Selected Agencies' Handling of Personal Information
GAO-02-1058, Sep 30, 2002
- Accessible Text:
To obtain government services, members of the public must often provide agencies with personal information, which includes both identifying information (such as name or Social Security number, which can be used to locate to identify someone) and nonidentifying information (such as age or gender). GAO was asked to review agencies' handling of the personal information they collect and whether this handling conforms with federal law, regulation, and agency guidance.
GAO reviewed the processes used in handling personal information collected from the public forms at four different agencies--Agriculture, Education, Labor, State. These four agencies were chosen because their forms represent a range of characteristics, including the time needed to fill them out (the total paperwork burden hours) and the purpose of the information they collect. In reviewing these forms, GAO concentrated on four areas (information collection, privacy, security, and records management). Handling of personal information varied among the agencies studied. Overall, agencies collected a substantial amount of personal information of a wide variety of types, including personal identifying information (names and Social Security numbers) and demographic, financial, and legal data. Agency procedures for handling personal information collected were complex, involving numerous processes and a wide range of personnel with access to the information. The personal information collected was shared extensively with other federal agencies, other government entities (state, local, tribal and foreign), and private individuals and organizations through authorized procedures. The agencies generally complied with the key requirements and guidance pertaining to information collection, privacy, security, and records management. However, GAO identified isolated instances of forms that were not accurate or current; other forms did not contain the proper privacy notices.
- Closed - implemented
- Closed - not implemented
Recommendations for Executive Action
Recommendation: In order to meet the requirements of the Privacy Act and other relevant laws and guidance protecting personally identifiable information, the Secretary of Labor should ensure that the appropriate agency officials review their data collection forms to ensure that the electronic forms (1) include the Paperwork Reduction Act and Privacy Act statements and all notices, as appropriate; and (2) are valid and up to date.
Agency Affected: Department of Labor
Status: Closed - Implemented
Comments: In response to another GAO report (GAO-05-424), the Department of Labor added the required information to all public use forms on its web sites that were identified as lacking information required by the Paperwork Reduction Act. In addition, it has centralized the management of its web sites within the Office of Public Affairs, plans to annually audit its agencies' web sites to ensure that all forms display a currently valid OMB control number and other required information, is amending its policies to require that all discontinued forms be removed from the web site within 5 business days, and is developing a checklist of required PRA information to ensure it is clearly displayed on forms.
Recommendation: The Secretary of Agriculture should ensure that Agriculture officials periodically determine that notices of how they share personal information from their data collections are still valid.
Agency Affected: Department of Agriculture
Status: Closed - Implemented
Comments: In August 2003, USDA's Deputy Chief Information Officer notified GAO that USDA has placed increased emphasis on the requirements of the Privacy Act as they increase electronic interactions with their customers. Also, agency officials have been requested to review their system of record notices including how they share personal information via the "routine use" authority in the Privacy Act. In addition, a memorandum will be sent to all agency privacy officials advising them to review and update the accuracy and relevance of their Privacy Act notices where necessary.