This is the accessible text file for GAO report number GAO-06-421 entitled 'Personal Information: Agency and Reseller Adherence to Key Privacy Principles' which was released on April 4, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Committees: April 2006: Personal Information: Agency and Reseller Adherence to Key Privacy Principles: GAO-06-421: GAO Highlights: Highlights of GAO-06-421, a report to congressional committees: Why GAO Did This Study: Federal agencies collect and use personal information for various purposes, both directly from individuals and from other sources, including information resellers—companies that amass and sell data from many sources. In light of concerns raised by recent security breaches involving resellers, GAO was asked to determine how the Departments of Justice, Homeland Security, and State and the Social Security Administration use personal data from these sources. In addition, GAO reviewed the extent to which information resellers’ policies and practices reflect the Fair Information Practices, a set of widely accepted principles for protecting the privacy and security of personal data. GAO also examined agencies’ policies and practices for handling personal data from resellers to determine whether these reflect the Fair Information Practices. What GAO Found: In fiscal year 2005, the Departments of Justice, Homeland Security, and State and the Social Security Administration reported that they used personal information obtained from resellers for a variety of purposes. Components of the Department of Justice (the largest user of resellers) used such information in performing criminal investigations, locating witnesses and fugitives, researching assets held by individuals of interest, and detecting prescription drug fraud. The Department of Homeland Security used reseller information for immigration fraud detection and border screening programs. Uses by the Social Security Administration and the Department of State were to prevent and detect fraud, verify identity, and determine eligibility for benefits. The agencies spent approximately $30 million on contractual arrangements with resellers that enabled the acquisition and use of such information. About 91 percent of the planned fiscal year 2005 spending was for law enforcement (69 percent) or counterterrorism (22 percent). The major information resellers that do business with the federal agencies we reviewed have practices in place to protect privacy, but these measures are not fully consistent with the Fair Information Practices. For example, the principles that the collection and use of personal information should be limited and its intended use specified are largely at odds with the nature of the information reseller business, which presupposes that personal information can be made available to multiple customers and for multiple purposes. Resellers said they believe it is not appropriate for them to fully adhere to these principles because they do not obtain their information directly from individuals. Nonetheless, in many cases, resellers take steps that address aspects of the Fair Information Practices. For example, resellers reported that they have taken steps recently to improve their security safeguards, and they generally inform the public about key privacy principles and policies. However, resellers generally limit the extent to which individuals can gain access to personal information held about themselves, as well as the extent to which inaccurate information contained in their databases can be corrected or deleted. Agency practices for handling personal information acquired from information resellers did not always fully reflect the Fair Information Practices. That is, some of these principles were mirrored in agency practices, but for others, agency practices were uneven. For example, although agencies issued public notices on information collections, these did not always notify the public that information resellers were among the sources to be used. This practice is not consistent with the principle that individuals should be informed about privacy policies and the collection of information. Contributing to the uneven application of the Fair Information Practices are ambiguities in guidance from the Office of Management and Budget (OMB) regarding the applicability of privacy requirements to federal agency uses of reseller information. In addition, agencies generally lack policies that specifically address these uses. What GAO Recommends: The Congress should consider the extent to which resellers should adhere to the Fair Information Practices. In addition, GAO is making recommendations to OMB and the four agencies to establish policy to address agency use of personal information from commercial sources. Agency officials generally agreed with the content of this report. Resellers questioned the applicability of the Fair Information Practices, especially with regard to public records. www.gao.gov/cgi-bin/getrpt?GAO-06-421. To view the full product, including the scope and methodology, click on the link above. For more information, contact Linda Koontz at (202) 512- 6240 or koontzl@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Using Governmentwide Contracts, Federal Agencies Obtain Personal Information from Information Resellers for a Variety of Purposes: Resellers Take Steps to Protect Privacy, but These Measures Are Not Fully Consistent with the Fair Information Practices: Agencies Lack Policies on Use of Reseller Data, and Practices Do Not Consistently Reflect the Fair Information Practices: Conclusions: Matter for Congressional Consideration: Recommendations for Executive Action: Agency Comments and Our Evaluation: Comments from Information Resellers: Appendixes: Appendix I: Objectives, Scope, and Methodology: Appendix II: Federal Laws Affecting Information Resellers: Gramm-Leach-Bliley Act: Health Insurance Portability and Accountability Act: Fair Credit Reporting Act: Fair and Accurate Credit Transactions Act: Appendix III: Comments from the Department of Justice: Appendix IV: Comments from the Department of Homeland Security: Appendix V: Comments from the Social Security Administration: Appendix VI: Comments from the Department of State: Tables: Table 1: Federal Laws Addressing Private Sector Disclosure of Personal Information: Table 2: The OECD Fair Information Practices: Table 3: Reported Uses of Personal Information: Department of Justice Contracts with Information Resellers, Fiscal Year 2005: Table 4: Reported Uses of Personal Information: DHS Contracts with Information Resellers, Fiscal Year 2005: Table 5: Reported Uses of Personal Information: SSA Contracts with Information Resellers, Fiscal Year 2005: Table 6: Reported Uses of Personal Information: Department of State Contracts with Information Resellers, Fiscal Year 2005: Table 7: Information Resellers' Application of Principles of the Fair Information Practices: Table 8: Application of Fair Information Practices to the Reported Handling of Personal Information from Data Resellers at Four Agencies: Figures: Figure 1: Typical Information Flow through Resellers to Government Customers: Figure 2: Fiscal Year 2005 Contractual Vehicles Enabling the Use of Personal Information from Information Resellers, Categorized by Reported Use: Figure 3: Total Dollar Values, Categorized by Agency, of Fiscal Year 2005 Acquisition of Personal Information from Information Resellers: APEC: Asia-Pacific Economic Cooperation: ATF: Bureau of Alcohol, Tobacco, Firearms, and Explosives: CBP: Customs and Border Protection: DEA: Drug Enforcement Administration: DHS: Department of Homeland Security: FBI: Federal Bureau of Investigation: FEDLINK: Federal Library and Information Network: FEMA: Federal Emergency Management Agency: FISMA: Federal Information Security Management Act: FTTTF: Foreign Terrorist Tracking Task Force: GSA: General Services Administration: ICE: Immigration and Customs Enforcement: OECD: Organization for Economic Cooperation and Development: OIG: Office of the Inspector General: OMB: Office of Management and Budget: PIA: privacy impact assessment: SSA: Social Security Administration: TSA: Transportation Security Administration: USCIS: Citizenship and Immigration Services: Letter April 4, 2006: Congressional Committees: Recent security breaches at large information resellers, such as ChoicePoint and LexisNexis, have highlighted the extent to which such companies collect and disseminate personal information.[Footnote 1] Information resellers are companies that collect information, including personal information about consumers, from a wide variety of sources for the purpose of reselling such information to their customers, which include both private-sector businesses and government agencies. Before advanced computerized techniques made aggregating and disseminating such information relatively easy, much personal information was less accessible, being stored in paper-based public records at courthouses and other government offices or in the files of nonpublic businesses. However, information resellers have now amassed extensive amounts of personal information about large numbers of Americans, and federal agencies access this information for a variety of reasons. Federal agency use of such information is governed primarily by the Privacy Act of 1974,[Footnote 2] which requires that the use of personal information be limited to predefined purposes and involve only information germane to those purposes. The provisions of the Privacy Act are largely based on a set of principles for protecting the privacy and security of personal information, known as the Fair Information Practices, which were first proposed in 1973 by a U.S. government advisory committee.[Footnote 3] These principles, now widely accepted, include: * collection limitation, * data quality, * purpose specification, * use limitation, * security safeguards, * openness, * individual participation, and: * accountability.[Footnote 4] These principles, with some variation, are used by organizations to address privacy considerations in their business practices and are also the basis of privacy laws and related policies in many countries, including the United States, Germany, Sweden, Australia, New Zealand, and the European Union. Given recent events involving information resellers and federal agencies' use of information obtained from these resellers, you asked us to review how selected federal agencies use such information. Specifically, our objectives were to determine (1) how the Departments of Justice, Homeland Security (DHS), and State and the Social Security Administration (SSA) are making use of personal information obtained through contracts with information resellers; (2) the extent to which information resellers providing personal information to these agencies have policies and practices in place that reflect the Fair Information Practices; and (3) the extent to which these agencies have policies and practices in place for the handling of personal data from resellers that reflect the Fair Information Practices. To address our first objective, we analyzed fiscal year 2005 contracts and other vehicles for the acquisition of personal information from information resellers by DHS, Justice, State, and SSA to identify their purpose, scope, and value. We obtained additional information on these contracts and uses in discussions with agency officials to ensure that all relevant information had been provided to us. To address our second objective, we reviewed documentation from five major information resellers[Footnote 5] and conducted site visits at three of them[Footnote 6] to obtain information on privacy and security policies and procedures and compared these with the Fair Information Practices. In conducting our analysis, we identified the extent to which reseller practices were consistent with the key privacy principles of the Fair Information Practices. We also assessed the potential effect of any inconsistencies; however, we did not attempt to make determinations of whether or how information reseller practices should change. Such determinations are a matter of policy based on balancing the public's right to privacy with the value of services provided by resellers to customers such as government agencies. We determined that the five resellers we reviewed accounted for most of the contract value of personal information obtained from resellers in fiscal year 2005 by the four agencies we reviewed. We did not evaluate the effectiveness of resellers' information security programs. To address our third objective, we identified and evaluated agency guidelines and management policies and procedures governing the use of personal information obtained from information resellers and compared these to the Fair Information Practices. We also conducted interviews at the four agencies with senior agency officials designated for privacy issues as well as officials of the Office of Management and Budget (OMB) to obtain their views on the applicability of federal privacy laws and related guidance to agency use of information resellers. We performed our work from May 2005 to March 2006 in the Washington, D.C., metropolitan area; Little Rock, Arkansas; Alpharetta, Georgia; and Miamisburg, Ohio. Our work was performed in accordance with generally accepted government auditing standards. Our objectives, scope, and methodology are discussed in more detail in appendix I. Results in Brief: In fiscal year 2005, Justice, DHS, State, and SSA reported using personal information from information resellers for a variety of purposes, including law enforcement, counterterrorism, fraud prevention, and debt collection. Taken together, approximately 91 percent of planned spending on resellers reported by the agencies for fiscal year 2005 was for law enforcement (69 percent) or counterterrorism (22 percent). For example, components of the Department of Justice (the largest user of resellers) made use of such information for criminal investigations, location of witnesses and fugitives, research of assets held by individuals of interest, and detection of fraud in prescription drug transactions. Examples of uses by the DHS include immigration fraud detection and border screening programs. SSA and State acquire personal information from information resellers for fraud detection and investigation, identity verification, and benefit eligibility determination. The four agencies obtained personal information from resellers primarily through two general- purpose governmentwide contract vehicles--the Federal Supply Schedule of the General Services Administration (GSA) and the Library of Congress's Federal Library and Information Network. Collectively, the four agencies reported approximately $30 million[Footnote 7] in fiscal year 2005 in contractual arrangements with information resellers that enabled the acquisition and use of personal information. The major information resellers that do business with the federal agencies we reviewed have practices in place to protect privacy, but these measures are not fully consistent with the Fair Information Practices. For example, the nature of the information reseller business is largely at odds with the principles of collection limitation, data quality, purpose specification, and use limitation. These principles center on limiting the collection and use of personal information, and they link data quality (e.g., accuracy) requirements to these limitations. Resellers said they believe it may not be appropriate or practical for them to fully adhere to these principles because they do not obtain their information directly from individuals. In fact, the information reseller industry is based on multipurpose collection and use of personal and other information[Footnote 8] information from multiple sources. In many cases, resellers take steps that address aspects of the Fair Information Practices. For example, resellers reported that they have taken steps recently to improve their security safeguards, and they generally inform the public about key privacy principles and policies (relevant to the openness principle). However, resellers generally limit the extent to which individuals can gain access to personal information held about themselves as well as the extent to which inaccurate information contained in their databases can be corrected or deleted (relevant to the individual participation principle). Agency practices for handling personal information acquired from information resellers reflected the principles of the Fair Information Practices in four cases and in the other four did not. Specifically, regarding the collection limitation, data quality, use limitation, and security safeguards principles, agency practices generally reflected the Fair Information Practices. For example, regarding the data quality principle that data should be accurate, current, and complete, as needed for the defined purpose, law enforcement agencies (including the Federal Bureau of Investigation and the U.S. Secret Service) generally reported that they corroborate information obtained from resellers to ensure that it is accurate when it is used as part of an investigation. Regarding other principles, however, agency practices were uneven. Specifically, agencies did not always have practices in place to fully address the purpose specification, individual participation, openness, and accountability principles with regard to use of reseller information. For example, * although agencies notify the public through Federal Register notices and published privacy impact assessments that they collect personal information from various sources, they do not always indicate specifically that information resellers are among those sources, and: * some agencies lack robust audit mechanisms to ensure that use of personal information from information resellers is for permissible purposes, reflecting an uneven application of the accountability principle. Contributing to the uneven application of the Fair Information Practices are ambiguities in guidance from OMB regarding the applicability of privacy requirements to federal agency uses of reseller information. In addition, agencies generally lack policies that specifically address these uses. The Congress should consider the extent to which information resellers should adhere to the Fair Information Practices. We are also recommending that the Director, OMB, revise privacy guidance to clarify the applicability of requirements for public notices and privacy impact assessments to agency use of personal information from resellers and direct agencies to review their uses of such information to ensure it is explicitly referenced in privacy notices and assessments. Further, we are recommending that agencies develop specific policies for the use of personal information from resellers. We obtained written comments on a draft of this report from Justice, DHS, SSA, and State. We also received comments via E-mail from OMB. Comments from Justice, DHS, SSA, and State are reproduced in appendixes III to VI, respectively. Justice, DHS, SSA, and OMB all generally agreed with the report and described actions initiated to address our recommendations. In its comments, Justice recommended that prior to issuance of any new or revised policy, careful consideration be given to its impact on Justice. We believe the policy clarifications we are proposing are unlikely to result in an adverse impact on law enforcement activities at Justice. Justice and SSA also provided technical comments, which were incorporated in the final report as appropriate. State interpreted our draft report to "rest on the premise that records from 'information resellers' should be accorded special treatment when compared with sensitive information from other sources." State also indicated that it does not distinguish between types of information or sources of information in complying with privacy laws. However, our report does not suggest that data from resellers should receive special treatment. Instead, our report takes the widely accepted Fair Information Practices as a universal benchmark of privacy protections and assesses agency practices in comparison with them. We also obtained comments on excerpts of our draft report from the five information resellers we reviewed. Several resellers raised concerns regarding the version of the Fair Information Practices we used to assess their practices, stating their view that it was more appropriate for organizations that collection information directly from consumers and that they were not legally bound to adhere to the Fair Information Practices. As discussed in our report, the version of the Fair Information Practices we used has been widely adopted and cited within the federal government as well as internationally. Further, we use it as an analytical framework for identifying potential privacy issues for further consideration by Congress--not as criteria for strict compliance. Resellers also stated that the draft did not take into account that public record information is open to all for any use not prohibited by state or federal law. However, we believe it is not clear that individuals give up all privacy rights to personal information contained in public records, and we believe it is important to assess the status of privacy protections for all personal information being offered commercially to the government so that informed policy decision can be made about the appropriate balance between resellers' services and the public's right to privacy. Resellers also offered technical comments, which were incorporated in the final report as appropriate. Background: Before advanced computerized techniques for aggregating, analyzing, and disseminating data came into widespread use, personal information contained in paper-based public records at courthouses or other government offices was relatively difficult to obtain, usually requiring a personal visit to inspect the records. Nonpublic information, such as personal information contained in product registrations, insurance applications, and other business records, was also generally inaccessible. In recent years, however, advances in technology have spawned information reseller businesses that systematically collect extensive amounts of personal information from a wide variety of sources and make it available electronically over the Internet and by other means to customers in both government and the private sector. This automation of the collection and aggregation of multiple-source data, combined with the ease and speed of its retrieval, have dramatically reduced the time and effort needed to obtain information of this type. Among the primary customers of information resellers are financial institutions (including insurance companies), retailers, law offices, telecommunications and technology companies, and marketing firms. We use the term "information resellers" to refer to businesses that vary in many ways but have in common the fact that they collect and aggregate personal information from multiple sources and make it available to their customers. These businesses do not all focus exclusively on aggregating and reselling personal information. For example, Dun & Bradstreet primarily provides information on commercial enterprises for the purpose of contributing to decision making regarding those enterprises. In doing so, it may supply personal information about individuals associated with those commercial enterprises. To a certain extent, the activities of information resellers may also overlap with the functions of consumer reporting agencies, also known as credit bureaus--entities that collect and sell information about individuals' creditworthiness, among other things. As is discussed further below, to the extent that information resellers perform the functions of consumer reporting agencies, they are subject to legislation specifically addressing that industry, particularly the Fair Credit Reporting Act. Information resellers obtain personal information from many different sources. Generally, three types of information are collected: public records, publicly available information, and nonpublic information. * Public records are a primary source of information about consumers, available to anyone, and can be obtained from governmental entities. What constitutes public records is dependent upon state and federal laws, but generally these include birth and death records, property records, tax lien records, motor vehicle registrations, voter registrations, licensing records, and court records (including criminal records, bankruptcy filings, civil case files, and legal judgments). * Publicly available information is information not found in public records but nevertheless publicly available through other sources. These sources include telephone directories, business directories, print publications such as classified ads or magazines, Internet sites, and other sources accessible by the general public. * Nonpublic information is derived from proprietary or nonpublic sources, such as credit header data,[Footnote 9] product warranty registrations, and other application information provided to private businesses directly by consumers. Private sector businesses rely on information resellers for information to support a variety of activities, such as: * conducting pre-employment background checks on prospective employees, * verifying individuals' identities by reviewing records of their personal information; * marketing commercial products to consumers matching specified demographic characteristics; and: * preventing financial fraud by examining insurance, asset, and other financial record information. Typically, while information resellers may collect and maintain personal information in a variety of databases, they provide their customers with a single, consolidated online source for a broad array of personal information. Figure 1 illustrates how information is collected from multiple sources and ultimately accessed by customers, including government agencies, through contractual agreements. Figure 1: Typical Information Flow through Resellers to Government Customers: [See PDF for image] [End of figure] In addition to providing consolidated access to personal information through Internet-based Web sites, information resellers offer a variety of products tailored to the specific needs of various lines of business. For example, an insurance company could obtain different products covering police and accident reports, insurance carrier information, vehicle owner verification or claims history, or online public records. Typically, services offered to law enforcement officers include more information--including sensitive information, such as full Social Security numbers and driver's license numbers--than is offered to other customers. Federal Laws and Guidance Govern Use of Personal Information in Federal Agencies: There is no single federal law that governs all use or disclosure of personal information. Instead, U.S. law includes a number of separate statutes that provide privacy protections for information used for specific purposes or maintained by specific types of entities. The major requirements for the protection of personal privacy by federal agencies come from two laws, the Privacy Act of 1974 and the privacy provisions of the E-Government Act of 2002. The Federal Information Security Management Act of 2002 (FISMA) also addresses the protection of personal information in the context of securing federal agency information and information systems. The Privacy Act places limitations on agencies' collection, disclosure, and use of personal information maintained in systems of records. The act describes a "record" as any item, collection, or grouping of information about an individual that is maintained by an agency and contains his or her name or another personal identifier. It also defines "system of records" as a group of records under the control of any agency from which information is retrieved by the name of the individual or by an individual identifier. The Privacy Act requires that when agencies establish or make changes to a system of records, they must notify the public by a notice in the Federal Register identifying, among other things, the type of data collected, the types of individuals about whom information is collected, the intended "routine" uses of data, and procedures that individuals can use to review and correct personal information.[Footnote 10] The act's requirements also apply to government contractors when agencies contract for the development and maintenance of a system of records to accomplish an agency function.[Footnote 11] The act limits its applicability to cases in which systems of records are maintained specifically on behalf of a government agency. Several provisions of the act require agencies to define and limit themselves to specific predefined purposes. For example, the act requires that to the greatest extent practicable, personal information should be collected directly from the subject individual when it may affect an individual's rights or benefits under a federal program. The act also requires that an agency inform individuals whom it asks to supply information of (1) the authority for soliciting the information and whether disclosure of such information is mandatory or voluntary; (2) the principal purposes for which the information is intended to be used; (3) the routine uses that may be made of the information; and (4) the effects on the individual, if any, of not providing the information. According to OMB, this requirement is based on the assumption that individuals should be provided with sufficient information about the request to make a decision about whether to respond. In handling collected information, the Privacy Act also requires agencies to, among other things, allow individuals to (1) review their records (meaning any information pertaining to them that is contained in the system of records), (2) request a copy of their record or information from the system of records, and (3) request corrections in their information. Such provisions can provide a strong incentive for agencies to correct any identified errors. Agencies are allowed to claim exemptions from some of the provisions of the Privacy Act if the records are used for certain purposes. For example, records compiled for criminal law enforcement purposes can be exempt from a number of provisions, including (1) the requirement to notify individuals of the purposes and uses of the information at the time of collection and (2) the requirement to ensure the accuracy, relevance, timeliness, and completeness of records. A broader category of investigative records compiled for criminal or civil law enforcement purposes can also be exempted from a somewhat smaller number of Privacy Act provisions, including the requirement to provide individuals with access to their records and to inform the public of the categories of sources of records. In general, the exemptions for law enforcement purposes are intended to prevent the disclosure of information collected as part of an ongoing investigation that could impair the investigation or allow those under investigation to change their behavior or take other actions to escape prosecution. The E-Government Act of 2002 strives to enhance protection for personal information in government information systems or information collections by requiring that agencies conduct privacy impact assessments (PIA). A PIA is an analysis of how personal information is collected, stored, shared, and managed in a federal system. More specifically, according to OMB guidance,[Footnote 12] a PIA is an analysis of how information is handled: (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. Agencies must conduct PIAs (1) before developing or procuring information technology that collects, maintains, or disseminates information that is in a personally identifiable form or (2) before initiating any new data collections involving personal information that will be collected, maintained, or disseminated using information technology if the same questions are asked of 10 or more people. OMB guidance also requires agencies to conduct PIAs when a system change creates new privacy risks, for example, changing the way in which personal information is being used. The requirement does not apply to all systems. For example, no assessment is required when the information collected relates to internal government operations, the information has been previously assessed under an evaluation similar to a PIA, or when privacy issues are unchanged. FISMA also addresses the protection of personal information. FISMA defines federal requirements for securing information and information systems that support federal agency operations and assets; it requires agencies to develop agencywide information security programs that extend to contractors and other providers of federal data and systems.[Footnote 13] Under FISMA, information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction, including controls necessary to preserve authorized restrictions on access and disclosure to protect personal privacy, among other things. OMB is tasked with providing guidance to agencies on how to implement the provisions of the Privacy Act and the E-Government Act and has done so, beginning with guidance on the Privacy Act, issued in 1975.[Footnote 14] The guidance provides explanations for the various provisions of the law as well as detailed instructions for how to comply. OMB's guidance on implementing the privacy provisions of the E- Government Act of 2002 identifies circumstances under which agencies must conduct PIAs and explains how to conduct them. OMB has also issued guidance on implementing the provisions of FISMA. Additional Laws Provide Privacy Protections for Specific Types and Uses of Information: Although federal laws do not specifically regulate the information reseller industry as a whole, they provide safeguards for personal information under certain specific circumstances, such as when financial or health information is involved, or for such activities as pre-employment background checks. Specifically, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Driver's Privacy Protection Act, and the Health Insurance Portability and Accountability Act all restrict the ways in which businesses, including information resellers, may use and disclose consumers' personal information (see app. II for more details about these laws). The Gramm-Leach-Bliley Act, for example, limits financial institutions' disclosure of nonpublic personal information to nonaffiliated third parties and requires companies to give consumers privacy notices that explain the institutions' information sharing practices. Consumers then have the right to limit some, but not all, sharing of their nonpublic personal information. As shown in table 1, these laws either restrict the circumstances under which entities such as information resellers are allowed to disclose personal information or restrict the parties with whom they are allowed to share information. Table 1: Federal Laws Addressing Private Sector Disclosure of Personal Information: Federal laws: Fair Credit Reporting Act; Provisions: Consumer reporting agencies are limited to providing data only to their customers that have a permissible purpose for using the data. With few exceptions, government agencies are treated like other parties and must have a permissible purpose in order to obtain a consumer report. Federal laws: Gramm-Leach-Bliley Act; Provisions: Sets limitations on financial institutions' disclosure of customer data to third parties, such as information resellers. Requires companies to give consumers privacy notices that explain the institutions' information-sharing practices. In turn, consumers have the right to limit some, but not all, sharing of their nonpublic personal information. Federal laws: Driver's Privacy Protection Act; Provisions: Restricts a third party's ability to obtain Social Security numbers and other driver's license information from state motor vehicle offices unless doing so for a permissible purpose under the law; restricts state motor vehicle offices' ability to disclose driver's license information. Federal laws: Health Insurance Portability and Accountability Act; Provisions: Health care organizations are restricted from disclosing a patient's health information without the patient's consent, except for permissible reasons, and are required to inform individuals of privacy practices. Federal laws: Fair and Accurate Credit Transactions Act; Provisions: Consumers may obtain one free annual consumer report from nationwide consumer reporting agencies. Source: GAO analysis. Note: Appendix II provides additional details on the requirements of these laws. [End of table] Information resellers are also affected by various state laws. For example, California state law requires businesses to notify consumers about security breaches that could directly affect them. Legal requirements, such as the California law, led ChoicePoint, a large information reseller, to notify its customers in mid-February 2005 of a security breach in which unauthorized persons gained access to personal information from its databases. Since the ChoicePoint notification, bills were introduced in at least 35 states and enacted in at least 22 states[Footnote 15] that require some form of notification upon a security breach. The Fair Information Practices Are Widely Agreed to Be Key Principles for Privacy Protection: The Fair Information Practices are a set of internationally recognized privacy protection principles. First proposed in 1973 by a U.S. government advisory committee, the Fair Information Practices were intended to address what the committee termed a poor level of protection afforded to privacy under contemporary law.[Footnote 16] A revised version of the Fair Information Practices, developed by the Organization for Economic Cooperation and Development (OECD)[Footnote 17] in 1980, has been widely adopted. The OECD principles are shown in table 2. Table 2: The OECD Fair Information Practices: Principle: Collection limitation; Description: The collection of personal information should be limited, should be obtained by lawful and fair means, and, where appropriate, with the knowledge or consent of the individual. Principle: Data quality; Description: Personal information should be relevant to the purpose for which it is collected, and should be accurate, complete, and current as needed for that purpose. Principle: Purpose specification; Description: The purposes for the collection of personal information should be disclosed before collection and upon any change to that purpose, and its use should be limited to those purposes and compatible purposes. Principle: Use limitation; Description: Personal information should not be disclosed or otherwise used for other than a specified purpose without consent of the individual or legal authority. Principle: Security safeguards; Description: Personal information should be protected with reasonable security safeguards against risks such as loss or unauthorized access, destruction, use, modification, or disclosure. Principle: Openness; Description: The public should be informed about privacy policies and practices, and individuals should have ready means of learning about the use of personal information. Principle: Individual participation; Description: Individuals should have the following rights: to know about the collection of personal information, to access that information, to request correction, and to challenge the denial of those rights. Principle: Accountability; Description: Individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of these principles. Source: OECD. [End of table] The Fair Information Practices are, with some variation, the basis of privacy laws and related policies in many countries, including the United States, Germany, Sweden, Australia, New Zealand, and the European Union.[Footnote 18] They are also reflected in a variety of federal agency policy statements, beginning with an endorsement of the OECD principles by the Department of Commerce in 1981,[Footnote 19] and including policy statements of the DHS, Justice, Housing and Urban Development, and Health and Human Services.[Footnote 20] In 2004, the Chief Information Officers Council issued a coordinating draft of their Security and Privacy Profile for the Federal Enterprise Architecture[Footnote 21] that links privacy protection with a set of acceptable privacy principles corresponding to the OECD's version of the Fair Information Practices. The Fair Information Practices are not precise legal requirements. Rather, they provide a framework of principles for balancing the need for privacy with other public policy interests, such as national security, law enforcement, and administrative efficiency. Striking that balance varies among countries and among types of information (e.g., medication versus employment information). The Fair Information Practices also underlie the provisions of the Privacy Act of 1974. For example, the system of records notice required under the Privacy Act embodies the purpose specification, openness, and individual participation principles in that it provides a public accounting through the Federal Register of the purpose and uses for personal information, and procedures by which individuals may access and correct, if necessary, information about themselves. Further, the E- Government Act's requirement to conduct PIAs likewise reflects the Fair Information Practices. Under the act, agencies are to make these assessments publicly available, if practicable, through agency Web sites or by publication in the Federal Register, or other means. To the extent that such assessments are made publicly available, they also provide notice to the public about the purpose of planned information collections and the planned uses of the information being collected. Congressional Interest in the Information Reseller Industry Has Been Heightened: A number of congressional hearings were held and bills introduced in 2005 in the wake of widely publicized data security breaches at major information resellers such as ChoicePoint and LexisNexis as well as other firms. In March 2005, the House Subcommittee on Commerce, Trade, and Consumer Protection of the House Energy and Commerce Committee held a hearing entitled "Protecting Consumers' Data: Policy Issues Raised by ChoicePoint," which focused on potential remedies for security and privacy concerns regarding information resellers. Similar hearings were held by the House Energy and Commerce Committee and by the U.S. Senate Committee on Commerce, Science, and Transportation in spring 2005. The heightened interest in this subject led a number of Members of Congress to propose a variety of bills aimed at regulating companies that handle personal information, including information resellers. Several of these bills require companies such as information resellers to notify the public of security breaches, while a few also allow consumers to "freeze" their credit (i.e., prevent new credit accounts from being opened without special forms of authentication), or see and correct personal information contained in reseller data collections. Other proposed legislation includes (1) the Data Accountability and Trust Act,[Footnote 22] requiring security policies and procedures to protect computerized data containing personal information and nationwide notice in the event of a security breach, and (2) the Personal Data Privacy and Security Act of 2005,[Footnote 23] requiring data brokers to disclose personal electronic records pertaining to an individual and inform individuals on procedures for correcting inaccuracies. Using Governmentwide Contracts, Federal Agencies Obtain Personal Information from Information Resellers for a Variety of Purposes: Primarily through governmentwide contracts, Justice, DHS, State, and SSA reported using personal information obtained from resellers for a variety of purposes, including law enforcement, counterterrorism, fraud detection/prevention, and debt collection. Most uses by Justice were for law enforcement and counterterrorism, such as investigations of fugitives and obtaining information on witnesses and assets held by individuals of interest. DHS also used reseller information primarily for law enforcement and counterterrorism, such as screening vehicles entering the United States. State and SSA reported acquiring personal information from information resellers for fraud detection and investigation, identity verification, and benefit eligibility determination. The four agencies reported approximately $30 million in contractual arrangements with information resellers in fiscal year 2005.[Footnote 24] Justice accounted for most of the funding (about 63 percent). Approximately 91 percent of agency uses of reseller data were in the categories of law enforcement (69 percent) or counterterrorism (22 percent). Figure 2 details contract values categorized by their reported use. (Details on uses by each agency are given in the individual agency discussions.) Figure 2: Fiscal Year 2005 Contractual Vehicles Enabling the Use of Personal Information from Information Resellers, Categorized by Reported Use: [See PDF for image] [End of figure] Department of Justice Uses Information Resellers Primarily for Law Enforcement and Counterterrorism Purposes: According to Justice contract documentation, access to up-to-date and comprehensive public record information is a critical ongoing mission requirement, and the department relies on a wide variety of information resellers--including ChoicePoint, Dun & Bradstreet, LexisNexis, and West--to meet that need. Departmental use of information resellers was primarily for purposes related to law enforcement (75 percent) and counterterrorism (18 percent), including support for criminal investigations, location of witnesses and fugitives, information on assets held by individuals under investigation, and detection of fraud in prescription drug transactions. In fiscal year 2005, Justice and its components reported approximately $19 million in acquisitions from information resellers involving personal information. The department acquired these services primarily through use of GSA's Federal Supply Schedule[Footnote 25] offerings including a blanket purchase agreement[Footnote 26] with ChoicePoint valued at approximately $15 million.[Footnote 27] Several component agencies, such as the Federal Bureau of Investigation (FBI), the Drug Enforcement Administration (DEA), and the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) placed orders with information resellers based on the schedules. In addition, for fiscal year 2005, Justice established separate departmentwide contracts with LexisNexis and West valued at $4.5 million and $5.2 million, respectively.[Footnote 28] Tasked to protect and defend the United States against terrorist and foreign intelligence threats and to enforce criminal laws, the FBI is Justice's largest user of information resellers, with about $11 million in contracts in fiscal year 2005. The majority of FBI's use involves two major programs, the Public Source Information Program and the Foreign Terrorist Tracking Task Force (FTTTF). In support of the investigative and intelligence missions of the FBI, the Public Source Information Program provides all offices of the FBI with access via the Internet to public record, legal, and news media information available from various online commercial databases. These databases are used to assist with investigations by identifying the location of individuals and identifying alias names, Social Security numbers, relatives, dates of birth, telephone numbers, vehicles, business affiliations, other associations, and assets. Public Source Information Program officials reported that use of these commercial databases often results in new information regarding the subject of the investigation. Officials noted that commercial databases are used in preliminary investigations, and that subsequently, investigative personnel must verify the results of each search. The FBI's FTTTF also contracts with several information resellers (1) to assist in fulfilling its mission of assisting federal law enforcement and intelligence agencies in locating foreign terrorists and their supporters who are in or have visited the United States and (2) to provide information to other law enforcement and intelligence community agencies that can lead to their surveillance, prosecution, or removal. As we previously reported,[Footnote 29] FTTTF makes use of personal information from several commercial sources to analyze intelligence and detect terrorist activities in support of ongoing investigations by law enforcement agencies and the intelligence community. Information resellers provide FTTTF with names, addresses, telephone numbers, and other biographical and demographical information as well as legal briefs, vehicle and boat registrations, and business ownership records. Other Justice components reported using personal information from information resellers to support the conduct of investigations and other law enforcement-related activities. For example, the U.S. Marshals Service uses an information reseller to, among other things, locate fugitives by identifying a fugitive's relatives and their addresses.[Footnote 30] Through interviews with relatives, a U.S. Marshal may be able to ascertain the location of a fugitive and subsequently apprehend the individual. DEA, the second largest Justice user of information resellers in fiscal year 2005, obtains reseller data to detect fraud in prescription drug transactions.[Footnote 31] Through these data, DEA agents can detect irregular prescription patterns for specific drugs and trace this information to the pharmacy and prescribing doctor.[Footnote 32] DEA also uses an information reseller to locate individuals in asset forfeiture cases.[Footnote 33] Reseller data allows DEA to identify all possible addresses for an individual in order to meet the agency's obligation to make a reasonable effort to notify individuals of seized property and inform them of their rights to contest the seizures. Other uses reported by Justice components are not related to law enforcement. For example, uses by the U.S. Trustees, Antitrust, Civil, Tax, and Criminal Divisions include ascertaining the financial status of individuals for debt collection purposes or bankruptcy proceedings or for the location of individuals for court proceedings. The Executive Office for U.S. Attorneys uses information resellers to ascertain the financial status of those indebted to the United States in order to assess the debtor's ability to repay the debt. According to officials, information reseller databases may reveal assets that a debtor is attempting to conceal. Further, the U.S. Attorneys use information resellers to locate victims of federal crime in order to notify these individuals of relevant court proceedings pursuant to the Justice for All Act.[Footnote 34] Table 3 details in aggregate the vendors, fiscal year 2005 contract values, and reported uses for contracts with information resellers by major Justice components. Table 3: Reported Uses of Personal Information: Department of Justice Contracts with Information Resellers, Fiscal Year 2005: Major component: Federal Bureau of Investigation; Information resellers: ChoicePoint, LexisNexis, West, Credit Bureau Reports, Dun & Bradstreet, Seisint[A]; Aggregate contract value: $11,248,000; Uses involving personal information: Public Source Information Program. Find individuals and identify alias names, Social Security numbers, relatives, dates of birth, telephone numbers, vehicles, business affiliations, associations, and assets. The program provides FBI units with access to public record, legal, and news media information from various online commercial databases; Criminal Investigative Division. Same use. Foreign Terrorist Tracking Task Force. Obtain such information as names, addresses, telephone numbers, other biographical information, vehicle and boat registrations, and business ownership records. Major component: Drug Enforcement Administration; Information resellers: ChoicePoint, LexisNexis, Dun & Bradstreet; Aggregate contract value: $4,283,000; Uses involving personal information: Conduct investigations of drug diversions and improper drug transactions; For example, identifying cases in which physicians sell prescriptions to drug dealers or abusers, pharmacists falsely report legitimate drug sales and subsequently sell the drugs illegally, and employees steal from inventory and falsify orders to hide illicit sales. Support criminal investigations of specific individuals and companies; Locate an individual's address in asset removal cases. Major component: U.S. Marshals Service; Information resellers: ChoicePoint, LexisNexis, West; Aggregate contract value: $1,661,000; Uses involving personal information: Generate leads related to fugitive investigations (e.g., a fugitive's relatives and their contact information). Asset Forfeiture Office. Obtain information on preseized, seized, and forfeited property. The Marshals Service offers property for sale to the public that has been forfeited under laws enforced or administered by Justice and its investigative agencies. Office of General Counsel. Research assets to administer tort claims against the service. For example, if a claimant makes an assertion that the service is responsible for damaging property and does not provide supporting documentation, General Counsel personnel may use commercial data to verify tax assessment records, proof of ownership, etc. Major component: Executive Office for U.S. Attorneys; Information resellers: ChoicePoint, CBR Information Services; Aggregate contract value: $855,000; Uses involving personal information: Financial Litigation Units. Ascertain the financial status of individuals and uncover concealed assets for civil and criminal debt collection efforts; Locate and notify crime victims of relevant court proceedings pursuant to the Justice for All Act of 2004. Major component: Bureau of Alcohol, Tobacco, Firearms, and Explosives; Information resellers: ChoicePoint, Dun & Bradstreet, LexisNexis, West; Aggregate contract value: $791,000; Uses involving personal information: Support investigative activities such as locating and apprehending fugitives or obtaining data on businesses (such as in arson investigations), which may include personal information about business owners. Major component: Executive Office of the United States Trustees; Information resellers: ChoicePoint, Equifax,[B] Real Data Corp, MLS Hawaii; Aggregate contract value: $303,000; Uses involving personal information: Obtain information on assets (openly held or concealed) of individuals in bankruptcy proceedings (as part of office's mission to enforce bankruptcy laws and provide oversight of private trustees). Obtain credit reports on employees as part of a security clearance process. Major component: Office of the Inspector General; Information resellers: ChoicePoint, LexisNexis, West; Aggregate contract value: $43,000; Uses involving personal information: Investigations Division. Support investigations of alleged violations of fraud, abuse, and integrity laws that govern Justice employees, operations, grantees, and contractors. Major component: U.S. National Central Bureau; Information resellers: ChoicePoint; Aggregate contract value: $31,000; Uses involving personal information: Conduct business and address checks on individuals who may be potentially involved in fraud or fugitive cases. The bureau facilitates international law enforcement cooperation as the U.S. representative of the International Criminal Police Organization (INTERPOL). Major component: National Drug Intelligence Center; Information resellers: ChoicePoint; Aggregate contract value: $28,000; Uses involving personal information: Document Exploitation Division. Locate individuals, identify assets, and investigate fraud. The Document Exploitation Division specializes in analyzing information seized in major federal drug investigations. Major component: Office of Justice Programs; Information resellers: Dun & Bradstreet; Aggregate contract value: $22,000; Uses involving personal information: Office of Comptroller, Financial Management Division. Obtain credit reports to assess new grantees' (nongovernmental or nontribal) financial integrity. These credit reports may include personal information on company owners. This information is used to support the new grantee's ability to operate the grant programs of the Office of Justice Programs, to confirm the existence of the company, and to determine any outstanding liens or obligations that might influence the success of the grant program. Major component: Litigating Divisions (Civil, Criminal, Antitrust, and Tax); Information resellers: ChoicePoint, Credit Bureau Reports (division of CBC Companies); Aggregate contract value: $21,000; Uses involving personal information: Civil Division. Locate individuals and assets in connection with litigation for purposes such as obtaining depositions, debt collection, and identifying assets that a debtor may be concealing in bankruptcy proceedings. Criminal Division, Office of Special Investigations. Locate individuals who may have taken part in Nazi-sponsored acts of persecution abroad before and during World War II and who subsequently entered, or seek to enter, the United States illegally and/or fraudulently. Antitrust Division. Locate witnesses for trials. Tax Division. Obtain credit bureau reports for debt collection purposes. Source: Department of Justice. Notes: The table represents fiscal year 2005 contract values and may not reflect actual expenditures. We did not verify the accuracy or completeness of the dollar figures provided to us. Contract values were rounded to the nearest thousand. Several Justice components use departmentwide contracts with LexisNexis and West, which provide, among other things, access to public records information. Several components, including the litigating divisions (Civil, Criminal, Antitrust, and Tax), the Office of Justice Programs, and the Executive Office for U.S. Attorneys, reported that their use of these departmentwide contracts was primarily for legal research, and therefore we did not include these uses in the table. [A] Seisint is now owned by LexisNexis. [B] Equifax is an example of a consumer reporting agency. Consumer reporting agencies, also known as credit bureaus, are entities that collect and sell information about the creditworthiness, among other things, of individuals and are required by the Fair Credit Reporting Act to disclose such information only for permissible purposes. [End of table] DHS Uses Information Resellers Primarily for Law Enforcement and Counterterrorism: In fiscal year 2005, DHS and its components reported that they used information reseller data primarily for law enforcement purposes, such as for developing leads on subjects in criminal investigations and detecting fraud in immigration benefit applications (part of enforcing the immigration laws). Counterterrorism uses involved screening programs at the northern and southern borders as well as at the nation's airports. DHS reported planning to spend about $9 million acquiring personal information from resellers in fiscal year 2005. DHS acquired these services primarily for law enforcement (63 percent) and counterterrorism (35 percent) purposes through FEDLINK--a governmentwide contract vehicle provided by the Library of Congress-- and GSA's Federal Supply Schedule contracts as well as direct purchases by its components. DHS's primary vehicle for acquiring data from information resellers was the FEDLINK contract vehicle, which DHS used to acquire reseller services from Choicepoint ($4.1 million), Dun & Bradstreet ($640,000), LexisNexis ($2 million), and West ($1 million). U.S. Immigration and Customs Enforcement (ICE) is DHS's largest user of personal information from resellers, with acquisitions worth over $4.3 million. The largest investigative component of DHS, ICE has as its mission to prevent acts of terrorism by targeting the people, money, and materials that support terrorist and criminal activities. ICE uses information resellers to collect personal information for criminal investigative purposes and to perform background security checks. Data commonly obtained include address and vehicle information; according to officials, this information is either used to verify data already collected or is itself verified by investigators through other means. For example, ICE's Federal Protective Service has about 50 users who access an information reseller database to assist in properly identifying and locating potential criminal suspects. Investigators may verify an address obtained from the database by confirming billing information with a utility company or by conducting "drive-by" surveillance. The Federal Protective Service views information obtained from resellers as "raw" or "unverified" data, which may or may not be of use to investigators. Other DHS components likewise reported using personal information from resellers to support investigations and other law enforcement-related activities. For example, U.S. Customs and Border Protection (CBP)-- tasked with managing, controlling, and protecting the nation's borders at and between the official ports of entry--uses information resellers for law enforcement, intelligence gathering, and prosecution support. Using these databases, investigators conduct queries on people, businesses, property, and corresponding links via a secure Internet connection. According to officials, information obtained is corroborated with other previously obtained data, open-source information, and investigative leads. CBP also uses a specially developed information reseller product to assist law enforcement officials in vehicle identification at northern and southern land borders. CBP uses electronic readers to capture license plate data on vehicles entering or exiting U.S. borders, converts the data to an electronic format, and transmits the data to an information reseller, which returns U.S. motor vehicle registration information to CBP. The license plate data, merged with the associated motor vehicle registration data provided by the reseller, are then checked against government databases in order to help assess risk related to vehicles (i.e., a vehicle whose license plate is associated with a law enforcement record might be referred for secondary examination). The Federal Emergency Management Agency (FEMA), charged with building and supporting the nation's emergency management system, uses an information reseller to detect fraud in disaster assistance applications. FEMA uses this service to verify information that individuals present in their applications for disaster assistance via the Internet. At the time of application, an individual is required to pass an identity check that determines whether the presented identity exists, followed by an identity validation quiz to better ensure that the applicant corresponds to the identity presented. The information reseller is used to verify the applicant's name, address, and Social Security number. DHS is also using information resellers in its counterterrorism efforts. For example, the Transportation Security Administration (TSA), tasked with protecting the nation's transportation systems, used data obtained from information resellers as part of a test associated with the development of ts domestic passenger prescreening program, called "Secure Flight."[Footnote 35] TSA's plans for Secure Flight involve the submission of passenger information by an aircraft operator to TSA whenever a reservation is made for a flight in which the origin and destination are domestic airports. In the prescreening of airline passengers, this information would be compared with federal watch lists of individuals known or suspected of activities related to terrorism. TSA conducted a test designed to help determine the extent to which information resellers could be used to authenticate passenger identity information provided by air carriers. It plans to use the test results to determine whether commercial data can be used to improve the effectiveness of watch-list matching by identifying passengers who would not have been identified from passenger name records and government data alone. The test results also may be used to identify items of personally identifying information that should be required of passengers to improve aviation security. Table 4 provides detailed information about DHS uses of information resellers in fiscal year 2005, as reported by officials of the department's components. Table 4: Reported Uses of Personal Information: DHS Contracts with Information Resellers, Fiscal Year 2005: Major component: U.S. Immigration and Customs Enforcement; Information reseller: ChoicePoint, Dun & Bradstreet, LexisNexis, West; Aggregate contract value: $4,389,000; Uses involving personal information: Acquire data (generally, address and vehicle information) for criminal investigations and background security checks. According to officials, information is either used to verify data already collected or is itself verified by investigators through other means. Federal Protective Service. Identify and locate potential criminal suspects using address, vehicle, and other information. Office of Detention and Removal. Locate and remove illegal aliens from the United States using address, vehicle, and other information. Major component: U.S. Customs and Border Protection; Information reseller: ChoicePoint, LexisNexis, Dun & Bradstreet, and West; Aggregate contract value: $2,375,000; Uses involving personal information: Conduct queries on people, businesses, property, and corresponding links in support of law enforcement, intelligence gathering, and prosecution support. Border Patrol Del Rio Sector. Obtain information such as addresses, telephone numbers, and names of relatives in support of investigations involving registered owners of seized vehicles and property. National Targeting Center. Look up information associated with license plate data to assist in vehicle identification at northern and southern land borders. License plate readers capture data on vehicles and cross-check against information reseller and government databases. Data captured are used to help assess risk related to these vehicles (e.g., a car whose license plate is associated with a law enforcement record might be referred for secondary examination). Major component: U.S. Citizenship and Immigration Services; Information reseller: ChoicePoint, LexisNexis, West; Aggregate contract value: $960,000; Uses involving personal information: Offices of Fraud Detection and National Security and Asylum. Detect fraud in applications for immigrant benefits and obtain court records (including judgments and conviction documents) to support a broad range of evidentiary requirements for official adjudication proceedings. Major component: Transportation Security Administration; Information reseller: Acxiom, Insight America, Qsent[A]; Aggregate contract value: $897,000; Uses involving personal information: Test the feasibility of using commercial data sources to authenticate identity information contained in passenger records to support passenger prescreening. As part of the Secure Flight Program, TSA conducted a test to determine whether commercial data could be used to improve the effectiveness of watch list matching by identifying passengers who would not have been identified from passenger name records and government data alone. TSA plans to use the results of the test to identify what personally identifying information should be required in passenger name records to maximize aviation security. Major component: U.S. Secret Service; Information reseller: ChoicePoint, Dallas Computer Services, Dun & Bradstreet, LocatePLUS, and APPRISS; Aggregate contract value: $471,000; Uses involving personal information: Provide investigative leads to field agents and other Secret Service personnel in conducting their investigations (e.g., to develop background information on persons, locations, or businesses). Acquire jail data that are used as a cross- check against state and federal databases on warrants, sex offenders, child support, probations, and paroles. Major component: Federal Emergency Management Agency; Information reseller: ChoicePoint; Aggregate contract value: $113,000; Uses involving personal information: Acquire information such as name, address, and Social Security number to help verify and validate the identities of individuals applying for disaster assistance via the Internet. Major component: Office of Inspector General; Information reseller: ChoicePoint, LexisNexis; Aggregate contract value: $39,000; Uses involving personal information: Generate leads in law enforcement investigations. Major component: U.S. Coast Guard; Information reseller: ChoicePoint; Aggregate contract value: $19,000; Uses involving personal information: Obtain up-to-date credit reports as needed to assist in the resolution of financial issues that are of a security concern in adjudications. Major component: Federal Law Enforcement Training Center--Special Investigations Division; Information reseller: ChoicePoint; Aggregate contract value: $7,900; Uses involving personal information: Verify addresses, conduct background checks, criminal and administrative investigations. Source: DHS. Notes: The table represents fiscal year 2005 contract values and may not reflect actual expenditures. We did not verify the accuracy or completeness of the dollar figures provided to us. Contract values were rounded to the nearest thousand. Several DHS components use the departmentwide contracts with LexisNexis and West. Components such as the Science and Technology and Management Directorates reported that their use of these departmentwide contracts did not involve the use of personal information (e.g., reported uses were for legal or scientific research); accordingly, we did not include these values in the table. To the extent possible, we excluded uses that did not involve personal information; however, since DHS officials responsible for administering departmentwide FEDLINK contracts were unable to provide a breakdown of component billings by information reseller, the values reflected in the table may include uses that do not involve personal information. For example, U.S. Citizenship and Immigration Services' fiscal year 2005 use of departmentwide FEDLINK contracts totaled approximately $960,000, but contract officials could not provide specific amounts for this organization's use of ChoicePoint, LexisNexis, and West. Although U.S. Citizenship and Immigration Services described use of West as primarily for legal research, we could not separate costs associated with use of personal information. [A] Acxiom, Insight America (now owned by Acxiom), and Qsent were subcontractors on the EagleForce Associates contract to conduct a commercial data test for the Secure Flight Program. Although EagleForce is not an information reseller, we included the contract value because the commercial data test involved the acquisition of personal information from resellers. [End of table] SSA Uses Information Resellers Primarily for Fraud Prevention and Identity Verification: In an effort to ensure the accuracy of Social Security benefit payments, SSA and its components reported using approximately $1.3 million in contracts in fiscal year 2005 with information resellers for a variety of purposes relating to fraud prevention (66 percent), such as skiptracing,[Footnote 36] confirming suspected fraud related to workers compensation payments, obtaining information on criminal suspects for follow-up investigations (18 percent), and collecting debts (16 percent). SSA and its components acquired these services through the use of the GSA and FEDLINK governmentwide contracts and their own contracts. In fiscal year 2005, SSA contracted with ChoicePoint, LexisNexis, SourceCorp, and Equifax. The Office of the Inspector General (OIG), the largest user of information reseller data at SSA, supports the agency's efforts to prevent fraud, waste, and abuse. The OIG uses several information resellers to assist investigative agents in detecting benefit abuse by Social Security claimants and to assist agents in locating claimants. For example, OIG agents access reseller data to verify the identity of subjects undergoing criminal investigations. Regional office agents may also use reseller data in investigating persons suspected of claiming disability fraudulently and draw upon assistance from OIG headquarters staff and state investigators from the state Attorney General's office in these investigations. For example, the Northeastern Program Service Center, located in the New York branch of SSA, obtains New York State Workers Compensation Board data from SourceCorp, the only company legally permitted to maintain the physical and electronic records for New York State Workers Compensation. Through the use of this information, SSA can identify persons collecting workers compensation benefits but not reporting those benefits, as required, to the SSA. Table 5 details in aggregate the vendors, fiscal year 2005 contract values, and uses of contracts with information resellers reported by major SSA components. Table 5: Reported Uses of Personal Information: SSA Contracts with Information Resellers, Fiscal Year 2005: User: Agencywide; Information reseller: LexisNexis; Contract value: $848,000[A]; Uses involving personal information: Field Office Staff. Obtain resource information (i.e., real property ownership, values, real property transfers, and information concerning the ownership of automobiles and boats) to verify the validity of Supplemental Security Income applicants and recipients. Office of Inspector General. Access public records information to assist with investigations of fraud and abuse within the SSA programs. Office of Hearings and Appeals. Access public records information to locate the addresses of individuals. User: Office of the Inspector General; Information reseller: ChoicePoint; Contract value: $240,000; Uses involving personal information: Acquire information on subjects of criminal investigations (e.g., locations, assets, relatives) and help corroborate fraud allegations that are submitted to the Office of the Inspector General by SSA or the general public.[B]. User: Agencywide[C]; Information reseller: Equifax; Contract value: $204,000; Uses involving personal information: Obtain address verification reports for the most current address of delinquent debtors for undeliverable overpayment-related notices and follow up billing and teleprinter profile reports (standard credit reports) that show the credit history of the debtor referred to Justice for enforced collection via civil suit. User: Northeastern Program Service Center; Information reseller: SourceCorp; Contract value: $14,000; Uses involving personal information: Access New York State Worker Compensation Board payment data to ensure that persons claiming Social Security benefits are correctly reporting workers compensation benefits on their forms. User: Office of the Inspector General New Jersey Cooperative Disability Investigation Unit[D]; Information reseller: ChoicePoint; Contract value: $4,000; Uses involving personal information: Access information on disability claimants and their physicians to determine if the claimants may be hiding assets and other sources of income that may make them ineligible for disability benefits. Source: SSA. Notes: The table represents fiscal year 2005 contract values and may not reflect actual expenditures. We did not verify the accuracy or completeness of the dollar figures provided to us. Contract values were rounded to the nearest thousand. [A] This figure may include uses that do not involve personal information since LexisNexis provides news and legal research in addition to public records. SSA was unable to separate the dollar values associated with use of personal information from uses for other purposes. [B] In addition to initiating its own investigations, the Office of the Inspector General receives notices from the general public about suspected fraud. According to one agency official, a large portion of these fraud allegations are either incomplete or unfounded and must be supported by substantial evidence. Before moving ahead with an investigation, officials obtain data from an information reseller to verify the legitimacy of the fraud allegations, fill in any missing information on the submitted forms and develop leads that would further the development of the allegation and any subsequent investigation if warranted. [C] The Equifax data are accessible by the Northeastern Program Service Center, Mid-Atlantic Program Service Center, Southeastern Program Service Center, Great Lakes Program Service Center, Western Program Service Center, Mid-America Program Service Center, Office of Central Operations, and Office of Financial Policy and Operations. [D] This is an SSA-funded joint investigation between SSA and the New Jersey State Attorney General's Office. [End of table] The Department of State Uses Information Resellers Primarily for Passport Fraud Detection and Investigation: The Department of State and its components reported approximately $569,000 in contracts in fiscal year 2005 with information resellers, primarily for assistance in fraud related activities through criminal investigations (51 percent), fraud detection (26 percent), and other uses (23 percent) such as background screening. State acquired information reseller services through the GSA schedule and a Justice blanket-purchase agreement. In fiscal year 2005, the majority of State contracts were with ChoicePoint; the agency also had contracts with LexisNexis, Equifax and Metronet. State's components reported use of these contracts mainly for passport- related activities. For example, several components of State accessed personal information to validate information submitted on immigrant and nonimmigrant visa petitions, such as marital or familial relationships, birth and identity information, and address validation. A major use of reseller data at State is by investigators acquiring information on suspects in passport and visa fraud cases. According to State, information reseller data are increasingly important to its operations, because the number of passport and visa fraud cases has increased, and successful investigations of passport and visa fraud are critical to combating terrorism. In addition to these uses, State acquires personal information through Equifax to support the financial background screening of its job applicants. Table 6 details the vendors, fiscal year 2005 contract values, and uses of contracts with information resellers reported by major State components. Table 6: Reported Uses of Personal Information: Department of State Contracts with Information Resellers, Fiscal Year 2005: Component: Diplomatic Security; Information reseller: ChoicePoint; Contract value: $288,000; Uses involving personal information: Criminal Investigations Division. Obtain leads on addresses, locations, identity, etc., used in the conduct of criminal investigations of passport and visa fraud. Diplomatic Security Command Center and Diplomatic Security agents at 26 overseas posts. Same use. Component: Office of Personnel Security and Suitability; Information reseller: Equifax; Contract value: $132,000; Uses involving personal information: Obtain credit checks on applicants and new hires to support background screening processes. Component: Bureau of Consular Affairs; Information reseller: ChoicePoint, Metronet; Contract value: $89,000; Uses involving personal information: Check the validity of selected passport applications, particularly two categories of high-risk applications.[A]. Component: National Visa Center; Information reseller: ChoicePoint; Contract value: $40,000; Uses involving personal information: Verify information submitted on immigrant and nonimmigrant visa petitions. Component: Office of Consular Fraud Prevention Programs; Information reseller: LexisNexis; Contract value: $21,000; Uses involving personal information: Investigate claims of marital and familial relationships on immigrant visa applications and determine the bona fides of prospective employers for employment-based nonimmigrant visas. Source: Department of State. Note: The table represents fiscal year 2005 contract values and may not reflect actual expenditures. We did not verify the accuracy or completeness of the dollar figures provided to us. [A] The two categories of high-risk passport applications include those with birth certificates from Puerto Rico and those from applicants lacking acceptable primary identification documents, who include affidavits from family or associates attesting to their identity. [End of table] Agencies Contract with Information Resellers Primarily through Use of GSA's Federal Supply Schedules and the Library of Congress's FEDLINK Service: In fiscal year 2005, the four agencies acquired personal information primarily through governmentwide contracts, including GSA's Federal Supply Schedule (52 percent) contracts and the Library of Congress's FEDLINK contracts (28 percent). Components within these agencies also initiated separate contracts with resellers as well. The Department of Justice was the largest user, accounting for approximately $19 million of the $30 million total for all four agencies. Figure 3 shows the values of reseller data acquisition by agency for fiscal year 2005. Figure 3: Total Dollar Values, Categorized by Agency, of Fiscal Year 2005 Acquisition of Personal Information from Information Resellers: [See PDF for image] [End of figure] In fiscal year 2005, the most common vehicles used among all four agencies to acquire personal information from information resellers were the governmentwide contracts made available through GSA's Federal Supply Schedule. The GSA schedule provides agencies with simplified, streamlined contracting vehicles, allowing them to obtain access to information resellers' services either by issuing task or purchase orders or by establishing blanket purchase agreements based on the schedule contracts. The majority of Justice's acquisition of information reseller services was obtained through the GSA schedule, including a blanket purchase agreement with ChoicePoint that was also made available to non-Justice agencies (for example, the Departments of State and Health and Human Services). In addition, components of DHS such as the U.S. Secret Service and the SSA's Office of Inspector General made use of GSA schedule contracts with information resellers. The Federal Supply Schedule allows agencies to take advantage of prenegotiated contracts with a variety of vendors, including information resellers. GSA does not assess fees for the use of these contracts; rather it funds the operation of the schedules in part by obtaining administrative fees from vendors on a quarterly basis. According to GSA officials, use of the schedule contracts allows agencies to obtain the best price and reduce their procurement lead time. Since these contracts have been prenegotiated, agencies do not need to issue their own solicitation. Instead, agencies may simply place a task order directly with the vendor, citing the schedule number. GSA's role in administering these contracts is primarily to negotiate baseline contract requirements and pricing; it does not monitor which agencies are using its schedule contracts. GSA officials noted that the requirements contained in the schedule contracts are baseline, and agencies may add more stringent requirements to their individual task orders. Another contract vehicle commonly used to obtain personal information from information resellers was the Library of Congress's FEDLINK service (28 percent). This vehicle was used by both DHS and SSA.[Footnote 37] FEDLINK, an intragovernmental revolving fund,[Footnote 38] is a cooperative procurement, accounting, and training program designed to provide access to online databases, periodical subscriptions, books, and other library and information support services from commercial suppliers, including information resellers. At DHS, use of the FEDLINK service was the primary vehicle for contracting with information resellers. DHS also used GSA schedule buys, and some smaller purchases were made directly between DHS components and information resellers. The majority of SSA's fiscal year 2005 acquisitions from information resellers were through FEDLINK, with some use of the GSA schedule contracts. FEDLINK allows agencies to take advantage of prenegotiated contracts at volume discounts with a variety of vendors, including information resellers. As with the GSA schedule contracts, the requirements of the FEDLINK contracts serve as a baseline, and agencies may add more stringent requirements if they so choose. FEDLINK offers two different options for using its contracts: direct express and transfer pay. The direct express option is similar to the GSA schedule process, in which the agency issues a purchase order directly to the vendor and cites the underlying FEDLINK contract. Under direct express, the ordering agency is responsible for managing the delivery of products and services and paying invoices, and the vendor pays an administrative fee to the Library. Under the transfer pay option, ordering agencies must sign an interagency agreement and pay an administrative fee to the Library. In turn, the ordering agencies receive additional administrative services. DHS used both the direct express and transfer pay options in fiscal year 2005, while SSA used transfer pay exclusively. Resellers Take Steps to Protect Privacy, but These Measures Are Not Fully Consistent with the Fair Information Practices: Although the information resellers that do business with the federal agencies we reviewed[Footnote 39] have practices in place to protect privacy, these measures were not fully consistent with the Fair Information Practices. Most significantly, the first four principles, relating to collection limitation, data quality, purpose specification, and use limitation, are largely at odds with the nature of the information reseller business. These principles center on limiting the collection and use of personal information and require data accuracy based on that limited purpose and limited use of the information. However, the information reseller industry presupposes that the collection and use of personal information is not limited to specific purposes, but instead that information can be collected and made available to multiple customers for multiple purposes. Resellers make it their business to collect large amounts of personal information[Footnote 40] and to combine that information in new ways so that it serves purposes other than those for which it was originally collected. Further, they are limited in their ability to ensure the accuracy, currency, or relevance of their holdings, because these qualities may vary based on customers' varying uses. Information reseller policies and procedures were consistent with aspects of the remaining four Fair Information Practices. Large resellers reported implementing a variety of security safeguards, such as stringent customer credentialing, to improve protection of personal information. Resellers also generally provided public notice of key aspects of their privacy policies and practices, (relevant to the openness principle) and reported taking actions to ensure internal compliance with their own privacy policies (relevant to the accountability principle). However, resellers generally limited the extent to which individuals could gain access to personal information held about themselves, and because they obtain their information from other sources, most resellers also had limited provisions for correcting or deleting inaccurate information contained in their databases (relevant to the individual participation principle).[Footnote 41] Instead, they directed individuals wishing to make corrections to contact the original sources of the data. Table 7 provides an overview of information resellers' application of the Fair Information Practices. Table 7: Information Resellers' Application of Principles of the Fair Information Practices: Principle: Collection limitation. The collection of personal information should be limited, should be obtained by lawful and fair means, and, where appropriate, with the knowledge or consent of the individual; Resellers' application: Resellers do not limit collections to specific purposes but collect large amounts of personal information, within the bounds of the law. Further, in many cases, individuals do not know that their personal information is being collected by the reseller, even though they may have known of the original (source) collection. Principle: Data quality. Personal information should be relevant to the purpose for which it is collected, and should be accurate, complete, and current as needed for that purpose; Resellers' application: Although they often have measures in place for ensuring data accuracy in the aggregate, resellers do not ensure that the information they provide is accurate, complete, and current for a specific purpose. Instead, they monitor and rely on the quality controls of the original data source. Principle: Purpose specification. The purpose for the collection of personal information should be disclosed before collection and upon any change to that purpose, and its use should be limited to that purpose and compatible purposes; Resellers' application: Resellers disclose general categories of purposes for their data collection rather than specific purposes. They obtain information originally collected for specific purposes and generally offer it for a much wider range of purposes. Principle: Use limitation. Personal information should not be disclosed or otherwise used for other than a specified purpose without consent of the individual or legal authority; Resellers' application: Resellers generally limit the use of information as required by law rather than on the basis of the purposes originally specified when the information was collected. Resellers generally pass responsibility for legal use restrictions to customers through licensing and contract terms and agreements. Customers must contractually agree to appropriate uses of the data and must agree to comply with applicable laws. Principle: Security safeguards. Personal information should be protected with reasonable security safeguards against risks such as loss or unauthorized access, destruction, use, modification, or disclosure; Resellers' application: Resellers reported implementing a variety of security safeguards, such as stringent customer credentialing, to improve protection of personal information. Principle: Openness. The public should be informed about privacy policies and practices, and individuals should have ready means of learning about the use of personal information; Resellers' application: Resellers generally inform the public of key aspects of privacy policies through Web sites, brochures, and so on. Principle: Individual participation. Individuals should have the following rights: to know about the collection of personal information, to access that information, to request correction, and to challenge the denial of those rights; Resellers' application: Although information resellers allow individuals access to their personal information, this access is generally limited, as is the opportunity to make corrections. Generally, resellers only correct errors they may have introduced in the process of obtaining and aggregating data. Principle: Accountability. Individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of these principles; Resellers' application: Resellers reported taking actions, such as designating a chief privacy officer or equivalent, to ensure compliance with their privacy policies. Annual privacy audits were conducted in one case. Source: GAO analysis of reseller information. Note: We did not evaluate the effectiveness of information reseller practices, only the extent to which resellers applied the Fair Information Practices. [End of table] Information Resellers Generally Did Not Report Limiting Their Data Collection to Specific Purposes or Notifying Individuals about Them: According to the collection limitation principle of the Fair Information Practices, the collection of personal information should be limited, information should be obtained by lawful and fair means, and, where appropriate, it should be collected with the knowledge and consent of the individual. The collection limitation principle also suggests that organizations could limit collection to the minimum amount of data necessary to process a transaction. In practice, resellers are limited in the personal information that they can obtain by laws that apply to specific kinds of information (for example, the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, which restrict the collection, use, and disclosure of certain consumer and financial data). One reseller reported that it also restricts collection of Social Security number information from public records, as well as collection of identifying information on children from public sources, such as telephone directories. Beyond specific legal restrictions, information resellers generally attempt to aggregate large amounts of personal information so as to provide useful information to a broad range of customers. For example, resellers collect personal information from a wide variety of sources, including state motor vehicle records; local government records on births, real property, and voter registrations; and various court records. Information resellers may also obtain information from telephone directories, Internet sites, and consumer applications for products or services. The widely varying sources and types of information demonstrate the broad nature of the collection of personal information. The amount and scope of information collected vary from company to company, and resellers use this information to offer a range of products tailored to different markets and uses.[Footnote 42] Regarding the principle that information should be obtained by lawful and fair means, resellers stated that they take steps to ensure that their collection of information is legal. For example, resellers told us that they obtain assurances from their data suppliers that information is legally collected from reputable sources. Further, they design their products and services to ensure they are in conformance with laws such as the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act. Regarding the principle that, where appropriate, information should be collected with the knowledge and consent of the individual, resellers do not make provisions to notify the individuals involved when they obtain personal data from their many sources, including public records. Concomitantly, individuals are not afforded an opportunity to express or withhold their consent when the information is collected. Resellers said they believe it may not be appropriate or practical for them to provide notice or obtain consent from individuals because they do not collect information directly from them. One reseller noted that in many instances the company does not have a direct relationship with the data subject and is therefore not in a position to interact with the consumer for purposes such as providing notice. Further, this reseller stated its belief that requiring resellers to notify and obtain consent from each individual about whom they obtain information would result in consumers being overwhelmed with notices and negate the value of notice. Under certain conditions, some information resellers offer consumers an "opt-out" option--that is, individuals may request that information about themselves be suppressed from selected databases. However, resellers generally offer this option only with respect to certain types of information and only under limited circumstances. For example, one reseller allows consumers to opt out of its marketing products but not other products, such as background screening and fraud detection products. The privacy policy for another information reseller states that it will allow certain individuals to opt out of its nonpublic information databases containing sensitive information under specific conditions: if the individual is a state, local, or federal law enforcement officer or public official whose position exposes him or her to a threat of imminent harm; if the individual is a victim of identity theft; or if the individual is at risk of physical harm. In order to exercise this option, consumers generally must provide satisfactory documentation to support the basis for their request. In any event, the reseller retains the right to determine (1) whether to grant or deny any request, (2) to which databases the request for removal will apply, and (3) the duration of the removal. Two resellers stated their belief that under certain circumstances it may not be appropriate to provide consumers with opportunities for opting out, such as for information products designed to detect fraud or locate criminals. These resellers stated that if individuals were permitted to opt out of fraud prevention databases, some of those opting out could be criminals, which would undermine the effectiveness and utility of these databases. Information Resellers Do Not Ensure That Personal Information They Provide Is Accurate for Specific Purposes: According to the data quality principle, personal information should be relevant to the purpose for which it is collected, and should be accurate, complete, and current as needed for that purpose. Information resellers reported taking steps to ensure that they generally receive accurate data from their sources and that they do not introduce errors in the process of transcribing and aggregating information; however, they generally provide their customers with exactly the same data they obtain and do not claim or guarantee that the information is accurate for a specific purpose. Some resellers' privacy policies state that they expect their data to contain some errors. Further, resellers varied in their policies regarding correction of data determined to be inaccurate as obtained by them. One reseller stated that it would delete information in its databases that was found to be inaccurate. Another stated that even if an individual presents persuasive evidence that certain information is in error, the reseller generally does not make changes if the information comes directly from an official public source (unless instructed to do so by that source). Because they are not the original source of the personal information, information resellers generally direct individuals to the original sources to correct any errors. Several resellers stated that they would correct any identified errors introduced through their own processing and aggregation of data. While not providing specific assurance of the accuracy of the data they provide, information resellers reported that they take steps to ensure that their suppliers have data quality controls in place. For example, officials from one information reseller said they use a screening process to help determine whether they should use a particular supplier.[Footnote 43] As part of this process, the reseller assesses whether the supplier has internal controls in place that are in line with the reseller's policies. Information resellers also reported that they conduct annual audits of their suppliers aimed at assessing the integrity and quality of the information they receive. If these audits show that a supplier has failed to provide accurate, complete, and timely information, the reseller may discontinue using that supplier. Resellers also noted that data accuracy is contingent upon intended use. That is, data that may be perfectly adequate for one purpose may not be precise enough or appropriate for another purpose. While end users, such as federal agencies, may address data quality for their specific purposes, resellers--who maintain personal information for multiple purposes--are less able to achieve accuracy because they support multiple uses. Thus, resellers generally disclaim data accuracy and leave it to their customers to ensure that the data are accurate for their intended uses. One reseller stated that their customers understand the accuracy limitations of the data they obtain and take the potential for data inaccuracy into account when using the data. Information Resellers' Specification of the Purpose of Data Collection Consists of Broad Descriptions of Business Categories: According to the purpose specification principle, the purpose for the collection of personal information should be disclosed before collection and upon any change to that purpose, and its use should be limited to that purpose and compatible purposes. While information resellers specify purpose in a general way by describing the types of businesses that use their data, they generally do not designate specific intended uses for each of their data collections. Resellers generally obtain information that has already been collected for a specific purpose and make that information available to their customers, who in turn have a broader variety of purposes for using it. For example, personal information originally submitted by a customer to register a product warranty could be obtained by a reseller and subsequently made available to another business or government agency, which might use it for an unrelated purpose, such as identity verification, background checking, or marketing. In a general sense, information resellers specify their purpose by indicating (on company Web sites, for example) the business categories of the customers for whom they collect information. For example, reseller privacy policies generally state that resellers make personal information available for legitimate uses by business and government organizations. Examples of business categories may be provided, but resellers do not specify which types of information are to be used in which business categories. It is difficult for resellers to provide greater specificity because they make their data available to many customers for a wide range of legitimate purposes. As a result, the public is made aware only of the broad range of potential uses to which their personal information may be applied, rather than a specific use, as envisioned in the Fair Information Practices. Information Resellers Generally Limit the Use of Information as Required by Law, Rather Than on the Basis of Purposes Originally Specified When the Information Was Collected: Under the use limitation principle, personal information should not be disclosed or used for other than the originally specified purpose without consent of the individual or legal authority. However, because information reseller purposes are specified very broadly, it is difficult for resellers to ensure that use of the information in their databases is limited. As previously discussed, information reseller data may have many different uses, depending on the types of customers involved. Resellers do take steps to ensure that their customers' use of personal information is limited to legally sanctioned purposes. Information resellers pass this responsibility to their customers through licensing agreements and contract terms and agreements. According to two large information resellers, customers are generally contractually required to use data from resellers appropriately and must agree to comply with applicable laws, such as the Gramm-Leach- Bliley Act, the Fair Credit Reporting Act, and the Driver's Privacy Protection Act. For example, one information reseller uses a service agreement that includes provisions governing permissible use of information sought by the customer, the confidentiality of information provided, legal requirements under federal and state laws, and other customer obligations. The reseller reported that the company monitors its customers' compliance by conducting periodic audits and taking appropriate actions in response to any audit findings. In a standardized agreement form used by another reseller, federal agencies must certify that they will use information obtained from the reseller only as permissible under the Gramm-Leach-Bliley Act and the Driver's Privacy Protection Act. The service agreement identifies permissible purposes for information whose use is restricted by these laws and requires agencies to agree that they will use the information only in the performance or the furtherance of appropriate government activities. In conformance with the Gramm-Leach-Bliley Act permissible uses, the information reseller requires agencies to certify that they will use personal information "only as requested or authorized by the consumer." The information resellers used by the federal agencies we reviewed generally also reported taking steps to ensure that access to certain sensitive types of personally identifiable information is limited to certain customers and uses. For example, two resellers reported that they provide full Social Security numbers and driver's license numbers only to specific types of customers, including law enforcement agencies and insurance companies, and for purposes such as employment or tenant screening. While actions such as these are useful in protecting privacy and are consistent with the use limitation principle in that they narrow the range of potential uses for this type of information, they are not equivalent to limiting use only to a specific predefined purpose. Without limiting use to predefined purposes, resellers cannot provide individuals with assurance that their information will only be accessed and used for the purpose originally specified when the information was collected. Information Resellers Reported Taking Steps to Improve Security Safeguards: According to the security safeguards principle, personal information should be protected with reasonable safeguards against risks such as loss or unauthorized access, destruction, use, modification, or disclosure. While we did not evaluate the effectiveness of resellers' information security programs, resellers we spoke with said they employ various safeguards to protect consumers' personal information. They implemented these safeguards in part for business reasons but also because federal laws require such protections. Resellers describe these safeguards in various policy statements, such as online and data privacy policies or privacy statements posted on Internet sites. Resellers also generally had information security plans describing, among other things, access controls for information and systems, document management practices, incident reporting, and premises security. Given recent incidents, large information resellers reported having recently taken steps to improve their safeguards against unauthorized access. In a well-publicized incident, in February 2005, ChoicePoint disclosed that unauthorized individuals had gained access to personal information by posing as a firm of private investigators. In the following month, LexisNexis disclosed that unauthorized individuals had gained access to personal information through the misappropriation of user IDs and passwords from legitimate customers. These disclosures were required by state law, as previously discussed. In January 2006, ChoicePoint reached a settlement with the Federal Trade Commission[Footnote 44] over charges that the company did not have reasonable procedures to verify the identity of prospective new users. The company agreed to implement new procedures to ensure that it provides consumer reports only to legitimate business for lawful purposes. In the mean time, both information resellers reported that they had taken steps to improve their procedures for authorizing customers to have access to sensitive information, such as Social Security numbers. For example, one reseller established a credentialing task force with the goal of centralizing its customer credentialing process. In order for customers of this reseller to obtain products and services containing sensitive personal information, they must now undergo a credentialing process involving a site visit by the information reseller to verify the accuracy of information reported about the business. Applicants are then scored against a credentialing checklist to determine whether they will be granted access to sensitive information. In addition, both resellers reported efforts to strengthen user ID and password protections and restrict access to sensitive personal information (including full driver's license numbers and Social Security numbers) to a limited number of customers, such as law enforcement agencies (others would be able to view masked information). Although we did not test the effectiveness of these measures, if implemented correctly, they could help provide assurance that sensitive information is protected appropriately. In addition to enhancing safeguards on customer access authorizations, resellers have instituted a variety of other security controls. For example, three large information resellers have implemented physical safeguards at their data centers, such as continuous monitoring of employees entering and exiting facilities, monitoring of activity on customer accounts, and strong authentication of users entering and exiting secure areas within the data centers. Officials at one reseller told us that security profiles were established for each employee that restrict access to various sections of the center based upon employee job functions. Computer rooms were further protected with a combined system of biometric hand readers and security codes. Security cameras were placed throughout the facility for continuous recording of activity and review by security staff. Information resellers also had contingency plans in place to continue or resume operations in the event of an emergency. Information resellers reported that on an annual basis, or more frequently if needed, they conduct security risk assessments as well as internal and external security audits. These assessments address such topics as vulnerabilities to internal or external security threats, reporting and responding to security incidents, controls for network and physical facilities, and business continuity management. The assessments also addressed strategies for mitigating potential or identified risks. If properly implemented, security measures such as those reported by information resellers could contribute to effective implementation of the security safeguards principle. Information Resellers Generally Informed the Public about Their Privacy Policies and Practices: According to the openness principle, the public should be informed about an organization's privacy policies and practices, and individuals should have ready means of learning about the organization's use of personal information. To address openness, information resellers took steps to inform the public about key aspects of their privacy policies. They used means such as company Web sites and brochures to inform the public of specific policies and practices regarding the collection and use of personal information. Reseller Web sites also generally provided information about the types of information products the resellers offered--including product samples--as well as general descriptions about the types of customers served. Several Web sites also provided advice to consumers on protecting personal information and discussed what to do if individuals suspect they are victims of identity theft. Providing public notice of privacy policies informs individuals of what steps an organization takes to protect the privacy of the personal information it collects and helps to ensure the organization's accountability for its stated policies. Information Reseller Policies Generally Allow Individuals Limited Ability to Access and Correct Their Personal Information: According to the individual participation principle, individuals should have the right to know about the collection of personal information, to access that information, to request correction, and to challenge the denial of those rights. Information resellers generally allow individuals access to their personal information. However, this access is limited, as is the opportunity to make corrections. Resellers may provide an individual a report containing certain types of information- -such as compilations of public records information--however, the report may not include all information maintained by the resellers about that individual. For example, one information reseller stated that it offers a free report, under certain circumstances, on an individual's claims history, employment history, or tenant history. Resellers may offer basic reports to individuals at no cost, but they generally charge for reports on additional information. A free consumer report, such as an employment history report, for example, typically excludes information such as driver's license data, family information, and credit header data that a reseller may possess in other databases. Although individuals can access information about themselves, if they find inaccuracies, they generally cannot have these corrected by the resellers.[Footnote 45] Information resellers direct individuals to take their cases to the original data sources--such as courthouses or other local government agencies--and attempt to have the inaccuracy corrected there. Several resellers stated that they would correct any identified errors introduced through their own processing and aggregation of data. As discussed above, resellers, as a matter of policy, do not make corrections to data obtained from other sources, even if the consumer provides evidence that the data are wrong. According to resellers, making corrections to their own databases is extremely difficult, for several reasons. First, the services these resellers provide concentrate on providing references to a particular individual from many sources, rather than distilling only the most accurate or current reference. For example, a reseller might have many instances in its databases of a particular individual's current address. Although most might be the same, there could be errors as well. Resellers generally would report the information as they have it rather than attempting to determine which entry is correct. This information is important to customers such as law enforcement agencies. Further, resellers stated that making corrections to their databases could be ineffective because the data are continually refreshed with updated data from the source, and thus any correction is likely to be changed back to its original state the next time the data are updated. In addition, as discussed in the collection limitation section, resellers stated their belief that it would not be appropriate to allow the public to access and correct information held for certain purposes, such as fraud detection and locating criminals, since providing such rights could undermine the effectiveness of these uses (e.g., by allowing criminals to access and change their information). However, as a result of these practices, individuals cannot know the full extent of personal information maintained by resellers or ensure its accuracy. Information Resellers Report Measures to Ensure Accountability for the Collection and Use of Personal Information: According to the accountability principle, individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of the Fair Information Practices. Although information resellers' overall application of the Fair Information Practices varied, each reseller we spoke with reported actions to ensure compliance with its own privacy policies. For example, resellers reported designating chief privacy officers to monitor compliance with internal privacy policies and applicable laws (e.g., the Gramm-Leach-Bliley Act and the Driver's Privacy Protection Act). Information resellers reported that these officials had a range of responsibilities aimed at ensuring accountability for privacy policies, such as establishing consumer access and customer credentialing procedures, monitoring compliance with federal and state laws, and evaluating new sources of data (e.g., cell phone records). Auditing of an organization's practices is one way of ensuring accountability for adhering to privacy policies and procedures. Although there are no industrywide standards requiring resellers to conduct periodic audits of their compliance with privacy policies, one information reseller reported using a third party to conduct privacy audits on an annual basis. Using a third party to audit compliance with privacy policies further helps to ensure that an information reseller is accountable for the implementation of its privacy practices. Establishing accountability is critical to the protection of privacy. Actions taken by data resellers should help ensure that their privacy policies are appropriately implemented. Agencies Lack Policies on Use of Reseller Data, and Practices Do Not Consistently Reflect the Fair Information Practices: Agency practices for handling personal information acquired from information resellers did not always fully reflect the Fair Information Practices. Further, agencies generally lacked policies that specifically address their use of personal information from commercial sources, although DHS Privacy Office officials reported that they were drafting such a policy. As shown in table 8, four of the Fair Information Practices--the collection limitation, data quality, use limitation, and security safeguards principles--were generally reflected in agency practices. For example, several agency components (specifically, law enforcement agencies such as the FBI and the U.S. Secret Service) reported that in practice, they generally corroborate information obtained from resellers when it is used as part of an investigation. This practice is consistent with the data quality principle that data should be accurate, current, and complete. Agency policies and practices with regard to the other four principles, however, were uneven. Specifically, agencies did not always have policies or practices in place to address the purpose specification, openness, and individual participation principles with respect to reseller data. The inconsistencies in application of these principles as well as the lack of specific agency policies can be attributed in part to ambiguities in OMB guidance regarding the applicability of the Privacy Act to information obtained from resellers. Further, privacy impact assessments, which often are not conducted, are a valuable tool that could address important aspects of the Fair Information Practices. Finally, components within each of the four agencies did not consistently hold staff accountable by monitoring usage of personal information from information resellers and ensuring that it was appropriate; thus, their application of the accountability principle was uneven. Table 8: Application of Fair Information Practices to the Reported Handling of Personal Information from Data Resellers at Four Agencies: Principle: Collection limitation. The collection of personal information should be limited, should be obtained by lawful and fair means, and, where appropriate, with the knowledge or consent of the individual; Agency application of principle: General; Agency practices: Agencies limited personal data collection to individuals under investigation or their associates. Principle: Data quality. Personal information should be relevant to the purpose for which it is collected, and should be accurate, complete, and current as needed for that purpose; Agency application of principle: General; Agency practices: Agencies corroborated information from resellers and did not take actions based exclusively on such information. Principle: Purpose specification. The purpose for the collection of personal information should be disclosed before collection and upon any change to that purpose, and its use should be limited to that purpose and compatible purposes; Agency application of principle: Uneven; Agency practices: Agency system of records notices did not generally reveal that agency systems could incorporate information from data resellers. Agencies also generally did not conduct privacy impact assessments for their systems or programs that involve use of reseller data. Principle: Use limitation. Personal information should not be disclosed or otherwise used for other than a specified purpose without consent of the individual or legal authority; Agency application of principle: General; Agency practices: Agencies generally limited their use of personal information to specific investigations (including law enforcement, counterterrorism, fraud detection, and debt collection). Principle: Security safeguards. Personal information should be protected with reasonable security safeguards against risks such as loss or unauthorized access, destruction, use, modification, or disclosure; Agency application of principle: General; Agency practices: Agencies had security safeguards such as requiring passwords to access databases, basing access rights on need to know, and logging search activities (including "cloaked logging," which prevents the vendor from monitoring search content). Principle: Openness. The public should be informed about privacy policies and practices, and individuals should have ready means of learning about the use of personal information; Agency application of principle: Uneven; Agency practices: See Purpose specification above. Agencies did not have established policies specifically addressing the use of personal information obtained from resellers. Principle: Individual participation. Individuals should have the following rights: to know about the collection of personal information, to access that information, to request correction, and to challenge the denial of those rights; Agency application of principle: Uneven; Agency practices: See Purpose specification above. Because agencies generally did not disclose their collections of personal information from resellers, individuals were often unable to exercise these rights. Principle: Accountability. Individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of these principles; Agency application of principle: Uneven; Agency practices: Agencies do not generally monitor usage of personal information from information resellers to hold users accountable for appropriate use; instead, they rely on users to be responsible for their behavior. For example, agencies may instruct users in their responsibilities to use personal information appropriately, have them sign statements of responsibility, and have them indicate what permissible purpose a given search fulfills. Legend: General = policies or procedures to address all major aspects of a particular principle. Uneven = policies or procedures addressed some but not all aspects of a particular principle or some but not all agencies and components had policies or practices in place addressing the principle. Source: GAO analysis of agency-supplied data. Note: We did not independently assess the effectiveness of agency information security programs. Our assessment of overall agency application of the Fair Information Practices was based on the policies and management practices described by the Department State and SSA as a whole and by major components of Justice and DHS (footnote 2 in app. I lists these components). We did not obtain information on smaller components of Justice and DHS. [End of table] Agency Procedures Reflect the Collection Limitation, Data Quality, Use Limitation, and Security Safeguards Principles: The collection limitation principle establishes, among other things, that organizations should obtain only the minimum amount of personal data necessary to process a transaction. This principle also underlies the Privacy Act requirement that agencies maintain in their records "only such information about an individual as is relevant and necessary to accomplish a purpose of the agency."[Footnote 46] Regarding most law- enforcement and counterterrorism purposes, which accounted for 90 percent of usage in fiscal year 2005, agencies generally limited their personal data collection in that they reported obtaining information only on specific individuals under investigation or associates of those individuals.[Footnote 47] Having initiated investigations on specific individuals, however, agencies generally reported that they obtained as much personal information as possible about the individuals being investigated, because law enforcement investigations require pursuing as many investigative leads as possible. The data quality principle states that, among other things, personal information should be relevant to the purpose for which it is collected and be accurate. This principle is mirrored in the Pri