Personal Information:

Agency and Reseller Adherence to Key Privacy Principles

GAO-06-421: Published: Apr 4, 2006. Publicly Released: Apr 4, 2006.

Contact:

Gregory C. Wilshusen
(202) 512-6240
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Federal agencies collect and use personal information for various purposes, both directly from individuals and from other sources, including information resellers--companies that amass and sell data from many sources. In light of concerns raised by recent security breaches involving resellers, GAO was asked to determine how the Departments of Justice, Homeland Security, and State and the Social Security Administration use personal data from these sources. In addition, GAO reviewed the extent to which information resellers' policies and practices reflect the Fair Information Practices, a set of widely accepted principles for protecting the privacy and security of personal data. GAO also examined agencies' policies and practices for handling personal data from resellers to determine whether these reflect the Fair Information Practices.

In fiscal year 2005, the Departments of Justice, Homeland Security, and State and the Social Security Administration reported that they used personal information obtained from resellers for a variety of purposes. Components of the Department of Justice (the largest user of resellers) used such information in performing criminal investigations, locating witnesses and fugitives, researching assets held by individuals of interest, and detecting prescription drug fraud. The Department of Homeland Security used reseller information for immigration fraud detection and border screening programs. Uses by the Social Security Administration and the Department of State were to prevent and detect fraud, verify identity, and determine eligibility for benefits. The agencies spent approximately $30 million on contractual arrangements with resellers that enabled the acquisition and use of such information. About 91 percent of the planned fiscal year 2005 spending was for law enforcement (69 percent) or counterterrorism (22 percent).

The major information resellers that do business with the federal agencies we reviewed have practices in place to protect privacy, but these measures are not fully consistent with the Fair Information Practices. For example, the principles that the collection and use of personal information should be limited and its intended use specified are largely at odds with the nature of the information reseller business, which presupposes that personal information can be made available to multiple customers and for multiple purposes. Resellers said they believe it is not appropriate for them to fully adhere to these principles because they do not obtain their information directly from individuals. Nonetheless, in many cases, resellers take steps that address aspects of the Fair Information Practices. For example, resellers reported that they have taken steps recently to improve their security safeguards, and they generally inform the public about key privacy principles and policies. However, resellers generally limit the extent to which individuals can gain access to personal information held about themselves, as well as the extent to which inaccurate information contained in their databases can be corrected or deleted.

Agency practices for handling personal information acquired from information resellers did not always fully reflect the Fair Information Practices. That is, some of these principles were mirrored in agency practices, but for others, agency practices were uneven. For example, although agencies issued public notices on information collections, these did not always notify the public that information resellers were among the sources to be used. This practice is not consistent with the principle that individuals should be informed about privacy policies and the collection of information. Contributing to the uneven application of the Fair Information Practices are ambiguities in guidance from the Office of Management and Budget (OMB) regarding the applicability of privacy requirements to federal agency uses of reseller information. In addition, agencies generally lack policies that specifically address these uses.

Matter for Congressional Consideration

  1. Status: Closed - Not Implemented

    Comments: In April 2006, we reported on how information resellers--companies that amass and sell data from many sources--collect and use personal information for various purposes, including for sale to federal agencies. We found that information resellers doing business with federal agencies had privacy practices in place that were not fully consistent with the Fair Information Practices, a set of widely accepted principles for protecting the privacy and security of personal data. We recommended that in considering legislation to address privacy concerns related to the information reseller industry, Congress may wish to consider the extent to which the industry should adhere to the Fair Information Practices. In response to our recommendation, H.R. 4127, the Data Accountability and Trust Act, was introduced in the House of Representatives and was placed on the Union Calendar on June 2, 2006. The proposed bill included requirements for information brokers that mirror the Fair Information Practices. For example, the bill included a requirement for brokers to disclose all personal information to individuals if requested by the individual at no cost and to change any incorrect information contained in the information brokers' records. This requirement addresses the individual participation principle by granting individuals the right to access their personal information and to request correction. The bill also required information brokers to maintain an audit log of internal and external access to, or transmission of, any data in electronic form containing personal information. This requirement addresses the accountability principle by ensuring that the individuals controlling the collection or use of personal information are accountable for taking steps to ensure the implementation of these principles. However, the Congress did not enact the legislation.

    Matter: In considering legislation to address privacy concerns related to the information reseller industry, Congress may wish to consider the extent to which the industry should adhere to the Fair Information Practices.

Recommendations for Executive Action

  1. Status: Closed - Not Implemented

    Comments: SSA agreed to amend Privacy Act system of records notices (SORN) to reflect the use of information from commercial sources. Furthermore, the agency agreed to explore options for enhancing its policies and internal controls over information obtained from commercial resellers, including options for improved audit trail maintenance and review. However, SSA has not yet documented that the SORNs have been revised nor has SSA provided concrete plans for developing a policy addressing the collection, maintenance, and use of personal information from commercial resellers.

    Recommendation: To improve accountability, ensure adequate public notice of agencies' use of personal information from commercial sources, and allay potential privacy concerns arising from agency use of information from such sources, the Attorney General, the Secretary of Homeland Security, the Secretary of State, and the Commissioner of SSA should develop specific policies for the collection, maintenance, and use of personal information obtained from resellers that reflect the Fair Information Practices, including oversight mechanisms such as the maintenance and review of audit logs detailing queries of information reseller databases--to improve accountability for agency use of such information.

    Agency Affected: Social Security Administration

  2. Status: Closed - Implemented

    Comments: In April 2006, we reported on how information resellers--companies that amass and sell data from many sources--collect and use personal information for various purposes, including for sale to federal agencies. We found that agency practices for handling personal information acquired from information resellers did not always fully reflect the Fair Information Practices, a set of widely accepted principles for protecting the privacy and security of personal data. We recommended that the Secretary of State develop specific policies for the collection, maintenance, and use of personal information obtained from resellers that reflect the Fair Information Practices, to improve accountability for agency use of such information. In response to our recommendation, in February 2009, the Department of State updated its internal guidance for conducting privacy impact assessments (PIAs) to include policies for information obtained from commercial or publicly available sources that reflect the Fair Information Practices. The guidance defines public or commercial sources as the SSA Death Master File, commercial data brokers (e.g., Acxiom, ChoicePoint, LexisNexis), and consumer credit reporting agencies (e.g., Experian, TransUnion, Equifax). The PIA guidance requires information system owners to document uses of commercially available information in their systems and explain why data from such sources are relevant and necessary. These requirements address the purpose specification and openness principles by ensuring that the department discloses its policies and practices regarding information obtained from resellers and that the purpose for the collection of that information is disclosed.

    Recommendation: To improve accountability, ensure adequate public notice of agencies' use of personal information from commercial sources, and allay potential privacy concerns arising from agency use of information from such sources, the Attorney General, the Secretary of Homeland Security, the Secretary of State, and the Commissioner of SSA should develop specific policies for the collection, maintenance, and use of personal information obtained from resellers that reflect the Fair Information Practices, including oversight mechanisms such as the maintenance and review of audit logs detailing queries of information reseller databases--to improve accountability for agency use of such information.

    Agency Affected: Department of State

  3. Status: Closed - Implemented

    Comments: To address our recommendation, the DHS Privacy Office incorporated specific questions in its May 2007 Privacy Impact Assessment (PIA) guidance concerning use of commercial data. The guidance requires programs that use commercial or publicly available data to explain why and how such data are used. Further, for systems that use or rely on commercial data, the guidance requires an explanation of how data accuracy and integrity are preserved and how the reliability of the data is assessed with regard to its value to the purpose of the system. According to Privacy Office officials, after identifying use of commercial data through the PIA process, the Privacy Office works with the relevant DHS component to review uses of commercial data to ensure that appropriate controls are in place and that the planned uses are appropriately disclosed in privacy notices.

    Recommendation: To improve accountability, ensure adequate public notice of agencies' use of personal information from commercial sources, and allay potential privacy concerns arising from agency use of information from such sources, the Attorney General, the Secretary of Homeland Security, the Secretary of State, and the Commissioner of SSA should develop specific policies for the collection, maintenance, and use of personal information obtained from resellers that reflect the Fair Information Practices, including oversight mechanisms such as the maintenance and review of audit logs detailing queries of information reseller databases--to improve accountability for agency use of such information.

    Agency Affected: Department of Homeland Security

  4. Status: Closed - Not Implemented

    Comments: OMB officials agreed with the importance of proper use of commercial data and stated that they would work with agencies to ensure that they appropriately apply the Fair Information Practices outlined in our report. However, OMB officials stated they did not believe additional direction was required to agencies on reviewing use of information reseller data or specifying its use. As of September 10, 2010, OMB has not issued direction to agencies on reviewing or specifying use of information reseller data.

    Recommendation: To improve accountability, ensure adequate public notice of agencies' use of personal information from commercial sources, and allay potential privacy concerns arising from agency use of information from such sources, the Director of OMB should direct agencies to review their uses of personal information from information resellers, as well as any associated system of records notices and privacy impact assessments, to ensure that such notices and assessments explicitly reference agency use of information resellers.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  5. Status: Closed - Not Implemented

    Comments: OMB officials agreed with the importance of proper use of commercial data and stated that they would work with agencies to ensure that they appropriately apply the Fair Information Practices outlined in our report. They stated they did not believe additional guidance on agency use of information reseller data was required but would consider issuing clarifying guidance following work on the Identity Theft Task Force's effort to safeguard against and respond to any breach of personally identifiable information. This effort was completed on May 22, 2007, with the issuance of memorandum M-07-16; however, as of July 8, 2010, OMB had not yet issued clarifying guidance concerning reseller data.

    Recommendation: To improve accountability, ensure adequate public notice of agencies' use of personal information from commercial sources, and allay potential privacy concerns arising from agency use of information from such sources, the Director of OMB should revise guidance on system of records notices and privacy impact assessments to clarify the applicability of the governing laws (the Privacy Act and the E-Government Act) to the use of personal information from resellers. These clarifications should specify the circumstances under which agencies should make disclosures about their uses of reseller data so that agencies can properly notify the public (for example, what constitutes a "systematic" incorporation of reseller data into a federal system). The guidance should include practical scenarios based on uses agencies are making of personal information from information resellers (for example, visa, criminal, and fraud investigations).

    Agency Affected: Executive Office of the President: Office of Management and Budget

  6. Status: Closed - Implemented

    Comments: The DOJ Privacy and Civil Liberties Office took steps to address our recommendations by revising system of records notices (SORNs) to indicate that "commercial databases" were the source for the information collected. Officials provided citations for system SORNs that disclose the use of commercial data; these include the notices for the Warrant Information Network and commercial information resellers, 72 Fed. Reg. 9777 (March 5, 2007), and for the Criminal Division Index File Systems and Associated Records, 72 Fed. Reg. 44182 (Aug. 7, 2007).

    Recommendation: To improve accountability, ensure adequate public notice of agencies' use of personal information from commercial sources, and allay potential privacy concerns arising from agency use of information from such sources, the Attorney General, the Secretary of Homeland Security, the Secretary of State, and the Commissioner of SSA should develop specific policies for the collection, maintenance, and use of personal information obtained from resellers that reflect the Fair Information Practices, including oversight mechanisms such as the maintenance and review of audit logs detailing queries of information reseller databases--to improve accountability for agency use of such information.

    Agency Affected: Department of Justice
