Why You Need to Know What the Government Does With Your Data

Agencies share personally identifiable information with contractors—sometimes for good reasons—but there are serious risks associated with that, and we need guardrails.

Privacy and cybersecurity are a two-sided coin. When a government agency asks individuals to provide personally identifiable information, many may be comfortable doing so. But if those individuals learn that information may be shared with third parties, such as government contractors, who may use it in wholly unintended ways, they likely would feel far less comfortable sharing that information. And if the third-party data storage system is hacked, the breach can raise serious cybersecurity concerns, both for the integrity of the system and the privacy of the individuals whose information has been obtained by bad actors.

This chain reaction begins at the government level—whether federal, state, or local. Government agencies have the highest obligation to provide transparency to the public regarding the personally identifiable information, or PII, they provide to contractors, for what purpose, and with what level of confidence that the contractor has a robust cybersecurity system in place to prevent unauthorized internal and external access. Yet today, once people submit data to complete a government application, there is little if any notice regarding how an agency will provide that information to others. There may be valid reasons for such third-party access, but at a minimum, agencies should be legally obligated to disclose this at the time such information is requested.

Senator Maggie Hassan, D-N.H., is spot on in her recent letter requesting that the Government Accountability Office review Homeland Security Department policies regarding how the department shares PII with government contractors. As a member of the Senate Homeland Security and Governmental Affairs Committee, she said it is essential that DHS “protect PII that is collected on the department’s behalf from improper access or use.” Her letter cited three data breaches of DHS contractors over the past year, including the theft of photos of travelers at the border from a Customs and Border Protection contractor.

Hassan’s inquiry has broader implications. Lawmakers should request that GAO conduct a governmentwide review of how departments and agencies share PII, to develop a comprehensive understanding of how contractors are using this data. Beyond Washington, state and city legislators also should be making similar requests for the same purpose.

With so much attention focused on how Big Tech is using PII on a massive scale, it’s timely to extend this to the public sector, particularly since the PII it requests often is needed for valid operational purposes. The possibility that government contractors may obtain this information, only to have it compromised or stolen due to inadequate cybersecurity measures, is real. It poses an imminent threat, and we lack appropriate measures to limit the transmittal of government-gathered PII, and to protect it once a contractor has access. Agencies need to clarify their policies and share that information with the public. Those are critical next steps needed to address this serious privacy and cybersecurity challenge.

Stuart N. Brotman is a fellow at the Woodrow Wilson International Center for Scholars in Washington. He works in the center’s Science and Technology Innovation Program, focusing on digital privacy policy issues.