Government Use of Data from Information Resellers Could Include Better Protections
GAO-08-543T, Mar 11, 2008
Federal agencies collect and use personal information for various purposes from information resellers--companies that amass and sell data from many sources. GAO was asked to testify on its April 2006 report on agency use of reseller data. For that report, GAO was asked to determine how the Departments of Justice, Homeland Security, and State and the Social Security Administration used personal data from resellers and to review the extent to which agencies' policies and practices for handling this information reflected the Fair Information Practices, a set of widely accepted principles for protecting the privacy and security of personal data. GAO was also asked to provide an update on the implementation status of its recommendations and to comment on provisions of the proposed Federal Agency Data Protection Act. In preparing this testimony, GAO relied primarily on its April 2006 report.
In fiscal year 2005, the Departments of Justice, Homeland Security, and State and the Social Security Administration reported that they used personal information obtained from resellers for a variety of purposes, including performing criminal investigations, locating witnesses and fugitives, researching assets held by individuals of interest, and detecting prescription drug fraud. The agencies planned to spend approximately $30 million on contractual arrangements with resellers that enabled the acquisition and use of such information. About 91 percent of the planned fiscal year 2005 spending was for law enforcement (69 percent) or counterterrorism (22 percent).
Agency practices for handling personal information acquired from information resellers did not always fully reflect the Fair Information Practices. That is, for some of these principles, agency practices were uneven. For example, although agencies issued public notices when they systematically collected personal information, these notices did not always notify the public that information resellers were among the sources to be used. This practice is not consistent with the principle that individuals should be informed about privacy policies and the collection of information. Contributing to the uneven application of the Fair Information Practices are ambiguities in guidance from the Office of Management and Budget (OMB) regarding the applicability of privacy requirements to federal agency uses of reseller information. In addition, agencies generally lacked policies that specifically address these uses.
GAO made recommendations to OMB to revise privacy guidance and to the four agencies to develop specific policies for the use of personal information from resellers. The five agencies generally agreed with the report and described actions initiated to address the recommendations. Since GAO issued its report, agencies have taken steps to address the recommendations. For example, the Department of Homeland Security Privacy Office incorporated specific questions in its May 2007 Privacy Impact Assessment guidance concerning use of commercial data. In addition, the Department of Justice took steps to update its public notices to specify their use of data from information resellers. OMB, however, has not implemented GAO's recommendation to clarify guidance on use of commercial data.
The Federal Agency Data Protection Act was introduced on December 18, 2007. The legislation, among other things, would require that agencies (1) conduct privacy impact assessments for their uses of commercial data, and (2) promulgate regulations concerning the use of commercial data brokers. GAO considers these requirements to be consistent with the results and the recommendations made to the agencies in its 2006 report.