Privacy & Civil Liberties

Privacy Issues in Government Accountability Office Reports

Privacy: Federal Law Should Be Updated to Address Changing Technology Landscape (GAO-12-961T, July 2012) (22pp | 299kb | PDF) — "GAO was asked to provide a statement describing (1) the impact of recent technology developments on existing laws for privacy protection in the federal government and (2) actions agencies can take to protect against and respond to breaches involving personal information."

Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate (GAO-11-605, June 2011) (90pp | 2.6m | PDF) — "Federal agencies have been adapting commercially provided social media technologies to support their missions…[However] social media technologies present unique challenges and risks, and without establishing guidance and assessing risks specific to social media, agencies cannot be assured that they are adequately meeting their responsibilities to manage and preserve federal records, protect the privacy of personal information, and secure federal systems and information against threats."


OPM Should Better Monitor Implementation of Privacy-Related Policies and Procedures for Background Investigations (GAO-10-849, September 2010) (35pp | 75kb | PDF) — "FIS, a component of OPM, conducts background investigations using extensive amounts of PII. Specifically, FIS collects PII from the individual being investigated, government agencies holding relevant data on the subject, and contacts familiar with the subject of the investigation." "GAO is recommending that the Director of OPM (1) develop guidance for analyzing and mitigating privacy risks in privacy impact assessments, and (2) develop and implement oversight mechanisms for ensuring that investigators properly protect PII and that customer agencies adhere to agreed-upon privacy protection measures."


Identity Theft: Governments Have Acted to Protect Personally Identifiable Information, but Vulnerabilities Remain (GAO-09-759T, June 2009) (24pp | 302kb | PDF) — "The loss of personally identifiable information, such as an individual’s Social Security number, name, and date of birth, can result in serious harm, including identity theft.  Identity theft is a serious crime that impacts millions of individuals each year…. Despite efforts to prevent identity theft, vulnerabilities remain and can be grouped into several areas, including display and use of Social Security numbers, availability of personal information through information resellers, security weaknesses in federal agency information systems, and data security breaches…. GAO has reported that federal agencies continue to experience numerous security incidents that could leave sensitive personally identifiable information in federal records vulnerable to identity theft."


Food and Drug Administration Faces Challenges in Establishing Protections for Its Postmarket Risk Analysis System (GAO-09-355, June 2009) (79pp | 1.14m | PDF) — "FDA faces a number of key privacy and security challenges as it plans for the development of the Sentinel system…One major challenge will be ensuring that appropriate legal mechanisms are established to protect privacy and security consistently across all elements of the system, parts of which may be controlled by a variety of partner organizations. The variety of partners creates a complex legal environment in which existing privacy and security requirements may not apply to all participants. If adequate agreements and enforcement mechanisms are not established to ensure that a minimum set of standard requirements is applied consistently, there may be potential gaps in privacy and security protections. Establishing privacy and security requirements that apply consistently to all entities is key to ensuring that no particular entity with inadequate protections compromises the overall privacy and security of personal health information."


Freedom of Information Act: DHS Has Taken Steps to Enhance Its Program, but Opportunities Exist to Improve Efficiency and Cost-Effectiveness (GAO-09-260, March 2009) (38pp | 976kb | PDF) — "The Freedom of Information Act (FOIA) requires federal agencies to generally provide the public with access to government information.… DHS has taken steps to enhance its FOIA program. DHS developed an improvement plan that focused on eliminating its backlog of overdue requests, implementing enhanced training requirements, and deploying more advanced technology.… By implementing [GAO recommendations]—which are already being used by certain DHS components and other agencies—across major DHS components, the department could further reduce its backlog, increase efficiency, improve customer service, and respond to information requests in a more timely fashion." 


Alternatives Exist for Enhancing Protection of Personally Identifiable Information (GAO-08-536, May 2008) (77pp | 780kb | PDF) — "Increasingly sophisticated ways of obtaining and using personally identifiable information have raised concerns about the adequacy of the legal framework for privacy protection. Although the Privacy Act, the E-Government Act, and related guidance from the Office of Management and Budget set minimum privacy requirements for agencies, they may not consistently protect personally identifiable information in all circumstances… Based on discussions with privacy experts, agency officials, and analysis of laws and related guidance, GAO identified issues in three major areas:…[1.] applying privacy protections consistently to all federal collection and use of personal information…[2.] ensuring that collection and use of personally identifiable information is limited to a stated purpose; and…[3.] establishing effective mechanisms for informing the public about privacy protections."




Privacy: Government Use of Data from Information Resellers Could Include Better Protections (GAO-08-543T, March 2008) — "Agency practices for handling personal information acquired from information resellers did not always fully reflect the Fair Information Practices … For example, although agencies issued public notices when they systematically collected personal information, these notices did not always notify the public that information resellers were among the sources to be used. This practice is not consistent with the principle that individuals should be informed about privacy policies and the collection of information … The Federal Agency Data Protection Act was introduced on December 18, 2007. The legislation, among other things would require that agencies (1) conduct privacy impact assessments for their uses of commercial data, and (2) promulgate regulations concerning the use of commercial data brokers." (29 pp. PDF)


Protecting Personally Identifiable Information (GAO-08-343, January 2008) (34pp | 504kb | PDF) — "Two primary laws (the Privacy Act of 1974 and the E-Government Act of 2002) give federal agencies responsibilities for protecting personal information. Additionally, the Federal Information Security Management Act of 2002 (FISMA) requires agencies to implement programs to provide security for their information and information systems…. In the wake of recent incidents of security breaches involving personal data, OMB issued guidance in 2006 and 2007 reiterating agency responsibilities under these laws and technical guidance, drawing particular attention to the requirements associated with personally identifiable information…. Not all agencies had developed the range of policies and procedures reflecting OMB guidance on protection of personally identifiable information that is either accessed remotely or physically transported outside an agency’s secured physical perimeter…. Gaps in their policies and procedures reduced agencies’ ability to protect personally identifiable information from improper disclosure."


Social Security Numbers: Use is Widespread and Protection Could Be Improved (GAO-07-1023T, June 2007) (18pp | 258kb | PDF) — "In the private sector, certain entities, such as information resellers, collect SSNs from public sources, private sources, and their customers and use this information for identity verification purposes. In addition, banks, securities firms, telecommunication firms, and tax preparers engage in third party contracting, and consequently sometimes share SSNs with their contractors for limited purposes. Vulnerabilities persist in federal laws addressing SSN collection and use by private sector entities. In particular, we found variation in how different industries are covered by federal laws protecting individuals’ personal information….Vulnerabilities also exist in federal law and agency oversight for different industries that share SSNs with their contractors."


Lessons Learned about Data Breach Notification (GAO-07-65, April 2007) (78pp | 521kb | PDF) — "Based on the experience of VA and other federal agencies in responding to data breaches, GAO identified…lessons learned regarding how and when to notify government officials, affected individuals, and the public…These lessons have largely been addressed in guidance issued in 2006 from the Office of Management and Budget (OMB), which is responsible for overseeing security and privacy within the federal government. However, guidance to assist agency officials in making consistent risk-based determinations about when to offer credit monitoring or other protection services has not been developed. Without such guidance, agencies are likely to continue to make inconsistent decisions about what protections to offer affected individuals, potentially leaving some people more vulnerable than others." 


Preventing and Responding to Improper Disclosures of Personal Information (GAO-06-833T, June 2006) (27pp | 196kb | PDF) — "Agencies can take a number of actions to help guard against the possibility that databases of personally identifiable information are inadvertently compromised. Two key steps are as follows: [1.] Develop a privacy impact assessment… [and 2.] Ensure that a robust information security program is in place …. More specific practical measures aimed at preventing inadvertent data breaches include limiting the collection of personal information, limiting the time that such data are retained, limiting access to personal information and training personnel accordingly, and considering the use of technological controls such as encryption when data need to be stored on mobile devices….When data breaches do occur, notification to the individuals affected and/or the public has clear benefits, allowing people the opportunity to take steps to protect themselves against the dangers of identity theft."


Key Privacy Challenges Facing Federal Agencies (GAO-06-777T, May 2006) (26pp | 274kb | PDF) — "While agencies generally did well with certain aspects of the Privacy Act’s requirements,… they did less well at others, such as ensuring that information is complete, accurate, relevant, and timely before it is disclosed to a nonfederal organization … [T]he E-Gov Act requires that agencies perform privacy impact assessments (PIA) on collections of personal information. However, in work on commercial data resellers, GAO determined in 2006 that many agencies did not perform PIAs on systems that used reseller information, believing that these were not required. In addition, in public notices on these systems, agencies did not always reveal that information resellers were among the sources to be used… Agencies and privacy officers will also face the challenge of ensuring that privacy protections are not compromised by advances in technology."




Personal Information: Agency and Reseller Adherence to Key Privacy Principles (GAO-06-421, April 2006) (93pp | 1.3m | PDF) — "The major information resellers that do business with the federal agencies we reviewed have practices in place to protect privacy, but these measures are not fully consistent with the Fair Information Practices…. Resellers said they believe may not be appropriate or practical for them to fully adhere to these principles because they do not obtain their information directly from individuals…. Agency practices for handling personal information acquired from information resellers does not always fully reflect the Fair Information Practices…. Contributing to the uneven application of the Fair Information Practices are ambiguities in guidance from the Office of Management and Budget (OMB) regarding the applicability of privacy requirements to federal agency uses of reseller information."


For Further Information – See CRS reports on privacy issues.



Source: Page created by the DHS/Office for Civil Rights and Civil Liberties and the DHS/Privacy Office in cooperation with the DOJ, Office of Justice Programs.


Last date revised: 11/21/13