Privacy:

Alternatives Exist for Enhancing Protection of Personally Identifiable Information

GAO-08-536: Published: May 19, 2008. Publicly Released: Jun 18, 2008.

Contact:

Gregory C. Wilshusen
(202) 512-6240
contact@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The centerpiece of the federal government's legal framework for privacy protection, the Privacy Act of 1974, provides safeguards for information maintained by federal agencies. In addition, the E-Government Act of 2002 requires federal agencies to conduct privacy impact assessments for systems or collections containing personal information. GAO was asked to determine whether laws and guidance consistently cover the federal government's collection and use of personal information and incorporate key privacy principles. GAO was also asked, in doing so, to identify options for addressing these issues. To achieve these objectives, GAO analyzed the laws and related guidance, obtained an operational perspective from federal agencies, and consulted an expert panel convened by the National Academy of Sciences.

Increasingly sophisticated ways of obtaining and using personally identifiable information have raised concerns about the adequacy of the legal framework for privacy protection. Although the Privacy Act, the E-Government Act, and related guidance from the Office of Management and Budget set minimum privacy requirements for agencies, they may not consistently protect personally identifiable information in all circumstances of its collection and use throughout the federal government and may not fully adhere to key privacy principles. Based on discussions with privacy experts, agency officials, and analysis of laws and related guidance, GAO identified issues in three major areas:

  • Applying privacy protections consistently to all federal collection and use of personal information. The Privacy Act's definition of a "system of records" (any grouping of records containing personal information retrieved by individual identifier), which sets the scope of the act's protections, does not always apply whenever personal information is obtained and processed by federal agencies. One alternative to address this concern would be revising the system-of-records definition to cover all personally identifiable information collected, used, and maintained systematically by the federal government.

  • Ensuring that collection and use of personally identifiable information is limited to a stated purpose. According to the generally accepted privacy principles of purpose specification, collection limitation, and use limitation, the collection of personal information should be limited, and its use should be limited to a specified purpose. Yet current laws and guidance impose only modest requirements in these areas. While, in the post-9/11 environment, the federal government needs better analysis and sharing of certain personal information, there is general agreement that this need must be balanced with individual privacy rights. Alternatives to address this area of concern include requiring agencies to justify the collection and use of key elements of personally identifiable information and to establish agreements before sharing such information with other agencies.

  • Establishing effective mechanisms for informing the public about privacy protections. Another key privacy principle, the principle of openness, suggests that the public should be informed about privacy policies and practices. Yet Privacy Act notices may not effectively inform the public about government uses of personal information. For example, system-of-records notices published in the Federal Register (the government's official vehicle for issuing public notices) may be difficult for the general public to fully understand. Layered notices, which provide only the most important summary facts up front, have been used as a solution in the private sector. In addition, publishing such notices at a central location on the Web would help make them more accessible.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

Recommendation for Executive Action

Recommendation: In assessing the appropriate balance between the needs of the federal government to collect personally identifiable information for programmatic purposes and the assurances that individuals should have that their information is being sufficiently protected and properly used, Congress should consider amending applicable laws, such as the Privacy Act and the E-Government Act, according to the alternatives outlined in this report, including: revising the scope of the laws to cover all personally identifiable information collected, used, and maintained by the federal government; setting requirements to ensure that the collection and use of personally identifiable information is limited to a stated purpose; and establishing additional mechanisms for informing the public about privacy protections by revising requirements for the structure and publication of public notices.

Agency Affected: Congress

Status: Closed - Not Implemented

Comments: While the Senate considered amending applicable laws according to the alternatives outlined in our report, no such amendments have been passed by the Congress or enacted into law. Specifically, on October 18, 2011, Sen. Akaka introduced the Privacy Act Modernization for the Information Age Act of 2011, which would amend both the Privacy Act and E-Government Act to cover all personally identifiable information (PII) collected, used, and maintained by the federal government; set requirements to ensure all PII was used for stated purposes; and establish additional mechanisms for informing the public about privacy protections. The proposed act has not been passed.
