This is the accessible text file for GAO report number GAO-06-609T 
entitled 'Personal Information: Agencies and Resellers Vary in 
Providing Privacy Protections' which was released on April 4, 2006. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 

GAO: 

Testimony: 

Before the Subcommittee on Commercial and Administrative Law and the 
Subcommittee on the Constitution, Committee on the Judiciary, House of 
Representatives: 

For Release on Delivery: 

Expected at 12 p.m. EST Tuesday, April 4, 2006: 

Personal Information: 

Agencies and Resellers Vary in Providing Privacy Protections: 

Statement of Linda D. Koontz: 

Director, Information Management Issues: 

GAO-06-609T: 

GAO Highlights: 

Highlights of GAO-06-609T, a report to the Subcommittee on Commercial 
and Administrative Law and the Subcommittee on the Constitution, 
Committee on the Judiciary, House of Representatives: 

Why GAO Did This Study: 

Federal agencies collect and use personal information for various 
purposes from information resellers—companies that amass and sell data 
from many sources. GAO was asked to testify on its report being issued 
today on agency use of reseller data. For that report, GAO was asked to 
determine how the Departments of Justice, Homeland Security, and State 
and the Social Security Administration use personal data from resellers 
and to review the extent to which information resellers’ policies and 
practices reflect the Fair Information Practices, a set of widely 
accepted principles for protecting the privacy and security of personal 
data. GAO also examined agencies’ policies and practices for handling 
personal data from resellers to determine whether these reflect the 
Fair Information Practices. 

What GAO Found: 

In fiscal year 2005, the Departments of Justice, Homeland Security, and 
State and the Social Security Administration reported that they used 
personal information obtained from resellers for a variety of purposes, 
including performing criminal investigations, locating witnesses and 
fugitives, researching assets held by individuals of interest, and 
detecting prescription drug fraud. The agencies spent approximately $30 
million on contractual arrangements with resellers that enabled the 
acquisition and use of such information. About 91 percent of the 
planned fiscal year 2005 spending was for law enforcement (69 percent) 
or counterterrorism (22 percent). 

The major information resellers that do business with the federal 
agencies GAO reviewed have practices in place to protect privacy, but 
these measures are not fully consistent with the Fair Information 
Practices. For example, the principles that the collection and use of 
personal information should be limited and its intended use specified 
are largely at odds with the nature of the information reseller 
business, which is based on obtaining personal information from many 
sources and making it available to multiple customers for multiple 
purposes. Resellers believe it is not appropriate for them to fully 
adhere to these principles because they do not obtain their information 
directly from individuals. Nonetheless, in many cases, resellers take 
steps that address aspects of the Fair Information Practices. For 
example, resellers reported that they have taken steps recently to 
improve their security safeguards, and they generally inform the public 
about key privacy principles and policies. However, resellers generally 
limit the extent to which individuals can gain access to personal 
information held about themselves, as well as the extent to which 
inaccurate information contained in their databases can be corrected or 
deleted. 

Agency practices for handling personal information acquired from 
information resellers did not always fully reflect the Fair Information 
Practices. That is, for some of these principles, agency practices were 
uneven. For example, although agencies issued public notices when they 
systematically collected personal information, these notices did not 
always notify the public that information resellers were among the 
sources to be used. This practice is not consistent with the principle 
that individuals should be informed about privacy policies and the 
collection of information. Contributing to the uneven application of 
the Fair Information Practices are ambiguities in guidance from the 
Office of Management and Budget regarding the applicability of privacy 
requirements to federal agency uses of reseller information. In 
addition, agencies generally lack policies that specifically address 
these uses. 

What GAO Recommends: 

In its report, GAO suggests that the Congress consider the extent to 
which resellers should adhere to the Fair Information Practices. In 
addition, GAO is making recommendations to the Office of Management and 
Budget and the four agencies to establish policy to address agency use 
of personal information from commercial sources. Agency officials 
generally agreed with the content of the report. Resellers questioned 
the applicability of the Fair Information Practices, especially with 
regard to public records. 

www.gao.gov/cgi-bin/getrpt?GAO-06-609T. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Linda Koontz at (202) 
512- 6240 or koontzl@gao.gov. 

[End of section] 

Mr. Chairmen and Members of the Subcommittees: 

I appreciate the opportunity to discuss critical issues surrounding the 
federal government's purchase of personal information[Footnote 1] from 
businesses known as information resellers. As you are aware, the ease 
and speed with which people's personal information can be collected by 
information resellers from a wide variety of sources and made available 
to government and other customers has accelerated with technological 
advances in recent years. Recent security breaches at large information 
resellers such as ChoicePoint and LexisNexis have raised questions 
about how resellers and their federal customers handle people's 
personal information--especially whether their practices are fully 
consistent with widely accepted practices for protecting the privacy 
and security of personal information. 

Federal agency use of such information is governed primarily by the 
Privacy Act of 1974,[Footnote 2] which requires that the use of 
personal information be limited to predefined purposes and involve only 
information germane to those purposes. The provisions of the Privacy 
Act, in turn, are largely based on a set of principles for protecting 
the privacy and security of personal information, known as the Fair 
Information Practices, which were first proposed in 1973 by a U.S. 
government advisory committee.[Footnote 3] These principles, now widely 
accepted, include: 

1. collection limitation, 

2. data quality, 

3. purpose specification, 

4. use limitation, 

5. security safeguards, 

6. openness, 

7. individual participation, and: 

8. accountability.[Footnote 4] 

These principles, with some variation, are used by organizations to 
address privacy considerations in their business practices and are also 
the basis of privacy laws and related policies in many countries, 
including the United States, Germany, Sweden, Australia, New Zealand, 
and the European Union. 

My testimony is based on a report that we are issuing today.[Footnote 
5] In that report, we analyzed fiscal year 2005 contracts and other 
vehicles for the acquisition of personal information from information 
resellers by the Departments of Justice, Homeland Security (DHS), and 
State and the Social Security Administration (SSA). We also compared 
relevant agency guidelines and management policies and procedures to 
the Fair Information Practices. 

We also identified the extent to which reseller[Footnote 6] polices and 
procedures were consistent with the key privacy principles of the Fair 
Information Practices and assessed the potential effect of any 
inconsistencies. However, we did not attempt to determine whether or 
how information reseller practices should change. Such determinations 
are a matter of policy based on balancing the public's right to privacy 
with the value of services provided by resellers to customers such as 
government agencies. Our work was performed in accordance with 
generally accepted government auditing standards. 

Today, after a brief summary and a discussion of how the selected 
agencies use the personal information that they buy from resellers, my 
remarks will focus on the extent to which the agencies and resellers 
have policies and practices that reflect the Fair Information 
Practices. 

Results in Brief: 

In fiscal year 2005, Justice, DHS, State, and SSA reported that they 
planned to spend a combined total of approximately $30 million[Footnote 
7] to purchase personal information from resellers. The vast majority-
-approximately 91 percent--of the planned spending was for purposes of 
law enforcement (69 percent) or counterterrorism (22 percent). For 
example, components of the Department of Justice (the largest user of 
resellers) used the information for criminal investigations, locating 
witnesses and fugitives, researching assets held by individuals of 
interest, and detecting fraud in prescription drug transactions. DHS 
acquired personal information to aid its immigration fraud detection 
and border screening programs. SSA and State purchased personal 
information from information resellers to detect and investigate fraud, 
verify identities, and determine benefit eligibility. 

The major information resellers that do business with the agencies 
reviewed have measures in place to protect privacy, but the measures 
are not always fully consistent with the Fair Information Practices. 
For example, the nature of the information reseller business is largely 
at odds with the principles of collection limitation, data quality, 
purpose specification, and use limitation. These principles center on 
limiting the collection and use of personal information, and they link 
data quality (for example, accuracy) requirements to these limitations. 
Resellers said they believe that it may not be appropriate or practical 
for them to fully adhere to these principles because they do not obtain 
their information directly from individuals. In fact, the information 
reseller industry is based on the multi-purpose collection and use of 
personal information from multiple sources.[Footnote 8] In many cases, 
resellers take steps that address aspects of the Fair Information 
Practices. For example, resellers reported that they have taken steps 
recently to improve their security safeguards, and they generally 
inform the public about key privacy principles and policies. However, 
resellers generally limit the extent to which individuals can gain 
access to their own personal information and the extent to which 
inaccurate information contained in reseller databases can be corrected 
or deleted. 

Agency practices for handling personal information acquired from 
information resellers reflected four of eight principles established by 
the Fair Information Practices. Agency practices generally reflected 
the collection limitation, data quality, use limitation, and security 
safeguards principles. For example, law enforcement agencies (including 
the Federal Bureau of Investigation and the U.S. Secret Service) 
generally reported that they corroborate information obtained from 
resellers to ensure that it is accurate when it is used as part of an 
investigation, reflecting the data quality principle that data should 
be accurate, current, and complete, as needed for the defined purpose. 
However, agencies did not always have practices for handling reseller 
information to fully address the purpose specification, individual 
participation, openness, and accountability principles. For example: 

* Although agencies notify the public through Federal Register notices 
and published privacy impact assessments that they collect personal 
information from various sources, they do not always indicate 
specifically that information resellers are among those sources. 

* Some agencies lack robust audit mechanisms to ensure that use of 
personal information from information resellers is for permissible 
purposes, reflecting an uneven application of the accountability 
principle. 

Contributing to agencies' uneven application of the Fair Information 
Practices are ambiguities in guidance from OMB on how privacy 
requirements apply to federal agency uses of reseller information. In 
addition, agencies generally lack policies that specifically address 
these uses. 

We made recommendations to OMB to revise privacy guidance and to the 
four agencies to develop specific policies for the use of personal 
information from resellers, and suggested that Congress consider the 
extent to which information resellers should adhere to the Fair 
Information Practices. The five agencies generally agreed with the 
report and described actions initiated to address our recommendations. 

We also obtained comments on excerpts of our draft report from the five 
information resellers we reviewed. Several resellers raised concerns 
regarding the version of the Fair Information Practices we used to 
assess their practices. As discussed in our report, the version of the 
Fair Information Practices we used has been widely adopted and cited 
within the federal government as well as internationally. Further, we 
use it as an analytical framework for identifying potential privacy 
issues for further consideration by Congress--not as criteria for 
strict compliance. 

Background: 

Before advanced computerized techniques, obtaining people's personal 
information usually required visiting courthouses or other government 
facilities to inspect paper-based public records, and information 
contained in product registrations and other business records was not 
generally available at all. Automation of the collection and 
aggregation of multiple-source data, combined with the ease and speed 
of its retrieval, have dramatically reduced the time and effort needed 
to obtain such information. Information resellers provide services 
based on these technological advances. 

We use the term "information resellers" to refer to businesses that 
vary in many ways but have in common the fact that they collect and 
aggregate personal information from multiple sources and make it 
available to their customers. These businesses do not all focus 
exclusively on aggregating and reselling personal information. For 
example, Dun & Bradstreet primarily provides information on commercial 
enterprises for the purpose of contributing to decision making 
regarding those enterprises. In doing so, it may supply personal 
information about individuals associated with those commercial 
enterprises. To a certain extent, the activities of information 
resellers may also overlap with the functions of consumer reporting 
agencies, also known as credit bureaus--entities that collect and sell 
information about individuals' creditworthiness, among other things. To 
the extent that information resellers perform the functions of consumer 
reporting agencies, they are subject to legislation specifically 
addressing that industry, particularly the Fair Credit Reporting Act. 

Information resellers have now amassed extensive amounts of personal 
information about large numbers of Americans. They supply it to 
customers in both government and the private sector, typically via a 
centralized online resource. Generally, three types of information are 
collected: 

* Public records such as birth and death records, property records, 
motor vehicle and voter registrations, criminal records, and civil case 
files. 

* Publicly available information not found in public records but 
nevertheless publicly available through other sources, such as 
telephone directories, business directories, classified ads or 
magazines, Internet sites, and other sources accessible by the general 
public. 

* Nonpublic information derived from proprietary or nonpublic sources, 
such as credit header data, product warranty registrations, and other 
application information provided to private businesses directly by 
consumers. 

Figure 1 illustrates how these types of information are collected and 
aggregated into reports that are ultimately accessed by customers, 
including government agencies, through contractual agreements. 

Figure 1: Typical Information Flow through Resellers to Government 
Customers: 

[See PDF for image] 

[End of figure] 

Federal Laws and Guidance Govern Use of Personal Information in Federal 
Agencies: 

No single federal law governs all use or disclosure of personal 
information. The major requirements for the protection of personal 
privacy by federal agencies come from the Privacy Act of 1974 and the 
privacy provisions of the E-Government Act of 2002. 

Federal use of personal information is governed primarily by the 
Privacy Act of 1974,[Footnote 9] which places limitations on agencies' 
collection, disclosure, and use of personal information maintained in 
systems of records. The act describes a "record" as any item, 
collection, or grouping of information about an individual that is 
maintained by an agency and contains his or her name or another 
personal identifier. It also defines "system of records" as a group of 
records under the control of any agency from which information is 
retrieved by the name of the individual or by an individual identifier. 
The Privacy Act requires that when agencies establish or make changes 
to a system of records, they must notify the public by placing a notice 
in the Federal Register identifying, among other things, the type of 
data collected, the types of individuals about whom information is 
collected, the intended uses of data, and procedures that individuals 
can use to review and correct personal information. Additional 
provisions of the Privacy Act are discussed in the report we are 
issuing today. 

The E-Government Act of 2002 requires that agencies conduct privacy 
impact assessments (PIA). A PIA is an analysis of how personal 
information is collected, stored, shared, and managed in a federal 
system. Under the E-Government Act and related OMB guidance, agencies 
must conduct PIAs (1) before developing or procuring information 
technology that collects, maintains, or disseminates information that 
is in a personally identifiable form; (2) before initiating any new 
data collections involving personal information that will be collected, 
maintained, or disseminated using information technology if the same 
questions are asked of 10 or more people; or (3) when a system change 
creates new privacy risks, for example, by changing the way in which 
personal information is being used. 

OMB is tasked with providing guidance to agencies on how to implement 
the provisions of the Privacy Act and the E-Government Act and has done 
so, beginning with guidance on the Privacy Act, issued in 
1975.[Footnote 10] OMB's guidance on implementing the privacy 
provisions of the E-Government Act of 2002 identifies circumstances 
under which agencies must conduct PIAs and explains how to conduct 
them. 

The Fair Information Practices Are Widely Agreed to Be Key Principles 
for Privacy Protection: 

The Privacy Act of 1974 is largely based on a set of internationally 
recognized principles for protecting the privacy and security of 
personal information known as the Fair Information Practices. A U.S. 
government advisory committee first proposed the practices in 1973 to 
address what it termed a poor level of protection afforded to privacy 
under contemporary law.[Footnote 11] The Organization for Economic 
Cooperation and Development (OECD)[Footnote 12] developed a revised 
version of the Fair Information Practices in 1980 that has, with some 
variation, formed the basis of privacy laws and related policies in 
many countries, including the United States, Germany, Sweden, 
Australia, New Zealand, and the European Union.[Footnote 13] The eight 
principles of the OECD Fair Information Practices are shown in table 1. 

Table 1: The OECD Fair Information Practices: 

Principle: Collection limitation; 
Description: The collection of personal information should be limited, 
should be obtained by lawful and fair means, and, where appropriate, 
with the knowledge or consent of the individual. 

Principle: Data quality; 
Description: Personal information should be relevant to the purpose for 
which it is collected, and should be accurate, complete, and current as 
needed for that purpose. 

Principle: Purpose specification; 
Description: The purposes for the collection of personal information 
should be disclosed before collection and upon any change to that 
purpose, and its use should be limited to those purposes and compatible 
purposes. 

Principle: Use limitation; 
Description: Personal information should not be disclosed or otherwise 
used for other than a specified purpose without consent of the 
individual or legal authority. 

Principle: Security safeguards; 
Description: Personal information should be protected with reasonable 
security safeguards against risks such as loss or unauthorized access, 
destruction, use, modification, or disclosure. 

Principle: Openness; 
Description: The public should be informed about privacy policies and 
practices, and individuals should have ready means of learning about 
the use of personal information. 

Principle: Individual participation; 
Description: Individuals should have the following rights: to know 
about the collection of personal information, to access that 
information, to request correction, and to challenge the denial of 
those rights. 

Principle: Accountability; 
Description: Individuals controlling the collection or use of personal 
information should be accountable for taking steps to ensure the 
implementation of these principles. 

Source: OECD. 

[End of table] 

The Fair Information Practices are not precise legal requirements. 
Rather, they provide a framework of principles for balancing the need 
for privacy with other public policy interests, such as national 
security, law enforcement, and administrative efficiency. Ways to 
strike that balance vary among countries and according to the type of 
information under consideration. 

Agencies Use Governmentwide Contracts to Obtain Personal Information 
from Information Resellers for a Variety of Purposes: 

The Departments of Justice, Homeland Security, State, and the Social 
Security Administration reported approximately $30 million in 
contractual arrangements with information resellers in fiscal year 
2005.[Footnote 14] The agencies reported using personal information 
obtained from resellers for a variety of purposes including law 
enforcement, counterterrorism, fraud detection/prevention, and debt 
collection. In all, approximately 91 percent of agency uses of reseller 
data were in the categories of law enforcement (69 percent) or 
counterterrorism (22 percent). Figure 2 details contract values 
categorized by their reported use. 

Figure 2: Fiscal Year 2005 Contractual Vehicles Enabling the Use of 
Personal Information from Information Resellers, Categorized by 
Reported Use: 

[See PDF for image] 

[End of figure] 

The Department of Justice, which accounted for about 63 percent of the 
funding, mostly used the data for law enforcement and counterterrorism. 
DHS also used reseller information primarily for law enforcement and 
counterterrorism. State and SSA reported acquiring personal information 
from information resellers for fraud prevention and detection, identity 
verification, and benefit eligibility determination. 

Justice and DHS Use Information Resellers Primarily for Law Enforcement 
and Counterterrorism: 

In fiscal year 2005, the Department of Justice and its components 
reported approximately $19 million in acquisitions from a wide variety 
of information resellers, primarily for purposes related to law 
enforcement (75 percent) and counterterrorism (18 percent). The Federal 
Bureau of Investigation (FBI), which is Justice's largest user of 
information resellers, uses reseller information to, among other 
things, analyze intelligence and detect terrorist activities in support 
of ongoing investigations by law enforcement agencies and the 
intelligence community. In this capacity, resellers provide the FBI's 
Foreign Terrorist Tracking Task Force with names, addresses, telephone 
numbers, and other biographical and demographical information as well 
as legal briefs, vehicle and boat registrations, and business ownership 
records.[Footnote 15] 

The Drug Enforcement Administration (DEA), the second largest Justice 
user of information resellers in fiscal year 2005, obtains reseller 
data primarily to detect fraud in prescription drug transactions. 
[Footnote 16] Agents use reseller data to detect irregular prescription 
patterns for specific drugs and trace this information to the pharmacy 
and prescribing doctor.[Footnote 17] 

DHS and its components reported that they used information reseller 
data in fiscal year 2005 primarily for law enforcement purposes, such 
as developing leads on subjects in criminal investigations and 
detecting fraud in immigration benefit applications (part of enforcing 
the immigration laws). DHS's largest investigative component, the U.S. 
Immigration and Customs Enforcement, is also its largest user of 
personal information from resellers. It collects data such as address 
and vehicle information for criminal investigations and background 
security checks. U.S. Customs and Border Protection conducts queries on 
people, businesses, property, and corresponding links via a secure 
Internet connection. The Federal Emergency Management Agency uses an 
information reseller to detect fraud in disaster assistance 
applications. 

DHS also reported using information resellers in its counterterrorism 
efforts. For example, the Transportation Security Administration (TSA) 
used data obtained from information resellers as part of a test 
associated with the development of its domestic passenger prescreening 
program, called "Secure Flight."[Footnote 18] TSA plans for Secure 
Flight to compare domestic flight reservation information submitted to 
TSA by aircraft operators with federal watch lists of individuals known 
or suspected of activities related to terrorism. 

SSA and State Use Information Resellers Primarily for Fraud Prevention 
and Detection: 

In an effort to ensure the accuracy of Social Security benefit 
payments, the Social Security Administration and its components 
reported approximately $1.3 million in contracts with information 
resellers in fiscal year 2005 for purposes relating to fraud prevention 
(such as skiptracing),[Footnote 19] confirming suspected fraud related 
to workers compensation payments, obtaining information on criminal 
suspects for follow-up investigations, and collecting debts. For 
example, the Office of the Inspector General (OIG), the largest user of 
information reseller data at SSA, uses several information resellers to 
assist investigative agents in detecting benefit abuse by Social 
Security claimants and to assist agents in locating claimants. Regional 
office agents may also use reseller data in investigating persons 
suspected of claiming disability fraudulently. 

The Department of State and its components reported approximately 
$569,000 in contracts with information resellers for fiscal year 2005, 
mainly to support investigations of passport-related activities. For 
example, several components accessed personal information to validate 
familial relationships, birth and identity data, and other information 
submitted on immigrant and nonimmigrant visa petitions. State also uses 
reseller data to investigate passport and visa fraud cases. 

Resellers Take Steps to Protect Privacy, but These Measures Are Not 
Fully Consistent With the Fair Information Practices: 

Although the information resellers that do business with the federal 
agencies we reviewed have taken steps to protect privacy, these 
measures were not fully consistent with the Fair Information Practices. 
Most significantly, the first four principles, relating to collection 
limitation, data quality, purpose specification, and use limitation, 
are largely at odds with the nature of the information reseller 
business. These principles center on limiting the collection and use of 
personal information and require data accuracy based on that limited 
purpose and limited use of the information. However, the information 
reseller industry presupposes that the collection and use of personal 
information is not limited to specific purposes, but instead can be 
made available to multiple customers for multiple purposes. Resellers 
make it their business to collect large amounts of personal 
information[Footnote 20] and to combine that information in new ways so 
that it serves purposes other than those for which it was originally 
collected. Further, they are limited in their ability to ensure the 
accuracy, currency, or relevance of their holdings, because these 
qualities may vary based on customers' varying uses. 

Information reseller policies and procedures were consistent with 
aspects of the remaining four Fair Information Practices. Large 
resellers reported implementing a variety of security safeguards, such 
as stringent customer credentialing, to improve protection of personal 
information. Resellers also generally provided public notice of key 
aspects of their privacy policies and practices (relevant to the 
openness principle), and reported taking actions to ensure internal 
compliance with their own privacy policies (relevant to the 
accountability principle). However, while information resellers 
generally allow individuals limited access to their personal 
information, they generally limit the opportunity to correct or delete 
inaccurate information contained in reseller databases (relevant to the 
individual participation principle). 

In brief, reseller practices compare with the Fair Information 
Practices as follows: 

Collection limitation. Resellers do not limit collections to specific 
purposes but collect large amounts of personal information. In 
practice, resellers are limited in the personal information that they 
can obtain by laws that apply to specific kinds of information (for 
example, the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, 
which restrict the collection, use, and disclosure of certain consumer 
and financial data). However, beyond specific legal restrictions, 
information resellers generally attempt to aggregate large amounts of 
personal information so as to provide useful information to a broad 
range of customers. Resellers do not make provisions to notify the 
individuals involved when they obtain personal data from their many 
sources, including public records. Concomitantly, individuals are not 
afforded an opportunity to express or withhold their consent when the 
information is collected. Resellers said they believe it is not 
appropriate or practical for them to provide notice or obtain consent 
from individuals because they do not collect information directly from 
them. 

Under certain conditions, some information resellers offer consumers an 
"opt-out" option--that is, individuals may request that information 
about themselves be suppressed from selected databases. However, 
resellers generally offer this option only with respect to certain 
types of information, such as marketing products, and only under 
limited circumstances, such as if the individual is a law enforcement 
officer or a victim of identity theft. Two resellers stated their 
belief that under certain circumstances it may not be appropriate to 
provide consumers with opportunities for opting out, such as when 
information products are designed to detect fraud or locate criminals. 
These resellers stated that if individuals were permitted to opt out of 
fraud prevention databases, some of those opting out could be 
criminals, which would undermine the effectiveness and utility of these 
databases. 

Data quality. Information resellers reported taking steps to ensure 
that they generally receive accurate data from their sources and that 
they do not introduce errors in the process of transcribing and 
aggregating information. However, they generally provide their 
customers with exactly the same data they obtain and do not claim or 
guarantee that the information is accurate for a specific purpose. Some 
resellers' privacy policies state that they expect their data to 
contain some errors. Further, resellers varied in their policies 
regarding correction of data determined to be inaccurate as obtained by 
them. One reseller stated that it would delete information in its 
databases that was found to be inaccurate. Another stated that even if 
an individual presents persuasive evidence that certain information is 
in error, the reseller generally does not make changes if the 
information comes directly from an official public source (unless 
instructed to do so by that source). Because they are not the original 
source of the personal information, information resellers generally 
direct individuals to the original sources to correct any errors. 
Several resellers stated that they would correct any identified errors 
introduced through their own processing and aggregation of data. 

Purpose specification. While information resellers specify purpose in a 
general way by describing the types of businesses that use their data, 
they generally do not designate specific intended uses for each of 
their data collections. Resellers generally obtain information that has 
already been collected for a specific purpose and make that information 
available to their customers, who in turn have a broader variety of 
purposes for using it. For example, personal information originally 
submitted by a customer to register a product warranty could be 
obtained by a reseller and subsequently made available to another 
business or government agency, which might use it for an unrelated 
purpose, such as identity verification, background checking, or 
marketing. It is difficult for resellers to provide greater specificity 
because they make their data available to many customers for a wide 
range of legitimate purposes. As a result, the public is made aware 
only of the broad range of potential uses to which their personal 
information may be put, rather than a specific use, as envisioned in 
the Fair Information Practices. 

Use limitation. Because information reseller purposes are specified 
very broadly, it is difficult for resellers to ensure that use of the 
information in their databases is limited. As previously discussed, 
information reseller data may have many different uses, depending on 
the types of customers involved. However, resellers do take steps to 
ensure that their customers' use of personal information is limited to 
legally sanctioned purposes. Information resellers pass this 
responsibility to their customers through licensing agreements and 
contract terms and agreements. Customers are usually required to 
certify that they will only use information obtained from the reseller 
in ways permissible under laws such as the Gramm-Leach-Bliley Act and 
the Driver's Privacy Protection Act. The information resellers used by 
the federal agencies we reviewed generally also reported taking steps 
to ensure that access to certain sensitive types of personally 
identifiable information--particularly Social Security numbers--is 
limited to certain customers and uses. 

Security safeguards. While we did not evaluate the effectiveness of 
resellers' information security programs, resellers we spoke with said 
they employ various safeguards to protect consumers' personal 
information. They implemented these safeguards in part for business 
reasons but also because federal laws require such protections. 
Resellers describe these safeguards in various policy statements, such 
as online and data privacy policies or privacy statements posted on 
Internet sites. Given recent incidents, large information resellers 
also reported having recently taken steps to improve their safeguards 
against unauthorized access. Two resellers reported that they had taken 
steps to improve their procedures for authorizing customers to have 
access to sensitive information, such as Social Security numbers. For 
example, one reseller established a credentialing task force with the 
goal of centralizing its customer credentialing process. In addition to 
enhancing safeguards on customer access authorizations, resellers have 
instituted a variety of other security controls. For example, three 
large information resellers have implemented physical safeguards at 
their data centers, such as continuous monitoring of employees entering 
and exiting facilities, monitoring of activity on customer accounts, 
and strong authentication of users entering and exiting secure areas 
within the data centers. 

Openness. To address openness, information resellers took steps to 
inform the public about key aspects of their privacy policies. They 
used means such as company Web sites and brochures to inform the public 
of specific policies and practices regarding the collection and use of 
personal information. Reseller Web sites also generally provided 
information about the types of information products the resellers 
offered--including product samples--as well as general descriptions 
about the types of customers served. 

Individual participation. Although information resellers allow 
individuals access to their personal information, this access is 
generally limited. Resellers may provide an individual a report 
containing certain types of information--such as compilations of public 
records information--however, the report may not include all 
information maintained by the resellers about that individual. Further, 
because they obtain their information from other sources, most 
resellers have limited provisions for correcting or deleting inaccurate 
information contained in their databases. If individuals find 
inaccuracies in such reports, they generally cannot have these 
corrected by the resellers.[Footnote 21] Resellers, as a matter of 
policy, do not make corrections to data obtained from other sources, 
even if the individual provides evidence that the data are wrong. 
Instead, they direct individuals wishing to make corrections to contact 
the original sources of the data. Several resellers stated that they 
would correct any identified errors resulting from their own processing 
and aggregation of data (for example, transposing numbers or letters or 
incorrectly aggregating information). 

Accountability. Although information resellers' overall application of 
the Fair Information Practices varied, each reseller we spoke with 
reported actions to ensure compliance with its own privacy policies. 
For example, resellers reported designating chief privacy officers to 
monitor compliance with internal privacy policies and applicable laws. 
Information resellers reported that these officials had a range of 
responsibilities aimed at ensuring accountability for privacy policies, 
such as establishing consumer access and customer credentialing 
procedures, monitoring compliance with federal and state laws, and 
evaluating new sources of data (for example, cell phone records). 
Although there are no industrywide standards requiring resellers to 
conduct periodic audits of their compliance with privacy policies, one 
information reseller reported using a third party to conduct privacy 
audits on an annual basis. Using a third party to audit compliance with 
privacy policies further helps to ensure that an information reseller 
is accountable for the implementation of its privacy practices. 

In commenting on excerpts of our draft report, several resellers raised 
concerns regarding the version of the Fair Information Practices we 
used to assess their practices, stating their view that it applied more 
appropriately to organizations that collect information directly from 
consumers and that they were not legally bound to adhere to the Fair 
Information Practices. As discussed in our report, the version of the 
Fair Information Practices we used has been widely adopted and cited 
within the federal government as well as internationally. Further, we 
use it as an analytical framework for identifying potential privacy 
issues for further consideration by Congress--not as criteria for 
strict compliance. Resellers also stated that the draft did not take 
into account their view that public record information is open to all 
for any use not prohibited by state or federal law. However, we believe 
it is not clear that individuals give up all privacy rights to personal 
information contained in public records, and we believe it is important 
to assess the status of privacy protections for all personal 
information being offered commercially to the government so that 
informed policy decisions can be made about the appropriate balance 
between resellers' services and the public's right to privacy. In our 
report we suggest that Congress consider the extent to which 
information resellers should adhere to the Fair Information Practices. 

Agencies Lack Policies on Use of Reseller Data, and Practices Do Not 
Consistently Reflect the Fair Information Practices: 

Agencies generally lacked policies that specifically address their use 
of personal information from commercial sources (although DHS Privacy 
Office officials have reported that they are drafting such a policy), 
and agency practices for handling personal information acquired from 
information resellers did not always fully reflect the Fair Information 
Practices. Specifically, agency practices generally reflected four of 
the eight Fair Information Practices. 

As table 2 shows, the collection limitation, data quality, use 
limitation, and security safeguards principles were generally reflected 
in agency practices. For example, several agency components 
(specifically, law enforcement agencies such as the FBI and the U.S. 
Secret Service) reported that in practice, they generally corroborate 
information obtained from resellers when it is used as part of an 
investigation. This practice is consistent with the principle of data 
quality. 

Agency policies and practices with regard to the other four principles 
were uneven. Specifically, agencies did not always have policies or 
practices in place to address the purpose specification, openness, and 
individual participation principles with respect to reseller data. The 
inconsistencies in applying these principles as well as the lack of 
specific agency policies can be attributed in part to ambiguities in 
OMB guidance regarding the applicability of the Privacy Act to 
information obtained from resellers. Further, privacy impact 
assessments, a valuable tool that could address important aspects of 
the Fair Information Practices, are not conducted often. Finally, 
components within each of the four agencies did not consistently hold 
staff accountable by monitoring usage of personal information from 
information resellers and ensuring that it was appropriate; thus, their 
application of the accountability principle was uneven. 

Table 2: Application of Fair Information Practices to the Reported 
Handling of Personal Information from Data Resellers at Four Agencies: 

Principle: Collection limitation. The collection of personal 
information should be limited, should be obtained by lawful and fair 
means, and, where appropriate, with the knowledge or consent of the 
individual; 
Agency application of principle: General; 
Agency practices: Agencies limited personal data collection to 
individuals under investigation or their associates. 

Principle: Data quality. Personal information should be relevant to the 
purpose for which it is collected, and should be accurate, complete, 
and current as needed for that purpose; 
Agency application of principle: General; 
Agency practices: Agencies corroborated information from resellers and 
did not take actions based exclusively on such information. 

Principle: Purpose specification. The purpose for the collection of 
personal information should be disclosed before collection and upon any 
change to that purpose, and its use should be limited to that purpose 
and compatible purposes; 
Agency application of principle: Uneven; 
Agency practices: Agency system of records notices did not generally 
reveal that agency systems could incorporate information from data 
resellers. Agencies also generally did not conduct privacy impact 
assessments for their systems or programs that involve use of reseller 
data. 

Principle: Use limitation. Personal information should not be disclosed 
or otherwise used for other than a specified purpose without consent of 
the individual or legal authority; 
Agency application of principle: General; 
Agency practices: Agencies generally limited their use of personal 
information to specific investigations (including law enforcement, 
counterterrorism, fraud detection, and debt collection). 

Principle: Security safeguards. Personal information should be 
protected with reasonable security safeguards against risks such as 
loss or unauthorized access, destruction, use, modification, or 
disclosure; 
Agency application of principle: General; 
Agency practices: Agencies had security safeguards such as requiring 
passwords to access databases, basing access rights on need to know, 
and logging search activities (including "cloaked logging," which 
prevents the vendor from monitoring search content). 

Principle: Openness. The public should be informed about privacy 
policies and practices, and individuals should have ready means of 
learning about the use of personal information; 
Agency application of principle: Uneven; 
Agency practices: See Purpose specification above. Agencies did not 
have established policies specifically addressing the use of personal 
information obtained from resellers. 

Principle: Individual participation. Individuals should have the 
following rights: to know about the collection of personal information, 
to access that information, to request correction, and to challenge the 
denial of those rights; 
Agency application of principle: Uneven; 
Agency practices: See Purpose specification above. Because agencies 
generally did not disclose their collections of personal information 
from resellers, individuals were often unable to exercise these rights. 

Principle: Accountability. Individuals controlling the collection or 
use of personal information should be accountable for taking steps to 
ensure the implementation of these principles; 
Agency application of principle: Uneven; 
Agency practices: Agencies do not generally monitor usage of personal 
information from information resellers to hold users accountable for 
appropriate use; instead, they rely on users to be responsible for 
their behavior. For example, agencies may instruct users in their 
responsibilities to use personal information appropriately, have them 
sign statements of responsibility, and have them indicate what 
permissible purpose a given search fulfills. 

Legend: 

General = policies or procedures to address all major aspects of a 
particular principle. 

Uneven = policies or procedures addressed some but not all aspects of a 
particular principle or some but not all agencies and components had 
policies or practices in place addressing the principle. 

Source: GAO analysis of agency-supplied data. 

Note: We did not independently assess the effectiveness of agency 
information security programs. Our assessment of overall agency 
application of the Fair Information Practices was based on the policies 
and management practices described by the Department State and SSA as a 
whole and by major components of Justice and DHS. We did not obtain 
information on smaller components of Justice and DHS. 

[End of table] 

Agency procedures generally reflected the collection limitation, data 
quality, use limitation, and security safeguards principles. Regarding 
collection limitation, for most law-enforcement and counterterrorism 
purposes (which accounted for 90 percent of usage in fiscal year 2005), 
agencies generally limited their personal data collection in that they 
reported obtaining information only on specific individuals under 
investigation or associates of those individuals. Regarding data 
quality, agencies reported taking steps to mitigate the risk of 
inaccurate information reseller data by corroborating information 
obtained from resellers. Agency officials described the practice of 
corroborating information as a standard element of conducting 
investigations. Likewise, for non-law-enforcement use, such as debt 
collection and fraud detection and prevention, agency components 
reported that they mitigated potential problems with the accuracy of 
data provided by resellers by obtaining additional information from 
other sources when necessary. As for use limitation, agency officials 
said their use of reseller information was limited to distinct 
purposes, which were generally related to law enforcement or 
counterterrorism. Finally, while we did not assess the effectiveness of 
information security at any of these agencies, we found that all four 
had measures in place intended to safeguard the security of personal 
information obtained from resellers.[Footnote 22] 

Limitations in the Applicability of the Privacy Act and Ambiguities in 
OMB Guidance Contribute to an Uneven Adherence to the Purpose 
Specification, Openness, and Individual Participation Principles: 

The purpose specification, openness, and individual participation 
principles stipulate that individuals should be made aware of the 
purpose and intended uses of the personal information being collected 
about them, and, if necessary, have the ability to access and correct 
their information. These principles are reflected in the Privacy Act 
requirement for agencies to publish in the Federal Register, "upon 
establishment or revision, a notice of the existence and character of a 
system of records." This notice is to include, among other things, the 
categories of records in the system as well as the categories of 
sources of records.[Footnote 23] 

In a number of cases, agencies using reseller information did not 
adhere to the purpose specification or openness principles in that they 
did not notify the public that they were using such information and did 
not specify the purpose for their data collections. Agency officials 
said that they generally did not prepare system-of-records notices that 
would address these principles because they were not required to do so 
by the Privacy Act. The act's vehicle for public notification--the 
system-of-records notice--becomes binding on an agency only when the 
agency collects, maintains, and retrieves personal data in the way 
defined by the act or when a contractor does the same thing explicitly 
on behalf of the government. Agencies generally did not issue system- 
of-records notices specifically for their use of information resellers 
largely because information reseller databases were not considered 
"systems of records operated by or on behalf of a government agency" 
and thus were not considered subject to the provisions of the Privacy 
Act.[Footnote 24] OMB guidance on implementing the Privacy Act does not 
specifically refer to the use of reseller data or how it should be 
treated. According to OMB and other agency officials, information 
resellers operate their databases for multiple customers, and federal 
agency use of these databases does not amount to the operation of a 
system of records on behalf of the government. Further, agency 
officials stated that merely querying information reseller databases 
did not amount to agency "maintenance" of the personal information 
being queried and thus also did not trigger the provisions of the 
Privacy Act. In many cases, agency officials considered their use of 
resellers to be of this type--essentially "ad hoc" querying or 
"pinging" of reseller databases for personal information about specific 
individuals, which they believed they were not doing in connection with 
a formal system of records. 

In other cases, however, agencies maintained information reseller data 
in systems for which system-of-records notices had been previously 
published. For example, law enforcement agency officials stated that, 
to the extent they retain the results of reseller data queries, this 
collection and use is covered by the system of records notices for 
their case file systems. However, in preparing such notices, agencies 
generally did not specify that they were obtaining information from 
resellers. Among system of records notices that were identified by 
agency officials as applying to the use of reseller data, only one-- 
TSA's system of records notice for the test phase of its Secure Flight 
program--specifically identified the use of information reseller 
data.[Footnote 25] 

In several of these cases, agency sources for personal information were 
described only in vague terms, such as "private organizations," "other 
public sources," or "public source material," when information was 
being obtained from information resellers. 

The inconsistency with which agencies specify resellers as a source of 
information in system-of-records notices is due in part to ambiguity in 
OMB guidance, which states that "for systems of records which contain 
information obtained from sources other than the individual to whom the 
records pertain, the notice should list the types of sources 
used."[Footnote 26] Although the guidance is unclear what would 
constitute adequate disclosure of "types of sources," OMB and DHS 
Privacy Office officials agreed that to the extent that reseller data 
is subject to the Privacy Act, agencies should specifically identify 
information resellers as a source and that merely citing public records 
information does not sufficiently describe the source. 

Aside from certain law enforcement exemptions[Footnote 27] to the 
Privacy Act, adherence to the purpose specification and openness 
principles is critical to preserving a measure of individual control 
over the use of personal information. Without clear guidance from OMB 
or specific policies in place, agencies have not consistently reflected 
these principles in their collection and use of reseller information. 
As a result, without being notified of the existence of an agency's 
information collection activities, individuals have no ability to know 
that their personal information could be obtained from commercial 
sources and potentially used as a basis, or partial basis, for taking 
action that could have consequences for their welfare. 

Privacy Impact Assessments Could Address Openness and Purpose 
Specification Principles but Often Are Not Conducted: 

PIAs can be an important tool to help agencies to address openness and 
purpose specification principles early in the process of developing new 
information systems. To the extent that PIAs are made publicly 
available,[Footnote 28] they provide explanations to the public about 
such things as the information that will be collected, why it is being 
collected, how it is to be used, and how the system and data will be 
maintained and protected. 

However, few agency components reported developing PIAs for their 
systems or programs that make use of information reseller data. As with 
system-of-records notices, agencies often did not conduct PIAs because 
officials did not believe they were required. Current OMB guidance on 
conducting PIAs is not always clear about when they should be 
conducted. According to guidance from OMB, a PIA is required by the E- 
Government Act when agencies "systematically incorporate into existing 
information systems databases of information in identifiable form 
purchased or obtained from commercial or public sources."[Footnote 29] 
However, the same guidance also instructs agencies that "merely 
querying a database on an ad hoc basis does not trigger the PIA 
requirement." Reported uses of reseller data were generally not 
described as a "systematic" incorporation of data into existing 
information systems; rather, most involved querying a database and in 
some cases retaining the results of these queries. OMB officials stated 
that agencies would need to make their own judgments on whether 
retaining the results of searches of information reseller databases 
constituted a "systematic incorporation" of information. 

The DHS Privacy Office[Footnote 30] has been working to clarify 
guidance on the use of reseller information in general as well as the 
specific requirements for conducting PIAs. DHS recently issued guidance 
requiring PIAs to be conducted whenever reseller data are involved. 
However, although the DHS guidance clearly states that PIAs are 
required when personally identifiable information is obtained from a 
commercial source, it also states that "merely querying such a source 
on an ad hoc basis using existing technology does not trigger the PIA 
requirement."[Footnote 31] Like OMB's guidance, the DHS guidance is not 
clear, because agency personnel are left to make individual 
determinations as to whether queries are "on an ad hoc basis." 

Until PIAs are conducted more thoroughly and consistently, the public 
is likely to remain incompletely informed about agency purposes and 
uses for obtaining reseller information. 

In our report we recommended that the Director, OMB, revise privacy 
guidance to clarify the applicability of requirements for public 
notices and privacy impact assessments to agency use of personal 
information from resellers and direct agencies to review their uses of 
such information to ensure it is explicitly referenced in privacy 
notices and assessments. Further, we recommended that agencies develop 
specific policies for the use of personal information from resellers. 

Agencies Often Did Not Have Practices in Place to Ensure Accountability 
for Proper Handling of Information Reseller Data: 

According to the accountability principle, individuals controlling the 
collection or use of personal information should be accountable for 
ensuring the implementation of the Fair Information Practices. This 
means that agencies should take steps to ensure that they use personal 
information from information resellers appropriately. 

Agencies described using activities to oversee their use of reseller 
information that were largely based on trust in the individual user to 
use the information appropriately, rather than management oversight of 
usage details. For example, in describing controls placed on the use of 
commercial data, officials from component agencies identified measures 
such as instructing users that reseller data are for official use only, 
and requiring users to sign statements attesting 1) to their need to 
access information reseller databases and 2) that their use will be 
limited to official business. Additionally, agency officials reported 
that their users are required to select from a list of vendor-defined 
"permissible purposes" (for example, law enforcement, transactions 
authorized by the consumer) before conducting a search on reseller 
databases. 

While these practices appear consistent with the accountability 
principle, they are focused on individual user responsibility instead 
of monitoring and oversight. Agencies did not have practices in place 
to obtain reports from resellers that would allow them to monitor usage 
of reseller databases at a detailed level. Although agencies generally 
receive usage reports from the information resellers, these reports are 
designed primarily for monitoring costs. Further, these reports 
generally contained only high-level statistics on the number of 
searches and databases accessed, not the contents of what was actually 
searched, thus limiting their utility in monitoring usage. 

To the extent that federal agencies do not implement methods such as 
user monitoring or auditing of usage records, they provide limited 
accountability for their usage of information reseller data and have 
limited assurance that the information is being used appropriately. 

In summary, services provided by information resellers are important to 
federal agency functions such as law enforcement and fraud protection 
and identification. Resellers have practices in place to protect 
privacy, but these practices are not fully consistent with the Fair 
Information Practices, which resellers are not legally required to 
follow. Among other things, resellers collect large amounts of 
information about individuals without their knowledge or consent, do 
not ensure that the data they make available are accurate for a given 
purpose, and generally do not make corrections to the data when errors 
are identified by individuals. Information resellers believe that 
application of the relevant principles of the Fair Information 
Practices is inappropriate or impractical in these situations. However, 
given that reseller data may be used for a variety of purposes, 
determining the appropriate degree of control or influence individuals 
should have over the way in which their personal information is 
obtained and used--as envisioned in the Fair Information Practices--is 
critical. As Congress weighs various legislative options, adherence to 
the Fair Information Practices will be an important consideration in 
determining the appropriate balance between the services provided by 
information resellers to customers such as government agencies and the 
public's right to privacy. 

While agencies take steps to adhere to Fair Information Practices such 
as the collection limitation, data quality, use limitation, and 
security safeguards principles, they have not taken all the steps they 
could to reflect others--or to comply with specific Privacy Act and e- 
Government Act requirements--in their handling of reseller data. 
Because OMB privacy guidance does not clearly address information 
reseller data, agencies are left largely on their own to determine how 
to satisfy legal requirements and protect privacy when acquiring and 
using reseller data. Without current and specific guidance, the 
government risks continued uneven adherence to important, well-
established privacy principles and lacks assurance that the privacy 
rights of individuals are adequately protected. 

Mr. Chairmen, this concludes my testimony today. I would be happy to 
answer any questions you or other members of the subcommittees may 
have. 

Contacts and Acknowledgements: 

If you have any questions concerning this testimony, please contact 
Linda Koontz, Director, Information Management, at (202) 512-6240, or 
koontzl@gao.gov. Other individuals who made key contributions to this 
testimony were Mathew Bader, Barbara Collier, John de Ferrari, 
Pamlutricia Greenleaf, David Plocher, Jamie Pressman, and Amos Tevelow. 

FOOTNOTES 

[1] For purposes of this statement, the term personal information 
encompasses all information associated with an individual, including 
both identifying and nonidentifying information. Personally identifying 
information, which can be used to locate or identify an individual, 
includes such things as names, aliases, and agency-assigned case 
numbers. Nonidentifying personal information includes such things as 
age, education, finances, criminal history, physical attributes, and 
gender. 

[2] The Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896 
(codified as amended at 5 U.S.C. § 552a) provides safeguards against an 
invasion of privacy through the misuse of records by federal agencies 
and allows citizens to learn how their personal information is 
collected, maintained, used, and disseminated by the federal 
government. 

[3] Congress used the committee's final report as a basis for crafting 
the Privacy Act of 1974. See Records, Computers and the Rights of 
Citizens: Report of the Secretary's Advisory Committee on Automated 
Personal Data Systems (Washington, D.C.: U.S. Department of Health, 
Education, and Welfare, July 1973). 

[4] Descriptions of these principles are shown in table 1. 

[5] GAO, Personal Information: Agency and Reseller Adherence to Key 
Privacy Principles, GAO-06-421 (Washington, D.C; Apr. 4, 2006). 

[6] The five information resellers we reviewed were ChoicePoint, 
LexisNexis, Acxiom, Dun & Bradstreet, and West. Our results may not 
apply to other resellers who do very little or no business with the 
federal agencies we reviewed. 

[7] This figure may include uses that do not involve personal 
information. Except for instances where the reported use was primarily 
for legal research, agency officials were unable to separate the dollar 
values associated with use of personal information from uses for other 
purposes (for example, LexisNexis and West provide news and legal 
research in addition to public records). The four agencies obtained 
personal information from resellers primarily through two general- 
purpose governmentwide contract vehicles--the Federal Supply Schedule 
of the General Services Administration and the Library of Congress's 
Federal Library and Information Network. 

[8] In certain circumstances, laws restrict the collection and use of 
specific kinds of personal information. For example, the Fair Credit 
Reporting Act regulates access to and use of consumer information under 
certain circumstances. 

[9] The Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896 
(codified as amended at 5 U.S.C. § 552a) provides safeguards against an 
invasion of privacy through the misuse of records by federal agencies 
and allows citizens to learn how their personal information is 
collected, maintained, used, and disseminated by the federal 
government. 

[10] OMB, "Privacy Act Implementation: Guidelines and 
Responsibilities," Federal Register, Volume 40, Number 132, Part III, 
pages 28948-28978 (Washington, D.C.: July 9, 1975). Since the initial 
Privacy Act guidance of 1975, OMB periodically has published additional 
guidance. Further information regarding OMB Privacy Act guidance can be 
found on the OMB Web site at 
http://www.whitehouse.gov/omb/inforeg/infopoltech.html. 

[11] Records, Computers and the Rights of Citizens: Report of the 
Secretary's Advisory Committee on Automated Personal Data Systems 
(Washington, D.C.: U.S. Department of Health, Education, and Welfare, 
July 1973). 

[12] OECD, Guidelines on the Protection of Privacy and Transborder Flow 
of Personal Data (Sept. 23, 1980). The OECD plays a prominent role in 
fostering good governance in the public service and in corporate 
activity among its 30 member countries. It produces internationally 
agreed-upon instruments, decisions, and recommendations to promote 
rules in areas where multilateral agreement is necessary for individual 
countries to make progress in the global economy. 

[13] European Union Data Protection Directive ("Directive 95/46/EC of 
the European Parliament and of the Council of 24 October 1995 on the 
Protection of Individuals with Regard to the Processing of Personal 
Data and the Free Movement of Such Data") (1995). 

[14] This figure comprises contracts and task orders with information 
resellers that included the acquisition and use of personal 
information. However, some of these funds may have been spent on uses 
that do not involve personal information; we could not omit all such 
uses because agency officials were not always able to separate the 
amounts associated with use of personal information from those for 
other uses (for example, LexisNexis and West provide news and legal 
research in addition to public records). In some instances, where the 
reported use was primarily for legal research, we omitted these funds 
from the total. 

[15] GAO, Data Mining: Agencies Have Taken Key Steps to Protect Privacy 
in Selected Efforts, but Significant Compliance Issues Remain, GAO-05- 
866 (Washington, D.C.: Aug. 15, 2005). 

[16] DEA's mission involves enforcing laws pertaining to the 
manufacture, distribution, and dispensing of legally produced 
controlled substances. 

[17] The personal information contained in this information reseller 
database is limited to the prescribing doctor and does not contain 
personal patient information. 

[18] For an assessment of privacy issues associated with the Secure 
Flight commercial data test, see GAO, Aviation Security: Transportation 
Security Administration Did Not Fully Disclose Uses of Personal 
Information during Secure Flight Program Testing in Initial Privacy 
Notices, but Has Recently Taken Steps to More Fully Inform the Public, 
GAO-05-864R (Washington, D.C.: July 22, 2005). 

[19] Skiptracing is the process of locating people who have fled in 
order to avoid paying debts. 

[20] Resellers are constrained from collecting certain types of 
information and aggregating it with other personal information. For 
example, the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act 
constrain the collection and use of personal information, such as 
financial information. 

[21] One reseller reported that, for certain products, it will delete 
information that has been identified as inaccurate. For example, if the 
reseller is able to verify that data contained within its directory or 
fraud products are inaccurate, it will delete the inaccurate data and 
keep a record of this in a maintenance file so the erroneous data are 
not reentered at a future date. 

[22] Although we did not assess the effectiveness of information 
security at any agency as part of this review, we have previously 
reported on weaknesses in almost all areas of information security 
controls at 24 major agencies, including Justice, DHS, State, and SSA. 
For additional information see GAO, Information Security: Weaknesses 
Persist at Federal Agencies Despite Progress Made in Implementing 
Related Statutory Requirements, GAO-05-552 (Washington, D.C.: July 15, 
2005) and Information Security: Department of Homeland Security Needs 
to Fully Implement Its Security Program, GAO-05-700 (Washington, D.C.: 
June 17, 2005). 

[23] 5 U.S.C. § 552a(e)(4)(C) & (I). The Privacy Act allows agencies to 
claim an exemption from identifying the categories of sources of 
records for records compiled for criminal law enforcement purposes, as 
well as for a broader category of investigative records compiled for 
criminal or civil law enforcement purposes. 

[24] The act provides for its requirements to apply to government 
contractors when agencies contract for the operation by or on behalf of 
the agency, a system of records to accomplish an agency function. 5 
U.S.C. § 552a(m). 

[25] As we previously reported, this notice did not fully disclose the 
scope of the use of reseller data during the test phase. See GAO, 
Aviation Security: Transportation Security Administration Did Not Fully 
Disclose Uses of Personal Information during Secure Flight Program 
Testing in Initial Privacy Notices, but Has Recently Taken Steps to 
More Fully Inform the Public, GAO-05-864R (Washington, D.C.: July 22, 
2005). 

[26] OMB, "Privacy Act Implementation: Guidelines and 
Responsibilities," Federal Register, Volume 40, Number 132, Part III, 
p. 28964 (Washington, D.C.: July 9, 1975). 

[27] The Privacy Act allows agencies to claim exemptions if the records 
are used for certain purposes. 5 U.S.C. § 552a (j) and (k). For 
example, records compiled for criminal law enforcement purposes can be 
exempt from the access and correction provisions. In general, the 
exemptions for law enforcement purposes are intended to prevent the 
disclosure of information collected as part of an ongoing investigation 
that could impair the investigation or allow those under investigation 
to change their behavior or take other actions to escape prosecution. 
In most cases where officials identified system-of-record notices 
associated with reseller data collection for law enforcement purposes, 
agencies claimed this exemption. 

[28] The E-Government Act requires agencies, if practicable, to make 
privacy impact assessments publicly available through agency Web sites, 
publication in the Federal Register, or by other means. Pub. L. No. 107-
347, § 208 (b)(1)(B)(iii). 

[29] OMB, Guidance for Implementing the Privacy Provisions of the E- 
Government Act of 2002, Memorandum M-03-22 (Washington, D.C.: Sept. 26, 
2003). 

[30] The DHS Privacy Officer position was created by the Homeland 
Security Act of 2002, Pub. L. No 107-296, § 222, 116 Stat. 2155. The 
Privacy Officer is responsible for, among other things, "assuring that 
the use of technologies sustain[s], and do[es] not erode privacy 
protections relating to the use, collection, and disclosure of personal 
information, and assuring that personal information contained in 
Privacy Act systems of records is handled in full compliance with Fair 
Information Practices as set out in the Privacy Act of 1974." 

[31] Department of Homeland Security Privacy Office, Privacy Impact 
Assessments: Official Guidance (March 2006), p. 34.