Information Management:

Selected Agencies' Handling of Personal Information

GAO-02-1058: Published: Sep 30, 2002. Publicly Released: Oct 30, 2002.

Linda D. Koontz
(202) 512-7487


Office of Public Affairs
(202) 512-4800

To obtain government services, members of the public must often provide agencies with personal information, which includes both identifying information (such as name or Social Security number, which can be used to locate or identify someone) and nonidentifying information (such as age or gender). GAO was asked to review agencies' handling of the personal information they collect and whether this handling conforms with federal law, regulation, and agency guidance.

GAO reviewed the processes used in handling personal information collected from public forms at four different agencies--Agriculture, Education, Labor, and State. These four agencies were chosen because their forms represent a range of characteristics, including the time needed to fill them out (the total paperwork burden hours) and the purpose of the information they collect. In reviewing these forms, GAO concentrated on four areas (information collection, privacy, security, and records management). Handling of personal information varied among the agencies studied. Overall, agencies collected a substantial amount of personal information of a wide variety of types, including personal identifying information (names and Social Security numbers) and demographic, financial, and legal data. Agency procedures for handling personal information collected were complex, involving numerous processes and a wide range of personnel with access to the information. The personal information collected was shared extensively with other federal agencies, other government entities (state, local, tribal, and foreign), and private individuals and organizations through authorized procedures. The agencies generally complied with the key requirements and guidance pertaining to information collection, privacy, security, and records management. However, GAO identified isolated instances of forms that were not accurate or current; other forms did not contain the proper privacy notices.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: In order to meet the requirements of the Privacy Act and other relevant laws and guidance protecting personally identifiable information, the Secretary of Labor should ensure that the appropriate agency officials review their data collection forms to ensure that the electronic forms (1) include the Paperwork Reduction Act and Privacy Act statements and all notices, as appropriate; and (2) are valid and up to date.

    Agency Affected: Department of Labor

    Status: Closed - Implemented

    Comments: In response to another GAO report (GAO-05-424), the Department of Labor added the required information to all public use forms on its web sites that were identified as lacking information required by the Paperwork Reduction Act. In addition, it has centralized the management of its web sites within the Office of Public Affairs, plans to annually audit its agencies' web sites to ensure that all forms display a currently valid OMB control number and other required information, is amending its policies to require that all discontinued forms be removed from the web site within 5 business days, and is developing a checklist of required PRA information to ensure it is clearly displayed on forms.

    Recommendation: The Secretary of Agriculture should ensure that Agriculture officials periodically determine that notices of how they share personal information from their data collections are still valid.

    Agency Affected: Department of Agriculture

    Status: Closed - Implemented

    Comments: In August 2003, USDA's Deputy Chief Information Officer notified GAO that USDA has placed increased emphasis on the requirements of the Privacy Act as they increase electronic interactions with their customers. Also, agency officials have been requested to review their system of record notices including how they share personal information via the "routine use" authority in the Privacy Act. In addition, a memorandum will be sent to all agency privacy officials advising them to review and update the accuracy and relevance of their Privacy Act notices where necessary.
