Privacy: Congress Should Consider Alternatives for Strengthening
Protection of Personally Identifiable Information (18-JUN-08,
GAO-08-795T).
                                                                 
Concerns have been raised about the privacy and security of	 
personal information in light of advances in information	 
technology and the increasingly sophisticated ways in which the  
government obtains and uses information. Federal agencies' use of
personal information is governed by the Privacy Act of 1974 and  
the E-Government Act of 2002, while the Office of Management and 
Budget (OMB) provides implementation guidance and oversight.	 
These laws and guidance are based on the Fair Information	 
Practices, a set of widely accepted principles for protecting	 
privacy. GAO was asked to testify on its report, being released  
today, concerning the sufficiency of privacy protections afforded
by existing laws and guidance. To do this, GAO analyzed privacy  
laws and guidance, compared them with the Fair Information	 
Practices, and obtained perspectives from federal agencies as	 
well as an expert forum.					 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-795T					        
    ACCNO:   A82406						        
  TITLE:     Privacy: Congress Should Consider Alternatives for
Strengthening Protection of Personally Identifiable Information
     DATE:   06/18/2008 
  SUBJECT:   Classified information				 
	     Computer security					 
	     Confidential information				 
	     E-government					 
	     Government information				 
	     Government information dissemination		 
	     Information access 				 
	     Information disclosure				 
	     Information management				 
	     Information security				 
	     Information security management			 
	     Information security regulations			 
	     Information systems				 
	     Information technology				 
	     Personal security					 
	     Privacy law					 
	     Privacy policies					 
	     Privacy policy violation				 
	     Program evaluation 				 
	     Program management 				 
	     Records						 
	     Records management 				 
	     Reporting requirements				 
	     Right of privacy					 
	     Risk assessment					 
	     Risk management					 
	     Security policies					 
	     Security regulations				 
	     Strategic planning 				 
	     Systems analysis					 
	     Technology 					 
	     Personal information				 
	     Program goals or objectives			 
	     GAO High Risk Series				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-795T


This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to [email protected]. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Testimony: 

Before the Committee on Homeland Security and Governmental Affairs, 
U.S. Senate: 

For Release on Delivery: 
Expected at 10 a.m. EDT: 
Wednesday, June 18, 2008: 

Privacy: 

Congress Should Consider Alternatives for Strengthening Protection of 
Personally Identifiable Information: 

Statement of Linda Koontz:
Director, Information Management Issues: 

GAO-08-795T: 

GAO Highlights: 

Highlights of GAO-08-795T, a testimony before the Committee on Homeland 
Security and Governmental Affairs, U.S. Senate. 

Why GAO Did This Study: 

Concerns have been raised about the privacy and security of personal 
information in light of advances in information technology and the 
increasingly sophisticated ways in which the government obtains and 
uses information. Federal agencies' use of personal information is 
governed by the Privacy Act of 1974 and the E-Government Act of 2002, 
while the Office of Management and Budget (OMB) provides implementation 
guidance and oversight. These laws and guidance are based on the Fair 
Information Practices, a set of widely accepted principles for 
protecting privacy. 

GAO was asked to testify on its report, being released today, 
concerning the sufficiency of privacy protections afforded by existing 
laws and guidance. To do this, GAO analyzed privacy laws and guidance, 
compared them with the Fair Information Practices, and obtained 
perspectives from federal agencies as well as an expert forum. 

What GAO Found: 

Although privacy laws and guidance set minimum requirements for 
agencies, they may not consistently protect personally identifiable 
information in all circumstances of its collection and use throughout 
the federal government and may not fully adhere to key privacy 
principles. Based on discussions with privacy experts and agency 
officials, as well as analysis of laws and related guidance, GAO 
identified issues in three major areas: 

Applying privacy protections consistently to all federal collection and 
use of personal information: The Privacy Act's definition of a "system 
of records," which sets the scope of the act's protections, does not 
always apply whenever personal information is obtained and processed by 
federal agencies. For example, if agencies do not retrieve personal 
information by identifier, the act's protections do not apply. This has 
led experts to agree that the Privacy Act's system-of-records construct 
is too narrowly defined. An alternative for addressing these issues 
could include revising the system-of-records definition to cover all 
personally identifiable information collected, used, and maintained 
systematically by the federal government. 

Ensuring that use of personally identifiable information is limited to 
a stated purpose: According to the Fair Information Practices, the use 
of personal information should be limited to a specified purpose. Yet 
current laws and guidance impose only modest requirements for 
describing the purposes for personal information and limiting how it is 
used. For example, agencies are not required to be specific in 
formulating purpose descriptions in their public notices. Overly broad 
specifications of purpose could allow for unnecessarily broad ranges of 
uses, thus calling into question whether meaningful limitations had 
been imposed. Alternatives for addressing these issues include setting 
specific limits on use of information within agencies and requiring 
agencies to establish formal agreements with external governmental 
entities before sharing personally identifiable information with them. 

Establishing effective mechanisms for informing the public about 
privacy protections: Public notices are a primary means of establishing 
accountability for privacy protections and giving individuals a measure 
of control over the use of their personal information. Although the 
Federal Register is the government's official vehicle for issuing 
public notices, critics have questioned whether system-of-records 
notices published in the Federal Register effectively inform the public 
about government uses of personal information. Options for addressing 
concerns about public notices include requiring that purpose, 
collection limitations, and use limitations are better addressed in the 
content of privacy notices, and revising the Privacy Act to require 
that all notices be published on a standard Web site, with an address 
such as www.privacy.gov. 

What GAO Recommends: 

In its report GAO identified alternatives that the Congress should 
consider, including revising the scope of privacy laws to cover all 
personal information, requiring that the use of such information be 
limited to a specific purpose, and revising the structure and 
publication of privacy notices. 

OMB commented that the Congress should consider these alternatives in 
the broader context of existing privacy and related statutes. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-795T]. For more 
information, contact Linda Koontz at (202) 512-6240 or [email protected]. 

[End of section] 

June 18, 2008: 

Mr. Chairman and Members of the Committee: 

I appreciate the opportunity to discuss today the critical protections 
afforded to individual privacy by laws and guidance governing the 
federal government's use of personally identifiable information. 
[Footnote 1] The increasingly sophisticated ways in which personal 
information is obtained and used by the federal government has the 
potential to assist in performing critical functions, such as 
preventing terrorism, but also can pose challenges in ensuring the 
protection of citizens' privacy. In this regard, concerns have been 
raised that the framework of legal mechanisms for protecting personal 
privacy that has been developed over the years may no longer be 
sufficient, given current practices. 

Federal agency use of personal information is governed primarily by the 
Privacy Act of 1974 and the E-Government Act of 2002.[Footnote 2] The 
Privacy Act of 1974 serves as the major mechanism for controlling the 
collection, use, and disclosure of personally identifiable information 
within the federal government. The E-Government Act of 2002 strives to 
enhance the protection of personal information in government 
information systems by requiring that agencies conduct privacy impact 
assessments.[Footnote 3] The Office of Management and Budget (OMB) is 
charged with ensuring implementation of the privacy impact assessment 
requirement and the Privacy Act by federal agencies and is also 
responsible for providing guidance to agencies. 

The provisions of the Privacy Act are largely based on a set of 
principles for protecting the privacy and security of personal 
information known as the Fair Information Practices, which were first 
proposed in 1973 by a U.S. government advisory committee.[Footnote 4] 
These principles, with some variation, are used by organizations to 
address privacy considerations in their business practices and are also 
the basis of privacy laws and related policies in many countries, 
including the United States, Germany, Sweden, Australia, and New 
Zealand, as well as the European Union. 

My testimony today will highlight key findings from a report that we 
are releasing today.[Footnote 5] In the report, we assess the 
sufficiency of laws and guidance covering the federal government's 
collection and use of personal information. We also identify 
alternatives for addressing issues raised by our review. In conducting 
our work, we analyzed the Privacy Act of 1974, section 208 of the 
E-Government Act, and related guidance to identify any inconsistencies or 
gaps in the coverage of these laws as they apply to uses of personal 
information by federal agencies. We also compared these laws and 
related guidance with the Fair Information Practices to identify any 
significant gaps, including assessing the role of the Paperwork 
Reduction Act (PRA) in protecting privacy by limiting collection of 
information. We obtained an operational perspective on the sufficiency 
of these laws from six federal departments and agencies with large 
inventories of information collections, prominent privacy issues, and 
varied missions. We also obtained expert perspective through the use of 
an expert panel convened for us by the National Academy of Sciences. We 
conducted our work for this performance audit in accordance with 
generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives. 

Today, after a brief summary of the laws and guidance currently in 
place, my remarks will focus on key results of our review of their 
sufficiency in governing the government's collection and use of 
personal information. 

Results in Brief: 

Although the Privacy Act, the E-Government Act, and related OMB 
guidance set minimum requirements for agencies, they may not 
consistently protect personally identifiable information in all 
circumstances of its collection and use throughout the federal 
government and may not fully adhere to key privacy principles. Based on 
discussions with privacy experts and agency officials, as well as 
analysis of laws and related guidance, we identified issues in three 
major areas: 

Applying privacy protections consistently to all federal collection and 
use of personal information: The Privacy Act's definition of a "system 
of records" (any grouping of records containing personal information 
retrieved by individual identifier), which sets the scope of the act's 
protections, does not always apply whenever personal information is 
obtained and processed by federal agencies. For example, if agencies do 
not retrieve personal information by identifier, the act's protections 
do not apply. Our 2003 report concerning compliance with the Privacy 
Act found that among the agencies surveyed, the most frequently cited 
reason for systems not being considered Privacy Act systems of records 
was that the agency did not use a personal identifier to retrieve the 
information.[Footnote 6] Factors such as these have led experts to 
agree that the Privacy Act's system-of-records construct is too 
narrowly defined. An alternative for addressing these issues could 
include revising the system-of-records definition to cover all 
personally identifiable information collected, used, and maintained 
systematically by the federal government. 

Ensuring that use of personally identifiable information is limited to 
a stated purpose: According to the purpose specification and use 
limitation principles, the use of personal information should be 
limited to a specified purpose. Yet current laws and guidance impose 
only modest requirements for describing the purposes for personal 
information and limiting how it is used. For example, agencies are not 
required to be specific in formulating purpose descriptions in their 
public notices. While purpose statements for certain law enforcement 
and antiterrorism systems might need to be phrased broadly enough so as 
not to reveal investigative techniques or the details of ongoing cases, 
very broadly defined purposes could allow for unnecessarily broad 
ranges of uses, thus calling into question whether meaningful 
limitations had been imposed. Examples of alternatives for addressing 
these issues include setting specific limits on the use of information 
within agencies and requiring agencies to establish formal agreements 
with external governmental entities before sharing personally 
identifiable information with them. 

Establishing effective mechanisms for informing the public about 
privacy protections: According to the openness principle, the public 
should be informed about privacy policies and practices, and the 
accountability principle calls for those who control the collection or 
use of personal information to be held accountable for taking steps to 
ensure privacy protection. Public notices are a primary means of 
establishing accountability for privacy protections and giving 
individuals a measure of control over the use of their personal 
information. Yet concerns have been raised that Privacy Act notices may 
not serve this function well. Although the Federal Register is the 
government's official vehicle for issuing public notices, critics have 
questioned whether system-of-records notices published in the Federal 
Register effectively inform the public about government uses of 
personal information. Among others, options for addressing concerns 
about public notices could include setting requirements to ensure that 
purpose, collection limitations, and use limitations are better 
addressed in the content of privacy notices, and revising the Privacy 
Act to require that all notices be published on a standard Web site, 
with an address such as www.privacy.gov. 

Some of these issues--particularly those dealing with limitations on 
use and mechanisms for informing the public--could be addressed by OMB 
through revisions or supplements to guidance. However, unilateral 
actions by OMB would not have the benefit of public deliberations 
regarding how best to achieve an appropriate balance between the 
government's need to collect, process, and share personally 
identifiable information and the rights of individuals to know about 
such collections and be assured that they are only for limited purposes 
and uses. In assessing such a balance, we suggested that Congress 
consider amending applicable laws, such as the Privacy Act and the 
E-Government Act, according to the alternatives outlined in the report, 
including: 

* revising the scope of the laws to cover all personally identifiable 
information collected, used, and maintained by the federal government; 

* setting requirements to ensure that the collection and use of 
personally identifiable information is limited to a stated purpose; 
and: 

* establishing additional mechanisms for informing the public about 
privacy protections by revising requirements for the structure and 
publication of public notices. 

In commenting on a draft of our report OMB officials noted that they 
shared our concerns about privacy and listed guidance that the agency 
has issued in the areas of privacy and information security. The 
officials stated that they believe it would be important for Congress 
to consider potential amendments to the Privacy Act and the 
E-Government Act in the broader context of the several privacy statutes 
that Congress has enacted. 

Though we did not make specific recommendations to OMB, the agency 
provided comments on the alternatives identified in conjunction with 
our matter for congressional consideration. Regarding alternatives for 
revising the scope of laws to cover all personally identifiable 
information collected, used, and maintained by the federal government, 
OMB stated that it would be important for Congress to evaluate fully 
the potential implications of revisions such as amending the Privacy 
Act's system-of-records definition. We believe that, given that the 
Privacy Act's controls on the collection, use, and disclosure of 
personally identifiable information do not consistently protect such 
information in all circumstances of its collection and use throughout 
the federal government, amending the act's definition of a system of 
records is an important alternative for Congress to consider. However, 
we agree with OMB that such consideration should be thorough and 
include further public debate on all relevant issues. 

Background: 

In response to growing concern about the harmful consequences that 
computerized data systems could have on the privacy of personal 
information, in 1972 the Secretary of Health, Education, and Welfare 
commissioned an advisory committee to examine to what extent 
limitations should be placed on the application of computer technology 
to record keeping about people. The committee's final report proposed a 
set of principles for protecting the privacy and security of personal 
information, known as the Fair Information Practices.[Footnote 7] These 
practices were intended to address what the committee termed a poor 
level of protection afforded to privacy under then-existing law, and 
they underlie the major provisions of the Privacy Act, which was 
enacted the following year. A revised version of the Fair Information 
Practices was developed in 1980 by the Organization for Economic 
Cooperation and Development (OECD) and has been widely adopted. 
[Footnote 8] This version of the principles was reaffirmed by OECD 
ministers in a 1998 declaration and further endorsed in a 2006 OECD 
report.[Footnote 9] The OECD version of the principles is shown in 
table 1. 

Table 1: The Fair Information Practices: 

Principle: Collection limitation; 
Description: The collection of personal information should be limited, 
should be obtained by lawful and fair means, and, where appropriate, 
with the knowledge or consent of the individual. 

Principle: Data quality; 
Description: Personal information should be relevant to the purpose for 
which it is collected, and should be accurate, complete, and current as 
needed for that purpose. 

Principle: Purpose specification; 
Description: The purposes for the collection of personal information 
should be disclosed before collection and upon any change to that 
purpose, and its use should be limited to those purposes and compatible 
purposes. 

Principle: Use limitation; 
Description: Personal information should not be disclosed or otherwise 
used for other than a specified purpose without consent of the 
individual or legal authority. 

Principle: Security safeguards; 
Description: Personal information should be protected with reasonable 
security safeguards against risks such as loss or unauthorized access, 
destruction, use, modification, or disclosure. 

Principle: Openness; 
Description: The public should be informed about privacy policies and 
practices, and individuals should have ready means of learning about 
the use of personal information. 

Principle: Individual participation; 
Description: Individuals should have the following rights: to know 
about the collection of personal information, to access that 
information, to request correction, and to challenge the denial of 
those rights. 

Principle: Accountability; 
Description: Individuals controlling the collection or use of personal 
information should be accountable for taking steps to ensure the 
implementation of these principles. 

Source: Organization for Economic Cooperation and Development. 

[End of table] 

The Fair Information Practices are, with some variation, the basis of 
privacy laws and related policies in many countries, including the 
United States, Germany, Sweden, Australia, and New Zealand, as well as 
the European Union.[Footnote 10] They are also reflected in a variety 
of federal agency policy statements, beginning with an endorsement of 
the OECD principles by the Department of Commerce in 1981.[Footnote 11] 

The Fair Information Practices are not legal requirements but provide a 
framework of principles for balancing the need for privacy with other 
public policy interests, such as national security, law enforcement, 
and administrative efficiency. Striking that balance varies among 
countries and among types of information. 

Federal Laws and Guidance Govern Use of Personal Information in Federal 
Agencies: 

There is no single federal law that governs all use or disclosure of 
personal information. Instead, U.S. law includes a number of separate 
statutes that provide privacy protections for information used for 
specific purposes or maintained by specific entities. The major 
requirements for the protection of personal information by federal 
agencies come from two laws: the Privacy Act of 1974 and the privacy 
provisions of the E-Government Act of 2002. 

The Privacy Act places limitations on agencies' collection, disclosure, 
and use of personal information maintained in systems of records. The 
act describes a "record" as any item, collection, or grouping of 
information about an individual that is maintained by an agency and 
contains his or her name or another personal identifier. It also 
defines a "system of records" as a group of records under the control 
of any agency from which information is retrieved by the name of the 
individual or by an individual identifier. The Privacy Act requires 
that when agencies establish or make changes to a system of records, 
they must notify the public through a system-of-records notice in the 
Federal Register that identifies, among other things, the categories of 
data collected, the categories of individuals about whom information is 
collected, the intended "routine" uses of data, and procedures that 
individuals can use to review and correct personally identifiable 
information.[Footnote 12] 

Several provisions of the act require agencies to define and limit 
collection and use to predefined purposes. For example, the act 
requires that, to the greatest extent practicable, personal information 
should be collected directly from the subject individual when it may 
affect that individual's rights or benefits under a federal program. 
The act also requires that an agency inform individuals whom it asks to 
supply information of (1) the authority for soliciting the information 
and whether disclosure of such information is mandatory or voluntary; 
(2) the principal purposes for which the information is intended to be 
used; (3) the routine uses that may be made of the information; and (4) 
the effects on the individual, if any, of not providing the 
information. According to OMB, this requirement is based on the 
assumption that individuals should be provided with sufficient 
information about the request to make a decision about whether to 
respond. 

In handling collected information, agencies are generally required by 
the Privacy Act to, among other things, allow individuals to (1) review 
their records (meaning any information pertaining to them that is 
contained in the system of records), (2) request a copy of their record 
or information from the system of records, and (3) request corrections 
to their information. 

Agencies are allowed to claim exemptions from some of the provisions of 
the Privacy Act if the records are used for certain purposes. For 
example, records compiled by law enforcement agencies for criminal law 
enforcement purposes can be exempt from a number of provisions, 
including (1) the requirement to notify individuals of the purposes and 
uses of the information at the time of collection and (2) the 
requirement to ensure the accuracy, relevance, timeliness, and 
completeness of records. A broader category of investigative records 
compiled for criminal or civil law enforcement purposes can also be 
exempted from a somewhat smaller number of Privacy Act provisions, 
including the requirement to provide individuals with access to their 
records and to inform the public of the categories of sources of 
records. In general, the exemptions for law enforcement purposes are 
intended to prevent the disclosure of information collected as part of 
an ongoing investigation that could impair the investigation or allow 
those under investigation to change their behavior or take other 
actions to escape prosecution. 

In 2002, Congress enacted the E-Government Act to, among other things, 
enhance protection for personal information in government information 
systems or information collections by requiring that agencies conduct 
privacy impact assessments, which are analyses of how personal 
information is collected, stored, shared, and managed in a federal 
system. 

In addition, the Paperwork Reduction Act applies to federal information 
collections and was designed to help ensure that when the government 
asks the public for information, the burden of providing this 
information is as small as possible and the information itself is used 
effectively.[Footnote 13] Among the act's provisions is the requirement 
that agencies not establish information collections without having them 
approved by OMB, and that before submitting them for approval, 
agencies' chief information officers certify that the collections meet 
10 specified standards. The law also requires agencies both to publish 
notices in the Federal Register and to otherwise consult with the 
public about their planned collections. 

Privacy is also addressed in the legal framework for the emerging 
information sharing environment. As directed by the Intelligence Reform 
and Terrorism Prevention Act of 2004, the administration has taken 
steps, beginning in 2005, to establish an information sharing 
environment to facilitate the sharing of terrorism-related 
information.[Footnote 14] The move was driven by the recognition that 
before the attacks of September 11, 2001, federal agencies had been 
unable to effectively share information about suspected terrorists and 
their activities. In addressing this problem, the National Commission 
on Terrorist Attacks Upon the United States (9/11 Commission) 
recommended that the sharing and uses of information be guided by a set 
of practical policy guidelines that would simultaneously empower and 
constrain officials, closely circumscribing what types of information 
they would be permitted to share as well as the types of information 
they would need to protect. Exchanging terrorism-related information 
continues to be a significant challenge for federal, state, and local 
governments--one that we recognize is not easily addressed. 
Accordingly, since January 2005, we have designated information sharing 
for homeland security a high-risk area.[Footnote 15] 

Other federal laws address privacy protection for personal information 
with respect to information security requirements, as well as for 
certain types of information, such as when taxpayer, statistical, or 
health information is involved. This includes the Federal Information 
Security Management Act (FISMA), which addresses the protection of 
personal information by defining federal requirements for securing 
information and information systems that support federal agency 
operations and assets; the Health Insurance Portability and 
Accountability Act of 1996, which addresses the use and disclosure of 
individual health information; the Confidential Information Protection 
and Statistical Efficiency Act, which limits the use of information 
gathered for statistical purposes; and laws governing the disclosure of 
taxpayer data collected by the Internal Revenue Service. 

OMB Has Primary Responsibility for Oversight of the Privacy, 
E-Government, and Paperwork Reduction Acts: 

The Privacy Act gives OMB responsibility for developing guidelines and 
providing "continuing assistance to and oversight of" agencies' 
implementation of the Privacy Act. The E-Government Act of 2002 also 
assigns OMB responsibility for developing privacy impact assessment 
guidance and ensuring agency implementation of the privacy impact 
assessment requirement. In July 1975, OMB published guidance for 
implementing the provisions of the Privacy Act. Since then, OMB has 
periodically issued additional guidance, including guidance to assist 
agencies in complying with the Computer Matching and Privacy Protection 
Act[Footnote 16] and guidance to agencies on conducting privacy impact 
assessments. 

In 1980, the enactment of the Paperwork Reduction Act made virtually 
all federal agency information collection activities subject to OMB 
review and established broad objectives for OMB oversight of the 
management of federal information resources. The act established the 
Office of Information and Regulatory Affairs within OMB and gave this 
office a variety of oversight responsibilities over federal information 
functions, including general information policy, reduction of paperwork 
burden, and information privacy. To assist agencies in fulfilling their 
responsibilities under the act, OMB took various steps. It issued a 
regulation[Footnote 17] and provided agencies with instructions on 
filling out a standard form for submissions and providing supporting 
statements. 

OMB has also periodically issued guidance on other privacy-related 
issues, including: 

* federal agency Web site privacy policies; 

* interagency sharing of personal information; 

* designation of senior staff responsible for privacy; and 

* data breach notification. 

Prior GAO Reports Have Identified Privacy Challenges at Federal 
Agencies: 

We have previously reported on a number of agency-specific and 
governmentwide privacy-related issues at federal agencies. For example, 
in 2003, we reported that agencies generally did well with certain 
aspects of the Privacy Act's requirements--such as issuing systems-of-
records notices when required--but did less well at other requirements, 
such as ensuring that information is complete, accurate, relevant, and 
timely before it is disclosed to a nonfederal organization.[Footnote 
18] In discussing this uneven compliance, agency officials reported the 
need for additional OMB leadership and guidance to assist in difficult 
implementation issues in a rapidly changing environment. For example, 
officials had questions about the act's applicability to electronic 
records. We have also reported on key privacy challenges facing federal 
agencies, federal Web site privacy, notification of individuals in the 
event of a data breach, and government data-mining initiatives. 

Key Terms in the Privacy Act May Be Defined Too Narrowly: 

Because the Privacy Act's controls on the collection, use, and 
disclosure of personally identifiable information only apply when such 
information is covered by the act's key terms, especially the "system-
of-records" construct, they do not consistently protect such 
information in all circumstances of its collection and use throughout 
the federal government. There are several different ways in which 
federal collection and use of personally identifiable information could 
be outside of such a construct and thus not receive the Privacy Act's 
protections, as shown by the following examples: 

* Personally identifiable information held by the government is not 
always retrieved by identifier. The Privacy Act defines a system of 
records as "a group of records"[Footnote 19] that is "under the control 
of any agency from which information is retrieved by the name of the 
individual or by some identifying number, symbol, or other identifying 
particular assigned to the individual." If personally identifiable 
information (records) is not retrieved by identifier but instead 
accessed through some other method or criteria--for example, by 
searching for all individuals who have a certain medical condition or 
who applied for benefits on a certain date--the system would not meet 
the Privacy Act's system-of-records definition and therefore would not 
be governed by the act's protections. OMB's 1975 Privacy Act 
implementation guidance reflects an acknowledgement that agencies could 
potentially evade the act's requirements by organizing personal 
information in ways that may not be considered to be retrieved by 
identifier. 

In our 2003 report concerning compliance with the Privacy Act, we found 
that the increasing use of electronic records by federal agencies 
resulted in personal information falling outside the scope of Privacy 
Act protections. A key characteristic of agencies' systems of records 
at the time was that a large proportion of them were electronic, 
reflecting the government's significant use of computers and the 
Internet to collect and share personal information. Based on survey 
responses from 25 agencies in 2002, we estimated that 70 percent of the 
agencies' systems of records contained electronic records and that 11 
percent of information systems in use at those agencies contained 
personal information that was outside a Privacy Act system of records. 
We also reported that among the agencies we surveyed, the most 
frequently cited reason for systems not being considered Privacy Act 
systems of records was that the agency did not use a personal 
identifier to retrieve the personal information.[Footnote 20] 

* The Privacy Act's protections may not apply to contemporary data 
processing technologies and applications. In today's highly 
interconnected environment, information can be gathered from many 
different sources, analyzed, and redistributed in very dynamic, 
unstructured ways that may have little to do with the file-oriented 
concept of a Privacy Act system of records. For example, data mining, a 
prevalent technique used by federal agencies for extracting useful 
information from large volumes of data, may escape the purview of the 
Privacy Act's protections.[Footnote 21] Specifically, a data-mining 
system that performs analysis by looking for patterns in personal 
information located in other systems of records or that performs 
subject-based queries across multiple data sources may not constitute a 
system of records under the act. 

In recent years, reports required by law on data mining have described 
activities that had not been identified as systems of records covered 
by the Privacy Act. In one example, DHS reported that all the data 
sources for the planned Analysis Dissemination Visualization Insight 
and Semantic Enhancement (ADVISE) data mining program were covered by 
existing system-of-records notices; however, the system itself was not 
covered, and no system of records notice was created specifically to 
document protections under the Privacy Act governing the specific 
activities of the system.[Footnote 22] ADVISE was a data-mining tool 
intended to allow an analyst to search for patterns in data--such as 
relationships among people, organizations, and events--and to produce 
visual representations of those patterns. 

As a result, personally identifiable information collected and 
processed by such systems may be less well protected than if it were 
more specifically addressed by the Privacy Act. 

The issues associated with the coverage of the Privacy Act's 
protections could be addressed by revising the system-of-records 
definition to cover all personally identifiable information collected, 
used, and maintained by the federal government. Experts at our forum 
were in agreement that the system-of-records definition is outdated and 
flawed and that the act's protections should be applied whenever 
agencies obtain, process, store, or share personally identifiable 
information--not just when records are retrieved by personal 
identifier. Changing the system-of-records definition is an option that 
could help ensure that the act's protections are consistently applied 
to all personally identifiable information. 

The Privacy Act Does Not Ensure that the Use of Personal Information Is 
Limited to Clearly Stated Purposes: 

The fair information practices' purpose specification principle states 
that the purpose for the collection of personal information should be 
disclosed before the collection is made and upon any change to that 
purpose, while the use limitation principle provides that personal 
information, once collected, should not be disclosed or used for other 
than its specified purpose without consent of the individual or legal 
authority. When the government is required to define a specific purpose 
for the collection of personal information and limit its use to that 
purpose, individuals gain assurance that their privacy will be 
protected and their information will not be used in ways that could 
jeopardize their rights or otherwise unfairly affect them. 

The Privacy Act requires agencies to (1) inform individuals from whom 
information is being collected of the principal purpose or purposes for 
which the information is intended to be used and (2) publish a system-
of-records notice in the Federal Register of the existence and 
character of the system of records, including planned routine uses of 
the records and the purpose of each of these routine uses. Concerns 
have been raised, however, that these requirements do not go far enough 
in ensuring that the government's planned purposes are sufficiently 
specified and that the use of information is limited to these purposes: 

* Purpose descriptions in public notices are not required to be 
specific. While there is no requirement for an overall statement of 
purpose, Privacy Act notices may contain multiple descriptions of 
purposes associated with routine uses, and agencies are not required to 
be specific in formulating these purposes. OMB guidance on the act 
gives agencies discretion to determine how to define the range of 
appropriate uses and associated purposes that they intend for a given 
system of records. While purpose statements for certain law enforcement 
and anti-terrorism systems might need to be phrased broadly enough so 
as not to reveal investigative techniques or the details of ongoing 
cases, very broadly defined purposes could allow for unnecessarily 
broad ranges of uses, thus calling into question whether meaningful 
limitations had been imposed. 

* Unconstrained application of predefined "routine" uses may weaken use 
limitations. A number of concerns have been raised about the impact on 
privacy of potentially unnecessary routine uses for agency systems of 
records, particularly through the application of "standard" routine 
uses that are developed for general use on multiple systems of records. 
This practice is not prohibited by the Privacy Act. All six agencies we 
reviewed had lists of standard routine uses for application to their 
systems of records. However, the language of these standard routine 
uses varies from agency to agency. For example, several agencies have a 
routine use allowing them to share information about individuals with 
other governmental entities for purposes of decision-making about 
hiring or retention of an individual, issuance of a security clearance, 
license, contract, grant, or other benefit. Experts expressed concern 
that "standard" routine uses such as these vary to such a great extent 
from agency to agency, with no specific legal requirement that they be 
formulated consistently. 

The Privacy Act sets only modest limits on the use of personal 
information for multiple purposes within an agency. The Privacy Act 
permits disclosures from agency systems of records "to those officers 
and employees of the agency which maintains the record who have a need 
for the record in the performance of their duties." However, without 
additional limits, internal uses could go beyond uses related to the 
purpose of the original collection. In our interviews with senior 
agency privacy officials, we asked what, if any, limits were placed on 
internal agency uses of information. Several agencies responded that, 
consistent with the Privacy Act and OMB guidance, internal agency usage 
of personal information was limited to those personnel with a "need to 
know." However, because the Privacy Act and related guidance do not 
require it, none of these agencies took steps to determine whether 
internal uses were consistent with the purposes originally stated for 
the collection of information. The potential that personal information 
could be used for multiple, unspecified purposes is especially 
heightened in large agencies with multiple components that may collect 
personal information in many different ways for disparate purposes. 

The Privacy Act's provisions may not apply when data are shared for use 
by another agency. In addition to concerns about limiting use to a 
specified purpose within an agency, more extensive issues have been 
raised when data are shared outside an agency. Although the Privacy Act 
provides assurance that the information in systems of records cannot be 
disclosed unless it is pursuant to either a routine use or another 
statutorily allowed condition, the act does not attach its protections 
to data after they have been disclosed. As data sharing among agencies 
becomes central to the sharing of terrorism-related information, 
measures to ensure that data are being used appropriately will become 
more important. Despite not being required to do so, agencies we 
reviewed reported taking measures to ensure the data are used 
appropriately by recipients. However, in the absence of such measures, 
data shared outside federal agencies would not always have sufficient 
protections. 

To better confine agencies' use of personal information to its 
specified purposes, laws or guidance could be revised to (1) require 
agencies to justify the use of key elements of personal information, 
(2) set specific limits on routine uses and internal agency uses of 
personal information, and (3) require agencies to establish formal 
agreements with external entities before sharing personal information 
with them. 

The Privacy Act May Not Include Effective Mechanisms for Informing the 
Public: 

A primary method for providing transparency about government programs 
and systems that collect and use personal information is through public 
written notices. A clear and effective notice can provide individuals 
with critical information about what personal data are to be collected, 
how they are to be used, and the circumstances under which they may be 
shared. An effective notice can also provide individuals with 
information they need to determine whether to provide their personal 
information (if voluntary), or who to contact to correct any errors 
that could result in an adverse determination about them. 

In formal terms, the openness principle states that the public should 
be informed about privacy policies and practices and that individuals 
should have a ready means of learning about the use of personal 
information. The openness principle underlies the public notice 
provisions of the Privacy Act. Specifically, the Privacy Act requires 
agencies to publish in the Federal Register, "upon establishment or 
revision, a notice of the existence and character of a system of 
records." This notice is to include, among other things, the categories 
of records in the system as well as the categories of sources of 
records. The notice is also required to explain agency procedures 
whereby an individual can gain access to any record pertaining to him 
or her contained in the system of records and contest its content. 
Agencies are further required to publish notice of any new use or 
intended use of the information in the system and provide an 
opportunity for interested persons to submit written data, views, or 
arguments to the agency.[Footnote 23] 

However, experts at our forum as well as agency privacy officials 
questioned the value of system-of-records notices as vehicles for 
providing information to the general public for several reasons: 

* System-of-records notices may be difficult to understand. As with 
other legally required privacy notices, system-of-records notices have 
been criticized as hard to read and understand. To the lay reader, the 
meaning of "routine" uses may be unclear, or a list of exemptions could 
raise more questions than it answers. Agency privacy officials and 
privacy experts at our forum both agreed that system-of-records notices 
have limited value as vehicles for public notification. 

* System-of-records notices do not always contain complete and useful 
information about privacy protections. They often describe purposes and 
uses in such broad terms that it becomes questionable whether those 
purposes and uses have been significantly limited. Likewise, broad 
purpose statements may not usefully inform the public of the 
government's intended purposes, and the citation of multiple routine 
uses does little to aid individuals' understanding of how the 
government is using their personal information. The Privacy Act does 
not require agencies to be specific in describing the purposes 
associated with routine uses of personal information or to publish all 
expected internal agency uses of that information. 

* Publication in the Federal Register may reach only a limited 
audience. Agency privacy officials questioned whether the required 
publication of system-of-records notices in the Federal Register would 
be useful to a broader audience than federal agency officials and 
public interest groups, such as privacy advocacy groups. Notices 
published in the Federal Register may not be very accessible and 
readable. The Federal Register Web site does not provide a ready means 
of determining what system-of-records notices are current, when they 
were last updated, or which ones apply to any specific governmental 
function. Officials agreed that it can be difficult to locate a 
system-of-records notice on the Federal Register Web site, even when the name 
of the relevant system of records is known in advance. Privacy experts 
at our forum likewise agreed that the Federal Register is probably not 
effective with the general public and that a more effective technique 
for reaching a wide audience in today's environment is via consolidated 
publication on a governmentwide Web site devoted to privacy. Both 
agency officials and privacy experts also agreed, however, that the 
Federal Register serves a separate but important role as the official 
public record of federal agencies and as the official basis for 
soliciting comments from the public on proposed systems of records. 

Based on discussions with privacy experts, agency officials, and 
analysis of laws and related guidance, a number of options exist for 
improving public notice regarding federal collection and use of 
personal information: 

* Require layered public notices in conjunction with system-of-records 
notices. Layering involves providing only the most important summary 
facts up front--often in a graphically oriented format--followed by 
one or more lengthier, more narrative versions. By offering both types 
of notices, the benefits of each can be realized: long notices offer 
completeness, while brief notices offer ease of understanding. 

* Set requirements to ensure that purpose, collection limitations, and 
use limitations are better addressed in the content of privacy notices. 
These could include requirements for a specific description of the 
planned purpose of a system, what data needs to be collected to serve 
that purpose, and how its use will be limited to that purpose, 
including descriptions of primary and secondary uses of information. 
Setting these requirements could spur agencies to prepare notices that 
include more meaningful descriptions of the intents and purposes of 
their systems of records. 

* Make all notices available on a governmentwide privacy Web site. 
Relevant privacy notices could be published at a central governmentwide 
location, with an address such as www.privacy.gov, and at corresponding 
standard locations on agency Web sites with addresses of the form 
www.agency.gov/privacy. These sites have the potential to reach a far 
broader spectrum of users than the Federal Register. 

Amending Privacy Laws Could Address Gaps and Shortcomings in Privacy 
Protections: 

In summary, current laws and guidance governing the federal 
government's collection, use, and disclosure of personal information 
have gaps and other potential shortcomings in three broad categories: 
(1) the Privacy Act and E-Government Act do not always provide 
protections for federal uses of personal information, (2) laws and 
guidance may not effectively limit agency collection and use of 
personal information to specific purposes, and (3) the Privacy Act may 
not include effective mechanisms for informing the public. 

In assessing the appropriate balance between the needs of the federal 
government to collect personally identifiable information for 
programmatic purposes and the assurances that individuals should have 
that their information is being sufficiently protected and properly 
used, Congress should consider amending applicable laws, such as the 
Privacy Act and the E-Government Act, according to the alternatives 
outlined in our report, including: 

* revising the scope of the laws to cover all personally identifiable 
information collected, used, and maintained by the federal government; 

* setting requirements to ensure that the collection and use of 
personally identifiable information is limited to a stated purpose; 
and 

* establishing additional mechanisms for informing the public about 
privacy protections by revising requirements for the structure and 
publication of public notices. 

In commenting on a draft of our report, OMB officials noted that they 
shared our concerns about privacy and stated they believe it would be 
important for Congress to consider potential amendments to the Privacy 
Act and the E-Government Act in the broader context of all existing 
privacy and related laws that Congress has enacted. 

Though we did not make specific recommendations to OMB, the agency 
provided comments on the alternatives identified in conjunction with 
our matter for Congressional consideration. Regarding alternatives for 
revising the scope of laws to cover all personally identifiable 
information collected, used, and maintained by the federal government, 
OMB stated that it would be important for Congress to evaluate fully 
the potential implications of revisions such as amending the Privacy 
Act's system-of-records definition. We believe that, given that the 
Privacy Act's controls on the collection, use, and disclosure of 
personally identifiable information do not consistently protect such 
information in all circumstances of its collection and use throughout 
the federal government, amending the act's definition of a system of 
records is an important alternative for Congress to consider. 

We agree with OMB, however, that any amendments to the Privacy Act and 
E-Government Act should be considered thoroughly and within the 
context of all existing laws. Further, the challenge of how 
best to balance the federal government's need to collect and use 
information with individuals' privacy rights in the current 
technological and political environment merits a national public debate 
on all relevant issues, including the alternatives I have highlighted 
today. 

Mr. Chairman, this concludes my testimony today. I would be happy to 
answer any questions you or other members of the committee may have. 

Contacts and Acknowledgements: 

If you have any questions concerning this testimony, please contact 
Linda D. Koontz, Director, Information Management, at (202) 512-6240, 
or [email protected]. Other individuals who made key contributions 
include John de Ferrari (Assistant Director), Susan Czachor, Nancy 
Glover, Lee McCracken, David Plocher, and Jamie Pressman. 

[End of testimony] 

Footnotes: 

[1] For purposes of this testimony, the terms personal information and 
personally identifiable information are used interchangeably to refer 
to any information about an individual maintained by an agency, 
including (1) any information that can be used to distinguish or trace 
an individual's identity, such as name, Social Security number, date 
and place of birth, mother's maiden name, or biometric records; and (2) 
any other information that is linked or linkable to an individual, such 
as medical, educational, financial, and employment information. 

[2] In addition, the Paperwork Reduction Act, enacted in 1980 and 
significantly revised in 1995, also has provisions affecting privacy 
protection in that it sets requirements for limiting the collection of 
information from individuals, including personal information. While the 
act's requirements are aimed at reducing the paperwork burden on 
individuals rather than specifically protecting personally identifiable 
information, the act nevertheless serves an important role in 
protecting privacy by setting these controls. 

[3] A privacy impact assessment is an analysis of how personal 
information is collected, stored, shared, and managed in an information 
system. 

[4] Congress used the committee's final report as a basis for crafting 
the Privacy Act of 1974. See U.S. Department of Health, Education, and 
Welfare, Records, Computers, and the Rights of Citizens: Report of the 
Secretary's Advisory Committee on Automated Personal Data Systems 
(Washington, D.C.: July 1973). 

[5] GAO, Privacy: Alternatives Exist for Enhancing Protection of 
Personally Identifiable Information, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-08-536] (Washington, D.C.: May 19, 2008). 

[6] GAO, Privacy Act: OMB Leadership Needed to Improve Agency 
Compliance, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-304] 
(Washington, D.C.: June 30, 2003). 

[7] U.S. Department of Health, Education, and Welfare, Records, Computers, 
and the Rights of Citizens: Report of the Secretary's Advisory Committee on 
Automated Personal Data Systems (Washington, D.C.: July 1973). 

[8] OECD, Guidelines on the Protection of Privacy and Transborder Flow 
of Personal Data (Sept. 23, 1980). The OECD plays a prominent role in 
fostering good governance in the public service and in corporate 
activity among its 30 member countries. It produces internationally 
agreed-upon instruments, decisions, and recommendations to promote 
rules in areas where multilateral agreement is necessary for individual 
countries to make progress in the global economy. 

[9] OECD, Making Privacy Notices Simple: An OECD Report and 
Recommendations (July 24, 2006). 

[10] European Union Data Protection Directive ("Directive 95/46/EC of 
the European Parliament and of the Council of 24 October 1995 on the 
Protection of Individuals with Regard to the Processing of Personal 
Data and the Free Movement of Such Data") (1995). 

[11] "Report on OECD Guidelines Program," Memorandum from Bernard 
Wunder, Jr., Assistant Secretary for Communications and Information, 
Department of Commerce (Oct. 30, 1981). 

[12] Under the Privacy Act of 1974, the term "routine use" means (with 
respect to the disclosure of a record) the use of such a record for a 
purpose that is compatible with the purpose for which it was collected. 
5 U.S.C. § 552a(a)(7). 

[13] The Paperwork Reduction Act was originally enacted into law in 
1980 (Pub. L. No. 96-511, Dec. 11, 1980). It was reauthorized with 
minor amendments in 1986 (Pub. L. No. 99-591, Oct. 30, 1986) and was 
reauthorized a second time with more significant amendments in 1995 
(Pub. L. No. 104-13, May 22, 1995). 

[14] Pub. L. No. 108-458 (Dec. 17, 2004). 

[15] For more information, see GAO, High-Risk Series: An Update, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-310] (Washington, 
D.C.: January 2007), p. 47, and Information Sharing: The Federal 
Government Needs to Establish Policies and Processes for Sharing 
Terrorism-Related and Sensitive but Unclassified Information, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-385] (Washington, 
D.C.: Mar. 17, 2006). 

[16] In 1988, Congress passed the Computer Matching and Privacy 
Protection Act as an amendment to the Privacy Act, to establish 
procedural safeguards that affect agencies' use of Privacy Act records 
from benefit programs in performing certain types of computerized 
matching programs. For example, the 1988 act requires agencies to 
create written agreements specifying the terms under which matches are 
to be done. 

[17] 5 C.F.R. Part 1320. 

[18] GAO, Privacy Act: OMB Leadership Needed to Improve Agency 
Compliance, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-304] 
(Washington, D.C.: June 30, 2003). 

[19] A record is defined as "any item, collection, or grouping of 
information about an individual that is maintained by an agency, 
including, but not limited to, his education, financial transactions, 
medical history, and criminal or employment history and that contains 
his name, or the identifying number, symbol, or other identifying 
particular assigned to the individual, such as a finger or voice print 
or a photograph." 

[20] GAO, Privacy Act: OMB Leadership Needed to Improve Agency 
Compliance, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-304] 
(Washington, D.C.: June 30, 2003). 

[21] GAO, Data Mining: Federal Efforts Cover a Wide Range of Uses, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-548] (Washington, 
D.C.: May 4, 2004). 

[22] The DHS Privacy Office determined that because the data mining 
applications did not involve retrieval by individual identifier, a 
separate system of records notice describing the data mining 
application was not required. DHS Privacy Office, ADVISE Report: DHS 
Privacy Office Review of the Analysis, Dissemination, Visualization, 
Insight, and Semantic Enhancement (ADVISE) Program (Washington, D.C., 
July 11, 2007). 

[23] The Privacy Act allows agencies to claim exemptions if the records 
are used for certain purposes, such as criminal law enforcement. See 
the earlier discussion on pp. 9-10. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 
441 G Street NW, Room LM 
Washington, D.C. 20548 

To order by Phone: 
Voice: (202) 512-6000 
TDD: (202) 512-2537 
Fax: (202) 512-6061 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm] 
E-mail: [email protected] 
Automated answering system: (800) 424-5454 or (202) 512-7470 

Congressional Relations: 

Ralph Dawn, Managing Director, [email protected] 
(202) 512-4400 
U.S. Government Accountability Office 
441 G Street NW, Room 7125 
Washington, D.C. 20548 

Public Affairs: 

Chuck Young, Managing Director, [email protected] 
(202) 512-4800 
U.S. Government Accountability Office 
441 G Street NW, Room 7149 
Washington, D.C. 20548 

*** End of document. ***