Secure Flight program-specifically identified the use of
information reseller data.55 Other programs that involve use of
information reseller data include the fraud prevention and detection
programs reported by SSA and State as well as law enforcement programs
within ATF, the U.S. Marshals, and USCIS. For these programs, associated
system of records notices identified by officials did not specify the use
of information reseller data.

In several of these cases, agency sources for personal information were
described only in vague terms, such as "private organizations," "other
public sources," or "public source material," when information was being
obtained from information resellers.56 In one case, a notice indicated
incorrectly that personal information was collected only from the
individuals concerned. Specifically, USCIS prepared a system of records
notice covering the Computer Linked Application Information Management
System, which did not identify information resellers as a source. Instead,
the notice stated only that "information contained in the system of
records is obtained from individuals covered by the system."57

The inconsistency with which agencies specify resellers as a source of
information in system-of-records notices is in part due to ambiguity in
OMB guidance, which states that "for systems of records which contain
information obtained from sources other than the individual to whom the
records pertain, the notice should list the types of sources used."
Although the guidance is unclear what would constitute adequate disclosure
of "types of sources," OMB and DHS Privacy Office officials agreed that to
the extent that reseller data are subject to the Privacy Act, agencies
should specifically identify information resellers as a source and that
merely citing public records information does not sufficiently describe
the source.

The individual participation principle gives individuals the right to
access and correct information that is maintained about them. However,
under the Privacy Act, agencies can claim exemptions from the requirement
to provide individual access and the ability to make corrections if the
systems are for law enforcement purposes.58 In most cases where officials
identified system-of-record notices associated with reseller data
collection for law enforcement purposes, agencies claimed this exemption.
Like the ability to mask database searches from vendors, this provision is
important so that the subjects of law enforcement investigations are not
tipped off.

Aside from the law enforcement exemptions to the Privacy Act, adherence to
the purpose specification and openness principles is critical to
preserving a measure of individual control over the use of personal
information. Without clear guidance from OMB or specific policies in
place, agencies have not consistently reflected these principles in their
collection and use of reseller information. As a result, without being
notified of the existence of an agency's information collection
activities, individuals have no ability to know that their personal
information could be obtained from commercial sources and potentially used
as a basis, or partial basis, for taking action that could have
consequences for their welfare.

Privacy Impact Assessments Could Address Openness, and Purpose
Specification Principles but Are Often Not Conducted

The PIA is an important tool for agencies to address privacy early in the
process of developing new information systems, and to the extent that PIAs
are made publicly available,59 they provide explanations to the public
about such things as the information that will be collected, why it is
being collected, how it is to be used, and how the system and data will be
maintained and protected. In doing so, they serve to address the openness
and purpose specification principles.

However, only three agency components reported developing PIAs for their
systems or programs that make use of information reseller data.60 As with
system-of-records notices, agencies often did not conduct PIAs because
officials did not believe they were required.

Current OMB guidance on conducting PIAs is not always clear about when
they should be conducted. According to guidance from OMB, a PIA is
required by the E-Government Act when agencies "systematically incorporate
into existing information systems databases of information in identifiable
form purchased or obtained from commercial or public sources."61 However,
the same guidance also instructs agencies that "merely querying a database
on an ad-hoc basis does not trigger the PIA requirement." Reported uses of
reseller data were generally not described as a "systematic" incorporation
of data into existing information systems; rather, most involved querying
a database and in some cases retaining the results of these queries. OMB
officials stated that agencies would need to make their own judgments on
whether retaining the results of searches of information reseller
databases constituted a "systematic incorporation" of information.

DHS has recently developed guidance requiring PIAs to be conducted
whenever reseller data are involved. The DHS Privacy Office62 guidance on
conducting PIAs points out, for example, that a program decision to obtain
information from a reseller would constitute a new source of information,
requiring that a PIA be conducted. However, although the DHS guidance
clearly states that PIAs are required when personally identifiable
information is obtained from a commercial source, it also states that
"merely querying such a source on an ad hoc basis using existing
technology does not trigger the PIA requirement."63 Like OMB's guidance,
the DHS guidance is not clear, because agency personnel are left to make
individual determinations as to whether queries are "on an ad hoc basis."

In one case, a DHS component prepared a PIA for a system that collects
reseller data but had not identified in the assessment that resellers were
being used. DHS's USCIS uses copies of court records obtained from an
information reseller to support evidentiary requirements for official
adjudication proceedings concerning fraud. Although this use was reported
to be covered by the PIA for the office's Fraud Tracking System, the PIA
identifies only "public records" as the source of its information and does
not mention that the public records are obtained from information
resellers.64 In contrast, the draft DHS guidance on PIAs instructs DHS
component agencies to "list the individual, entity, or entities providing
the specific information identified above. For example, is the information
collected directly from the individual as part of an application for a
benefit, or is it collected from another source such as a commercial data
aggregator." At the time of our review, this draft guidance had not yet
been disseminated to DHS components. Lacking such guidance, DHS components
did not have policies in place regarding the conduct of PIAs with respect
to reseller data, nor did other agencies we reviewed.

Until PIAs are conducted more thoroughly and consistently, the public is
likely to remain incompletely informed about agency purposes and uses for
obtaining reseller information.

Agencies Often Did Not Have Practices in Place to Ensure Accountability
for Proper Handling of Information Reseller Data

According to the accountability principle (individuals controlling the
collection or use of personal information should be accountable for taking
steps to ensure the implementation of the Fair Information Practices),
agencies should take steps to ensure that employee uses of personal
information from information resellers are appropriate. While agencies
described activities to oversee the use of information resellers, such
activities were largely based on trust of the user to use the information
appropriately. For example, in describing controls placed on the use of
commercial data, officials from component agencies identified measures
such as instructing users that reseller data are for official use only and
requiring users to sign statements of responsibility attesting to a need
to access the information reseller databases and that their use will be
limited to official business. Additionally, agency officials reported that
in accessing reseller databases, users are required to select from a list
of vendor-defined "permissible purposes" (e.g., law enforcement,
transactions authorized by the consumer) before conducting a search. While
these practices appear consistent with the accountability principle, they
are focused on individual user responsibility rather than management
oversight.

For example, agencies did not have practices in place to obtain reports
from resellers that would allow them to monitor usage of reseller
databases at a detailed level. Although agencies generally receive usage
reports from the information resellers, these reports are designed
primarily for monitoring costs. Further, these reports generally contained
only high-level statistics on the number of searches and databases
accessed, not the contents of what was actually searched, thus limiting
their utility in monitoring usage. For example, one information reseller
reported that it does not provide reports to agencies on the "permissible
purpose" that a user selects before conducting a search.

Not all component agencies lacked robust user monitoring. Specifically,
according to FBI officials from the FTTTF, their network records and
monitors searches conducted by the user account, including who is searched
against what public source database. The system also tracks the date and
time of the query as well as what the analyst does with the data. FBI
officials stated that the vendor reports as well as the network monitoring
provide FBI with the ability to detect unusual usage of the public source
providers.

To the extent that federal agencies do not implement methods such as user
monitoring or auditing of usage records, they provide limited
accountability for their usage of information reseller data and have
limited assurance that the information is being used appropriately.

Conclusions

Services provided by information resellers serve as important tools that
can enhance federal agency functions, such as law enforcement and fraud
protection and identification. Resellers have practices in place to
protect privacy, but these practices are not fully consistent with the
Fair Information Practices. Among other things, resellers collect large
amounts of information about individuals without their knowledge or
consent, do not ensure that the data they make available are accurate for
a given purpose, and generally do not make corrections to the data when
errors are identified by individuals. Information resellers believe that
application of the relevant principles of the Fair Information Practices
is inappropriate or impractical in these situations. Given that reseller
data may be used for a variety of purposes, determining the appropriate
degree of control or influence individuals should have over the way in
which their personal information is obtained and used-as envisioned in the
Fair Information Practices-is critical. To more fully embrace these
principles could require resellers to change the way they conduct
business, and currently resellers are not legally required to follow them.
As Congress weighs various legislative options, adherence to the Fair
Information Practices will be an important consideration in determining
the appropriate balance between the services provided by information
resellers to customers such as government agencies and the public's right
to privacy.

Agencies take steps to adhere to Fair Information Practices such as the
collection limitation, data quality, use limitation, and security
safeguards principles. However, they have not taken all the steps they
could to reflect others-or to comply with specific Privacy Act and
e-Government Act requirements-in their handling of reseller data.
Specifically, agencies did not always have policies or practices in place
to address the purpose specification, individual participation, openness,
and accountability principles with respect to reseller data. An important
factor contributing to this is that OMB privacy guidance does not clearly
address information reseller data, which has become such a valuable and
useful tool for agencies. As a result, agencies are left largely on their
own to determine how to satisfy legal requirements and protect privacy
when acquiring and using reseller data. Without current and specific
guidance, the government risks continued uneven adherence to important,
well-established privacy principles and lacks assurance that the privacy
rights of individuals are adequately protected.

Matter for Congressional Consideration

In considering legislation to address privacy concerns related to the
information reseller industry, Congress should consider the extent to
which the industry should adhere to the Fair Information Practices.

Recommendations for Executive Action

To improve accountability, ensure adequate public notice of agencies' use
of personal information from commercial sources, and allay potential
privacy concerns arising from agency use of information from such sources,
we are making three recommendations to the Director of OMB and the heads
of the four agencies. Specifically, we recommend that:

o the Director of OMB revise guidance on system of records notices and
privacy impact assessments to clarify the applicability of the governing
laws (the Privacy Act and the E-Government Act) to the use of personal
information from resellers. These clarifications should specify the
circumstances under which agencies should make disclosures about their
uses of reseller data so that agencies can properly notify the public (for
example, what constitutes a "systematic" incorporation of reseller data
into a federal system). The guidance should include practical scenarios
based on uses agencies are making of personal information from information
resellers (for example, visa, criminal, and fraud investigations).

o the Director of OMB direct agencies to review their uses of personal
information from information resellers, as well as any associated system
of records notices and privacy impact assessments, to ensure that such
notices and assessments explicitly reference agency use of information
resellers.

o the Attorney General, the Secretary of Homeland Security, the Secretary
of State, and the Commissioner of SSA develop specific policies for the
collection, maintenance, and use of personal information obtained from
resellers that reflect the Fair Information Practices, including oversight
mechanisms such as the maintenance and review of audit logs detailing
queries of information reseller databases-to improve accountability for
agency use of such information.

Agency Comments and Our Evaluation

We received written comments on a draft of this report from the Justice's
Assistant Attorney General for Administration (reproduced in appendix
III), from the Director of the DHS Departmental GAO/OIG Liaison Office
(reproduced in appendix IV), from the Commissioner of SSA (reproduced in
appendix V), and from State's Assistant Secretary and Chief Financial
Officer (reproduced in appendix VI). We also received comments via E -mail
from staff of OMB's Office of Information and Regulatory Affairs. Justice,
DHS, SSA, and OMB all generally agreed with the report and described
actions initiated to address our recommendations. Justice and SSA also
provided technical comments, which has been incorporated in the final
report as appropriate.

In its comments, Justice agreed that revised or additional guidance and
policy could be created to address unique issues presented by use of
personal information obtained from resellers. However, noting that the
Privacy Act allows law enforcement agencies to exempt certain records from
provisions of the law that reflect aspects of the Fair Information
Practices, Justice recommended that prior to issuance of any new or
revised policy, careful consideration be given to the balance struck in
the Privacy Act on applying the Fair Information Practices to law
enforcement data. We recognize that law enforcement purposes are afforded
the opportunity for exemptions from some of the provisions of the Privacy
Act. The report acknowledges this fact. We also agree and acknowledge in
the report that the Fair Information Practices serve as a framework of
principles for balancing the need for privacy with other public policy
interests, such as national security and law enforcement.

DHS also agreed on the importance of guidance to federal agencies on the
use of reseller information and stated that it is working diligently on
finalizing a DHS policy for such use. The agency commented that its
Privacy Office has been reviewing the use and appropriate privacy
protections for reseller data, including conducting a 2-day public
workshop on the subject in September 2005. DHS also noted that it had just
issued departmentwide guidance on the conduct of privacy impact
assessments in March 2006, which include directions relevant to the
collection and use of commercial data. We have made changes to the final
report to reflect the recent issuance of the DHS guidance.

SSA noted in its comments that it had established internal controls,
including audit trails of systems usage, to ensure that information is not
improperly disclosed. SSA also stated that it would amend relevant
system-of-record notices to reflect use of information resellers and would
explore options for enhancing its policies and internal controls over
information obtained from resellers.

State interpreted our draft report to "rest on the premise that records
from `information resellers' should be accorded special treatment when
compared with sensitive information from other sources." State indicated
that it does not distinguish between types of information or sources of
information in complying with privacy laws. However, our report does not
suggest that data from resellers should receive special treatment.
Instead, our report takes the widely accepted Fair Information Practices
as a universal benchmark of privacy protections and assesses agency
practices in comparison with them. State also interpreted our draft report
to state that fraud detection, as a purpose for collecting personal
information, is not related to law enforcement. However, the draft does
not make such a claim. We have categorized agency uses of personal
information based on descriptions provided by agencies and have
categorized fraud detection uses separately from law enforcement to
provide insight into different types of uses. We do not claim the two uses
are unrelated. Finally, the department stated that in its view, it would
be bad policy to require specification of sources such as data resellers
in agency system of records notices. In contrast, we believe that adding
clarity and specificity about sources is in the spirit of the purpose
specification practice and note that DHS has recently issued guidance on
privacy impact assessments that is consistent with this view.

OMB stated that, based on a staff-level meeting of agency privacy experts,
it believes agencies recognize that when personal data are brought into
their systems, this fact must be reflected in their privacy impact
assessments and system-of-record notices. We do not find this observation
inconsistent with our findings. We found, however, that inconsistencies
occurred in agencies' determinations of when or whether reseller
information was actually brought into their systems, as opposed to being
merely "accessed" on an ad-hoc basis. We believe clarification of this
issue is important. OMB further stated that agencies have procedures in
place to verify commercial data before they are used in decisions
involving the granting or recoupment of benefits or entitlements. Again,
this is not inconsistent with the results of our review. Finally OMB
stated that it would discuss its guidance with agency senior officials for
privacy to determine whether additional guidance concerning reseller data
is needed.

Comments from Information Resellers

We also obtained comments on excerpts of our draft report from the five
information resellers we reviewed. General comments made by resellers and
our evaluation are summarized below:

o Several resellers raised concerns about our reliance on the OECD version
of the Fair Information Practices as a framework for assessing their
privacy policies and business practices. They suggested that it would be
unreasonable to require them to comply with aspects of the Fair
Information Practices that they believe were intended for other types of
users of personal information, such as organizations that collect
information directly from consumers. Further, they commented that our
draft summary appeared to treat strict adherence to all of the Fair
Information Practices as if it were a legally binding requirement. In
several cases, they suggested that it would be more appropriate for us to
use the privacy framework developed by the Asia-Pacific Economic
Cooperation (APEC) organization in 2004, because the APEC framework is
more recent and because it explicitly states that it has limited
applicability to publicly available information.

o As discussed in our report, the OECD version of the Fair Information
Practices is widely used and cited within the federal government as well
as internationally. In addition, the APEC privacy framework, which was
developed as a tool for encouraging the development of privacy protection
in the Asia Pacific region, acknowledges that the OECD guidelines are
still relevant and "in many ways represent the international consensus on
what constitutes honest and trustworthy treatment of personal
information."65 Further, our use of the OECD guidelines is as an
analytical framework for identifying potential privacy issues for further
consideration by Congress-not as legalistic compliance criteria. The
report states that the Fair Information Practices are not precise legal
requirements; rather they provide a framework of principles for balancing
the needs for privacy against other public policy interests, such as
national security, law enforcement, and administrative efficiency. In
conducting our analysis, we noted that the nature of the reseller business
is largely at odds with the principles of collection limitation, data
quality, purpose specification, and use limitation. We also noted that
resellers are not currently required to follow the Fair Information
Practices and that for resellers to more fully embrace them could require
that they change the way they do business. We recognize that it is
important to achieve an appropriate balance between the benefits of
resellers' services and the public's right to privacy and point out that,
as Congress weighs various legislative options, it will be critical to
determine an appropriate balance. We have made changes in this report to
clarify that we did not attempt to make determinations of whether or how
information reseller practices should change and that such determinations
are a matter of policy based on balancing the public's right to privacy
with the value of reseller services.

o Several information resellers stated that the draft did not take into
account that public record information is freely available. For example,
one reseller stated that public records should be understood by consumers
to be open to all for any use not prohibited by state or federal law.
Another stated that information resellers merely effectuate the
determination made by governmental entities that public records should be
open to all.

However, the views expressed by the resellers do not take into account
several important factors. First, resellers collect information for their
products from a variety of sources, including information provided by
consumers to businesses. Resellers products are not based exclusively on
public records. Thus a consideration of protections for public record
information does not take the place of a full assessment of the
information reseller business. Second, resellers do not merely pass on
public record information as they find it; they aggregate information from
many different sources to create new information products, and they make
the information much more readily available than it would be if it
remained only in paper records on deposit in government facilities. The
aggregation and increased accessibility provided by resellers raises
privacy concerns that may not apply to the original paper-based public
records. Finally, it is not clear that individuals give up all privacy
rights to personal information contained in public records. The Supreme
Court has expressed the opinion in the past that individuals retain a
privacy interest in publicly released personal information. We therefore
believe it is important to assess the status of privacy protections for
all personal information being offered commercially to the government so
that informed policy decisions may be made about the appropriate balance
between resellers' services and the public's right to privacy.

o Several resellers also noted that the draft report did not address the
complexity of the reseller business-the extent to which resellers'
businesses vary among themselves and overlap with consumer reporting
agencies. We have added text addressing this in the final report.

The resellers also provided technical comments, which were incorporated in
the final report as appropriate.

We are sending copies of this report to the Attorney General, the
Secretary of Homeland Security, the Secretary of State, the Commissioner
of the Social Security Administration, the Director of the Office of
Management and Budget, and other interested congressional committees.
Copies will be made available to others on request. In addition, this
report will be available at no charge on our Web site at www.gao.gov .

If you have any questions concerning this report, please call me at (202)
512-6240 or send E-mail to [email protected] . Contact points for our
Offices of Congressional Relations and Public Affairs may be found on the
last page of this report. Major contributors to this report are John de
Ferrari, Assistant Director; Mathew Bader; Barbara Collier; Pamlutricia
Greenleaf; David Plocher; and Jamie Pressman.

Linda D. Koontz Director, Information Management Issues

List of Requesters

The Honorable F. James Sensenbrenner, Jr. Chairman The Honorable John
Conyers, Jr. Ranking Minority Member Committee on the Judiciary House of
Representatives

The Honorable Steve Chabot Chairman The Honorable Jerrold Nadler Ranking
Minority Member Subcommittee on the Constitution Committee on the
Judiciary House of Representatives

The Honorable Bill Nelson Ranking Minority Member Subcommittee on
International Operations and Terrorism, Committee on Foreign Relations
United States Senate

The Honorable Bennie G. Thompson Ranking Minority Member Committee on
Homeland Security House of Representatives

The Honorable Zoe Lofgren Ranking Minority Member Subcommittee on
Intelligence, Information Sharing, and Terrorism Risk Assessment Committee
on Homeland Security House of Representatives

The Honorable Loretta Sanchez Ranking Minority Member Subcommittee on
Economic Security, Infrastructure Protection, and Cybersecurity Committee
on Homeland Security House of Representatives

Objectives, Scope, and Methodology Appendix I

Our objectives were to determine the following:

o how the Departments of Justice, Homeland Security, and State and the
Social Security Administration are making use of personal information
obtained through contracts with information resellers;

o the extent to which the information resellers providing personal
information to these agencies have policies and practices in place that
reflect widely accepted principles for protecting the privacy and security
of personal information; and

o the extent to which these agencies have policies and practices in place
for handling information reseller data that reflect widely accepted
principles for protecting the privacy and security of personal
information.

To address our objectives, we identified and reviewed applicable laws such
as the Privacy Act of 1974 and the E-Government Act, agency policies and
practices, and the widely accepted privacy principles embodied in the
Organization for Economic Cooperation and Development (OECD) version of
the Fair Information Practices. Working with liaisons at the four federal
agencies we were requested to review, we identified officials responsible
for the acquisition and use of personal information from information
resellers. Through these officials, we obtained applicable contractual
documentation such as statements of work, task orders, blanket purchase
agreements, purchase orders, interagency agreements, and contract terms
and conditions.

To address our first objective, we obtained and reviewed contract vehicles
covering federal agency use of information reseller services for fiscal
year 2005. We also reviewed applicable General Services Administration
(GSA) schedule and Library of Congress FEDLINK contracts with information
resellers that agencies made use of by various means, including through
issuance of blanket purchase agreements, task orders, purchase orders, or
interagency agreements. We analyzed the contractual documentation provided
to determine the nature, scope, and dollar amounts associated with these
uses, as well as mechanisms for acquiring personal information. In an
effort to identify all relevant instances of agency use of information
resellers and related contractual documents, we developed a list of
structured questions to address available contract documents, uses of
personal information, and applicable agency guidance. We provided these
questions to agency officials and held discussions with them to help
ensure that they provided all relevant information on uses of personal
information from information resellers. To further ensure that relevant
contract vehicles were identified, we asked major information resellers
about their business with the four agencies. We also interviewed officials
from GSA and the Library of Congress to discuss the mechanisms available
to federal agencies for acquiring personal information and to identify any
additional uses of these mechanisms by the four agencies.

To further address our first objective, we categorized agency use of
information resellers into five categories: counterterrorism, debt
collection, fraud detection/prevention, law enforcement, and other. These
categorizations were based on the component and applicable program's
mission, as well as the specific reported use of the contract. In
identifying relevant uses of information resellers, we were unable to
identify small purchases (e.g., purchases below $2,500), as agencies do
not track this information centrally. In addition, to the extent
practicable, we excluded uses that generally did not involve the use of
personal information. For example, officials from several component
agencies reported that their use of the LexisNexis and West services was
primarily for legal research rather than for public records information.
In other cases, reported amounts may reflect uses that do not involve
personal information because agencies were unable to separate such uses
from uses involving personal information.

To address our second objective, we obtained and reviewed relevant private
sector laws and guidance, such as the Gramm-Leach-Bliley Act, the Fair
Credit Reporting Act, and the Fair Information Practices. We also
identified major information resellers in agency contractual agreements
for personal information and held interviews with officials from these
companies, including Acxiom, ChoicePoint, Dun & Bradstreet,1 LexisNexis,
and West, to discuss security, quality controls, and privacy policies. In
addition, we conducted site visits at Acxiom, ChoicePoint, and LexisNexis,
and obtained written responses to related questions from West. These five
resellers accounted for approximately 95 percent of the dollar value of
all reported contracts with resellers. To determine the extent that they
reflect widely accepted Fair Information Practices, we reviewed and
compared information reseller's privacy policies and procedures with these
principles. In conducting our analysis, we identified the extent to which
reseller practices were consistent with the key privacy principles of the
Fair Information Practices. We also assessed the effect of any
inconsistencies; however, we did not attempt to make determinations of
whether or how information reseller practices should change. Such
determinations are a matter of policy based on balancing the public's
right to privacy with the value of services provided by resellers to
customers such as government agencies.

To address our third objective, we identified applicable guidelines and
management controls regarding the acquisition, maintenance, and use of
personal information from information resellers at each of the four
agencies. We also interviewed agency officials, including acquisition and
program staff, to further identify relevant policies and procedures. Our
assessment of overall agency application of the Fair Information Practices
was based on the policies and procedures of major components at each of
the four agencies.2 We also conducted interviews at the four agencies with
senior agency officials designated for privacy as well as officials of the
Office of Management and Budget (OMB) to obtain their views on the
applicability of federal privacy laws (including the Privacy Act of 1974
and the E-Government Act of 2002) and related guidance on agency use of
information resellers. In addition, we compared relevant policies and
management practices with the Fair Information Practices.

We assessed the overall application of the principles of the Fair
Information Practices by agencies according to the following categories:

1.General. We assessed the application as general if the agency had
policies or procedures to address all major aspects of a particular
principle.

2.Uneven. We assessed the application as uneven if the agency had policies
or procedures that addressed some but not all aspects of a particular
principle or if some but not all components and agencies had policies or
practices in place addressing the principle.

We performed our work at the Departments of Homeland Security, Justice,
and State in Washington, D.C.; at the Social Security Administration in
Baltimore, Maryland; Acxiom Corporation in Little Rock, Arkansas;
ChoicePoint in Alpharetta, Georgia; Dun & Bradstreet in Washington, D.C.;
and LexisNexis in Washington, D.C., and Miamisburg, Ohio. Our work was
conducted from May 2005 to March 2006 in accordance with generally
accepted government auditing standards.

Federal Laws Affecting Information Resellers Appendix II

Major laws that affect information resellers include the
Gramm-Leach-Bliley Act, the Drivers Privacy Protection Act, the Health
Insurance Portability and Accountability Act, the Fair Credit Reporting
Act, and the Fair and Accurate Credit Transactions Act. Their major
privacy related provisions are briefly summarized below.

Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act requires financial institutions (e.g., banks,
insurance, and investment companies) to give consumers privacy notices
that explain the institutions' information-sharing practices (P.L. 106-102
(1999), Title V, 15 U.S.C. 6801). In turn, consumers have the right to
limit some, but not all, sharing of their nonpublic personal information.
Financial institutions are permitted to disclose consumers' nonpublic
personal information without offering them an opt-out right in a number of
circumstances including the following:

o to effect a transaction requested by the consumer in connection with a
financial product or service requested by the consumer; maintaining or
servicing the consumer's account with the financial institution or another
entity as part of a private label credit card program or other extension
of credit; or a securitization, secondary market sale, or similar
transaction;

o with the consent or at the direction of the consumer;

o to protect the confidentiality or security of the consumer's records; to
prevent fraud; for required institutional risk control or for resolving
customer disputes or inquiries; to persons holding a legal or beneficial
interest relating to the consumer; or to the consumer's fiduciary;

o to provide information to insurance rate advisory organizations,
guaranty funds or agencies, rating agencies, industry standards agencies,
and the institution's attorneys, accountants, and auditors;

o to the extent specifically permitted or required under other provisions
of law and in accordance with the Right to Financial Privacy Act of 1978,
to law enforcement agencies, self-regulatory organizations, or for an
investigation on a matter related to public safety;

o to a consumer reporting agency in accordance with the Fair Credit
Reporting Act or from a consumer report reported by a consumer reporting
agency;

o in connection with a proposed or actual sale, merger, transfer, or
exchange of all or a portion of a business if the disclosure concerns
solely consumers of such business; and

o to comply with federal, state, or local laws; an investigation or
subpoena; or to respond to judicial process or government regulatory
authorities.

Driver's Privacy Protection Act

The Driver's Privacy Protection Act generally prohibits the disclosure of
personal information by state departments of motor vehicles. (P.L. 103-322
(1994), 18 U.S.C. S: 2721-2725). It also specifies a list of exceptions
when personal information contained in a state motor vehicle record may be
disclosed. These permissible uses include the following:

o for use by any government agency in carrying out its functions;

o for use in connection with matters of motor vehicle or driver safety and
theft; motor vehicle emissions; motor vehicle product alterations,
recalls, or advisories; motor vehicle market research activities;

o for use in the normal course of business by a legitimate business, but
only to verify the accuracy of personal information submitted by the
individual to the business and, if such information is not correct, to
obtain the correct information but only for purposes of preventing fraud
by pursuing legal remedies against, or recovering on a debt or security
interest against, the individual;

o for use in connection with any civil, criminal, administrative, or
arbitral proceeding in any federal, state, or local court or agency;

o for use in research activities;

o for use by any insurer or insurance support organization in connection
with claims investigation activities;

o for use in providing notice to the owners of towed or impounded
vehicles;

o for use by a licensed private investigative agency for any purpose
permitted under the act;

o for use by an employer or its agent or insurer to obtain information
relating to the holder of a commercial driver's license;

o for use in connection with the operation of private toll transportation
facilities;

o for any other use, if the state has obtained the express consent of the
person to whom a request for personal information pertains;

o for bulk distribution of surveys, marketing, or solicitations, if the
state has obtained the express consent of the person to whom such personal
information pertains;

o for use by any requester, if the requester demonstrates that it has
obtained the written consent of the individual to whom the information
pertains; and

o for any other use specifically authorized under a state law, if such use
is related to the operation of a motor vehicle or public safety.

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (P.L.
104-191) made a number of changes to laws relating to health insurance. It
also directed the Department of Health and Human Services to issue
regulations to protect the privacy and security of personally identifiable
health information. The resulting privacy rule (45 C.F.R. Part 164)
defines certain rights and obligations for covered entities (e.g., health
plans and health care providers) and individuals, including the following:

o giving individuals the right to be notified of privacy practices and to
inspect, copy, request correction, and have an accounting of disclosures
of health records, except for specified exceptions;

o setting limits on the use of health information apart from treatment,
payment, and health care operations (e.g., for marketing) without the
individual's authorization;

o permitting disclosure of health information without the individual's
authorization for purposes of public health protection; health oversight;
law enforcement; judicial and administrative proceedings; approved
research activities; coroners, medical examiners, and funeral directors;
workers' compensation programs, government abuse, neglect, and domestic
violence authorities; organ transplant organizations; government agencies
with specified functions, e.g., national security activities; and as
required by law;

o requiring that authorization forms contain specific types of
information, such as a description of the health information to be used or
disclosed, the purpose of the use or disclosure, and the identity of the
recipient of the information; and

o requiring covered entities to take steps to limit the use or disclosure
of health information to the minimum necessary to accomplish the intended
purpose, unless authorized or under certain circumstances.

Fair Credit Reporting Act

The Fair Credit Reporting Act (P.L. 91-508, 1970, 15 U.S.C. S: 1681)
governs the use of personal information by consumer reporting agencies,
which are individuals or entities that regularly assemble or evaluate
information about individuals for the purpose of furnishing consumer
reports to third parties. The act defines a consumer report as any
communication by a consumer reporting agency about an individual's credit
worthiness, character, reputation, characteristics, or mode of living and
permits its use only in the following situations:

o as ordered by a court or federal grand jury subpoena;

o as instructed by the consumer in writing;

o for the extension of credit as a result of an application from a
consumer or the review or collection of a consumer's account;

o for employment purposes, including hiring and promotion decisions, where
the consumer has given written permission;

o for the underwriting of insurance as a result of an application from a
consumer;

o when there is a legitimate business need, in connection with a business
transaction that is initiated by the consumer;

o to review a consumer's account to determine whether the consumer
continues to meet the terms of the account;

o to determine a consumer's eligibility for a license or other benefit
granted by a governmental instrumentality required by law to consider an
applicant's financial responsibility or status;

o for use by a potential investor or servicer or current insurer in a
valuation or assessment of the credit or prepayment risks associated with
an existing credit obligation; and

o for use by state and local officials in connection with the
determination of child support payments, or modifications of enforcement
thereof.

The act generally limits the amount of time negative information can be
included in a consumer report to no more than 7 years, or 10 years in the
case of bankruptcies. Under the act, individuals have a right to access
all information in their consumer reports; a right to know who obtained
their report during the previous year or two, depending on the
circumstances; and a right to dispute the accuracy of any information
about them.

Fair and Accurate Credit Transactions Act

The Fair and Accurate Credit Transactions Act (P.L. 108-159, 2003) amended
the Fair Credit Reporting Act, extending provisions to improve the
accuracy of personal information assembled by consumer reporting agencies
and better provide for the fair use of and consumer access to personal
information. The act's provisions include the following:

o consumers may request a free annual credit report from nationwide
consumer reporting agencies, to be made available no later than 15 days
after the date on which the request is received;

o persons furnishing information about individuals to consumer reporting
agencies, and resellers of consumer reports, must have polices and
procedures for investigating and correcting inaccurate information,

o consumers are given the right to prohibit business affiliates of
consumer reporting agencies from using information about them for certain
marketing purposes; and

o consumer reporting agencies cannot include medical information in
reports that will be used for employment, credit transactions, or
insurance transactions unless the consumer consents to such disclosures.

Comments from the Department of Justice Appendix III

Comments from the Department of Homeland Security Appendix IV

Comments from the Social Security Administration Appendix V

Comments from the Department of State Appendix VI

(310732)

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
D.C. 20548

www.gao.gov/cgi-bin/getrpt? GAO-06-421 .

To view the full product, including the scope

and methodology, click on the link above.

For more information, contact Linda Koontz at (202) 512- 6240 or
[email protected].

Highlights of GAO-06-421 , a report to congressional committees

April 2006

PERSONAL INFORMATION

Agency and Reseller Adherence to Key Privacy Principles

Federal agencies collect and use personal information for various
purposes, both directly from individuals and from other sources, including
information resellers-companies that amass and sell data from many
sources. In light of concerns raised by recent security breaches involving
resellers, GAO was asked to determine how the Departments of Justice,
Homeland Security, and State and the Social Security Administration use
personal data from these sources. In addition, GAO reviewed the extent to
which information resellers' policies and practices reflect the Fair
Information Practices, a set of widely accepted principles for protecting
the privacy and security of personal data. GAO also examined agencies'
policies and practices for handling personal data from resellers to
determine whether these reflect the Fair Information Practices.

What GAO Recommends

The Congress should consider the extent to which resellers should adhere
to the Fair Information Practices. In addition, GAO is making
recommendations to OMB and the four agencies to establish policy to
address agency use of personal information from commercial sources.

Agency officials generally agreed with the content of this report.
Resellers questioned the applicability of the Fair Information Practices,
especially with regard to public records.

In fiscal year 2005, the Departments of Justice, Homeland Security, and
State and the Social Security Administration reported that they used
personal information obtained from resellers for a variety of purposes.
Components of the Department of Justice (the largest user of resellers)
used such information in performing criminal investigations, locating
witnesses and fugitives, researching assets held by individuals of
interest, and detecting prescription drug fraud. The Department of
Homeland Security used reseller information for immigration fraud
detection and border screening programs. Uses by the Social Security
Administration and the Department of State were to prevent and detect
fraud, verify identity, and determine eligibility for benefits. The
agencies spent approximately $30 million on contractual arrangements with
resellers that enabled the acquisition and use of such information. About
91 percent of the planned fiscal year 2005 spending was for law
enforcement (69 percent) or counterterrorism (22 percent).

The major information resellers that do business with the federal agencies
we reviewed have practices in place to protect privacy, but these measures
are not fully consistent with the Fair Information Practices. For example,
the principles that the collection and use of personal information should
be limited and its intended use specified are largely at odds with the
nature of the information reseller business, which presupposes that
personal information can be made available to multiple customers and for
multiple purposes. Resellers said they believe it is not appropriate for
them to fully adhere to these principles because they do not obtain their
information directly from individuals. Nonetheless, in many cases,
resellers take steps that address aspects of the Fair Information
Practices. For example, resellers reported that they have taken steps
recently to improve their security safeguards, and they generally inform
the public about key privacy principles and policies. However, resellers
generally limit the extent to which individuals can gain access to
personal information held about themselves, as well as the extent to which
inaccurate information contained in their databases can be corrected or
deleted.

Agency practices for handling personal information acquired from
information resellers did not always fully reflect the Fair Information
Practices. That is, some of these principles were mirrored in agency
practices, but for others, agency practices were uneven. For example,
although agencies issued public notices on information collections, these
did not always notify the public that information resellers were among the
sources to be used. This practice is not consistent with the principle
that individuals should be informed about privacy policies and the
collection of information. Contributing to the uneven application of the
Fair Information Practices are ambiguities in guidance from the Office of
Management and Budget (OMB) regarding the applicability of privacy
requirements to federal agency uses of reseller information. In addition,
agencies generally lack policies that specifically address these uses.
*** End of document. ***