Congressional investigators say they can’t assure the public that individuals’ personal data is being adequately protected from unauthorized reading, alteration or disclosure.
In a survey of 25 federal agencies and departments, the General Accounting Office, the investigative arm of Congress, found a lack of compliance with the federal Privacy Act of 1974 significant enough to conclude “the government cannot assure the public that individual privacy rights are being protected.”
The Privacy Act regulates how federal agencies may use the personal information that individuals supply when obtaining government services – like applying for a small business loan – or paying taxes.
According to the GAO report, one in four agencies surveyed, or 29 percent, did not have procedures to ensure that personal data about individuals they disclosed to non-federal organizations was complete, accurate, relevant and timely, as required by the law.
“This report should give Congress a good reason to reconsider building yet another database of citizen information,” commented Twila Brase, president of Citizens’ Council on Health Care, in a reference to the proposed National Patient Safety Database now under consideration in Congress. CCHC is an independent, non-profit patients’ rights advocate.
“Federal agencies are not following the law and, as a result, the personal data of citizens may be improperly collected and poorly protected,” Brase adds, “One system of records holds data on 290 million people. If that system happens to be one of the systems that’s out of compliance, the privacy rights of every citizen have already been violated, perhaps many times.”
For the third time in four years, the GAO criticized the Office of Management and Budget, the agency responsible for enforcing the Privacy Act, faulting it for not responding to earlier recommendations in 2000 and 2001 and long-standing agency requests for updated guidance on the law.
Senior privacy officials from the agencies who attended a GAO forum acknowledged the uneven level of compliance and cited several problems with OMB. These included a lack of leadership, oversight and guidance on implementation of the Act with respect to electronic records. The officials noted OMB places a low priority on compliance and subsequently provides insufficient training.
In a 10-page rebuttal letter included with the report, OMB administrators Mark Forman and John Graham said investigators’ conclusions “border on the reckless and irresponsible.”
Forman and Graham criticized the GAO for not determining whether compliance with the Privacy Act is “any more ‘uneven’ than is agency compliance with other government-wide statutes.”
The departments surveyed were Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Housing and Urban Development, Interior, Justice, Labor, State, Transportation, Treasury, and Veterans Affairs.
The agencies were The Small Business and Social Security administrations, Equal Employment Opportunity Commission, Federal Emergency Management Agency, Office of Personnel Management, National Science Foundation, Office of Government Ethics, Pension Benefit Guaranty Corp., Federal Trade Commission, Office of Special Counsel, and Securities and Exchange Commission.
Collectively, the departments and agencies account for 2,400 systems of records, of which 70 percent contain electronic records.
Among the other findings listed in the 82-page report:
- In 18 percent (432) of the systems of records, individuals have not been provided with full disclosure of the potential uses of their personal information before they provided it.
- In 18 percent (432) of the systems of records, there was no review of disclosures to ascertain whether data is being used outside the original purposes of the data collection.
- For 18 percent (432) of the systems of records, agencies did not assess security safeguards for the data.
- 21 percent (504) of the systems of records do not have the means to detect when persons, without authorization were reading, altering, disclosing, or destroying information.
- 14 percent (336) of the systems of records could not account for disclosures of personal information.
- 33 percent (8) of the agencies have not issued the required rules of conduct for employees as related to duties under the Privacy Act.
The GAO recommended that OMB direct agencies to correct compliance deficiencies, monitor compliance and reassess its guidance.
Sen. Joseph Lieberman, D-Conn., ranking member of the Governmental Affairs Committee, who requested the report, called on the Bush administration to “act quickly to strengthen privacy protections by committing more focused leadership and greater resources,” reports Newsbytes. He said people will never feel comfortable interacting with the government unless their personal information is kept private and secure.
Lieberman is seeking the Democratic nomination for president.
Related special offer: