Feds Lack Privacy Protection Safeguards

10 New Mobile Government Apps

Federal agencies are falling short in protecting personally identifiable information (PII) collected and used throughout the government, may not be adhering fully to key privacy principles, and may not be effectively notifying citizens about government use of personal information.

Those are key conclusions presented by Greg Wilshusen, director of information security issues with the Government Accountability Office (GAO), in written testimony for a hearing of the Senate Homeland Security subcommittee on oversight of government management, the federal workforce, and the District of Columbia.

Wilshusen recommended that Congress consider updating federal laws to reflect changes in how agencies collect and use personal information, and consider the appropriate balance between citizens' privacy and the government's need to collect that information. He also pointed to recurring problems in preventing data breaches and suggested that agencies need to act on guidance, issued by GAO, the Office of Management and Budget (OMB), and inspectors general at numerous agencies, to tighten their data security measures.

[ The feds are trying to cut down on the information private business collects about you. See FTC Sets Consumer Data Collection Limits. ]

The watchdog agency identified ongoing issues in three major areas.

First, the Privacy Act of 1974 established protections for personal information, but limited it to when the information is part of a "system of records" defined by the act. Changes in IT, however, allow agencies to retrieve information in ways that fall outside that definition. For instance, data-mining systems may retrieve information without using an identifier, something not covered by the Privacy Act.

"Factors such as these have led experts to agree that the Privacy Act's system-of-records construct is too narrowly defined," Wilshusen's statement read. "An alternative for addressing these issues could include revising the ... definition to cover all personally identifiable information collected, used, and maintained systematically by the federal government."

The second issue identified by GAO is ensuring that PII is used only for stated purposes. Current laws, including the E-Government Act of 2002 and guidance provided by OMB, set modest requirements for describing reasons for collecting personal information and how it will be used. For instance, Wilshusen said, agencies are not required to be specific in describing the purpose of information gathering in their public notices. While some law enforcement and anti-terrorism systems may need to use broad statements to keep from revealing details of open cases or investigative techniques, allowing unnecessarily broad purpose statements raise the question of whether meaningful limits are in place at all.

"Examples for alternatives for addressing these issues include setting specific limits on the use of information within agencies and requiring agencies to establish formal agreements with external government entities before sharing" PII, Wilshusen testified.

Finally, Wilshusen questioned the effectiveness of requiring agencies to publish notices in the Federal Register regarding the information they collect, the categories of individuals covered, and how the information will be used, among other things.

"An expert panel convened for GAO questioned whether system-of-records notices published in the Federal Register effectively inform the public about government uses of personal information," Wilshusen testified. He suggested alternatives such as revising the Privacy Act to require that privacy notices be published on a standard website.

In addition to the potential misuse of PII by government agencies, Wilshusen pointed to serious security breaches in federal IT systems that have jeopardized personal information. Over the past six years, incidents reported by agencies to US-CERT have increased nearly 680%, he said, from 5,503 incidents in fiscal 2006 to 42,887 in fiscal 2011. Of the incidents in 2011, more than 36% involved unauthorized disclosure of PII, he testified.

Wilshusen credited OMB for issuing extensive guidance to agencies on protecting PII, including the use of encryption to protect data and requirements to report security breaches and loss of or unauthorized access to PII. He noted that both GAO and inspectors general throughout the government "have made hundreds of recommendations to resolve similar previously identified significant control deficiencies.

Nonetheless, "it is unclear the extent to which all agencies, including smaller agencies such as the Federal Retirement [Thrift] Investment Board, are adhering to OMB's guidelines," he testified.