Personal Information: Agency and Reseller Adherence to Key Privacy Principles

GAO-06-421 April 4, 2006
Highlights Page (PDF)   Full Report (PDF, 93 pages)   Accessible Text   Recommendations (HTML)

Summary

Federal agencies collect and use personal information for various purposes, both directly from individuals and from other sources, including information resellers--companies that amass and sell data from many sources. In light of concerns raised by recent security breaches involving resellers, GAO was asked to determine how the Departments of Justice, Homeland Security, and State and the Social Security Administration use personal data from these sources. In addition, GAO reviewed the extent to which information resellers' policies and practices reflect the Fair Information Practices, a set of widely accepted principles for protecting the privacy and security of personal data. GAO also examined agencies' policies and practices for handling personal data from resellers to determine whether these reflect the Fair Information Practices.

In fiscal year 2005, the Departments of Justice, Homeland Security, and State and the Social Security Administration reported that they used personal information obtained from resellers for a variety of purposes. Components of the Department of Justice (the largest user of resellers) used such information in performing criminal investigations, locating witnesses and fugitives, researching assets held by individuals of interest, and detecting prescription drug fraud. The Department of Homeland Security used reseller information for immigration fraud detection and border screening programs. Uses by the Social Security Administration and the Department of State were to prevent and detect fraud, verify identity, and determine eligibility for benefits. The agencies spent approximately $30 million on contractual arrangements with resellers that enabled the acquisition and use of such information. About 91 percent of the planned fiscal year 2005 spending was for law enforcement (69 percent) or counterterrorism (22 percent).

The major information resellers that do business with the federal agencies we reviewed have practices in place to protect privacy, but these measures are not fully consistent with the Fair Information Practices. For example, the principles that the collection and use of personal information should be limited and its intended use specified are largely at odds with the nature of the information reseller business, which presupposes that personal information can be made available to multiple customers and for multiple purposes. Resellers said they believe it is not appropriate for them to fully adhere to these principles because they do not obtain their information directly from individuals. Nonetheless, in many cases, resellers take steps that address aspects of the Fair Information Practices. For example, resellers reported that they have taken steps recently to improve their security safeguards, and they generally inform the public about key privacy principles and policies. However, resellers generally limit the extent to which individuals can gain access to personal information held about themselves, as well as the extent to which inaccurate information contained in their databases can be corrected or deleted.

Agency practices for handling personal information acquired from information resellers did not always fully reflect the Fair Information Practices. That is, some of these principles were mirrored in agency practices, but for others, agency practices were uneven. For example, although agencies issued public notices on information collections, these did not always notify the public that information resellers were among the sources to be used. This practice is not consistent with the principle that individuals should be informed about privacy policies and the collection of information. Contributing to the uneven application of the Fair Information Practices are ambiguities in guidance from the Office of Management and Budget (OMB) regarding the applicability of privacy requirements to federal agency uses of reseller information. In addition, agencies generally lack policies that specifically address these uses.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Gregory C. Wilshusen
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6240

Matters for Congressional Consideration

Recommendation: In considering legislation to address privacy concerns related to the information reseller industry, Congress may wish to consider the extent to which the industry should adhere to the Fair Information Practices.

Status: Open

Comments: As of September 17, 2009, Congress has not yet passed legislation concerning information resellers.

Recommendations for Executive Action

Recommendation: To improve accountability, ensure adequate public notice of agencies' use of personal information from commercial sources, and allay potential privacy concerns arising from agency use of information from such sources, the Director of OMB should revise guidance on system of records notices and privacy impact assessments to clarify the applicability of the governing laws (the Privacy Act and the E-Government Act) to the use of personal information from resellers. These clarifications should specify the circumstances under which agencies should make disclosures about their uses of reseller data so that agencies can properly notify the public (for example, what constitutes a "systematic" incorporation of reseller data into a federal system). The guidance should include practical scenarios based on uses agencies are making of personal information from information resellers (for example, visa, criminal, and fraud investigations).

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Open

Comments: In its 60-day letter, OMB agreed with the importance of proper use of commercial data and stated that it would work with agencies to ensure that they appropriately apply the Fair Information Practices outlined in our report. OMB reiterated its written comments on GAO-06-421 by stating that it did not believe additional guidance on agency use of information reseller data was required but would consider issuing clarifying guidance following work on the Identity Theft Task Force's effort to safeguard against and respond to any breach of personally identifiable information. This effort was completed on May 22, 2007, with the issuance of memorandum M-07-16; however, as of September 23, 2009, OMB had not yet issued clarifying guidance concerning reseller data.

Recommendation: To improve accountability, ensure adequate public notice of agencies' use of personal information from commercial sources, and allay potential privacy concerns arising from agency use of information from such sources, the Director of OMB should direct agencies to review their uses of personal information from information resellers, as well as any associated system of records notices and privacy impact assessments, to ensure that such notices and assessments explicitly reference agency use of information resellers.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Open

Comments: In its 60-day letter, OMB agreed with the importance of proper use of commercial data and stated that it would work with agencies to ensure that they appropriately apply the Fair Information Practices outlined in our report. OMB reiterated its written comments on GAO-06-421 by stating that it did not believe additional guidance on agency use of information reseller data was required but would consider issuing clarifying guidance following work on the Identity Theft Task Force's effort to safeguard against and respond to any breach of personally identifiable information. This effort was completed on May 22, 2007, with the issuance of memorandum M-07-16; however, as of September 23, 2009, OMB had not yet issued clarifying guidance concerning reseller data.

Recommendation: To improve accountability, ensure adequate public notice of agencies' use of personal information from commercial sources, and allay potential privacy concerns arising from agency use of information from such sources, the Attorney General, the Secretary of Homeland Security, the Secretary of State, and the Commissioner of SSA should develop specific policies for the collection, maintenance, and use of personal information obtained from resellers that reflect the Fair Information Practices, including oversight mechanisms (such as the maintenance and review of audit logs detailing queries of information reseller databases) to improve accountability for agency use of such information.

Agency Affected: Department of Homeland Security

Status: Closed - implemented

Comments: To address our recommendation, the DHS Privacy Office incorporated specific questions in its May 2007 Privacy Impact Assessment (PIA) guidance concerning use of commercial data. The guidance requires programs that use commercial or publicly available data to explain why and how such data are used. Further, the guidance for systems that use or rely on commercial data requires an explanation of how data accuracy and integrity are preserved and the reliability of the data assessed with regard to its value to the purpose of the system. According to Privacy Office officials, after identifying use of commercial data through the PIA process, the Privacy Office works with the relevant DHS component to review uses of commercial data to ensure appropriate controls are in place and that the planned uses are appropriately disclosed in privacy notices.

Agency Affected: Social Security Administration

Status: Open

Comments: SSA agreed to amend Privacy Act system of records notices (SORN) to reflect the use of information from commercial sources. Furthermore, the agency agreed to explore options for enhancing its policies and internal controls over information obtained from commercial resellers, including options for improved audit trail maintenance and review. However, SSA has not yet documented that the SORNs have been revised nor has SSA provided concrete plans for developing a policy addressing the collection, maintenance, and use of personal information from commercial resellers. As of September 23, 2009, no updated documentation had been produced.

Agency Affected: Department of Justice

Status: Closed - implemented

Comments: The DOJ Privacy and Civil Liberties Office took steps to address our recommendation by revising system of records notices (SORN) to indicate that "commercial databases" were the source for the information collected. Officials provided citations for system SORNs that disclose the use of commercial data; these include the notices for the Warrant Information Network and commercial information resellers, 72 Fed. Reg. 9777 (March 5, 2007), and for the Criminal Division Index File Systems and Associated Records, 72 Fed. Reg. 44182 (Aug. 7, 2007).

Agency Affected: Department of State

Status: Open

Comments: The Department noted that even before the GAO study, bureau-specific internal practices and procedures had already been implemented at the Department to minimize potential misuse of commercial reseller data. For example, the Bureau of Consular Affairs limited its use of commercial databases and provided written guidance to users indicating the limitations of these databases and the necessity to confirm all information obtained from them before adjudicating a case. Other measures, such as receiving monthly audit reports and corroborating information obtained through reseller databases, were also noted. Nonetheless, the Department of State is considering developing written agency-wide guidance to ensure that its use of data from commercial resellers remains consistent with established privacy laws and principles. As of September 23, 2009, the Department had not indicated whether it had taken this action.
