OMB challenges report on Privacy Act compliance

Bush administration officials have rebuked the General Accounting Office for concluding in a new report that agencies are not taking adequate steps to protect private records.

Nearly 30 percent of federal agencies are unable to confirm that the personal data they disclose to outside organizations is "complete, accurate, relevant and timely," GAO concluded in the report (GAO-03-304), issued Wednesday. Fourteen percent fail to note some instances where they share private records with outsiders, and 18 percent do not check to make sure that outsiders are using disclosed information for its intended purpose, according to GAO.

GAO obtained its statistics by questioning officials at 25 agencies about their efforts to comply with the 1974 Privacy Act, which requires agencies to identify systems containing confidential information, limit access to sensitive data and make certain the data is reliable and used properly.

Survey responses showed a mixed record on compliance with the Privacy Act, GAO said. "As a result of this uneven compliance, the government cannot adequately assure the public that all legislated individual privacy rights are being protected," the report concluded.

"With all due respect, these statements border on the reckless and irresponsible," said Mark Forman, administrator of OMB's Office of E-government and Information Technology, and John Graham, administrator of OMB's Office of Information and Regulatory Affairs, in a letter to GAO responding to the report.

The OMB officials complained that GAO did not have adequate information on which to base its conclusion that the government cannot assure citizens that agencies are fully protecting private data. "A lack of perfect consistency from one agency to the next should hardly be surprising when one considers that the federal government is composed of dozens of agencies," they wrote.

The fact that the 25 agencies did not report 100 percent compliance with every facet of the Privacy Act should not have made GAO leap to the conclusion that public information is not protected, Forman and Graham said.

In turn, GAO argued that its survey was "extremely comprehensive" and was developed over "many months with assistance from agency privacy officials." Congress intended the Privacy Act as a "framework" for protecting personal privacy, GAO officials said. Failure to comply with any component of the law, they argued, jeopardizes privacy.

Agencies cited a lack of clear OMB guidance on protecting personal electronic records as one explanation for failure to comply fully with the Privacy Act, GAO reported. OMB, charged with overseeing agencies' adherence to the law, should work on improving this guidance, the report recommended. About 70 percent of 2,400 record systems managed by the agencies GAO surveyed contained electronic records.

Sen. Joseph Lieberman, D-Conn., who requested the report, said that in light of GAO's findings, the "administration needs to act quickly to strengthen privacy protections, by committing more focused leadership and greater resources to [the issue]." He added that the public will "never feel comfortable interacting with the government" unless personal information is kept secure.

In addition to better OMB guidance on handling electronic records, agencies would benefit from placing a higher priority on privacy issues and providing their employees with more comprehensive training on protecting personal information, GAO suggested.