Agencies' privacy policies found lacking

Preliminary findings from a forthcoming government study on the privacy policies of federal Web sites are causing many leading analysts at the General Accounting Office to recommend the creation of a common standard for federal privacy notices.

In a presentation before a National Institute of Standards and Technology advisory board meeting in Washington last week, Alan Stapleton, GAO's assistant director of information technology, outlined the different privacy projects the agency is spearheading, including an update on a 2000 study of federal agencies' privacy policies.

Three years after the White House Office of Management and Budget instructed agencies to maintain clear and concise privacy policies, GAO is finding that the policies "are not really clear and concise," Stapleton said.

The study is revealing that agencies often stray from the standards of privacy policies and practices, he noted, even as OMB provides the agencies sample language. Government entities often use an array of words and definitions to describe common elements of privacy policy or rely on differing formats for presenting the same information, he said.

Consequently, Stapleton said GAO may recommend that OMB urge agencies to use a consistent privacy template to make their policies clear and concise.

One potential solution would be a "layered notice," where a single Web page would list the elements of the OMB privacy template and also offer a link to supplemental information. The details would describe exceptions to the standard policy or link to areas of the agency's site that collect personal information, Stapleton said.

GAO analysts believe the creation of a privacy template could help ease the burden for Web users and citizens, who often have to read complex privacy notices. "We want to learn everything for the public and private sector that we can learn," Stapleton said, but the template needs to be linked to how federal agencies can use it.

Members of the NIST advisory board cautioned that potential privacy recommendations also should address the security of the data and include a policy for disclosing how information is encrypted. They also urged Stapleton to gather input from privacy groups such as the Electronic Privacy Information Center.

GAO is still conducting a comprehensive survey of the privacy practices of 25 agency Web sites at the request of Sen. Joseph Lieberman, D-Conn., and Rep. Steve Horn, R-Calif., Stapleton said. The survey will cover nearly all departments and a host of independent agencies such as the Federal Emergency Management Agency, National Science Foundation and Securities and Exchange Commission.

While GAO has collected most of the responses to the questions, Stapleton said, "we are going to issue a report early next year. We want to analyze more of the results."