Skip to Highlights
Highlights

Federal agencies collect and use personal information for various purposes, both directly from individuals and from other sources, including information resellers--companies that amass and sell data from many sources. In light of concerns raised by recent security breaches involving resellers, GAO was asked to determine how the Departments of Justice, Homeland Security, and State and the Social Security Administration use personal data from these sources. In addition, GAO reviewed the extent to which information resellers' policies and practices reflect the Fair Information Practices, a set of widely accepted principles for protecting the privacy and security of personal data. GAO also examined agencies' policies and practices for handling personal data from resellers to determine whether these reflect the Fair Information Practices.

Skip to Recommendations

Recommendations

Matter for Congressional Consideration

Matter Status Comments
In considering legislation to address privacy concerns related to the information reseller industry, Congress may wish to consider the extent to which the industry should adhere to the Fair Information Practices.
Closed - Not Implemented
In April 2006, we reported on how information resellers-companies that amass and sell data from many sources-collect and use personal information for various purposes, including for sale to federal agencies. We found that information resellers doing business with federal agencies had privacy practices in place that were not fully consistent with the Fair Information Practices, a set of widely accepted principles for protecting the privacy and security of personal data. We recommended that in considering legislation to address privacy concerns related to the information reseller industry, Congress may wish to consider the extent to which the industry should adhere to the Fair Information Practices. In response to our recommendation, H.R.4127, Data Accountability and Trust Act, was introduced in the House of Representatives and was placed on the Union calendar on June 2, 2006. The proposed bill included requirements for information brokers that mirror the Fair Information Practices. For example, the bill included a requirement for brokers to disclose all personal information to individuals if requested by the individual at no cost and to change any incorrect information contained in the information brokers' records. This requirement addresses the individual participation principle by granting individuals the right to access their personal information and to request correction. The Bill also included a requirement to require information brokers to maintain an audit log of internal and external access to, or transmission of, any data in electronic form containing personal information. This requirement addresses the accountability principle by ensuring the individuals controlling the collection or use of personal information are accountable for taking steps to ensure the implementation of these principles. However, the Congress did not enact the legislation.

Recommendations for Executive Action

Agency Affected Recommendation Status
Office of Management and Budget To improve accountability, ensure adequate public notice of agencies' use of personal information from commercial sources, and allay potential privacy concerns arising from agency use of information from such sources, the Director of OMB should revise guidance on system of records notices and privacy impact assessments to clarify the applicability of the governing laws (the Privacy Act and the E-Government Act) to the use of personal information from resellers. These clarifications should specify the circumstances under which agencies should make disclosures about their uses of reseller data so that agencies can properly notify the public (for example, what constitutes a "systematic" incorporation of reseller data into a federal system). The guidance should include practical scenarios based on uses agencies are making of personal information from information resellers (for example, visa, criminal, and fraud investigations).
Closed - Not Implemented
OMB officials agreed with the importance of proper use of commercial data and stated that they would work with agencies to ensure that they appropriately apply the Fair Information Practices outlined in our report. They stated they did not believe additional guidance on agency use of information reseller data was required but would consider issuing clarifying guidance following work on Identity Theft Task force's effort to safeguard against and respond to any breach of personally identifiable information. This effort was completed on May 22, 2007 with the issuance of memorandum M-07-16; however, as of July 8, 2010, OMB has not yet issued clarifying guidance concerning reseller data.
Office of Management and Budget To improve accountability, ensure adequate public notice of agencies' use of personal information from commercial sources, and allay potential privacy concerns arising from agency use of information from such sources, the Director of OMB should direct agencies to review their uses of personal information from information resellers, as well as any associated system of records notices and privacy impact assessments, to ensure that such notices and assessments explicitly reference agency use of information resellers.
Closed - Not Implemented
OMB officials agreed with the importance of proper use of commercial data and stated that they would work with agencies to ensure that they appropriately apply the Fair Information Practices outlined in our report. However, OMB officials stated they did not believe additional direction was required to agencies on reviewing use of information reseller data or specifying its use. As of September 10, 2010, OMB has not issued direction to agencies on reviewing or specifying use of information reseller data.
Department of Homeland Security To improve accountability, ensure adequate public notice of agencies' use of personal information from commercial sources, and allay potential privacy concerns arising from agency use of information from such sources, the Attorney General, the Secretary of Homeland Security, the Secretary of State, and the Commissioner of SSA should develop specific policies for the collection, maintenance, and use of personal information obtained from resellers that reflect the Fair Information Practices, including oversight mechanisms such as the maintenance and review of audit logs detailing queries of information reseller databases--to improve accountability for agency use of such information.
Closed - Implemented
To address our recommendation, the DHS Privacy Office incorporated specific questions in its May 2007 Privacy Impact Assessment (PIA) guidance concerning use of commercial data. The guidance requires programs that use commercial or publicly available data to explain why and how such data are used. Further, the guidance for systems that use or rely on commercial data requires an explanation of how data accuracy and integrity are preserved and the reliability of the data assessed with regard to its value to the purpose of the system. According to Privacy Office officials, after identifying use of commercial data through the PIA process, the Privacy Office works with the relevant DHS component to review uses of commercial data to ensure appropriate controls are in place and that the planned uses are appropriately disclosed in privacy notices.
Department of State To improve accountability, ensure adequate public notice of agencies' use of personal information from commercial sources, and allay potential privacy concerns arising from agency use of information from such sources, the Attorney General, the Secretary of Homeland Security, the Secretary of State, and the Commissioner of SSA should develop specific policies for the collection, maintenance, and use of personal information obtained from resellers that reflect the Fair Information Practices, including oversight mechanisms such as the maintenance and review of audit logs detailing queries of information reseller databases--to improve accountability for agency use of such information.
Closed - Implemented
In April 2006, we reported on how information resellers-companies that amass and sell data from many sources-collect and use personal information for various purposes, including for sale to federal agencies. We found that agency practices for handling personal information acquired from information resellers did not always fully reflect the Fair Information Practices, a set of widely accepted principles for protecting the privacy and security of personal data. We recommended that the Secretary of State develop specific policies for the collection, maintenance, and use of personal information obtained from resellers that reflect the Fair Information Practices, to improve accountability for agency use of such information. In response to our recommendation, in February 2009, the Department of State updated its internal guidance for conducting privacy impact assessments (PIAs) to include policies for information obtained from commercial or publicly available sources that reflect the Fair Information Practices. The guidance states the SSA Death Master File, commercial data brokers (e.g., Acxiom, ChoicePoint, LexisNexis), and consumer credit reporting agencies (e.g., Experian, TransUnion, Equifax) are what is meant by public or commercial sources. The PIA guidance requires information system owners to document uses of commercially available information in their systems and explain why data from such sources are relevant and necessary. These requirements address the purpose specification and openness principles by ensuring that the department discloses policies and practices regarding information obtained from resellers and ensuring that the purpose for the collection of that information is disclosed.
Social Security Administration To improve accountability, ensure adequate public notice of agencies' use of personal information from commercial sources, and allay potential privacy concerns arising from agency use of information from such sources, the Attorney General, the Secretary of Homeland Security, the Secretary of State, and the Commissioner of SSA should develop specific policies for the collection, maintenance, and use of personal information obtained from resellers that reflect the Fair Information Practices, including oversight mechanisms such as the maintenance and review of audit logs detailing queries of information reseller databases--to improve accountability for agency use of such information.
Closed - Not Implemented
SSA agreed to amend Privacy Act system of records notices (SORN) to reflect the use of information from commercial sources. Furthermore, the agency agreed to explore options for enhancing its policies and internal controls over information obtained from commercial resellers, including options for improved audit trail maintenance and review. However, SSA has not yet documented that the SORNs have been revised nor has SSA provided concrete plans for developing a policy addressing the collection, maintenance, and use of personal information from commercial resellers.
Department of Justice To improve accountability, ensure adequate public notice of agencies' use of personal information from commercial sources, and allay potential privacy concerns arising from agency use of information from such sources, the Attorney General, the Secretary of Homeland Security, the Secretary of State, and the Commissioner of SSA should develop specific policies for the collection, maintenance, and use of personal information obtained from resellers that reflect the Fair Information Practices, including oversight mechanisms such as the maintenance and review of audit logs detailing queries of information reseller databases--to improve accountability for agency use of such information.
Closed - Implemented
The DOJ Privacy and Civil Liberties Office took steps to address our recommendations by revising systems of records notices (SORN) to indicate that "commercial databases" were the source for the information collected. Officials provided citations for systems SORNs that disclose the use of commercial data, this includes the notices for the Warrant Information Network and commercial information resellers, 72 Fed. Reg. 9777 (March 5, 2007)and for the Criminal Division Index File Systems and Associated Records, 72 Fed. Reg. 44182 (Aug. 7, 2007).

Full Report

GAO Contacts