This is the accessible text file for GAO report number GAO-03-304 
entitled 'Privacy Act: OMB Leadership Needed to Improve Agency 
Compliance' which was released on July 30, 2003.

This text file was formatted by the U.S. General Accounting Office 
(GAO) to be accessible to users with visual impairments, as part of a 
longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

Report to the Ranking Minority Member, Committee on Governmental 
Affairs, U.S. Senate:

June 2003:

Privacy Act:

OMB Leadership Needed to Improve Agency Compliance:

GAO-03-304:

GAO Highlights:

Highlights of GAO-03-304, a report to the Ranking Minority Member, 
Committee on Governmental Affairs, U.S. Senate

Why GAO Did This Study:

The Privacy Act regulates how federal agencies may use the personal 
information that individuals supply when obtaining government services 
or fulfilling obligations—for example, applying for a small business 
loan or paying taxes. GAO was asked to review, among other things, 
agency compliance with the Privacy Act and related guidance from the 
Office of Management and Budget (OMB).

What GAO Found:

Based on responses from 25 selected agencies to GAO surveys, 
compliance with Privacy Act requirements and OMB guidance is generally 
high in many areas, but it is uneven across the federal government. 
For example, GAO used agency responses to estimate 100 percent 
compliance with the requirement to issue a rule explaining to the 
public why personal information is exempt from certain provisions of 
the act (see table). In contrast, GAO estimates 71 percent compliance 
with the requirement that personal information should be complete, 
accurate, relevant, and timely before it is disclosed to a nonfederal 
organization. As a result of this uneven compliance, the government 
cannot adequately assure the public that all legislated individual 
privacy rights are being protected.

Agency senior privacy officials acknowledge the uneven compliance but 
report a number of difficult implementation issues in a rapidly 
changing environment. Of these issues, privacy officials gave most 
importance to the need for further OMB leadership and guidance. 
Although agencies are not generally dissatisfied with OMB’s guidance 
on the Privacy Act, they made specific suggestions regarding areas in 
which additional guidance is needed, such as the act’s application 
to electronic records. Besides these gaps in guidance, additional 
issues included the low agency priority given to implementing the act 
and insufficient employee training on the act. If these implementation 
issues and the overall uneven compliance are not addressed, the 
government will not be able to provide the public with sufficient 
assurance that all legislated individual privacy rights are adequately 
protected.

What GAO Recommends: 

GAO recommends that the Director, OMB, take a number of steps aimed at 
improving agency compliance with the Privacy Act, including overseeing 
and monitoring agency actions, reassessing the need for additional 
guidance to agencies, and raising agency awareness of the importance 
of the act. In providing comments, OMB officials stated that the 
draft report does not support the conclusion that, without improved 
compliance, the government cannot ensure the protection of individual 
privacy rights; these officials stated that GAO’s treatment of the 
various provisions of the act as equally important in protecting 
privacy is flawed. GAO’s view, however, is that Congress enacted a 
series of requirements designed, in total, to protect privacy; 
accordingly, GAO based its conclusions on a comprehensive analysis of 
agency compliance with a broad range of requirements.

www.gao.gov/cgi-bin/getrpt?GAO-03-304.

To view the full report, including the scope and methodology, click on 
the link above. For more information, contact Linda Koontz at (202) 
512-6240 or koontzl@gao.gov.

[End of section]

Contents:

Letter:

Results in Brief:

Background:

Most Agencies' Systems of Records Contain Electronic Records:

Agency Compliance with the Privacy Act and OMB Guidance Is Uneven:

Agencies Maintain Personal Information outside the Privacy Act in a 
Limited Number of Information Systems:

Conclusions:

Recommendations for Executive Action:

Agency Comments and Our Evaluation:

Appendixes:

Appendix I: Scope and Methodology: 

Surveys: 

Privacy Act Forum: 

Presidential Privacy Initiative: 

Appendix II: Summary of GAO’s February 2003 Privacy Forum on the
Survey Results: 

Major Barriers to Improving Agency Compliance with the Privacy Act and 
Actions That Could Address These Barriers: 

Adequacy of Privacy Act Protection in Today’s Electronic Environment: 

Need for Changes in the Privacy Act for Consistency with the Current 
Environment and Management Practices: 

Appendix III: OMB Guidance on Privacy: 

Appendix IV: Compliance with Privacy Act and Associated Guidance: 

Appendix V: Agency Views on OMB Guidance and Assistance: 

OMB’s Overall Assistance to Agencies Was Frequently Judged “Moderately 
Effective”: 

OMB’s Written Guidance Was Frequently Judged “Mostly Complete”: 

OMB’s Responses to Agency Questions Were Frequently Judged “Moderately 
Timely”: 

OMB’s Assistance on Agencies’ Federal Register Notices Was Frequently 
Judged “Moderately Timely”: 

Appendix VI: Agency Resources and Structure Devoted to Implementation
of the Privacy Act: 

Appendix VII: Comments from the Office of Management and Budget: 

GAO Comments: 

Appendix VIII: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Staff Acknowledgments: 

Tables:  

Table 1: Agencywide Compliance with Training Requirements: 

Table 2: Compliance with Exemption Requirements: 

Table 3: Respondents to Second Survey: 

Table 4: Responses to Agencywide Practices Survey: 

Table 5: Responses to System of Records Survey: 

Figures: 

Figure 1: Policies to Assess Need to Collect Personal
Information: 

Figure 2: Agencies’ Assessments of Security Safeguards: 

Figure 3: Agencies’ Means to Detect Unauthorized Access: 

Figure 4: Information Systems Containing Personal Information
Not in a Privacy Act System of Records: 

Figure 5: Agency Characterization of Overall Effectiveness of OMB
Assistance: 

Figure 6: Agency Characterization of Completeness of OMB’s
Written Guidance: 

Figure 7: Agency Characterization of Timeliness of OMB’s
Response to Questions: 

Figure 8: Agency Characterization of Usefulness of OMB’s
Response to Questions: 

Figure 9: Agency Characterization of Timeliness of OMB’s
Assistance with Federal Register Notices: 

Figure 10: Agency Characterization of Usefulness of OMB’s
Assistance with Federal Register Notices: 

Figure 11: Centralization of Implementation of Privacy Act: 

Abbreviations: 

CIO: chief information officer:

FBI: Federal Bureau of Investigation:

FISMA: Federal Information Security Management Act:

FOIA: Freedom of Information Act:

FTE: full-time equivalent:

OMB: Office of Management and Budget:

OPM: Office of Personnel Management:

SSA: Social Security Administration:

SOR: system of records:

Letter June 30, 2003:

The Honorable Joseph I. Lieberman 
Ranking Minority Member 
Committee on Governmental Affairs 
United States Senate:

Dear Senator Lieberman:

Obtaining government services or fulfilling government obligations--
for example, applying for a small business loan or paying taxes--often 
requires individuals to provide federal agencies with detailed personal 
information about themselves and their spouses, dependents, and 
parents.[Footnote 1] To regulate the federal government's use of this 
personal information, Congress passed the Privacy Act of 1974. You 
asked us to evaluate the compliance of federal agencies with the 
Privacy Act and other issues. Specifically, as agreed with your office, 
our objectives were to determine:

* key characteristics of systems of records[Footnote 2] reported by 
agencies;

* the level of agency compliance with the Privacy Act and related OMB 
guidance; and:

* the extent to which agencies report that they maintain personal 
information that is not subject to the Privacy Act's protections.

To address these objectives, we conducted three surveys at 25 
departments and agencies, which were selected to provide a cross 
section of large and small agencies[Footnote 3] that were likely to 
have different missions and organizational structures and, perhaps, 
different approaches to implementing the Privacy Act. (App. I 
identifies the 25 agencies.) Response rates ranged from 76 to 100 
percent.[Footnote 4] To help verify the accuracy of answers related to 
compliance with the Privacy Act, we randomly selected a sample of 
agencies' responses to the surveys and asked officials to provide 
documentation or additional narrative explanations to support their 
answers for key compliance questions. The results of the verification 
work gave us greater assurance about the accuracy of agencies' survey 
responses. We previously briefed your staff on the results of our 
surveys.

To better understand the results of our surveys, we invited the 25 
agencies to send a representative (mostly Privacy Act officers) to a 
meeting in February 2003 (also referred to as the "forum"), at which we 
presented our survey results and asked the agency representatives for 
their reactions and to identify barriers to compliance with the act. (A 
summary of forum results is presented in app. II.):

Further details on our scope and methodology are provided in appendix 
I. Our work was conducted from May 2001 to May 2003 in accordance with 
generally accepted government auditing standards.

Results in Brief:

Based on survey responses, a key characteristic of agencies' 2,400 
systems of records is that an estimated 70 percent of systems contained 
electronic records. Specifically, 12 percent were exclusively 
electronic records, 58 percent were a combination of paper and 
electronic, and 31 percent were exclusively paper records.[Footnote 5] 
In addition, we estimate that agencies allowed individuals to access 
their personal information electronically via the Internet in about 1 
of every 10 systems of records. Other key characteristics reflected the 
diversity of systems: for example, the number of people whose personal 
information was maintained in the sampled systems of records varied 
significantly, from 5 people to about 290 million, with a median of 
about 3,500. The number of systems per agency also varied 
significantly: from 1 to over 1,000, with a median of 68.

While compliance with Privacy Act provisions and related OMB guidance 
was generally high in many areas, according to agency reports, it was 
uneven across the federal government--ranging from 100 percent to about 
70 percent for the various provisions. For example, we estimate that 
for all systems of records (100 percent), agencies issued the required 
rule that explains to the public why they exempted the system of 
records from one or more of the act's privacy protections. In contrast, 
fewer agencies were compliant with the provision that information 
should be complete, accurate, relevant, and timely before it is 
disclosed to a nonfederal organization; we estimate that agencies took 
steps to comply with this requirement for 71 percent of systems of 
records. At the forum, agency privacy officials acknowledged the uneven 
compliance but reported a number of difficult implementation issues in 
a rapidly changing environment. Of these issues, privacy officials gave 
most importance to the need for further OMB leadership and 
guidance. Although agencies are not generally dissatisfied with OMB's 
guidance on the Privacy Act, they made specific suggestions regarding 
areas in which additional guidance was needed, such as the act's 
application to electronic records. Besides these gaps in guidance, 
additional implementation issues included the low agency priority given 
to implementing the act and insufficient employee training on the act. 
If these issues and the overall uneven compliance are not addressed, 
the government will not be able to provide the public with sufficient 
assurance that individual privacy rights are appropriately protected.

Agencies maintained personal information that was not subject to the 
Privacy Act's protections in an estimated 11 percent of 730 major 
information systems in use during fiscal year 2002. Agencies reported 
that this occurred in various circumstances, the most frequent being 
when information was not retrieved by use of identifying information 
(e.g., name), but rather by other, nonidentifying information (e.g., 
name of a company). Concerns have been raised regarding the scope of 
the Privacy Act, whose coverage is limited to personal information that 
is retrieved by a personal identifier. Our study results are relevant 
to one aspect of this issue, as they provide an indication of the 
extent to which agencies maintain personal information not subject to 
the act's protections. A more complete examination of this topic would 
require additional study.

To improve compliance and address issues reported by agencies, we are 
making recommendations to the Director, OMB, which include directing 
agencies to correct compliance deficiencies, monitoring agency 
compliance, and reassessing OMB guidance.

In commenting on a draft of this report, the Administrators of OMB's 
Offices of Information and Regulatory Affairs and of E-Government and 
Information Technology stated that the information in the draft report 
does not support our conclusion that, without improved compliance, the 
government cannot assure the public that individual privacy rights are 
being protected. Specifically, the Administrators fault what they 
characterize as a fundamental flaw in the draft report: our treatment 
of the various provisions of the act as equally important in protecting 
privacy. In addition, OMB disagrees with our recommendations, stating 
that they are vague and nebulous.

We disagree with OMB's assertion that our conclusion is not supported. 
We continue to believe that, without improved compliance, the 
government cannot adequately assure the public that all legislated 
individual privacy rights are being protected. In enacting the Privacy 
Act, Congress established a framework for ensuring that individuals' 
privacy is protected. Accordingly, we based our conclusions on a 
comprehensive analysis of agency compliance with a broad range of 
requirements contained in the act. With regard to our recommendations, 
the report contains considerable detail including specific compliance 
results and agency suggestions for improvements to OMB guidance. In 
addition, we believe that our recommendations provide the appropriate 
level of detail needed for OMB to address the issues from a 
governmentwide perspective. However, we recognize that the compliance 
results in particular are provided in aggregate form; we will be 
providing additional details to OMB to help it in improving 
governmentwide compliance.

Background:

The Privacy Act of 1974 is the primary act that regulates the federal 
government's use of personal information. The Privacy Act places 
limitations on agencies' collection, disclosure, and use of personal 
information in systems of records. A system of records is a collection 
of information about individuals under the control of an agency from 
which information is actually retrieved by the name of the individual 
or by some identifying number, symbol, or other particular assigned to 
the individual. The act does not apply when there is merely a 
capability or potential for retrieval by identifier, which is often the 
case with electronic records.

Among the major provisions of the Privacy Act are the following:

Collecting only necessary information. Agencies are to maintain 
personal information about an individual only when it is relevant and 
necessary to accomplish a purpose of the agency required to be 
accomplished by statute or executive order of the President. According 
to OMB guidance, the goal of this provision is to reduce the amount of 
personal information that agencies collect in order to reduce the risk 
of agencies' improperly using personal information.

Providing public notice. Agencies are to publish a notice in the 
Federal Register when establishing or revising a system of records. The 
notice is to contain the name and location of the system, the 
categories of individuals on whom records are maintained in the system, 
and each "routine use"[Footnote 6] of the records contained in the 
system.

Providing for informed consent. Agencies are to inform individuals whom 
they ask to supply information of (1) the authority for soliciting the 
information and whether disclosure of such information is mandatory or 
voluntary, (2) the principal purposes for which the information is 
intended to be used, (3) the routine uses that may be made of the 
information, and (4) the effects on the individual, if any, of not 
providing the information.

Protecting against adverse determinations through maintaining accuracy 
of personal information. Agencies are to maintain all records used in 
making any determination about individuals with such accuracy, 
relevance, timeliness, and completeness as is reasonably necessary to 
ensure fairness to the individual.

Safeguarding information. Agencies are to establish appropriate 
administrative, technical, and physical safeguards to ensure the 
security and confidentiality of records and to protect against 
anticipated threats or hazards to their security or integrity that 
could result in substantial harm, embarrassment, inconvenience, or 
unfairness to any individual on whom information is maintained.

Accounting for disclosures of records. Agencies are to keep an 
accounting of the date, nature, and purpose of each disclosure of a 
record, and the name and address of the person or agency to whom the 
disclosure is made (except for disclosures within the agency for 
official purposes or for disclosures required under the Freedom of 
Information Act).

Training employees. Agencies are to instruct persons on the 
requirements of the act if they are involved in the design, 
development, operation, or maintenance of any system of records or in 
maintaining any record.

Providing notice of exemptions of systems of records. When an agency 
uses the authority in the act to exempt a system of records from 
certain provisions, the agency is to issue a rule explaining the 
reasons for the exemption.

Providing for civil remedies and criminal penalties for violating the 
rights granted by the Privacy Act. The act grants individuals the right 
of access to agency records pertaining to themselves; the right to 
amend such a record if it is inaccurate, irrelevant, untimely, or 
incomplete; and the right to sue the government for violations of the 
act. There are civil remedies and criminal penalties for agencies not 
affording individuals these rights.

In 1988, Congress amended the Privacy Act through passage of the 
Computer Matching and Privacy Protection Act, which established 
safeguards regarding an agency's use of Privacy Act records in 
performing certain computerized matching programs. Under the act, a 
written computer matching agreement is required for any computerized 
comparison of two or more automated systems of records for the purposes 
of determining the eligibility of applicants for assistance under 
federal benefits programs or of recouping payments or delinquent debts 
under federal benefits programs. Agreements are also required for any 
computerized comparison of federal personnel or payroll systems.

Computer matching agreements must specify the purpose and legal 
authority for conducting the match and how these matches will be 
performed. Agency Data Integrity Boards are to approve matching 
agreements and assess the costs and benefits of the match. (There are 
some exceptions, such as not assessing costs and benefits where the 
match is required by statute.):

OMB Is Responsible for Guidance on Privacy:

Under the Privacy Act, OMB is responsible for developing guidelines and 
regulations and providing "continuing assistance to and oversight of" 
agencies' implementation of the act. In 1975, OMB issued its initial 
Privacy Act implementing guidance entitled Privacy Act Implementation: 
Guidelines and Responsibilities. In addition, OMB Circular A-130 
(Management of Federal Information Resources) sets forth a number of 
general policies concerning the protection of personal privacy by the 
federal government:

* The individual's right of privacy must be protected in federal 
government information activities involving personal information.

* Agencies shall consider the effects of their actions on the privacy 
rights of individuals and ensure that appropriate legal and technical 
safeguards are implemented.

* Agencies shall limit the collection of information that identifies 
individuals to that which is legally authorized and necessary for the 
proper performance of agency functions.

* Agency heads shall periodically review (1) a random sample of agency 
contracts for maintaining systems of records to ensure that contractors 
are bound by the Privacy Act; (2) routine use disclosures associated 
with each system of records to ensure that they are compatible with 
their original purpose for collection; and (3) training practices to 
ensure that employees are familiar with the Privacy Act and the 
agency's implementing regulation.

As of April 2003, OMB's Web site, www.whitehouse.gov/omb, also provides 
links to documents characterized as "Privacy Guidance" and "Privacy 
Reference Materials" (http://www.whitehouse.gov/omb/inforeg/
infopoltech.html). Those documents include the initial Privacy Act 
guidance, memoranda about privacy policies on federal Web sites and 
interagency sharing of personal data, and letters on agency use of Web 
"cookies."[Footnote 7] (See app. III.):

OMB officials stated that one OMB staff person is dedicated to Privacy 
Act issues full time. In addition, according to that one staff person, 
several other OMB staff also devote part of their time to this effort. 
The Privacy Act staff position is located in the Information Policy and 
Technology Branch within the Office of Information and Regulatory 
Affairs. According to OMB, the duties associated with this position 
include:

* reviewing agencies' draft Federal Register notices and systems 
reports for new and altered systems of records and computer matches;

* answering agencies' questions about how to implement the act, and 
responding to questions from federal employees and the public about the 
scope and application of the act;

* monitoring court rulings involving the Privacy Act;

* developing written guidance to agencies on Privacy Act implementation 
issues and federal Internet privacy policy;

* leading interagency work groups on Privacy Act issues;

* providing input to OMB's positions on legislation, rules, 
regulations, and testimony that have privacy policy implications; and:

* participating in interagency discussions and activities concerning 
other privacy policy issues (consumer fraud/identity theft, do-not-call 
lists, medical privacy, financial privacy, etc.).

One body tasked with addressing federal governmentwide issues such as 
privacy and security is the Chief Information Officers (CIO) Council, 
chaired by the Deputy Director for Management in OMB. Initially 
established in 1996 by Executive Order 13011, the CIO Council was 
enacted into law by the E-Government Act of 2002.[Footnote 8] The 
council serves as the principal interagency forum for improving 
practices in the management of federal information resources. Among its 
functions are responsibilities to develop policy recommendations for 
OMB, help coordinate multiagency projects and other innovative 
initiatives, assist in standards development, and work with the Office 
of Personnel Management (OPM) to address hiring and training 
needs.[Footnote 9]

Previous Initiatives and Studies Have Raised Privacy and Security 
Concerns:

Concerns about implementation of the Privacy Act have arisen 
periodically since its passage. In 1983, for example, in a report 
summarizing 9 years (1975-1983) of congressional oversight of the act, 
the House Committee on Government Reform (formerly called the Committee 
on Government Operations) concluded that OMB had not pursued its 
responsibility to revise and update its original guidance from 1975 and 
had not actively monitored agency compliance with its 
guidance.[Footnote 10] It stated "Interest in the Privacy Act at [OMB] 
has diminished steadily since 1975. Each successive Administration has 
shown less concern about Privacy Act oversight.":

A subsequent administration initiative addressed the difficulty of 
assuring privacy in an increasingly electronic environment. In May 
1998, a presidential memorandum was issued stating that increases in 
agencies' use of electronic records permit "this information to be used 
and analyzed in ways that could diminish individual privacy in the 
absence of additional safeguards." Consequently, the heads of executive 
departments and agencies were directed to review their Privacy Act 
systems of records within 1 year, and OMB was directed, among other 
things,[Footnote 11] to issue instructions to agencies on conducting 
and reporting these reviews. In its January 1999 instructions, OMB also 
asked agencies to identify areas where they believe further OMB 
guidance was needed.[Footnote 12]

The resulting responses from 72 agencies highlighted a range of issues. 
For example, in assessing their own compliance with the Privacy Act, 
agencies (1) added 131 systems of records that previously had not been 
properly identified, (2) revised 457 systems of records that were not 
up to date, and (3) deleted 288 systems of records that were no longer 
necessary. In addition, agencies requested centralized, updated 
guidance, particularly with regard to new technologies such as E-mail, 
Web sites, and electronic records. Further, agencies suggested, for 
example, that OMB establish an interagency taskforce on privacy.

In addition, over the past 3 years, we have issued reports that raised 
concerns with the adequacy of selected OMB guidance. In September 2000, 
we reported that OMB's guidance to agencies on Web site privacy 
policies was unclear in several respects and contained undefined 
language. We recommended that OMB clarify its guidance on privacy 
policies for agencies' Web sites.[Footnote 13] In another report, 
issued in April 2001, we said that OMB's guidance on agencies' use of 
cookies on Web sites was fragmented and did not provide clear 
direction.[Footnote 14] We recommended that OMB clarify its guidance. 
Although OMB officials stated that they planned to address these 
recommendations, OMB had not yet implemented them as of May 2003.

We have also consistently reported that security of electronic 
information in computer systems is a high-risk area for the government 
in general, with potentially devastating consequences if it is not 
ensured. When controls over the security of computer systems are not 
adequate, the privacy of the personal information in those systems is 
exposed to potential risks from unauthorized access or alteration. In 
April 2003, at the request of Congress, we testified on our analysis of 
recent information security audits and evaluations at 24 major federal 
departments and agencies.[Footnote 15] We reported that although 
analyses of audit and evaluation reports for the 24 major departments 
and agencies issued from October 2001 to October 2002 indicated some 
individual agency improvements, overall they continued to highlight 
significant information security weaknesses that place a broad array of 
federal operations and assets at risk of fraud, misuse, and disruption. 
We identified significant weaknesses in each of the 24 agencies. As in 
2000 and 2001, weaknesses were most often identified in control areas 
for security program management and access controls. All 24 agencies 
had weaknesses in security program management, which provides the 
framework for ensuring that risks are understood and that effective 
controls are selected and properly implemented.

We further testified that there are a number of important steps that 
the administration and the agencies should take to ensure that 
information security receives appropriate attention and resources and 
that known deficiencies are addressed. These steps include delineating 
the roles and responsibilities of the numerous entities involved in 
federal information security and related aspects of critical 
infrastructure protection; providing more specific guidance on the 
controls agencies need to implement; obtaining adequate technical 
expertise to select, implement, and maintain controls to protect 
information systems; and allocating sufficient agency resources for 
information security.

Although we continue to report significant weaknesses that place 
federal operations and assets at risk, in the past few years agencies 
and the administration have taken actions to improve federal 
information security. As we reported in our April 2003 testimony, OMB 
and agency efforts to implement the information security requirements 
of the Federal Information Security Management Act (FISMA)[Footnote 16] 
have resulted in increased management attention to information security 
and provided an improved baseline for measuring improvements. FISMA 
requires federal agencies to establish agencywide risk-based 
information security programs, which must be independently evaluated 
annually, in order to protect agency information and information 
systems from unauthorized access, use, disclosure, disruption, 
modification, or destruction.

We also reported that the administration has made progress through a 
number of efforts, such as OMB's establishment of requirements for 
agencies to report the results of their annual security program reviews 
and their plans to correct identified weaknesses, as well as its 
emphasis of information security in the budget process and e-government 
initiatives.[Footnote 17] Also, the National Institute of Standards and 
Technology (NIST) has issued additional computer security guidance, 
including its Security Self-Assessment Guide for Information Technology 
Systems,[Footnote 18] which uses an extensive questionnaire containing 
specific control objectives and techniques against which an 
unclassified system or group of interconnected systems can be tested 
and measured.

Most Agencies' Systems of Records Contain Electronic Records:

A key characteristic of agencies' systems of records is that a large 
proportion of them are electronic, reflecting the government's 
significant use of computers and the Internet to collect and share 
personal information. Based on survey responses, we estimate that 70 
percent of the agencies' 2,400 systems of records contain electronic 
records. Specifically, an estimated 12 percent were exclusively 
electronic records, 58 percent were a combination of paper and 
electronic, and 31 percent were exclusively paper records.[Footnote 19] 
In addition, agencies allowed individuals to access their personal 
information via the Internet in an estimated 9 percent of systems of 
records (about 1 in 10).

Our survey results revealed other key characteristics of our population 
of over 2,400 systems of records, which illustrate the diversity across 
agencies:

* The median number of people whose personal information was maintained 
in the sampled systems of records was about 3,500, but this number 
varied significantly: the totals ranged from 5 people to about 290 
million people.

* The median number of systems of records at each agency was 68, but 
this number varied significantly: the totals ranged from 1 to over 
1,000.

* Among the electronic records, 66 percent of systems of records 
resided within one information system, and 34 percent resided within 
more than one information system.

* The types of information that agencies used most frequently to 
actually retrieve personal information from the system were the social 
security number and the agency identification number.

* The most frequent source of the personal information in the systems 
of records was the subject individual, followed by the agency, 
individuals other than the subject, and another federal agency.

Agency Compliance with the Privacy Act and OMB Guidance Is Uneven:

While compliance with Privacy Act provisions and related OMB guidance 
was generally high in many areas, according to agency reports, it was 
uneven across the federal government--ranging from 100 percent for some 
requirements to about 70 percent for others. For example, for 100 
percent of agency systems of records, agencies followed the requirement 
to issue a rule that explains to the public why a system of records is 
exempt from one or more of the act's privacy protections. However, for 
other provisions, agencies have not consistently established the 
necessary policies and procedures needed to ensure compliance and 
followed through on required actions. Agency privacy officials 
attending our forum acknowledged this uneven compliance; they pointed 
out, however, that implementation of the Privacy Act in a rapidly 
changing environment presents a number of difficult issues. 
Specifically, these officials identified barriers to improved 
compliance that include a need for more OMB leadership and guidance on 
the act, low agency priority given to implementing the act, and 
insufficient training on the act. In the absence of consistent 
compliance with the Privacy Act, the government cannot adequately 
assure the public that all legislated individual privacy rights are 
being protected.

Compliance Was Uneven among Provisions of the Privacy Act:

Collecting only relevant and necessary information. The Privacy Act 
states that agencies are to collect only information that is relevant 
and necessary to accomplish a purpose of the agency required to be 
accomplished by statute or executive order of the President. This 
provision is aimed at preventing the improper use of personal 
information in ways that could result in substantial harm or 
embarrassment to individuals. OMB guidance states "In simplest terms, 
information not collected about an individual cannot be misused." 
Accordingly, OMB guidance states that agencies are to assess the 
relevance and need for personal information in the initial design of a 
new system of records or whenever any change is proposed in an existing 
system of records. Seventeen of the 25 agencies stated that they did 
have written policies and procedures to determine, before information 
systems become operational, whether any personal information to be 
collected in a new system is needed, as OMB guidance requires. (See 
fig. 1.) The remaining 8 agencies did not have such policies and 
procedures.

Figure 1: Policies to Assess Need to Collect Personal Information:

[See PDF for image]

[End of figure]

Several agencies that did have such procedures in place reported 
positive results from these assessments. These agencies identified 
instances since October 1, 1998, where they decided not to collect or 
retain unnecessary personal information because of Privacy Act 
considerations. For example:

* Transportation took steps to reduce the amount of personal 
information and its availability in designing (1) a new identification 
system for agency employees and (2) a possible Transportation Worker 
Identification Credential (TWIC) and associated systems for the 
Transportation Security Administration. According to agency officials, 
TWIC was initiated at the Department of Transportation, but transferred 
to the Department of Homeland Security with the Transportation Security 
Administration on March 1, 2003.

* The Treasury's Financial Management Service decided not to collect or 
retain social security numbers for its Pay.gov verification[Footnote 
20] or for the Intra-Governmental Payment and Collections 
System.[Footnote 21]

* The Social Security Administration (SSA) decided not to copy (1) a 
State Workers Compensation agency file and (2) a Veterans Benefits 
Administration file containing military discharge records, because SSA 
would need to access only a small percentage of the records.

* The Department of Defense eliminated a database that contained 
information on dependents after finding that the information was 
neither relevant nor necessary. Another component destroyed employees' 
tax return information because it was neither relevant nor necessary.

As these examples show, following procedures to assess the need for 
personal information in systems can effectively avoid privacy risks. 
However, without such procedures consistently in place governmentwide, 
agencies cannot ensure that only relevant personal information is 
collected from individuals.

Providing public notice. A basic objective of the act is to foster 
agency accountability through a system of public scrutiny. Among the 
provisions of the act that provide this system of public scrutiny are 
the act's requirements to (1) issue Federal Register notices so that 
there are no systems of records whose existence is secret and 
(2) publish rules in the Code of Federal Regulations that describe the 
agency's procedures for individuals to determine if they are the 
subject of a record and to access or amend their records. In addition, 
over the course of a year, agencies' use of personal information in 
systems of records may change. Accordingly, OMB Circular A-130 requires 
agencies to review each system of records notice biennially to ensure 
that it accurately describes the system of records.

Agencies reported that they had issued the required Federal Register 
notice for 89 percent of the systems of records. Of the 25 agencies 
surveyed, 24 reported that they had published the required rules in the 
Code of Federal Regulations. Finally, agencies reported they had 
completed reviews of Federal Register notices on an estimated 79 
percent of the 2,400 systems of records. For those systems of records 
for which agencies are not complying with public notice provisions, the 
public cannot obtain current information on the existence of government 
systems that may contain personal information. Without uniform 
compliance with these provisions, agencies cannot consistently ensure 
that citizens can exercise their rights to access, review, and amend 
such records, as guaranteed under the act.

Providing for informed consent. Under the act, individuals have a right 
to be provided with detailed information about the agency's request for 
personal information before making an informed decision whether to 
respond. Accordingly, the act requires agencies to provide individuals 
in writing (1) the authority for soliciting the information and whether 
disclosure of such information is mandatory or voluntary, (2) the 
principal purposes for which the information is intended to be used, 
(3) the routine uses that may be made of the information, and (4) the 
effects on the individual, if any, of not providing the information. In 
addition, agencies' uses of the information may change over time. 
Accordingly, OMB Circular A-130 requires agencies to review the routine 
use disclosures to ensure that they continue to be compatible with the 
purpose for which the information was collected.

We estimate that for 82 percent of the systems of records, agencies did 
provide individuals, in writing, with the information required by the 
act. For the remaining 18 percent, individuals have not been provided 
with full disclosure of the potential uses of their personal 
information.

In addition, of 25 agencies surveyed, 21 reported that they had adhered 
to the OMB guidance to review routine use disclosures. Based on 
responses to our survey of systems of records, we found that agencies 
reviewed these routine use disclosures in an estimated 82 percent of 
the 2,400 systems of records. For the systems for which these reviews 
were not done, agencies cannot assure the public that the potential 
uses of their personal information remain appropriate.

Protection against adverse determinations through maintaining 
accuracy. One purpose of the act is to minimize, if not eliminate, the 
risk that an agency will make an adverse determination about an 
individual on the basis of incorrect information. Accordingly, the act 
requires that agencies, when making determinations about individuals or 
when disclosing personal information to a nonfederal organization, 
maintain all records with such accuracy, relevance, timeliness, and 
completeness as is reasonably necessary to ensure fairness to the 
individual.

Agency-reported compliance with the accuracy requirements varied 
considerably. With regard to determinations made about an individual, 
we estimate that agencies had procedures in place to ensure that the 
personal information about an individual is complete, accurate, 
relevant, and timely in 95 percent of systems of records. However, 
compliance with accuracy requirements was considerably lower when the 
agencies disclosed personal information to nonfederal organizations--
an estimated 71 percent of systems of records.

A related issue is the use of computer matches,[Footnote 22] which are 
generally subject to the act's protections if they are used to make 
determinations that involve (1) applying for federal benefits, 
(2) recouping government payments to individuals, (3) collecting 
delinquent debts the individual owes the government, or (4) federal 
personnel or payroll records. We estimate that less than 5 percent of 
the approximately 2,400 systems of records were involved in one or more 
computer matching programs during 2001; however, this 5 percent 
includes systems containing records on very large numbers of people, 
including one, according to SSA, covering approximately 360 million 
applicants for social security numbers of which 70 million are known to 
be deceased. OMB requires agencies to review each ongoing computer 
matching program to ensure that the requirements of the act and OMB 
guidance have been met. Our survey results indicate that 9 of the 13 
agencies that maintain computer matching programs complied with the OMB 
requirement to make such reviews.

Without consistent reviews of computer matching programs for compliance 
with the act and OMB guidance, the government cannot ensure that 
personal information shared with other entities and used for decision 
making in federal programs is accurate, relevant, timely, and complete.

Safeguarding personal information. Once an agency makes a decision to 
collect personal information, safeguarding the information is vital to 
complying with the Privacy Act. As discussed earlier, our reports have 
consistently found that information security is a high-risk area for 
the government in general, with potentially devastating consequences if 
it is not ensured. Moreover, the importance of adequate safeguards is 
underscored by the types of sensitive personal information most 
frequently found in the systems of records: name, social security 
number, telephone numbers, home address, work address, and demographic 
information (e.g., marital status).

OMB's guidance calls for a detailed assessment of risks and the 
establishment of specific administrative, technical, procedural, and 
physical safeguards. Based on survey responses, we estimate that during 
fiscal years 1999 through 2001, agencies did assess security safeguards 
for 82 percent of systems of records, but did not for the remaining 18 
percent. (See fig. 2.):

Figure 2: Agencies' Assessments of Security Safeguards:

[See PDF for image]

[End of figure]

Protecting personal information that is maintained in automated 
information systems is of particular importance. In response to our 
surveys, agencies generally did not report incidents of unauthorized 
reading, altering, disclosing, or destroying personal information in 
automated information systems.[Footnote 23] However, we also estimate 
that in 21 percent of about 2,400 systems of records, agencies reported 
that they did not have the means to detect when persons, without 
authorization, were reading, altering, disclosing, or destroying 
information in the system. (See fig. 3.):

Figure 3: Agencies' Means to Detect Unauthorized Access:

[See PDF for image]

[End of figure]

Without appropriate security safeguards and the means to assess them, 
agencies cannot ensure that personal information maintained by the 
government is protected from unauthorized access, disclosure, and 
alteration.

Accounting for disclosures. Individuals have a right under the act to 
know to whom records about themselves have been disclosed outside the 
agency, so that (among other purposes) those recipients can be 
subsequently advised of any corrected or disputed records. Accordingly, 
agencies are to maintain an accounting of the date, nature, and purpose 
of each disclosure of a record, and the name and address of the person 
or agency to whom the disclosure is made. We estimate that agencies 
were able to account for such disclosures in 86 percent of their 2,400 
systems of records but were not able to do so for 14 percent. For 
systems for which agencies cannot account for disclosures, agencies 
cannot advise individuals of how and by whom their personal information 
is being used.

Training employees. The Privacy Act states that agencies are to 
establish rules of conduct for persons involved in the design, 
development, operation, or maintenance of systems of records and to 
instruct each person on those rules, including the penalties for 
noncompliance. In discussing the act's requirement for agencies to 
issue rules, OMB guidance states that training employees on the act is 
important for compliance:

Effective compliance with the provisions of this act will require 
informed and active support of a broad cross section of agency 
personnel. It is important that all personnel who in any way have 
access to systems of records or who are engaged in the development of 
procedures or systems for handling records, be informed of the 
requirements of the act and be adequately trained in agency procedures 
developed to implement the act.

As the following table shows, one-third of the agencies had not issued 
the act's required rules of conduct for employees, and about one in 
five had not established procedures to ensure adequate training for 
personnel with access to systems of records.

Table 1: Agencywide Compliance with Training Requirements:

Compliance question: Has your agency established rules of conduct for 
persons who are involved in operations and maintenance of records?; 
In compliance: 16 of 24 agencies.

Compliance question: Has your agency established rules of conduct for 
persons involved in design and development of systems of records?; 
In compliance: 15 of 24 agencies.

Compliance question: Does your agency have procedures to ensure that 
personnel with access to systems of records or who are engaged in 
developing procedures are adequately trained?; In compliance: 
20 of 25 agencies.

Source: GAO.

[End of table]

In addition, for an estimated 74 percent of systems of records, 
agencies also reported that they provided "all or almost all" staff 
with such training but did not for an estimated 26 percent. If agency 
employees have not been appropriately trained, they may not be aware of 
their responsibilities under the act and may not fully comply with its 
requirements.

Providing notice of exemptions. The Privacy Act permits certain 
categories of records to be exempted from some requirements of the act 
(e.g., access to records); according to OMB guidance, agencies can make 
exemptions if complying with those requirements could adversely affect 
agencies' conduct of necessary public business. The act contains two 
categories of exemptions: (1) general exemptions that include systems 
of records maintained by the Central Intelligence Agency or for 
criminal law enforcement purposes and (2) specific exemptions for 
systems of records that include classified material, statistical 
records, and certain personnel investigation and evaluation material. 
For example, the act allows agencies to deny a person access to his or 
her law enforcement files if doing so would impair an ongoing 
investigation. Other types of records may be exempted from the 
provision in the act that allows individuals to sue for violations of 
the act and seek civil remedies and from the provision to ensure the 
accuracy of the information disclosed to third parties.

According to OMB guidance, no system of records is automatically exempt 
from any provision of the act. To obtain an exemption for a system from 
any requirement of the act, the head of the agency that maintains the 
system must make a determination that the system falls within one of 
the categories of systems that are permitted to be exempted and publish 
a notice on the determination as a rule. That notice must include why 
the agency considers the exemption necessary and the specific 
provisions proposed to be exempted. OMB Circular A-130 requires 
agencies to review any exemptions every 4 years to determine if they 
are still needed.

As shown in the following table, we estimate that agencies issued the 
required rule explaining why the system of records was exempt for 100 
percent of the systems of records; however, for about one in seven 
systems, agencies did not review the rule every 4 years as OMB 
requires. For systems that are not reviewed periodically as required, 
agencies have diminished assurance that all existing exemptions from 
Privacy Act provisions are still necessary.

Table 2: Compliance with Exemption Requirements:

Compliance question: Has your agency issued a Federal Register notice 
explaining the reasons for exempting the system of records from certain 
provisions of the act?; Results: 24 of 24 agencies in 
compliance.

Compliance question: During fiscal years 1998-2001, did your agency 
review each system of records containing exemptions to determine 
whether such exemptions were still needed?; Results: 19 of 24 
agencies in compliance.

Compliance question: Has your agency issued a rule that explains why 
your agency considers the exemption necessary?; Results: 100 
percent compliance among systems of records.

Compliance question: During fiscal years 1998-2001, did your agency 
review the exemptions to determine whether these exemptions were still 
needed?; Results: 85% of systems of records in compliance;[A] 
15% not in compliance.

Source: GAO.

[A] The confidence interval is ±15 percent.

[End of table]

The specific compliance questions in our surveys and agency responses 
can be found in appendix IV.

Agencies Believe that Additional OMB Guidance Would Help Improve 
Compliance with the Act:

The 24 agency representatives who attended our February 2003 forum 
acknowledged that compliance was not yet consistent across agencies and 
systems of records. They identified the following as the most 
significant barriers to improving their compliance:

* lack of sufficient OMB leadership, oversight, and guidance on the 
Privacy Act (first choice);

* low agency priority on implementing the act, which adversely affects 
the level of resources devoted to it (second choice); and:

* insufficient training to satisfy the wide range of employee 
involvement with the act (e.g., executives have different training 
needs than do persons designing information systems) (third choice).

OMB Guidance and Oversight Described as Moderately Effective, but 
Agencies Ask for More Attention in Specific Areas:

At our privacy forum, agency representatives reported that the most 
significant factor in uneven agency compliance was the need for 
additional OMB leadership on implementing the Privacy Act in today's 
electronic environment. Because the Privacy Act mandates that OMB 
provide agencies with continuing assistance and oversight, agencies 
look to OMB for additional help and guidance. According to agency 
responses to our surveys, agencies are not generally dissatisfied with 
OMB's guidance and assistance on the Privacy Act: for example, most 
agencies judged that OMB's assistance on the act was at least 
"moderately effective" overall. (See app. V for more detail on agency 
responses in this area.) However, both on the surveys and at the forum 
they named a number of specific areas in which they wanted further 
guidance, including the application of the Privacy Act to electronic 
records.

To address this first barrier, the most important action the agency 
representatives identified was that OMB should become more proactive by 
publishing additional guidance in certain areas and providing increased 
assistance to agencies. Several forum participants also noted the 
abundance of guidance available from the Department of Justice on the 
Freedom of Information Act and expressed interest in having similar 
information made available on the Privacy Act. Forum participants also 
suggested that it would be helpful if OMB were to convene periodic 
meetings of Privacy Act officers to discuss important areas where the 
guidance is not clear. Participants saw such meetings as opportunities 
for agencies to let OMB know where guidance and assistance were needed, 
to pool their knowledge, and to work with OMB to leverage resources 
(such as training information).

In addition, on our surveys, nine agencies reported that specific 
additions or revisions to OMB guidance were needed for them to better 
implement the act. Among the areas of the act cited most frequently 
were:

* how the definition of a system of records applies to electronic 
databases,

* how the disclosure provisions apply to electronic databases,

* coverage of sole proprietors (entrepreneurs) under the act,[Footnote 
24] and:

* cost-benefit guidance for computer matches.[Footnote 25]

The observation that additional OMB guidance on the Privacy Act would 
be helpful is not new. In our previous reports in this area, we have 
recommended that OMB issue guidance on Web site privacy policies and on 
agencies' use of cookies.[Footnote 26] Similarly, in response to the 
May 1998 privacy initiative, agencies requested updated guidance, 
particularly with regard to new technologies, and suggested that OMB 
establish an interagency task force and host periodic conferences on 
privacy. OMB has not yet acted either on our recommendations or on 
previous agency requests for additional guidance.

Agencies See Privacy Act Implementation as Receiving Low Priority:

Forum participants reported that agency management tends to assign low 
priority to implementation of the Privacy Act. They commented that 
implementation was classed among support functions, which are often the 
first to be cut when resources are tight, and that Privacy Act offices 
were often "buried" in agencies. Also, Privacy Act officers may find 
themselves placed in an adversarial position when they tell their 
management not to take certain actions that could violate the act. 
Further, there was general agreement among forum participants that OMB 
officials had not demonstrated that the Privacy Act was a priority, and 
that this low priority tended to result in a similar low priority at 
agencies. One participant cited the minimal level of OMB resources 
devoted to assisting agencies to carry out the act--primarily one 
person--as indicative of the low priority placed on the act. 
Furthermore, participants said this lack of OMB leadership and top 
management attention tended to adversely affect the resources that 
agencies assigned to carrying out the act.

To address this second barrier, the most important action the forum 
participants identified was for agency top managers to place increased 
priority on implementing the act, including making additional resources 
available. However, when asked in the survey about the resources that 
are devoted to implementing the act, most agencies were unable to 
answer many of the questions. Agencies are not required to track such 
resources, and many respondents found estimating the resources 
burdensome. In appendix VI, we provide limited information on this 
topic, as well as on the organizational structures that agencies have 
set up to implement the Privacy Act.

Agencies See a Need for Increased and More Focused Training on the 
Privacy Act:

Forum participants stated that the agencies did not provide sufficient 
training for agency staff who handle personal information subject to 
the act. They stated that the most important action to address this 
barrier was OMB overseeing the development of additional training for 
employees with varying degrees of involvement with the act and making 
the training more readily available (perhaps on the Web or on CD). 
Several participants noted that there should be role-based training 
that varies based on the employees' involvement with the act. For 
example, there could be a general orientation session on the act for 
all employees, and different training for executives, Privacy Act 
officers, and systems managers.

Further details on the forum results are provided in appendix II.

Agencies Maintain Personal Information outside the Privacy Act in a 
Limited Number of Information Systems:

The protections of the Privacy Act are limited to personal information 
that is retrieved by a personal identifier. Over the years since the 
act's passage, concerns have been raised regarding the protection of 
personal information that does not fall within the scope of the act. 
(For example, electronic databases frequently permit the retrieval of 
personal information by search terms other than a personal identifier.) 
A preliminary step to addressing these concerns is to estimate the 
extent of personal information that is maintained outside Privacy Act 
systems. Based on agency responses to our survey, we estimate that 67 
percent of the 730 information systems in use at large agencies during 
fiscal year 2002 contained personal information, regardless of whether 
this personal information was in a Privacy Act system of records. Of 
these 730, we estimate that 11 percent (83) contained personal 
information outside a Privacy Act system of records.[Footnote 27] (See 
fig. 4.):

Figure 4: Information Systems Containing Personal Information Not in a 
Privacy Act System of Records:

[See PDF for image]

Survey question shown in the figure: How many of these information 
systems contain any personal information not in a Privacy Act system 
of records (SOR)?

[End of figure]

Agencies reported that they maintain personal information outside a 
system of records when the information:

* is not retrieved by use of identifying information (e.g., name), but 
rather by nonidentifying information (e.g., zip code);

* concerns deceased persons (e.g., deceased recipients of social 
security benefits);

* concerns entrepreneurs acting in a business rather than a personal 
capacity (e.g., persons seeking government business loans); or:

* concerns aliens who are not permanent residents of the United States 
(e.g., persons seeking a visa to enter this country).

The most frequently cited reason why these systems were not considered 
Privacy Act systems of records was that the agency did not use a 
personal identifier to retrieve the personal information. For example, 
the Department of Labor stated that it collects personal information 
from persons who claim not to have been paid all the wages owed them. 
Because it uses company names, rather than the names of individuals, to 
retrieve the information, Labor officials stated they are not required 
to keep this personal information in a Privacy Act system of records.

However, a few agencies reported that, for administrative convenience, 
they put such information in Privacy Act systems of records even when 
not required. (OMB guidance encourages agencies to do this.) For 
example, the Department of Health and Human Services' Centers for 
Disease Control maintains records on deceased individuals. These 
records also contain information about living persons (for example, the 
next of kin). Therefore, all the information is maintained in a Privacy 
Act system of records.

Other laws besides the Privacy Act provide certain privacy and security 
protections to personal information outside Privacy Act systems of 
records. Under the Freedom of Information Act (FOIA), as amended, the 
public has a right of access to federal agency records, except for 
those records that are protected from disclosure by nine stated 
exemptions. Two exemptions in FOIA protect personal privacy interests 
from disclosure. The first exemption allows the federal government to 
withhold information about individuals in personnel and medical files 
when the disclosure would constitute a clearly unwarranted invasion of 
personal privacy. The second exemption allows the federal government to 
withhold records of information compiled for law enforcement purposes, 
but only to the extent that the production of such law enforcement 
records or information could reasonably be expected to constitute an 
unwarranted invasion of personal privacy.

A second law that protects information in federal records is the 
Federal Information Security Management Act (FISMA),[Footnote 28] which 
requires federal agencies to protect agency information and information 
systems from unauthorized access, use, disclosure, disruption, 
modification, or destruction.

Conclusions:

Agency responses on key characteristics of their systems of records 
highlight the increasingly complex environment in which federal 
agencies must operate. Agencies reported that information is maintained 
on vast numbers of individuals, largely in electronic form, and that a 
single system of records may reside in multiple information systems. 
Understanding this environment--and its potential impact on 
individuals' privacy--will be important as the government continues to 
refine its privacy policies and guidance.

While Privacy Act compliance is generally high in many areas, it is not 
consistent across the federal government and could be improved. 
Agencies bear primary responsibility for compliance with the act, but 
they have not yet fully put into place the processes and follow-through 
needed to ensure compliance. Further, according to agencies, they face 
difficult implementation issues. Specifically, OMB has not responded 
either to long-standing agency requests or to our recommendations for 
improved guidance. In addition, agencies believe that OMB has not 
provided enough assistance in dealing with challenges such as the low 
priority generally accorded to the Privacy Act and the lack of 
appropriate training. Until these issues are addressed by agencies and 
OMB and compliance with the Privacy Act across government is improved, 
the government cannot adequately assure the public that all legislated 
individual privacy rights are being protected.

Agencies reported that about 11 percent of their automated systems 
contain personal information that is not subject to the act's 
protections. In view of the concerns about the scope of the Privacy 
Act, this information may be useful as a first step in understanding 
this issue in the current electronic environment. Further study is 
required, however, to determine what information is maintained, how it 
is used, and the potential effects, if any, on individual privacy 
rights.

Recommendations for Executive Action:

To improve agency compliance with the Privacy Act, we recommend that 
the Director, OMB,

* direct agencies to correct the deficiencies in compliance with the 
Privacy Act that agencies identified in this report,

* oversee agency implementation of actions needed to correct these 
deficiencies, and

* monitor overall agency compliance with the act.

To address implementation issues related to compliance with the Privacy 
Act, we recommend that the Director:

* assess the need for specific changes to OMB guidance, especially with 
regard to electronic records, and update the guidance, as appropriate;

* raise the awareness and commitment of senior agency officials to the 
importance of the principles that underlie the Privacy Act;

* lead a governmentwide effort to (1) determine the level of resources, 
including human capital, currently devoted to Privacy Act 
implementation by both OMB and the agencies, (2) assess the level of 
resources needed to fully implement the act, (3) identify the gap, if 
any, between current and needed resources, and (4) develop a plan for 
addressing any gap that may exist; and

* oversee the development of Privacy Act training that meets the needs 
of the wide range of employees who carry out the act and make this 
training readily available to agencies.

Further, we recommend that the Director oversee an assessment of the 
potential impact on individual privacy of federal agencies' maintaining 
personal information that is not subject to the act.

The Director should involve federal agencies as appropriate in 
addressing the above recommendations. One option for doing so would be 
to establish a multiagency working group or forum, perhaps as part of 
the Chief Information Officers Council.

Agency Comments and Our Evaluation:

We provided a draft of this report to OMB for review and comment. In a 
letter dated June 20, 2003, the Administrators of OMB's Offices of 
Information and Regulatory Affairs and of E-Government and Information 
Technology provided comments. This letter is reprinted in appendix VII 
along with our additional analysis of the comments.

The Administrators stated that our report has taken an important first 
step toward identifying areas in which further research and discussion 
can be undertaken, including through a series of meetings with agency 
officials. However, the Administrators stated that the information 
presented does not support the conclusion in the draft report that 
without improved compliance, the government cannot assure the public 
that individual privacy rights are being protected. Specifically, the 
Administrators fault what they characterize as a fundamental flaw in 
the draft report: our treatment of the various provisions of the act as 
equally important in protecting privacy. In addition, they note that 
while compliance may not be perfectly consistent, a lack of perfect 
consistency from one agency to the next "should hardly be surprising" 
across the dozens of agencies that make up the government. Further, the 
Administrators state that the draft report does not indicate whether 
agency compliance with the Privacy Act is more uneven than is agency 
compliance with other laws, such as the Administrative Procedures Act, 
and so our findings on the Privacy Act do "not really say much." 
Finally, OMB disagrees with our recommendations, stating that they are 
vague and nebulous.

We disagree with OMB's overall comment that the information in the 
draft report does not support our conclusion. We continue to believe 
that without improved compliance, the government cannot adequately 
assure the public that all legislated individual privacy rights are 
being protected. In passing the Privacy Act, the Congress enacted a 
series of requirements designed, in total, to ensure protection of 
individuals' privacy. Accordingly, we believe that because agencies did 
not consistently comply with these requirements, it is reasonable to 
conclude that the government lacks adequate assurance that privacy 
rights are being protected. With regard to the lack of consistency 
across agencies, our report does not address whether federal agencies 
have consistent practices, but whether federal agencies are 
consistently following legal requirements imposed by Congress and those 
practices that OMB found sufficiently important to be included in its 
Privacy Act guidance. Further, we believe that federal agencies should 
strive for consistent compliance with these requirements and others 
mandated by the Congress.

Regarding our recommendations, the draft report contains extensive 
details on agency noncompliance with specific provisions of the Privacy 
Act and OMB guidance. In addition, it contains many specifics on 
agencies' suggestions for improvements in guidance. Further, we believe 
our recommendations provide the appropriate level of detail needed for 
OMB to address the issues from a governmentwide perspective. We 
recognize, however, that our compliance results, in particular, are 
presented in aggregate form; we did not include our more detailed 
results in the report because this material is voluminous and because 
agencies are already well aware of the specific shortcomings in 
compliance. Nonetheless, we will be providing OMB with additional 
details to help in its improvement efforts.

As agreed with your office, unless you publicly announce its contents 
earlier, we plan no further distribution of this report until 30 days 
from the date of this letter. At that time, we will send copies of this 
report to the Director of the Office of Management and Budget and the 
heads of other interested congressional committees. We are also sending 
copies to the 25 departments and agencies we surveyed. Copies will be 
made available to others on request. In addition, this report will be 
available at no charge on GAO's Web site at www.gao.gov.

If you have any questions concerning this report, please call me at 
(202) 512-6240 or send E-mail to koontzl@gao.gov. Key contacts and 
major contributors to this report are listed in appendix VIII.

Sincerely yours,

Signed by:

Linda D. Koontz 
Director, Information Management Issues:

[End of section]

Appendixes:

Appendix I: Scope and Methodology:

We asked the following 25 departments and agencies to respond to survey 
questions about their privacy practices and procedures:

* Departments: Agriculture, Commerce, Defense, Education, Energy, 
Health and Human Services, Housing and Urban Development, Interior, 
Justice, Labor, State, Transportation, Treasury, Veterans Affairs.

* Agencies: Equal Employment Opportunity Commission (EEOC), Federal 
Emergency Management Agency (FEMA), Office of Personnel Management 
(OPM), National Science Foundation (NSF), Office of Government Ethics 
(OGE), Small Business Administration (SBA), Social Security 
Administration (SSA), Pension Benefit Guaranty Corporation (PBGC), 
Federal Trade Commission (FTC), Office of Special Counsel (OSC), 
Securities and Exchange Commission (SEC).

We selected these agencies to provide a cross section of large and 
small agencies that were likely to have different missions and 
organizational structures and, perhaps, different approaches to 
implementing the Privacy Act. In fiscal year 2002, the nine small 
agencies--EEOC, FEMA, OPM, NSF, OGE, PBGC, FTC, OSC, and SEC--had a 
median of approximately 1,200 full-time equivalent staff years; the 
range of staff years was from 80 (OGE) to approximately 3,000 (SEC). 
For the remaining two large agencies and 14 departments, the median 
number of staff years was 64,268, with a range from approximately 4,517 
(SBA) to approximately 670,166 (Defense). Each agency decided which 
person was best qualified to respond to the survey and who in 
management was to review and approve the response. We use the term 
"agency" to refer to (1) executive departments such as the Department 
of Justice and (2) independent agencies such as OPM.

Surveys:

We used three surveys. The first addressed agencywide practices, and 
the second addressed systems of records; both of these surveys 
contained questions on the characteristics of systems of records and 
on compliance with the act and related OMB guidance. The third survey 
focused on information technology projects; for these, we asked 
questions on systems containing personal information not subject to 
the act's protections.

Survey on agencywide practices. We asked these 25 agencies to answer 
questions about agencywide Privacy Act practices and procedures (e.g., 
how many systems of records exist). Each agency decided which person 
was best qualified to respond to the survey and who in management was 
to review and approve the response. In 18 of the 25 agencies, the 
person completing the survey was the person who had day-to-day 
responsibility for implementing the Privacy Act and was also the 
agency's Privacy Act officer. These persons were, on average, three 
levels removed from the head of the agency and had been performing 
these duties at this agency an average of 8 years. The questionnaire 
also contained questions about compliance with specific Privacy Act 
provisions and related OMB guidance. To help ensure that agencies 
understood the questions, we pretested the survey with agency 
officials. We achieved a 100 percent response rate.

Survey on systems of records. We also surveyed agencies to gather 
information about their systems of records' compliance with Privacy Act 
requirements and OMB guidance. The population for this survey consisted 
of all systems of records that existed in the 25 agencies as of 
December 1999. From this population of 3,637 systems of records, we 
selected a probability sample of 204. This was a stratified sample 
consisting of two strata. The following table summarizes the population 
size, sample size, and respondents by sample.

Table 3: Respondents to Second Survey:

Stratum      Population   Sample size   Respondents   Response rate
Certainty            19            19            18             95%
All others        3,618           185           179             97%
Total             3,637           204           197             97%

Source: GAO.

[End of table]

The certainty sample consisted of 19 systems of records that were 
considered to be large or otherwise important systems for this survey. 
Approximately one-third of the selected systems of records no longer 
existed at the time of the survey. Therefore, estimates from our survey 
project to an estimated population of 2,443 (±244) systems of records 
from 1999 that still existed at the time of the survey.

Because we followed a probability procedure based on random selections, 
our sample is only one of a large number of samples that we might have 
drawn. Since each sample could have provided different estimates, we 
express our confidence in the precision of our particular sample's 
results as a 95 percent confidence interval. This is the interval that 
would contain the actual population value for 95 percent of the samples 
that we could have drawn. As a result, we are 95 percent confident that 
each of the confidence intervals in this report will include the true 
values in the study population. All percentage estimates in this report 
have 95 percent confidence intervals of ±10 percentage points or less, 
unless otherwise noted.

To help ensure that agencies understood the questions, we pretested the 
survey with agency officials. We achieved a 96 percent response rate.

Survey on information technology projects and information outside 
Privacy Act systems of records. We also surveyed agencies concerning a 
sample of 150 information technology projects randomly selected from 17 
agencies' budget Exhibit 53s for fiscal year 2002 (Exhibit 53 is 
required by OMB Circular A-11).[Footnote 29] We first asked agencies if 
these projects contained any information systems in use; if they did, 
we then asked questions about those information systems. We selected 
our sample of 150 information systems from a population of 730 that 
were in use in fiscal year 2002. To help ensure that agencies 
understood the questions, we pretested the survey with agency 
officials. We achieved a 76 percent response rate.

Analysis of survey results. All of our samples are probability samples 
and produce estimates that could vary for any particular random sample 
chosen. Unless otherwise noted, we are 95 percent confident that the 
true value is within ±10 percentage points of estimated percentages.

To minimize the chances of introducing into our results errors not 
related to sampling, we reviewed the agencies' responses to our 
surveys, asked respondents to clarify answers, validated a sample of 
responses, and verified a sample of the survey data keypunched into our 
database to ensure that it was accurate.

Based on agency responses to each of the compliance questions, we 
developed a compliance score for particular provisions of the Privacy 
Act and related OMB guidance. For example, if agencies returned 180 
surveys that contained answers to a compliance question, the maximum 
number that could comply with the requirement would be 180. Then, if 
agencies reported compliance on a particular question in 140 of the 180 
surveys, we would assign a score of 78 percent (140 divided by 180) to 
that question.

To help ensure the accuracy of answers related to compliance with the 
Privacy Act or OMB guidance, we randomly selected 20 percent of 
agencies' responses to the survey of agencywide practices and 10 
percent of responses to the survey on systems of records and asked 
officials to provide documentation or additional narrative explanations 
to support their answers for key compliance questions. In addition, 
when agencies stated in their responses that they had issued certain 
public documents required under the act (e.g., a regulation), we 
located and reviewed the documents to be certain that they had been 
issued. The results of this validation work gave us greater assurance 
about the accuracy of agencies' survey responses. We also e-mailed 
relevant portions of the draft report to officials in the Departments 
of Defense, Justice, Health and Human Services, Labor, Transportation, 
and Treasury and to officials at OGE, SEC, SBA, SSA, and OPM, the 
agencies that are mentioned specifically in the report, for their 
review and comment. Each of these agencies e-mailed suggestions to 
clarify particular sections of the report, which we incorporated in 
this report as appropriate.

Privacy Act Forum:

To better understand the implications of our survey results, we invited 
the 25 agencies to send a representative (mostly Privacy Act officers) 
to a meeting in February 2003, and 24 participated. At this meeting, we 
presented the survey results and then asked the participants to 
identify the barriers to improved compliance with the act, actions 
needed to improve compliance, and other issues. After participants 
discussed their answers to these questions, we asked them to use 
electronic devices to anonymously record their "votes" on various 
privacy issues. To identify the relative importance of the barriers to 
agency compliance generated by participants, we assigned different 
point values to the participants' first, second, and third choices. For 
example, we told participants their first choice for the most important 
barrier to improving compliance would receive three points, their 
choice for the second most important barrier would receive two points, 
etc. We also asked participants to discuss the adequacy of the act in 
today's electronic environment and what changes, if any, were needed to 
the act. We incorporated the results of these discussions and votes 
into the appropriate sections of this report. (See app. II for a 
summary of the results.)

Presidential Privacy Initiative:

We reviewed the responses to the President's memorandum of May 14, 
1998; OMB's memorandum of January 7, 1999; and subsequent agency 
reports to OMB regarding their reviews of their Privacy Act systems of 
records and other privacy practices. We entered the 72 executive 
departments and agencies' responses into a database and summarized 
them.

[End of section]

Appendix II: Summary of GAO's February 2003 Privacy Forum on the Survey 
Results:

To better understand the results of our surveys, we invited the 25 
agencies we surveyed to send a representative to a privacy forum at GAO 
headquarters in February 2003. At this forum, we presented the key 
results from our surveys and then asked the following questions:

* What are the major barriers to improving agency compliance with the 
Privacy Act?

* What actions can be taken to address these barriers?

* In view of today's electronic environment, to what extent does the 
Privacy Act provide adequate privacy protections to individuals?

* What changes, if any, should be made to the Privacy Act to make it 
more consistent with the current environment and management practices?

Twenty-four of the 25 agencies sent a representative. (The Department 
of Health and Human Services was not represented.) The key results from 
the discussion of each question are presented below.

Major Barriers to Improving Agency Compliance with the Privacy Act and 
Actions That Could Address These Barriers:

The 24 agency representatives who attended our February 2003 forum on 
the survey results identified the following as the three most 
significant barriers to improving agency compliance:

* lack of sufficient Office of Management and Budget (OMB) leadership, 
oversight, and guidance on the Privacy Act (first choice, with 50 
points);

* low agency priority on implementing the act, which adversely affected 
the level of resources devoted to it (second choice, with 36 points); 
and

* insufficient training to satisfy the wide range of employee 
involvement with the act (e.g., executives have different training 
needs than do persons designing information systems) (third choice, 
with 23 points).

Each of these barriers and the actions that could address them are 
discussed below.

Lack of Sufficient OMB Leadership, Guidance, and Assistance:

Agency participants were in general agreement that OMB officials had 
not provided sufficient leadership, guidance, and assistance to 
agencies on the Privacy Act. Participants said that these shortcomings 
tended to adversely affect the resources and priorities those agencies 
assigned to the act.

Many representatives cited the lack of sufficient OMB guidance as a 
significant barrier to compliance, particularly guidance on electronic 
records. Among the views that participants expressed were the 
following:

* Agencies do not know how to fit the "paper statute" into the 
electronic realm in which most agencies operate today.

* OMB guidance is crucial to small agencies' successful implementation 
of the act, because they lack the legal resources of larger agencies.

* Lack of sufficient OMB guidance is particularly troublesome in areas 
where various courts have decided differently on privacy issues, and 
agencies need to know which legal ruling is correct.

Agency participants stated that the most important action to address 
this barrier was OMB demonstrating more proactive leadership by 
publishing additional guidance in several areas and providing increased 
assistance to agencies. Several participants noted the abundance of 
guidance available from the Department of Justice's Office of 
Information and Privacy on the Freedom of Information Act and wanted 
similar information available on the Privacy Act. It was also suggested 
that OMB should convene periodic meetings of Privacy Act officers to 
discuss important areas where the guidance is not clear. Participants 
saw such meetings as opportunities for agencies to let OMB know where 
guidance and assistance were needed, to work together by pooling their 
knowledge, and to work with OMB to leverage resources (such as training 
information). Another suggestion was that Congress provide OMB or the 
agencies with additional resources in the privacy area.

Low Agency Priority and Resources Devoted to the Privacy Act:

Agency participants stated that agencies' top management had placed a 
low priority on implementing the act, and that, in turn, had adversely 
affected the level of resources devoted to its implementation in 
agencies. Participants expressed the following views:

* As a support function, Privacy Act implementation is often the first 
area to be cut when resources are tight. Privacy Act offices are 
"buried" in the agency and cannot compete with program offices, which 
carry out the agencies' primary missions and thus have higher priority.

* Privacy Act officers may be placed in an adversarial position when 
they tell their agencies not to take certain actions that could violate 
the act; they may need OMB to provide support for their position.

* Implementing the Privacy Act often has a lower priority than that 
placed on implementing the Freedom of Information Act.

* The resources that OMB devotes to assisting agencies to carry out the 
act suggest that OMB places less priority on the act than on its other 
missions; this perceived priority can affect the resources that 
agencies devote to it.

* In carrying out its responsibilities under the act, OMB is reactive, 
rather than proactive.

Participants stated that the most important action to address this 
barrier was for agencies (including OMB) to provide a higher priority 
to the act, along with the additional monetary and human resources 
associated with that higher priority. Several participants observed 
that additional resources would be made available if their agency's top 
managers or OMB officials placed a higher priority on implementing the 
act.

Insufficient Training on the Act to Meet the Wide Variety of Employee 
Involvement:

Agency participants stated that more training was needed for agency 
staff that handle personal information subject to the act. This 
statement is consistent with the results of our survey, in which 5 of 
the 25 agencies reported that they had less than adequate procedures to 
ensure that personnel with access to systems of records are adequately 
trained.

In particular, forum participants noted the difficulty of communicating 
privacy requirements to technical staff who deal with information 
systems:

* Communication problems arise between Privacy Act officers and system 
managers regarding technology issues; privacy staff may need more 
technical knowledge, and technical staff may need more Privacy Act 
knowledge.

* Because the E-Gov Act[Footnote 30] will require privacy impact 
assessments before information systems are built, system managers and 
privacy officials may have to communicate more often. However, this 
legislation does not affect existing databases, which currently lead to 
many of the communication problems.

* OMB guidance does not sufficiently communicate how to adequately 
protect personal information in large automated databases.

Agency participants stated that the most important action to address 
this barrier was OMB overseeing the development of additional training 
for employees who have varying kinds and degrees of involvement with 
the act and making the training more readily available (perhaps on the 
Web or on CD). Several participants noted that there should be role-
based training that varies based on the employees' involvement with the 
act. For example, there could be a general orientation session on the 
act for all employees, and different training for executives, Privacy 
Act officers, and systems managers.

Adequacy of Privacy Act Protection in Today's Electronic Environment:

Eleven of the 23 agency representatives (48 percent) who attended our 
February 2003 forum (one did not answer the question) believed to a 
"moderate" extent that in today's electronic environment, the Privacy 
Act provides adequate privacy protections to individuals. Among the 
remaining 12, no agency representative chose "very great extent"; 7 
chose "great extent"; 4 chose "some extent"; and 1 chose "little or no 
extent."

Among the privacy issues that participants said were raised by today's 
electronic environment are the following:

* Electronic records are easier to collect than are paper records, 
perhaps resulting in some information being collected that may not be 
needed. (The Privacy Act states that agencies shall collect only 
information that is relevant and necessary.)

* Electronic records are easier to access and thus might not be 
protected as well as paper records. Participants raised the question of 
whether electronic records should have a different level of protection 
under the act than paper records. (The Privacy Act states that agencies 
are to establish appropriate administrative, technical, and physical 
safeguards for personal information.)

* The aim of some E-government initiatives to increase the collection 
and sharing of personal information among agencies could be in conflict 
with the Privacy Act's goal to constrain the government's ability to 
use personal information.

* The ease with which electronic databases can be created and merged 
may result in "unofficial" systems of records; agencies may not know 
how their data are being used.

* The definition of "record" may need updating, along with other terms 
in the act, to reflect today's electronic environment.

* Homeland security needs may be generating more personal information 
that is maintained outside the act, raising privacy concerns.

* Insufficient attention may have been paid to agencies' collection and 
maintenance of personal information via the Internet and the 
conformance of these activities with the act's requirements.

* Guidance is not available on how to give access to electronic records 
that contain the names of multiple people, each of whom has rights to 
retrieve the same record.

Need for Changes in the Privacy Act for Consistency with the Current 
Environment and Management Practices:

There was no general agreement among participants on desired changes to 
the act; rather, many participants said their concerns could be 
addressed through revisions to OMB guidance and were opposed to making 
any changes to the act. However, other participants suggested that 
Congress revisit several areas of the act, including the following:

* Computer matches. Specifically, Congress should extend the time 
frames for the initial computer match agreements and renewals from 18 
months and 12 months to 3 years and 2 years, respectively. They 
believed this is needed because it would reduce the excessive burden on 
agencies of having to renegotiate these complex documents so 
frequently.

* Disclosures pursuant to orders of courts of competent jurisdiction 
under subsection (b)(11). There are federal, state, local, and tribal 
court systems in this country. Congress needs to clarify whether 
requests from nonfederal courts are covered under this subsection.

[End of section]

Appendix III: OMB Guidance on Privacy:

OMB's primary guidance to agencies on implementing the Privacy Act is 
"Privacy Act Implementation, Guidelines and Responsibilities," 40 FR 
28948 (July 9, 1975), and Appendix I to OMB Circular No. A-130, 
"Management of Federal Information Resources," Transmittal Memorandum 
No. 4 (effective Nov. 28, 2000), 65 FR 77677 (Dec. 12, 2000).

In addition, as of April 2003, OMB's Web site had links to the 
following memoranda and other documents categorized as "Privacy 
Guidance," which covered a variety of topics:

* M-01-05, Guidance on Inter-Agency Sharing of Personal Data--
Protecting Personal Privacy (December 20, 2000).

* Letter from John Spotila to Roger Baker, clarification of OMB Cookies 
Policy (September 5, 2000).

* Letter from Roger Baker to John Spotila on federal agency use of Web 
cookies (July 28, 2000).

* Status of Biennial Reporting Requirements under the Privacy Act and 
the Computer Matching and Privacy Protection Act (June 21, 2000).

* M-00-13, Privacy Policies and Data Collection on Federal Web Sites 
(June 22, 2000).

* M-99-18, Privacy Policies on Federal Web Sites (June 2, 1999).

* M-99-05, Instructions on Complying with President's Memorandum of May 
14, 1998, "Privacy and Personal Information in Federal Records" 
(January 7, 1999).

* Biennial Privacy Act and Computer Matching Reports (June 1998).

* Privacy Act Responsibilities for Implementing the Personal 
Responsibility and Work Opportunity Reconciliation Act of 1996 
(November 3, 1997).

Finally, OMB's Web site had other links to "Privacy Reference 
Materials":

* Computer Matching and Privacy Protection Amendments of 1990 and the 
Privacy Act of 1974, 56 FR 18599 (April 23, 1991).

* Final Guidance Interpreting the Provisions of Public Law 100-503, the 
Computer Matching and Privacy Protection Act of 1988, 54 FR 25818 
(June 16, 1989).

* Guidance on Privacy Act Implementations of Call Detail Programs, 
54 FR 12290 (April 20, 1987).

* Privacy Act Guidance--Update (May 24, 1985).

* M-83-11, Guidelines on the Relationship Between the Privacy Act of 
1974 and the Debt Collection Act of 1982, 48 FR 15556, April 11, 1983 
(March 30, 1983).

* Implementation of the Privacy Act of 1974, Supplemental Guidance, 
40 FR 5674 (December 4, 1975).

* Congressional Inquiries which Entail Access to Personal Information 
Subject to the Privacy Act (October 3, 1975).

[End of section]

Appendix IV: Compliance with Privacy Act and Associated Guidance:

Table 4 shows the questions asked on our survey of agencywide 
practices, along with the agency responses that indicated compliance. 
For some questions, the maximum number of agencies that needed to 
answer the question is less than 25 (e.g., certain provisions of the 
act may not apply to all agencies).

Table 4: Responses to Agencywide Practices Survey:

Compliance questions: Does your agency account for disclosures of 
personal information outside of your agency? (Q.3); Compliance: 25 of 
25.

Compliance questions: Has your agency issued a Federal Register notice 
explaining the reasons for exemption? (Q12); Compliance: 24 of 24.

Compliance questions: Under the Privacy Act, does your agency have a 
Data Integrity Board? (Q35)a; Compliance: 13 of 13.

Compliance questions: Has your agency established rules in the Code of 
Federal Regulations for determining if the individual is the subject of 
a record? (Q.1.1); Compliance: 24 of 25.

Compliance questions: Has your agency established rules in the Code of 
Federal Regulations for handling requests for access to records? 
(Q.1.2); Compliance: 24 of 25.

Compliance questions: Has your agency established rules in the Code of 
Federal Regulations for amending records? (Q1.3); Compliance: 24 of 25.

Compliance questions: Has your agency established rules in the Code of 
Federal Regulations for fees for copying records? (Q.1.4); Compliance: 
24 of 25.

Compliance questions: Since October 1, 1998, has any court ruled that 
your agency violated any provision of the Privacy Act or found an 
employee criminally liable under the act? (Q.16); Compliance: 22 of 25.

Compliance questions: During fiscal years 1998-2001, did your agency 
review the routine use disclosures associated with each system of 
records to ensure that uses were compatible with the original purpose? 
(Q.10); Compliance: 21 of 25.

Compliance questions: Does your agency have procedures to ensure 
personnel with access to systems of records or who are engaged in 
developing procedures are adequately trained? (Q.5); Compliance: 20 of 
25.

Compliance questions: Before [new] systems become operational, does 
your agency have written policies or procedures for determining whether 
that personal information is needed?; Compliance: 17 of 25.

Compliance questions: During fiscal years 1998-2001, did your agency 
review each system of records containing exemptions to determine 
whether such exemptions were still needed? (Q.13); Compliance: 19 of 
24.

Compliance questions: During calendar year 2001, did your agency review 
each ongoing matching program to help ensure the requirements of the 
Privacy Act and OMB guidance have been met? (Q.33); Compliance: 9 of 
13.

Compliance questions: Has your agency established rules of conduct for 
persons who are involved in operations and maintenance of records? 
(Q.2.2); Compliance: 16 of 24.

Compliance questions: Has your agency established rules of conduct for 
persons involved in design and development of systems of records? 
(Q.2.1); Compliance: 15 of 24.

Compliance questions: During fiscal year 2001, did your agency review 
each system of records' Federal Register notice to ensure that it 
accurately described the system of records? (Q.8); Compliance: 15 of 
25.

Source: GAO analysis of survey data.

[a] There are other compliance questions that ask about agencies' Data 
Integrity Boards, but the questions are open ended, and the answers 
cannot be given a compliance rating.

[End of table]

Table 5 shows the questions asked on our survey of agencies' systems of 
records along with the calculated compliance scores.[Footnote 31] For 
questions that ask "how" an agency does something, we calculated 
compliance scores based on their responses to the multiple choice 
answers embedded in the question. We have included the multiple choice 
responses in parentheses following those questions.

Table 5: Responses to System of Records Survey:

Compliance questions: Since October 1, 2000, did any persons, without 
authorization, read, alter, disclose, or destroy any personal 
information in the information system? (Q.17); Compliance: 100 percent.

Compliance questions: Has your agency promulgated a final rule under 
the Administrative Procedure Act that explains why your agency 
considers the exemption necessary? (Q.55); Compliance: 100 percent.

Compliance questions: Has any court ruled that your agency violated any 
provision of the Privacy Act or found an employee criminally liable 
regarding this system of records? (Q.48)[a]; Compliance: 100 percent.

Compliance questions: How does your agency ensure the personal 
information that is used in making a determination about an individual 
is complete, accurate, relevant and timely?; (do not ensure 
completeness, accuracy, relevance and timeliness of the information; 
verify with other records within the agency; verify with other federal 
agencies' records; verify with subject individuals; verify with state 
and local agencies; verify with private-sector records (e.g., banks, 
former employer); system of records is exempt from this requirement; no 
actions are taken; other (please specify); information is not used in 
making a determination) (Q.36); Compliance: 95 percent.

Compliance questions: Is there a plan for the security and privacy of 
the automated information system? (Q.12); Compliance: 94 percent.

Compliance questions: Are there disposition schedules for the records 
in this system of records? (Q.49); Compliance: 91 percent.

Compliance questions: Has your agency issued a Federal Register notice 
containing the following information for this system of records?; (name 
and location of the system of records; categories of individuals 
covered; routine uses that apply; policies and procedures to store, 
retrieve, retain, and dispose of records; how individuals can find out 
if the system contains a record pertaining to them, ask for access to 
any records pertaining to them, or contest the accuracy of any records 
pertaining to them) (Q.2); Compliance: 89 percent.

Compliance questions: Would your agency be able to account for all 
disclosures of individuals' records to organizations or individuals 
outside your agency? (Q.42); Compliance: 86 percent.

Compliance questions: During fiscal years 2000 or 2001, did your agency 
review the performance of [a contractor operating a system of records 
on behalf of the agency] to help ensure that it was complying with the 
Privacy Act? (Q.31)[b]; Compliance: 85 percent.

Compliance questions: During fiscal years 1998-2001, did your agency 
review the exemptions to determine whether these exemptions were still 
needed? (Q.54)[b]; Compliance: 85 percent.

Compliance questions: During fiscal years 1999-2001, did your agency 
assess the threats, vulnerabilities, and effectiveness of current or 
proposed safeguards? (Q.13); Compliance: 82 percent.

Compliance questions: For individuals who are asked to supply personal 
information, does your agency inform them, in writing, of the authority 
for requesting the information, how the information may be used, 
whether providing the information is mandatory or voluntary, and the 
consequences of not providing the information? (Q.35); Compliance: 82 
percent.

Compliance questions: During fiscal years 1998-2001, did your agency 
review the routine use disclosures to ensure they continue to be 
compatible with the purpose they were collected for? (Q.37); 
Compliance: 82 percent.

Compliance questions: During fiscal year 2000 or 2001, did your agency 
review the Federal Register notice to ensure that it was accurate? 
(Q.4); Compliance: 79 percent.

Compliance questions: Before disclosing records to a nonfederal 
organization, how does your agency ensure that the information in this 
system is complete, accurate, relevant, and timely?; (do not ensure 
completeness, accuracy, relevance and timeliness of the information; 
verify with other records within the agency; verify with other federal 
agencies' records; verify with subject individuals; verify with state 
and local agencies; comparison with private-sector records (e.g., 
banks, former employer); system of records is exempt from this 
requirement; no actions are taken; other (please specify)) (Q.40)[b]; 
Compliance: 71 percent.

Source: GAO analysis of survey data.

[a] Agencies reported two systems of records where there were court 
rulings that the agency violated the Privacy Act. However, the table 
indicates 100 percent compliance because these two systems of records 
were not in our random sample and thus not weighted sufficiently to 
lower compliance below 100 percent.

[b] Confidence interval of ±15 percent.

[End of table]

[End of section]

Appendix V: Agency Views on OMB Guidance and Assistance:

On our survey, agencies responded to a series of questions regarding 
OMB's guidance and assistance to agencies, with most ratings falling in 
the middle range.

OMB's Overall Assistance to Agencies Was Frequently Judged "Moderately 
Effective":

Of 24 agencies responding,[Footnote 32] 11 reported that, overall, 
OMB's assistance on the act was "moderately effective"--that is, a "3" 
on a 5-point scale. Figure 5 shows the breakdown of responses.

Figure 5: Agency Characterization of Overall Effectiveness of OMB 
Assistance:

[See PDF for image]

[End of figure]

OMB's Written Guidance Was Frequently Judged "Mostly Complete":

Sixteen agencies stated OMB's written guidance was "mostly complete"--
a "2" on a 5-point scale. Of the remaining nine agencies, seven 
assessed OMB's guidance lower (3 or 4), and two rated it higher as 
shown in the figure below. For example, one agency reported it was 
"mostly incomplete" and stated "Guidance [is needed] on safeguarding 
the security of electronic records and the application of the Privacy 
Act to electronic records." None rated it as "incomplete." In contrast, 
another agency reported the guidance was "mostly complete" and stated 
it was "very useful, especially the 1975 PA guidelines and the 1989 
guidance on computer matching.":

Figure 6: Agency Characterization of Completeness of OMB's Written 
Guidance:

[See PDF for image]

[End of figure]

OMB's Responses to Agency Questions Were Frequently Judged "Moderately 
Timely":

Ten of the 15 agencies that rated OMB's timeliness in responding to 
agency questions about the act chose "moderately timely," a "2" on a 
4-point scale. Of the remaining 5 agencies, 4 assessed OMB's timeliness 
lower (3 or 4), and 1 rated it higher (1), as shown in figure 7. In 
comments regarding this issue, an agency official stated, "In general, 
greater emphasis needs to be placed on the Privacy Act by OMB. In 
particular, additional human resources should be devoted to fulfill 
OMB's responsibilities under subsection (v) of the Act, additional 
written guidance is needed, and oral guidance should be more readily 
accessible and obtainable.":

Figure 7: Agency Characterization of Timeliness of OMB's Response to 
Questions:

[See PDF for image]

[End of figure]

With regard to the usefulness of OMB's responses to agency questions 
about the Privacy Act, 8 of 15 answering the question reported that 
OMB's responses were "moderately useful"--a "2" on a 4-point scale, as 
shown in figure 8.

Figure 8: Agency Characterization of Usefulness of OMB's Response to 
Questions:

[See PDF for image]

[End of figure]

OMB's Assistance on Agencies' Federal Register Notices Was Frequently 
Judged "Moderately Timely":

Under the Privacy Act, agencies' Federal Register notices for systems 
of records are to contain the name and location of the system of 
records, the routine uses of the personal information in the system, 
the categories of persons covered, and procedures for persons to ask 
for access to any records pertaining to them.

We asked about the timeliness of OMB's assistance in writing Federal 
Register notices. Most agencies (18 of 25) did not ask for OMB 
assistance and thus did not answer the question. Among the 7 that did 
answer the question, 5 agencies reported that OMB's assistance was 
"moderately timely"--a "2" on the 4-point scale. (See fig. 9.):

Figure 9: Agency Characterization of Timeliness of OMB's Assistance 
with Federal Register Notices:

[See PDF for image]

[End of figure]

We also asked agencies to assess the usefulness of OMB's assistance in 
writing Federal Register notices using a 4-point extent scale, where 
"1" was "very useful" and "4" was "slightly or not useful." Among those 
seven agencies that answered the question, three reported that OMB's 
assistance was "moderately useful." (See fig. 10.):

Figure 10: Agency Characterization of Usefulness of OMB's Assistance 
with Federal Register Notices:

[See PDF for image]

[End of figure]

[End of section]

Appendix VI: Agency Resources and Structure Devoted to Implementation 
of the Privacy Act:

In response to our survey questions aimed at determining agency 
resources devoted to implementation of the Privacy Act, most agencies 
were unable to answer many of the questions. Of 25 agencies responding, 
7 were able to report the number of employees in their agency who would 
spend half or more of their time on implementation of the act. They 
ranged from 3 employees each at the Department of Defense and the 
Office of Personnel Management (OPM) to 28 employees at the Department 
of Health and Human Services. Among the remaining 18 agencies, 10 
reported that no employees would spend half or more of their time on 
implementation, and 8 agencies reported that they "do not know" how 
many employees in their agency would spend half or more of their time 
on implementation of the act.

Five agencies were able to report the number of full-time equivalent 
(FTE) staff years spent on Privacy Act implementation. The remaining 20 
agencies said it was "too difficult to estimate" how many FTE staff 
years they would spend on the act's implementation.

We also inquired about agencies' structures for implementing the act. 
More than half the agencies reported having a decentralized structure 
to implement their Privacy Act systems of records. (See fig. 11.) 
"Decentralized" was defined in the survey as "Most actions under the 
Privacy Act are implemented at the component, bureau, or field office 
level." "Centralized" was defined as "Most actions under the Privacy 
Act are implemented at headquarters (HQ).":

Figure 11: Centralization of Implementation of Privacy Act:

[See PDF for image]

[End of figure]

The person responsible for implementing the Privacy Act was located in 
the office of the Chief Information Officer (CIO) at seven agencies, 
the General Counsel at three agencies, and Public Affairs at two 
agencies; the remainder were in other offices. One agency suggested 
that for agencies to better implement the act, "Have all Privacy 
Officers report to CIOs in their bureaus." Under the Paperwork 
Reduction Act (44 U.S.C. 3506 (a) and (g)), the agency CIO is 
responsible for carrying out the agency's responsibilities for 
compliance with the Privacy Act.

[End of section]

Appendix VII: Comments from the Office of Management and Budget:

EXECUTIVE OFFICE OF THE PRESIDENT 
OFFICE OF MANAGEMENT AND BUDGET 
WASHINGTON, D.C. 20503:

June 20, 2003:

Mr. Joel Willemssen 
Managing Director 
Information Technology Team 
U.S. General Accounting Office 
441 G Street, NW 
Washington, DC 20548:

Dear Mr. Willemssen:

Thank you for this opportunity to comment on the draft GAO report on 
Executive Branch compliance with the Privacy Act ("Privacy Act: OMB 
Leadership Needed to Improve Agency Compliance").

The Office of Management and Budget (OMB) welcomes GAO's review of 
Executive Branch compliance with the Privacy Act. We believe that GAO 
has taken an important first step in this review through the survey/
questionnaire that GAO sent to a number of agencies as well as the 
follow-up forum that GAO held with agency representatives to discuss 
their survey answers. The information that GAO has received through the 
survey and forum will be useful in identifying areas in which further 
research and discussion, of a more factual and specific nature, can be 
undertaken. In fact, OMB plans on using the survey/forum information in 
this manner, as the basis for a series of meetings that OMB will 
convene with agencies to discuss the Privacy Act.

However, as we explain below, we believe that the information which GAO 
has collected to date is inadequate to support the draft report's broad 
conclusions and recommendations. Relying on the survey/forum 
information, the draft report claims that there is "uneven compliance" 
by agencies with the Privacy Act's requirements (p.12) and that "until 
... compliance with the Privacy Act across government is improved, the 
government cannot assure the public that individual privacy rights are 
being protected" (p.26). See also the "What GAO Found" cover page: 
"As a result of this uneven compliance, the government cannot assure 
that individual privacy rights are being protected." With all due 
respect, these statements border on the reckless and irresponsible.

While it may be true that Privacy Act compliance is not perfectly 
consistent within the Federal Government, a lack of perfect consistency 
from one agency to the next should hardly be surprising when one 
considers that the Federal Government is composed of dozens of 
agencies. In addition, the draft report does not indicate whether 
Federal agency compliance with the Privacy Act is any more "uneven" 
than is agency compliance with other government-wide statutes such as 
the Administrative Procedure Act. Thus, pointing out that there is 
"uneven" compliance does not really say much.

The far more important question is to what extent Federal agencies are, 
in fact, protecting the personal information that is contained in 
Privacy Act records. This is a very serious question, which deserves a 
very serious inquiry. The draft report purports to answer this question 
by strongly suggesting - in a backhanded way - that there are 
fundamental problems with Privacy Act compliance that imperil the 
privacy of personal information. How else is the reader to understand 
the draft report when it states (at p.26) that Federal agencies and OMB 
must implement the draft report's recommendations (so that "compliance 
with the Privacy Act across government is improved") or else the 
Federal Government will not be able "to assure the public that 
individual privacy rights are being protected"? This is a very strong 
claim to make, and such a claim should be based on hard evidence, or at 
least on a set of facts that can withstand scrutiny.

The fundamental flaws in the draft report's logic become readily 
apparent through a careful reading of the survey/forum results and by 
recognizing the inherent limitations in GAO's reliance on the survey/
forum for collecting information. With respect to the survey/forum 
results, the draft report understates the extent of the Federal 
Government's protection of privacy, and overstates the claim of "uneven 
compliance," by making the mistake of "mixing apples and oranges" - 
specifically, of treating the various provisions of the Privacy Act as 
if they are all equally important in terms of the ultimate goal of 
protecting privacy. In this regard, we think that one of the most 
important findings in the draft report is that Federal agencies 
reported 100% compliance with the Privacy Act's prohibition against 
unauthorized disclosures of information. See draft GAO report, Appendix 
IV, Table 5 (p. 43) (Q.17 --agencies reported 100% compliance when 
asked "Since October 1, 2000, did any persons, without authorization, 
read, alter, disclose, or destroy any personal information in the 
information system?") The prohibition on disclosures, which is found in 
subsection (b) of the Act, is one of the Act's cornerstones.

Because the Privacy Act's disclosure prohibition is a central component 
of the Act's overall framework for protecting privacy, we think that 
this 100%-compliance response should be given significant weight in 
evaluating the Federal Government's protection of privacy. However, 
this 100%-compliance figure is found nowhere in the main body of the 
draft report. Instead, it is mentioned only once in the whole report, 
in Appendix IV, Table 5. It is unclear why this figure has been buried 
in the appendices. (Similarly, it is unclear why, when three survey 
questions elicited a 100% compliance response, GAO chose to discuss in 
the main body of the report - as an example of a 100% response - the 
question that had the least immediate connection to protecting personal 
privacy.) [NOTE 1] Does the draft report's treatment of the 100% 
compliance figure for the disclosure prohibition reflect a GAO belief 
that the Privacy Act's disclosure prohibition is unimportant, or does 
it instead reflect how information is treated in a draft report when 
it "does not fit" with the report's conclusions and recommendations? 
In any event, the draft report gives no more significance to the 100% 
compliance with the Act's disclosure-prohibition than it gives to the 
79% compliance with the question - "During fiscal year 2000 or 2001, 
did your agency review the Federal Register notice to ensure that it 
was accurate?" See draft GAO report, Appendix IV, Table 5 (p. 43) 
(Q.4). It should be noted that this question does not ask whether 
agencies believe that their Federal Register notices are accurate, but 
only whether the agencies reviewed the notices for accuracy in fiscal 
years 2000 or 2001. We think that, in any fair evaluation of the 
Federal Government's protection of privacy, the level of agency 
compliance with the Act's disclosure prohibition must be considered as 
far more important than whether agencies reviewed their Federal 
Register notices in a specific two-year period.

There are several other reasons for having serious doubts about the 
significance of the survey/forum results, and how much weight should be 
placed on them. First, there is at least one internal inconsistency 
within the responses, and it pertains to a survey result that is 
discussed in the main body of the report. In the "What GAO Found" cover 
page at the beginning, the draft report refers to 86% of agencies being 
in compliance, and 14% not in compliance, with "being able to account 
for all disclosures of individual's records outside the agency." These 
results, which are also reported in Table 5 of Appendix IV (Q.42), do 
not seem to be consistent with the positive response of "25 of 25" 
agencies to the separate question "Does your agency account for 
disclosures of personal information outside of your agency?" Appendix 
IV, Table 4 (Q.3). It is not clear from the draft report how these 
results can be reconciled.

Another problem with the survey responses involves those GAO questions 
that asked "how" an agency does something. The lowest percentage 
response in Table 5 is to a "how" question, namely, the 71% response 
to the question - "Before disclosing records to a nonfederal 
organization, how does your agency ensure that the information in this 
system is complete, accurate, relevant, and timely?" (Q.40). Since 
"how" questions do not elicit a yes-or-no answer, the draft report 
explains that "For questions that ask `how' an agency does something, 
we calculated the compliance score based on their responses to the 
multiple choice answers embedded in the question." See Appendix IV, 
p.43. The draft report does not provide a further explanation of how 
GAO "calculated the compliance score," and the draft report does not 
enclose the multiple choice answers. In other words, the draft report 
leaves the reader with no choice but to accept the 71% figure. There is 
additional reason to doubt this 71% figure, which is that Table 5 has 
a 95% "compliance score" for the agencies' responses to the related 
question --"How does your agency ensure the personal information that 
is used in making a determination about an individual is complete, 
accurate, relevant and timely?" (Appendix IV, Table 5, Q.36). Both 
questions address the issue of whether agencies maintain information in 
a "complete, accurate, relevant, and timely" manner, but they result in 
GAO-calculated compliance scores of 71% and 95%.

Another reason to have concerns about the "compliance" ratings in 
Tables 4 and 5 is that many of the questions that had the lowest 
ratings were framed in a very narrow manner, which asked whether each 
agency had undertaken a particular activity in a specific fiscal or 
calendar year. For example, in Table 4, "15 of 25" agencies answered 
"yes" to the question (Q.8) --"During fiscal year 2001, did your agency 
review each system of records' Federal Register notice to ensure that 
it accurately described the system of records?" Another example is that 
"20 of 25" agencies answered "yes" to the question (Q.4) - "During 
fiscal year 2001, did your agency review training practices to ensure 
personnel are familiar with the Privacy Act and other special 
requirements of their specific job." Another example is that "9 of 13" 
agencies answered "yes" to the question (Q.33) - "During calendar year 
2001, did your agency review each ongoing matching program to help 
ensure the requirements of the Privacy Act and OMB guidance have been 
met.":

It is not clear what conclusions, if any, should be drawn from the fact 
that 5 of 25 agencies said that they did not review their training 
practices in FY01. After all, it is entirely possible that those 5 
agencies reviewed their training practices in the year before (FY00) 
and/or the year after (FY02). In any event, whether or not the 5 
agencies reviewed their training practices - in any of those years - is 
a different question from whether their training practices are in fact 
appropriate and effective. What does it mean if an agency did not 
review its training practices in FY01, but those practices - if they 
had been reviewed - would have been found to be appropriate and 
effective? The same is true for the other two "review" questions noted 
above. In the absence of additional information, these questions and 
answers do not say much, if anything. And, these answers certainly do 
not support the draft report's broad claim that, "[a]s a result of this 
uneven compliance, the government cannot assure that individual privacy 
rights are being protected." These "review" questions and answers, 
which do not appear to be meaningful in isolation, do not somehow gain 
meaning when they are juxtaposed with other questions and answers that 
do have meaning, such as the 100% figure for agency compliance with the 
Privacy Act's disclosure prohibition. To repeat the point made earlier 
above, the draft report inappropriately "mixes apples and oranges" by 
treating every question and answer as equally significant and 
meaningful.

The final fundamental flaw with the factual underpinnings of the draft 
report is the extremely limited nature and scope of the facts that GAO 
has actually reviewed. By relying so heavily on the results from its 
survey and forum, the draft report has fallen into "the numbers trap" 
of confusing the data that you happen to have at your fingertips with 
the data that is actually relevant and meaningful for evaluating an 
issue. The survey and forum results comprise virtually all the 
information that the draft report relies upon for its broad conclusions 
and recommendations. Two other pieces of information in the report, 
which are given only cursory references, are the prior reports that GAO 
has issued on OMB's website privacy policy and on computer security 
(p.8 and fn.13-15); neither of these issues directly involve the 
Privacy Act. There is also a reference in the draft report to a 1983 
House Committee oversight report on the Privacy Act (p.9 and fn. 10); 
naturally, this 1983 report does not have information about the Federal 
Government's efforts for the past 20 years. Thus, in the final 
analysis, there is no factual material in the draft report except for 
the survey and forum results.

It is important, therefore, to recognize all the kinds of factual 
information about the Privacy Act that are not found in the draft 
report. As an initial matter, it is significant that the draft report 
does not point to even a single report issued by 
GAO or by an Inspector General (OIG) that evaluates and finds 
deficiencies with any agency's compliance with the Privacy Act. This is 
quite remarkable. GAO and the OIGs issue reports on a daily basis in 
which they investigate and scrutinize Federal agencies' compliance with 
a wide range of their statutory responsibilities. The absence of any 
GAO and OIG reports on Federal agency compliance with the Privacy Act 
means either that (1) such reports have been issued, but GAO did not 
look for them, (2) such reports have not been prepared, and that is 
because GAO and OIGs do not consider agency compliance with the Privacy 
Act to be important, or (3) such reports have not been prepared, and 
that is because agency compliance with the Privacy Act has generally 
been viewed as being relatively high, and thus has not warranted GAO or 
OIG review. In any event, it is significant that the draft report does 
not point to any GAO or OIG (or congressional) reports that identify 
deficiencies with the Privacy Act compliance at any particular agency 
or program. For how many other statutes that impose government-wide 
requirements can that be said? The absence of any such GAO, OIG, or 
congressional reports undercuts the draft report's claim that, if its 
recommendations are not adopted, "the government cannot assure that 
individual privacy rights are being protected.":

Similarly, the draft report does not discuss even one of the hundreds 
of Privacy Act decisions that Federal courts have issued during the 
past three decades. As these cases make clear, individuals have the 
right to seek judicial review of the agencies' compliance with the 
Privacy Act. It would not have been difficult to review the court 
cases, as a way of evaluating the extent to which Federal agencies are 
complying with their statutory responsibilities. The wide variety of 
legal research materials that are available (both in paper and via 
computer) make it easy to review the Privacy Act case law.

The Justice Department had already carried out extensive research, 
which is contained in the 180-page Privacy Act Overview that the 
Department publishes and makes publicly available on-line, at http://
www.usdoj.gov/04foia/04 7 I.html. An obvious starting point for GAO 
would have been the Privacy Act Overview. Thus, it is remarkable that 
the draft report does not mention a single court case involving the 
Privacy Act. As with the absence of any GAO/OIG/congressional reports 
on specific agency or program compliance, the absence of any discussion 
of the court cases undercuts the draft report's claim that, if its 
recommendations are not adopted, "the government cannot assure that 
individual privacy rights are being protected.":

In addition, the draft report makes no attempt to conduct an actual 
review of any agency's or program's compliance with the Privacy Act. 
One searches in vain through the draft report for the mention of any 
specific agency, or any specific program, or any specific system of 
records that is out of compliance with any of the Privacy Act's 
requirements. Such facts, which one would think are crucial for an 
evaluation of the Federal Government's success in implementing the 
Privacy Act, are nowhere to be found in the draft report. Again, the 
absence of any such facts undermines the draft report's claim that, if 
its recommendations are not adopted, "the government cannot assure that 
individual privacy rights are being protected.":

Finally, the draft report does not even seek to reconcile the survey/
forum results with one of the few real-world facts that are mentioned 
in the report. As the draft report notes, the OMB Director on January 
7, 1999, issued a memorandum that directed the heads of all Federal 
departments and agencies to conduct a review of their systems of 
records and information holdings in order to ensure that they were in 
compliance with the Privacy Act. (OMB Memorandum M-99-05, which is 
available on OMB's website, at http://www.whitehouse.gov/omb/
memoranda/m99-05.html.) This review directed each Federal agency to 
take the following actions, and the memorandum required senior agency 
officials to certify to OMB that the agency had done so:

* "An important way for an agency to protect individual privacy is to 
limit the amount of information that the agency maintains about 
individuals. Therefore, each agency shall review its systems of records 
to ensure that they contain only that information about individuals 
that is `relevant and necessary' to accomplish an agency purpose." 
(Attachment B, p.2):

* "For that information which agencies do maintain, agencies must 
ensure the information's security and confidentiality. Therefore, each 
agency shall review its systems of records to ensure that safeguards in 
place are appropriate to the types of records and the level of security 
required." (p.3):

* "Non-statutory disclosures created by administrative mechanisms 
should only be made when appropriate. Therefore, each agency shall 
review its `routine uses' to identify any routine uses that are no 
longer justified, or which are no longer compatible with the purpose 
for which the information was collected.":

* "In order to ensure fairness to individuals they must be able to 
determine who has seen their records and when they were seen. 
Therefore, each agency should review its procedures for accounting for 
disclosures to ensure they are working properly." (p.4):

* "Groups of records which have different purposes, routine uses, or 
security requirements, or which are regularly accessed by different 
members of the agency staff, should be maintained and managed as 
separate systems of records to avoid lapses in security. Therefore, 
agencies shall ensure that their systems of records do not 
inappropriately combine groups of records which should be segregated. 
This ensures, for example, that routine uses which are appropriate for 
certain groups of records do not also apply to other groups of records 
simply because they have been placed together in a common system of 
records." (p.5):

* "In order to exercise their rights, individuals must have access to 
an up-to-date statement of what types of information are maintained and 
for what reasons. Therefore, each agency shall conduct a review of its 
systems of records notices to ensure that they are up-to-date, to 
conform with any necessary changes identified during the review 
[above]." (p.5):

* "In passing the Privacy Act, the Congress made a strong policy 
statement that in order to ensure fairness, there shall be no record 
keeping systems the very existence of which is secret. Therefore, each 
agency shall review its operations to identify any de facto systems of 
records for which no system of records notice has been published. If 
the agency identifies any such unpublished systems of records, then the 
agency should publish a system of records notice for the system 
promptly. Agencies shall implement appropriate measures (e.g., 
training) to ensure that system of records are not inadvertently 
established, but instead are established in accordance with the notice 
and other requirements of the Privacy Act." (p.6):

The draft report acknowledges that OMB directed the agencies to 
undertake this comprehensive Privacy Act compliance exercise, and the 
draft report notes in passing that 72 agencies submitted responses to 
OMB in which - in the words of the draft report (p.9) - the agencies 
"(1) added 131 systems of records that previously had not been properly 
identified, (2) revised 457 systems of records that were not up to 
date, and (3) deleted 288 systems of records that were no longer 
necessary.":

However, the draft report makes absolutely no attempt to reconcile the 
responses to its survey/forum with the actions that agencies undertook 
in compliance with this comprehensive OMB-directed review of the 
agencies' compliance with the Privacy Act. For example, as noted above, 
OMB directed each agency in Fiscal Year 1999 to "review its systems of 
records to ensure that safeguards in place are appropriate to the types 
of records and the level of security required," and agencies certified 
to OMB that they conducted this review. However, according to Table 5 
of the draft report, only 82% of the agencies answered "yes" to the 
survey question (Q.13) - "During fiscal years 1999-2001, did your 
agency assess the threats, vulnerabilities, and effectiveness of 
current or proposed safeguards?" GAO makes no effort to reconcile these 
facts.

Similarly, as noted above, OMB directed each agency in FY99 to "review 
its `routine uses' to identify any routine uses that are no longer 
justified, or which are no longer compatible with the purpose for which 
the information was collected," and agencies certified to OMB that they 
conducted this review. However, according to Table 5, only 82% of the 
agencies answered "yes" to the survey question (Q.37) - "During fiscal 
years 1998-2001, did your agency review the routine use disclosures to 
ensure they continued to be compatible with the purposes they were 
collected for?" GAO makes no effort to reconcile these facts.

In a similar vein, as noted above, OMB directed each agency in FY99 to 
"conduct a review of its systems of records notices to ensure that they 
are up-to-date," and agencies certified to OMB that they conducted this 
review. According to Table 5, only 79% of the agencies answered "yes" 
to the survey question (Q.4) - "During fiscal year 2000 or 2001, did 
your agency review the Federal Register notice to ensure that it was 
accurate?":

These facts are not inconsistent, because the OMB review occurred in 
FY99, and the GAO question focused on FY00 and FY01. However, how 
significant is the 79% rate of conducting a notice review in FY00 and 
FY01 when all the agencies had been directed to conduct a notice review 
in the prior year (FY99)? GAO makes no effort to evaluate the 
significance of this compliance rate.

In sum, by relying entirely on the results from its survey and forum, 
GAO has not taken into consideration, or even acknowledged in the 
report, all the other factual material that is relevant to and 
necessary for carrying out a serious evaluation of the Federal 
Government's implementation of the Privacy Act. Moreover, for the 
reasons discussed above, the survey/forum results are fundamentally 
flawed, both when considered in isolation and when considered in a 
broader factual context. As a result, we believe that the draft 
report's conclusion - namely, that, if its recommendations are not 
adopted, "the government cannot assure that individual privacy rights 
are being protected" - lacks a solid factual foundation and therefore 
borders on the reckless and irresponsible.

Having spent so much time addressing the report's factual analysis and 
conclusions, we will spend only a brief moment addressing the report's 
draft recommendations. As the title of the draft report indicates, GAO 
staff believe that "OMB Leadership" is "Needed to Improve Agency 
Compliance" with the Privacy Act. Since, for the reasons above, it is 
not clear that there is a problem with agency compliance (as opposed to 
GAO's review methodology), it is not clear what actions OMB should take 
to "improve agency compliance." The recommendations themselves are 
extremely vague in this regard, perhaps owing to the draft report's 
failure to pinpoint any real-world compliance problems. The draft 
report does not point to any specific "deficiencies in compliance" with 
reference to any particular agencies or programs (in this regard, the 
agencies' responses, for what they are worth, have been withheld from 
OMB). Thus, it is difficult to understand how OMB is supposed to 
"direct agencies to correct the deficiencies in compliance" or "oversee 
agency implementation of actions needed to correct these deficiencies" 
(p.27).

The other recommendations are equally nebulous. For example, the draft 
report recommends that OMB "assess the need for specific changes to OMB 
guidance" (p.27), even though the draft report does not actually 
identify a single deficiency in any of the Privacy Act guidance that 
OMB has issued, or that the Justice Department has provided in its 
Privacy Act Overview, or that the courts have provided in their 
decisions.[NOTE 2] In this regard, while the draft report notes that 
some agencies had complaints about the adequacy of OMB's written 
guidance, most agencies found it "mostly complete."[NOTE 3] (Appendix 
V, Figure 6, p. 46) Again, the draft report makes no attempt to 
reconcile these contrary views regarding the guidance. The fact that 
different agencies could view OMB's guidance in sharply different ways 
argues against drawing any firm conclusions from the survey/forum 
results in the absence of additional information.

Our final comment concerns GAO's interactions with OMB during GAO's 
collection of information and preparation of the draft report. GAO 
routinely asks OMB to provide GAO with information, including through 
interviews, on a wide range of topics, many of which do not directly 
relate to OMB but instead are really a review of another agency's 
activities. During the past year, OMB has responded to dozens of GAO 
inquiries. Some of them, concerning such OMB activities as the 
Paperwork Reduction Act, Regulatory Review, E-Government initiatives, 
and the Program Assessment Rating Tool (PART) have involved in-depth 
GAO reviews of OMB's activities. In all those cases, GAO initiated a 
formal review with OMB and requested the opportunity to interview OMB 
staff.

GAO's conduct in conducting this Privacy Act review was very different, 
and in fact was unprecedented in our experience. During the many months 
of its preparation of this draft report, GAO never initiated a formal 
review with OMB and never requested the opportunity to interview OMB 
staff. In other words, it appears to us that GAO staff made no serious 
attempt to obtain OMB's perspective on agency compliance with the 
Privacy Act and on the adequacy of OMB's guidance to agencies. GAO did 
provide OMB the opportunity to comment on draft materials, such as this 
draft report and last fall's draft briefing slides, but providing us 
with an opportunity to comment on materials that GAO has already 
prepared is far different than requesting information from us to 
incorporate into GAO's review. OMB staff raised on several occasions 
the concerns that are outlined above, and they repeatedly pointed out 
to GAO staff that the scope of its factual review was too narrow and 
that GAO needed to follow up the survey and forum results by collecting 
further information. OMB staff invited GAO to conduct a review of OMB's 
activities, during which OMB could address the concerns that agencies 
had raised in the survey/forum about OMB's guidance. GAO declined this 
invitation to conduct a review of OMB's activities, and GAO staff did 
not pursue the concerns and issues that OMB raised. OMB has also 
informed GAO staff of our more recent work in privacy, including the 
reinstatement of an interagency Privacy Committee, and OMB's process of 
drafting guidance to agencies on implementation of section 208 of the 
E-government Act of 2002. OMB also recently held an open forum on 
privacy, where GAO staff were present, and two agencies publicly 
praised OMB's leadership in the area of privacy.

In closing, we want to reaffirm that OMB takes seriously its 
responsibilities to provide guidance to the agencies and oversee their 
implementation of the Privacy Act. We would welcome a careful and 
thoughtful GAO report that identifies real-world problems with agency 
compliance in particular agencies and programs (or that identified 
specific problems with OMB's guidance) and that provides concrete 
recommendations for how OMB and/or the agencies could correct these 
problems. However, the draft report does not provide that careful and 
thoughtful analysis. As noted at the beginning, we will be convening a 
series of meetings with the agencies to follow up on the issues that 
they raised in the survey/forum results.

Thank you again for this opportunity to comment on the draft report.

Sincerely,

Signed by: 

Mark Forman 
Administrator 
Office of E-Government and Information Technology:

John D. Graham,
Administrator:
Office of Information and Regulatory Affairs:

Enclosures:

NOTES: 

[1] In the main report, GAO discussed the 100% compliance figure for 
the question "Has your agency promulgated a final rule under the 
Administrative Procedure Act that explains why your agency considers 
the exemption necessary?" See the "What GAO Found" cover page, and pp. 
3 and 12 of the main report; see also Appendix IV, Table 5 Q.55. The 
third question with a 100% compliance response was "Has any court ruled 
that your agency violated any provision of the Privacy Act or found an 
employee criminally liable regarding this system of records?" See 
Appendix IV, Table 5, Q.48. This question, like the 
disclosure-prohibition question, is mentioned only in Appendix IV, and 
not in the main body of the report.

[2] We have enclosed two complete sets of copies of the Privacy Act 
guidance that OMB has issued, as well as two complete copies of the 
Justice Department's Privacy Act Overview. We request that GAO include 
a complete copy of the OMB and DOJ guidance in GAO's response to the 
congressional requester.

[3] In fact, based on materials that GAO prepared last fall, one of the 
agencies that considered OMB's guidance to be "very useful" and "mostly 
complete" was the Defense Department, which had nearly one-half (1,156) 
of the 2,443 systems of records in GAO's survey (Draft Briefing Slides, 
10/08/02, pp. 29, 45).

GAO Comments:

1. We disagree with OMB that the statements made in our report "border 
on the reckless and irresponsible." Our survey results represent 25 
departments' and agencies' compliance with a broad range of Privacy Act 
provisions. These 25 cover a broad cross section of small, medium, and 
large departments and agencies. In most cases, agencies' Privacy Act 
officers--who had an average of 8 years of experience in that 
position--responded to our survey of agencywide practices; we achieved 
a 100 
percent response rate on this survey. Our survey concerning a sample 
representing a population of 2,400 systems of record was completed by 
the person the agency deemed as most knowledgeable of that system of 
records; we achieved a 96 percent response rate. These surveys are 
extremely comprehensive and were developed over many months with 
assistance from agency privacy officials. Moreover, to help verify the 
accuracy of agencies' answers related to compliance, we randomly 
selected a sample of agency responses to the surveys and asked 
officials to provide documentation or additional narrative explanations 
to support their answers. We then invited key senior Privacy Act 
officials from all 25 agencies to discuss their responses at an all-day 
forum, where they had a chance to provide additional context for us 
before the preparation of the draft report. Overall, we consider this 
report to be a comprehensive and accurate source of information on 
agencies' implementation of the Privacy Act.

2. We disagree that our draft report, by treating the various 
provisions of the act as equally important, understates the extent of 
agency privacy protections. In passing the Privacy Act, Congress 
enacted a framework designed to protect personal privacy. Accordingly, 
we based our conclusions on the results of a comprehensive analysis of 
agency compliance with a broad range of requirements.

As OMB suggests, we added to the body of our report a statement that 
agencies reported 100 percent compliance with our question concerning 
unauthorized access or disclosure of personal information contained in 
information systems. However, this response should not be interpreted 
as meaning that agencies fully complied with the Privacy Act's 
prohibitions against unauthorized disclosures. The question OMB cites 
is focused on information security controls for protecting personal 
information contained in information systems--which would not include 
the estimated 31 percent of systems of records that were exclusively 
paper records. Further, in response to another question, agencies 
acknowledged that in an estimated 21 percent of their systems of 
records, they did not have the means to detect unauthorized intrusions 
into their information systems, drawing into question whether agencies 
have adequate means to determine whether or not there have been 
unauthorized disclosures. As discussed in our report, we have reported 
extensive weaknesses in information security across government.

3. We disagree that there is inconsistency between the survey responses 
on accounting for disclosures. The two questions asked were similar, 
but not identical. Therefore, there should be no expectation that the 
results would be identical. In our agency survey, we asked agencies a 
general question on whether they account for disclosures outside the 
agency for all systems of records. In the system of records survey, we 
asked agencies about their ability to account for all disclosures for a 
specific system of records that we randomly selected from the 
population.

4. Regarding our questions on maintaining complete, accurate, and 
relevant information, there are again major differences in these two 
questions that explain the differing results. One question asks how 
agencies maintain complete, accurate, and relevant information for 
internal agency determinations about an individual, while the other 
asks how this is done when providing information to a nonfederal 
organization. We do, however, agree with OMB that the readers of our 
report should see the multiple-choice answers that agencies could 
choose from in answering these questions and on which our compliance 
results are based. We have added them to the report.

5. Regarding OMB's concerns about questions that ask about particular 
activities undertaken in specific time frames, we note that these 
questions were directly derived from OMB's guidance to agencies. For 
example, we derived the question concerning reviews of Federal Register 
notices regarding systems of records directly from OMB's guidance. We 
support OMB in believing that such reviews help ensure that the public 
is informed of the existence and uses of systems of records and is thus 
able to access and amend records if necessary.

6. We agree with OMB regarding the question concerning review of 
training practices in fiscal year 2001. We removed this question from 
the report.

7. We disagree with OMB that there is a fundamental flaw in the draft 
report resulting from what is described as "the extremely limited 
nature and scope of the facts that GAO has actually reviewed." Our 
survey results represent 25 departments' and agencies' compliance with 
a broad range of Privacy Act provisions. Our surveys are extremely 
comprehensive, were developed over many months with assistance from 
agency privacy officials, and represent the population of 2,400 systems 
of records covering a broad cross section of small, medium, and large 
departments and agencies. Moreover, to help verify the accuracy of 
agencies' answers related to compliance, we randomly selected a sample 
of agency responses to the surveys and asked officials to provide 
documentation or additional narrative explanations to support their 
answers. We then invited key senior Privacy Act officials from all 25 
agencies to discuss their responses at an all-day forum where they had 
a chance to provide additional context for us before the preparation of 
the draft report. Again, we consider this report to be a comprehensive 
and accurate source of information on agencies' implementation of the 
Privacy Act.

8. One of the first steps that we took when beginning this review of 
the Privacy Act was to contact agency Inspectors General for reports on 
the act. We found only a few reports, which were of limited scope. In 
addition, we acknowledge that GAO has not performed a comprehensive 
review of the Privacy Act in many years. However, as discussed in the 
draft report, we have issued reports over the past 3 years that raised 
concerns with the adequacy of selected OMB guidance concerning privacy. 
These reports contain outstanding recommendations to strengthen 
guidance, which OMB has not yet implemented.

9. One of the first steps we took when beginning this review was to 
examine the Privacy Act Overview from the Department of Justice and to 
meet with the Justice officials who prepared the overview. We used the 
overview, court decisions, and our interview with Justice officials to 
help frame some of the survey questions. However, a detailed analysis 
of these cases was not within the scope of our review nor necessary to 
address the objectives of our study. OMB appropriately pointed out that 
the individuals involved have the right to seek judicial review of 
agencies' compliance with the act; we discuss this point in the 
background section of our report.

10. In doing this work, our intention was to depict a governmentwide 
picture of agency compliance with the Privacy Act and OMB guidance. 
Although we present these results in the aggregate, they are based on 
reviews of 24 individual agencies and a representative sample of 2,400 
systems of records. We will be providing OMB officials with additional 
details so that they can follow up with the specific agencies involved 
and ensure that deficiencies are corrected.

11. OMB's 1999 review did not require agencies to review all systems of 
records. Instead, OMB directed agencies to focus on "…the most probable 
areas of out-of-date information, so that reviews will have the maximum 
impact in ensuring that system of records notices remain accurate and 
complete." The difference in the scope of OMB's review (selective) and 
ours (random sample) explains why agencies reported different results.

12. OMB commented that our draft report does not make clear what 
actions they should take because it does not point to any specific 
"deficiencies in compliance" at specific agencies or programs. The 
draft report contains specific compliance findings related to a broad 
range of Privacy Act requirements. As previously discussed, this 
information is presented in aggregate form; we will be providing 
additional details to help OMB in its improvement efforts.

Regarding OMB guidance, the draft report identifies many of the 
specific deficiencies that agencies noted. We did not include the 
detailed deficiencies that agencies identified in response to OMB's 
January 1999 memorandum because OMB already had this information. Other 
specific deficiencies from our survey were previously shared with OMB 
officials. Nevertheless, we will be providing OMB officials with all 
the additional details on the specific deficiencies in OMB guidance 
that agencies identified in both the OMB and the GAO studies.

13. We disagree with OMB's comment that we never initiated a formal 
review with OMB, never requested the opportunity to interview OMB 
staff, and declined an invitation to review OMB activities. Consistent 
with GAO policy, we held an entrance conference with OMB on May 30, 
2001, to initiate this review. At that meeting, we interviewed the key 
OMB officials who have Privacy Act responsibilities and asked them 
questions covering every aspect of this engagement. During the course 
of our review, we offered to share drafts of our surveys with OMB 
officials to obtain their views and suggestions; they declined this 
opportunity. Since then we have been in frequent communication with OMB 
privacy officials to keep them apprised of our progress and, as OMB's 
comment acknowledges, shared with them the draft briefing slides that 
contained the interim results from our surveys. We met with them to 
discuss the briefing slides on November 14, 2002, and January 7, 2003.

Consistent with GAO policy, we also held an exit conference on April 3, 
2003, to share our preliminary results and conclusions with OMB. At 
that meeting, OMB officials provided us with oral comments and stated 
that they would provide us with additional comments in writing; these 
written comments were not provided. As we began summarizing the results 
from our surveys and forum, we had several conversations with OMB 
officials, including a meeting on May 28, 2003, to discuss their 
concerns about our methodology and preliminary findings; many of the 
concerns were addressed as we drafted the final report.

Overall, OMB had many opportunities to provide us with additional 
evidence to support its view that our results and conclusions were 
inaccurate; however, it provided little additional information except 
to take issue with our study approach. In addition, we note that 
although we informed OMB of our survey approach early in our study, it 
chose to take issue with the approach only after we had obtained 
results.

[End of section]

Appendix VIII: GAO Contact and Staff Acknowledgments:

GAO Contact:

Alan Stapleton, (202) 512-3418:

Staff Acknowledgments:

In addition to the person named above, Bill Bates, Barbara Collier, 
Robert Crocker, John Dale, Neil Doherty, Wilfred Holloway, William 
Isrin, Michael Jarvis, Tuong-Vi La, Alison Martin, Luann Moy, David 
Noone, David Plocher, Mark Ramage, Terry Richardson, Theresa Roberson, 
and Warren Smith made key contributions to this report.

(310358):

FOOTNOTES

[1] Under the Privacy Act, personal information is all information 
associated with an individual and includes both identifying information 
and nonidentifying information. Identifying information, which can be 
used to locate or identify an individual, includes name, aliases, 
social security number, E-mail address, driver's license identification 
number, and agency-assigned case number. Nonidentifying personal 
information includes age, education, finances, criminal history, 
physical attributes, and gender. 

[2] A system of records is a collection of information about 
individuals under the control of an agency from which information is 
retrieved by the name of the individual or by some identifying number, 
symbol, or other particular assigned to the individual.

[3] We use the term "agency" in this report to refer to executive 
departments such as the Department of Justice as well as independent 
agencies such as the Office of Personnel Management (OPM).

[4] We used three surveys to obtain information on the following areas 
(see app. I): the first addressed agencywide practices, and the second 
addressed systems of records; these two surveys addressed 
characteristics of systems of records and compliance with the act and 
related OMB guidance. The third survey focused on information 
technology projects; for these, we obtained information on systems 
containing personal information not subject to the act's protections. 
All percentage estimates in this report have confidence intervals of 
±10 percentage points or less (unless otherwise noted) at the 95 
percent confidence level. In other words, if all the systems of records 
in our population had been in the second survey, the chances are 95 out 
of 100 that the result obtained would not differ from our sample 
estimate by more than ±10 percentage points.

[5] Figures do not add to 100 percent due to rounding.

[6] Under the act, a routine use is a disclosure of personal 
information outside the agency maintaining the information that the 
agency determines is compatible with the purpose for which it was 
collected.

[7] A cookie is a short string of text that is sent from a Web server 
to a Web browser when the browser accesses a page. Certain types of 
cookies may pose privacy risks because they may be used to track 
individuals' browsing habits and keep track of viewed and downloaded 
pages.

[8] Public Law 105-277, Div. C, tit. XVII.

[9] 44 U.S.C. 3603, Public Law 107-347 (Dec. 17, 2002).

[10] House Report No. 98-455.

[11] The President also directed OMB to summarize the results of the 
agency reviews. OMB officials stated that they did not do so. However, 
the OMB official who is responsible for overseeing the Privacy Act 
stated that the Presidential initiative did result in OMB urging 
agencies to include privacy impact assessments when preparing their 
budget Exhibit 300 submissions for information technology purchases. 
She also stated that a similar requirement for privacy impact 
assessments was subsequently enacted into law (P.L. 107-347).

[12] OMB Memorandum M-99-05 (Jan. 7, 1999).

[13] Internet Privacy: Agencies' Efforts to Implement OMB's Privacy 
Policy, GAO/GGD-00-191 (Washington, D.C.: Sept. 5, 2000). 

[14] Internet Privacy: Implementation of Federal Guidance for Agency 
Use of Cookies, GAO-01-424 (Washington, D.C.: Apr. 27, 2001).

[15] Information Security: Progress Made, but Challenges Remain to 
Protect Federal Systems and the Nation's Critical Infrastructures, 
GAO-03-564T (Washington, D.C.: Apr. 8, 2003).

[16] Title III of the E-Gov Act (P.L. 107-347).

[17] E-government refers to the use of technology, particularly 
Web-based Internet applications, to enhance the access to and delivery 
of government information and services to citizens, business partners, 
employees, other agencies, and other entities.

[18] National Institute of Standards and Technology, Security 
Self-Assessment Guide for Information Technology Systems, NIST Special 
Publication 800-26 (November 2001).

[19] Figures do not add to 100 percent due to rounding.

[20] Pay.gov is a service developed by Treasury's Financial Management 
Service that can be used by other federal agencies to allow customers 
to make payments electronically through the Internet. The service also 
includes payment-related functions, such as authenticating users and 
reporting back to agencies about transactions that have transpired. 

[21] The primary purpose of the Intra-Governmental Payment and 
Collection System is to provide a standardized interagency fund 
transfer mechanism for federal program agencies.

[22] Computer matching is the identification of similarities or 
dissimilarities in data found in two or more computer files. However, 
many computer matches fall outside the act, such as matches performed 
to produce aggregate statistical data without any personal identifiers 
and matches performed to support any research or statistical project. 
According to OMB guidance, such data may not be used to make decisions 
concerning the rights, benefits, or privileges of specific individuals. 
(Dec. 20, 2000, memorandum from the Director, OMB, to the heads of 
executive departments and agencies, Guidance on Inter-Agency Sharing of 
Personal Data--Protecting Personal Privacy.)

[23] Agencies reported two incidents. However, these two incidents were 
not in our random sample and thus not weighted sufficiently to lower 
compliance below 100 percent, as shown in appendix IV.

[24] According to OMB guidance, the act only covers individuals acting 
in a personal capacity rather than acting in a business capacity (e.g., 
as entrepreneurs). The guidance states "Agencies should examine the 
content of the records in question to determine whether the information 
being maintained is, in fact, personal in nature. A secondary criterion 
in deciding whether the subject of an agency file is, for purposes of 
the act, an individual, is the manner in which the information is used: 
i.e., is the subject dealt with in a personal or entrepreneurial role." 
Privacy Act Implementation: Guidelines and Responsibilities, Federal 
Register, vol. 40, no. 132 (July 9, 1975).

[25] The Computer Matching Act requires that a benefit/cost analysis be 
part of an agency's decision to conduct or participate in a matching 
program. However, the act authorizes the agency Data Integrity Boards 
to waive this requirement in certain circumstances.

[26] U.S. General Accounting Office, Internet Privacy: Agencies' 
Efforts to Implement OMB's Privacy Policy, GAO/GGD-00-191 (Washington, 
D.C.: Sept. 5, 2000); Internet Privacy: Implementation of Federal 
Guidance for Agency Use of Cookies, GAO-01-424 (Washington, D.C.: Apr. 
27, 2001).

[27] The 95 percent confidence interval of the estimated 11 percent is 
from 6 percent to 19 percent. The corresponding total estimate of 83 
has a confidence interval of 44 to 139.

[28] Title III of the E-Gov Act (P.L. 107-347). 

[29] The 17 agencies that had prepared budget Exhibit 53s were 
(1) Agriculture, (2) Commerce, (3) Defense, (4) Education, (5) Energy, 
(6) Health and Human Services, (7) Interior, (8) Justice, (9) Housing 
and Urban Development, (10) Labor, (11) State, (12) Transportation, 
(13) Treasury, (14) VA, (15) FEMA, (16) OPM, and (17) SSA.

[30] Public Law 107-347 (Dec. 17, 2002). Among other things, this act 
seeks to expand the delivery of government services through greater use 
of the Internet and computer resources.

[31] For some compliance questions, too few agencies responded for us 
to be 95 percent confident that the true value is within ±10 
percentage points of the estimated percentage. Unless otherwise noted, 
we deleted those questions from our analysis and from the table.

[32] One agency did not respond to this question.

GAO's Mission:

The General Accounting Office, the investigative arm of Congress, 
exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony:

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site (www.gao.gov) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics.

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading.

Order by Mail or Phone:

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:

U.S. General Accounting Office

441 G Street NW, Room LM

Washington, D.C. 20548:

To order by Phone:

Voice: (202) 512-6000:

TDD: (202) 512-2537:

Fax: (202) 512-6061:

To Report Fraud, Waste, and Abuse in Federal Programs:

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm

E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470:

Public Affairs:

Jeff Nelligan, managing director, NelliganJ@gao.gov, (202) 512-4800

U.S. General Accounting Office, 441 G Street NW, Room 7149, 
Washington, D.C. 20548: