Federal data-mining efforts fail to fully safeguard privacy, GAO says

Government auditors find that federal agencies aren’t meeting all required laws and guidance to collect and protect personal information.

Federal agencies are not following all laws and adequately protecting individual privacy rights in their data-mining efforts, according to a new report.

The Government Accountability Office reviewed data-mining programs at the State Department, FBI, Internal Revenue Service, Small Business Administration and the Agriculture Department's Risk Management Agency. Data mining is an effort to glean information about individuals and behavior patterns from sources such as government records and private-sector databases.

"While the agencies responsible for these five efforts took many of the key steps required by federal law and executive branch guidance for the protection of personal information, they did not comply with all related laws and guidance," the report (GAO-05-866) concluded. "Those that did not apply key privacy protections limited the ability of the public, including those individuals whose information was used, to participate in the management of that personal information. Those agencies that did not apply the appropriate security protections increased the risk that personal information could be improperly exposed or altered."

The government has increasingly used data-mining tactics since the Sept. 11 attacks. But public and congressional concerns about the collection and protection of personal information have increased, especially in response to recent identity theft cases at ChoicePoint and LexisNexis, two firms with huge data warehouses. ChoicePoint announced in February that about 145,000 personal identities were stolen by members of an organized crime ring. In April, LexisNexis said that personal information on 310,000 people may have been stolen.

"Through data mining, agencies can quickly and efficiently obtain information on individuals or groups by exploiting large databases containing personal information aggregated from public and private records," GAO said. "The ease with which organizations can use automated systems to gather and analyze large amounts of previously isolated information raises concerns about the impact on personal privacy."

The agencies GAO examined did not follow all key provisions of the 1974 Privacy Act, 2002 Federal Information Security Management Act and 2002 E-Government Act. These laws set requirements for the collection, protection, disclosure and use of personal information. The Office of Management and Budget provides additional guidance that agencies must follow. The report made 19 recommendations to help ensure that data-mining efforts include adequate privacy protections.

Each of the agencies took steps to protect personal information, GAO found, but none followed all required procedures.

"Specifically, most agencies notified the general public that they were collecting and using personal information and provided opportunities for individuals to review personal information, when required by the Privacy Act," the report stated. "However, agencies are also required to provide notice to individual respondents explaining why information is being collected: Two agencies provided this notice, one did not provide it, and two claimed an allowable exemption from this requirement because the systems were used for law enforcement."

GAO also found that the agencies were inconsistent in their actions. For example, only the State Department's Citibank Custom Reporting System took the necessary steps to ensure the accuracy, relevance, timeliness and completeness of data used to make determinations about individuals. The system is operated by the General Services Administration and is used to track abuse of government purchase cards.

The Risk Management Agency partially met the requirement to protect personal data, while the IRS, FBI and SBA all claimed exemptions.

GAO also found that no agency did a privacy impact assessment that fully complied with OMB guidance. "The lack of comprehensive assessments is a missed opportunity for agencies to ensure that the data-mining efforts we reviewed are subject to the most appropriate privacy protections," the report stated. "Further, without analyses regarding their approaches to privacy protection, agencies have little assurance that their approaches reflect the appropriate balance between individual privacy rights and the operational needs of the government."

Treasury, USDA, SBA and State generally agreed with the findings and recommendations in the report. Justice had no comments on the report.

GSA and GAO, however, disagreed over some of the study's findings and recommendations. GSA said the Privacy Act does not apply to its Citibank Custom Reporting System. GAO maintains that the system is subject to the law.