This is the accessible text file for GAO report number GAO-03-304 entitled 'Privacy Act: OMB Leadership Needed to Improve Agency Compliance' which was released on July 30, 2003. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Ranking Minority Member, Committee on Governmental Affairs, U.S. Senate: June 2003: Privacy Act: OMB Leadership Needed to Improve Agency Compliance: GAO-03-304: GAO Highlights: Highlights of GAO-03-304, a report to the Ranking Minority Member, Committee on Governmental Affairs, U.S. Senate Why GAO Did This Study: The Privacy Act regulates how federal agencies may use the personal information that individuals supply when obtaining government services or fulfilling obligations—for example, applying for a small business loan or paying taxes. GAO was asked to review, among other things, agency compliance with the Privacy Act and related guidance from the Office of Management and Budget (OMB). What GAO Found: Based on responses from 25 selected agencies to GAO surveys, compliance with Privacy Act requirements and OMB guidance is generally high in many areas, but it is uneven across the federal government. For example, GAO used agency responses to estimate 100 percent compliance with the requirement to issue a rule explaining to the public why personal information is exempt from certain provisions of the act (see table). In contrast, GAO estimates 71 percent compliance with the requirement that personal information should be complete, accurate, relevant, and timely before it is disclosed to a nonfederal organization. As a result of this uneven compliance, the government cannot adequately assure the public that all legislated individual privacy rights are being protected. Agency senior privacy officials acknowledge the uneven compliance but report a number of difficult implementation issues in a rapidly changing environment. Of these issues, privacy officials gave most importance to the need for further OMB leadership and guidance. Although agencies are not generally dissatisfied with OMB’s guidance on the Privacy Act, they made specific suggestions regarding areas in which additional guidancewas is needed, such as the act’s application to electronic records. Besides these gaps in guidance, additional issues included the low agency priority given to implementing the act and insufficient employee training on the act. If these implementation issues and the overall uneven compliance are not addressed, the government will not be able to provide the public with sufficient assurance that all legislated individual privacy rights are adequately protected. What GAO Recommends: GAO recommends that the Director, OMB, take a number of steps aimed at improving agency compliance with the Privacy Act, including overseeing and monitoring agency actions, reassessing the need for additional guidance to agencies, and raising agency awareness of the importance of the act. In providing comments, OMB officials stated that the draft report does not support the conclusion that, without improved compliance, the government cannot ensure the protection of individual privacy rights; these officials stated that GAO’s treatment of the various provisions of the act as equally important in protecting privacy is flawed. GAO’s view, however, is that Congress enacted a series of requirements designed, in total, to protect privacy; accordingly, GAO based its conclusions on a comprehensive analysis of agency compliance with a broad range of requirements. www.gao.gov/cgi-bin/getrpt?GAO-03-304. To view the full report, including the scope and methodology, click on the link above. For more information, contact Linda Koontz at (202) 512-6240 or koontzl@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Most Agencies' Systems of Records Contain Electronic Records: Agency Compliance with the Privacy Act and OMB Guidance Is Uneven: Agencies Maintain Personal Information outside the Privacy Act in a Limited Number of Information Systems: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendixes: Appendix I: Scope and Methodology: Surveys: Privacy Act Forum: Presidential Privacy Initiative: Appendix II: Summary of GAO’s February 2003 Privacy Forum on the Survey Results: Major Barriers to Improving Agency Compliance with the Privacy Act and Actions That Could Address These Barriers: Adequacy of Privacy Act Protection in Today’s Electronic Environment: Need for Changes in the Privacy Act for Consistency with the Current Environment and Management Practices: Appendix III: OMB Guidance on Privacy: Appendix IV: Compliance with Privacy Act and Associated Guidance: Appendix V: Agency Views on OMB Guidance and Assistance: OMB’s Overall Assistance to Agencies Was Frequently Judged “Moderately Effective”: OMB’s Written Guidance Was Frequently Judged “Mostly Complete”: OMB’s Responses to Agency Questions Were Frequently Judged “Moderately Timely”: OMB’s Assistance on Agencies’ Federal Register Notices Was Frequently Judged “Moderately Timely”: Appendix VI: Agency Resources and Structure Devoted to Implementation of the Privacy Act: Appendix VII: Comments from the Office of Management and Budget: GAO Comments: Appendix VIII: GAO Contact and Staff Acknowledgments: GAO Contact: Staff Acknowledgments: Tables: Table 1: Agencywide Compliance with Training Requirements: Table 2: Compliance with Exemption Requirements: Table 3: Respondents to Second Survey: Table 4: Responses to Agencywide Practices Survey: Table 5: Responses to System of Records Survey: Figures: Figure 1: Policies to Assess Need to Collect Personal Information: Figure 2: Agencies’ Assessments of Security Safeguards: Figure 3: Agencies’ Means to Detect Unauthorized Access: Figure 4: Information Systems Containing Personal Information Not in a Privacy Act System of Records: Figure 5: Agency Characterization of Overall Effectiveness of OMB Assistance: Figure 6: Agency Characterization of Completeness of OMB’s Written Guidance: Figure 7: Agency Characterization of Timeliness of OMB’s Response to Questions: Figure 8: Agency Characterization of Usefulness of OMB’s Response to Questions: Figure 9: Agency Characterization of Timeliness of OMB’s Assistance with Federal Register Notices: Figure 10: Agency Characterization of Usefulness of OMB’s Assistance with Federal Register Notices: Figure 11: Centralization of Implementation of Privacy Act: Abbreviations: CIO: chief information officer: FBI: Federal Bureau of Investigation: FISMA: Federal Information Security Management Act: FOIA: Freedom of Information Act: FTE: full-time equivalent: OMB: Office of Management and Budget: OPM: Office of Personnel Management: SSA: Social Security Administration: SOR: system of records: Letter June 30, 2003: The Honorable Joseph I. Lieberman Ranking Minority Member Committee on Governmental Affairs United States Senate: Dear Senator Lieberman: Obtaining government services or fulfilling government obligations-- for example, applying for a small business loan or paying taxes--often requires individuals to provide federal agencies with detailed personal information about themselves and their spouses, dependents, and parents.[Footnote 1] To regulate the federal government's use of this personal information, Congress passed the Privacy Act of 1974. You asked us to evaluate the compliance of federal agencies with the Privacy Act and other issues. Specifically, as agreed with your office, our objectives were to determine: * key characteristics of systems of records[Footnote 2] reported by agencies; * the level of agency compliance with the Privacy Act and related OMB guidance; and: * the extent to which agencies report that they maintain personal information that is not subject to the Privacy Act's protections. To address these objectives, we conducted three surveys at 25 departments and agencies, which were selected to provide a cross section of large and small agencies[Footnote 3] that were likely to have different missions and organizational structures and, perhaps, different approaches to implementing the Privacy Act. (App. I identifies the 25 agencies.) Response rates ranged from 76 to 100 percent.[Footnote 4] To help verify the accuracy of answers related to compliance with the Privacy Act, we randomly selected a sample of agencies' responses to the surveys and asked officials to provide documentation or additional narrative explanations to support their answers for key compliance questions. The results of the verification work gave us greater assurance about the accuracy of agencies' survey responses. We previously briefed your staff on the results of our surveys. To better understand the results of our surveys, we invited the 25 agencies to send a representative (mostly Privacy Act officers) to a meeting in February 2003 (also referred to as the "forum"), at which we presented our survey results and asked the agency representatives for their reactions and to identify barriers to compliance with the act. (A summary of forum results is presented in app. II.): Further details on our scope and methodology are provided in appendix I. Our work was conducted from May 2001 to May 2003 in accordance with generally accepted government auditing standards. Results in Brief: Based on survey responses, a key characteristic of agencies' 2,400 systems of records is that an estimated 70 percent of systems contained electronic records. Specifically, 12 percent were exclusively electronic records, 58 percent were a combination of paper and electronic, and 31 percent were exclusively paper records.[Footnote 5] In addition, we estimate that agencies allowed individuals to access their personal information electronically via the Internet in about 1 of every 10 systems of records. Other key characteristics reflected the diversity of systems: for example, the number of people whose personal information was maintained in the sampled systems of records varied significantly, from 5 people to about 290 million, with a median of about 3,500. The number of systems per agency also varied significantly: from 1 to over 1,000, with a median of 68. While compliance with Privacy Act provisions and related OMB guidance was generally high in many areas, according to agency reports, it was uneven across the federal government--ranging from 100 percent to about 70 percent for the various provisions. For example, we estimate that for all systems of records (100 percent), agencies issued the required rule that explains to the public why they exempted the system of records from one or more of the act's privacy protections. In contrast, fewer agencies were compliant with the provision that information should be complete, accurate, relevant, and timely before it is disclosed to a nonfederal organization; we estimate that agencies took steps to comply with this requirement for 71 percent of systems of records. At the forum, agency privacy officials acknowledged the uneven compliance but reported a number of difficult implementation issues in a rapidly changing environment. Of these issues, privacy officials gave most importance to the need for further OMB leadership and guidance.Although agencies are not generally dissatisfied with OMB's guidance on the Privacy Act, they made specific suggestions regarding areas in which additional guidance was needed, such as the act's application to electronic records. Besides these gaps in guidance, additional implementation issues included the low agency priority given to implementing the act and insufficient employee training on the act. If these issues and the overall uneven compliance are not addressed, the government will not be able to provide the public with sufficient assurance that individual privacy rights are appropriately protected. Agencies maintained personal information that was not subject to the Privacy Act's protections in an estimated 11 percent of 730 major information systems in use during fiscal year 2002. Agencies reported that this occurred in various circumstances, the most frequent being when information was not retrieved by use of identifying information (e.g., name), but rather by other, nonidentifying information (e.g., name of a company). Concerns have been raised regarding the scope of the Privacy Act, whose coverage is limited to personal information that is retrieved by a personal identifier. Our study results are relevant to one aspect of this issue, as they provide an indication of the extent to which agencies maintain personal information not subject to the act's protections. A more complete examination of this topic would require additional study. To improve compliance and address issues reported by agencies, we are making recommendations to the Director, OMB, which include directing agencies to correct compliance deficiencies, monitoring agency compliance, and reassessing OMB guidance. In commenting on a draft of this report, the Administrators of OMB's Offices of Information and Regulatory Affairs and of E-Government and Information Technology stated that the information in the draft report does not support our conclusion that, without improved compliance, the government cannot assure the public that individual privacy rights are being protected. Specifically, the Administrators fault what they characterize as a fundamental flaw in the draft report: our treatment of the various provisions of the act as equally important in protecting privacy. In addition, OMB disagrees with our recommendations, stating that they are vague and nebulous. We disagree with OMB's assertion that our conclusion is not supported. We continue to believe that, without improved compliance, the government cannot adequately assure the public that all legislated individual privacy rights are being protected. In enacting the Privacy Act, Congress established a framework for ensuring that individuals' privacy is protected. Accordingly, we based our conclusions on a comprehensive analysis of agency compliance with a broad range of requirements contained in the act. With regard to our recommendations, the report contains considerable detail including specific compliance results and agency suggestions for improvements to OMB guidance. In addition, we believe that our recommendations provide the appropriate level of detail needed for OMB to address the issues from a governmentwide perspective. However, we recognize that the compliance results in particular are provided in aggregate form; we will be providing additional details to OMB to help it in improving governmentwide compliance. Background: The Privacy Act of 1974 is the primary act that regulates the federal government's use of personal information. The Privacy Act places limitations on agencies' collection, disclosure, and use of personal information in systems of records. A system of records is a collection of information about individuals under the control of an agency from which information is actually retrieved by the name of the individual or by some identifying number, symbol, or other particular assigned to the individual. The act does not apply when there is merely a capability or potential for retrieval by identifier, which is often the case with electronic records. Among the major provisions of the Privacy Act are the following: Collecting only necessary information. Agencies are to maintain personal information about an individual only when it is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or executive order of the President. According to OMB guidance, the goal of this provision is to reduce the amount of personal information that agencies collect in order to reduce the risk of agencies' improperly using personal information. Providing public notice. Agencies are to publish a notice in the Federal Register when establishing or revising a system of records. The notice is to contain the name and location of the system, the categories of individuals on whom records are maintained in the system, and each "routine use"[Footnote 6] of the records contained in the system. Providing for informed consent. Agencies are to inform individuals whom it asks to supply information of (1) the authority for soliciting the information and whether disclosure of such information is mandatory or voluntary, (2) the principal purposes for which the information is intended to be used, (3) the routine uses that may be made of the information, and (4) the effects on the individual, if any, of not providing the information. Protecting against adverse determinations through maintaining accuracy of personal information. Agencies are to maintain all records used in making any determination about individuals with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual. Safeguarding information. Agencies are to establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records and to protect against anticipated threats or hazards to their security or integrity that could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. Accounting for disclosures of records. Agencies are to keep an accounting of the date, nature, and purpose of each disclosure of a record, and the name and address of the person or agency to whom the disclosure is made (except for disclosures within the agency for official purposes or for disclosures required under the Freedom of Information Act). Training employees. Agencies are to instruct persons on the requirements of the act if they are involved in the design, development, operation, or maintenance of any system of records or in maintaining any record. Providing notice of exemptions of systems of records. When an agency uses the authority in the act to exempt a system of records from certain provisions, the agency is to issue a rule explaining the reasons for the exemption. Providing for civil remedies and criminal penalties for violating the rights granted by the Privacy Act. The act grants individuals the right of access to agency records pertaining to themselves; the right to amend such a record if it is inaccurate, irrelevant, untimely, or incomplete; and the right to sue the government for violations of the act. There are civil remedies and criminal penalties for agencies not affording individuals these rights. In 1988, Congress amended the Privacy Act through passage of the Computer Matching and Privacy Protection Act, which established safeguards regarding an agency's use of Privacy Act records in performing certain computerized matching programs. Under the act, a written computer matching agreement is required for any computerized comparison of two or more automated systems of records for the purposes of determining the eligibility of applicants for assistance under federal benefits programs or of recouping payments or delinquent debts under federal benefits programs. Agreements are also required for any computerized comparison of federal personnel or payroll systems. Computer matching agreements must specify the purpose and legal authority for conducting the match and how these matches will be performed. Agency Data Integrity Boards are to approve matching agreements and assess the costs and benefits of the match. (There are some exceptions, such as not assessing costs and benefits where the match is required by statute.): OMB Is Responsible for Guidance on Privacy: Under the Privacy Act, OMB is responsible for developing guidelines and regulations and providing "continuing assistance to and oversight of" agencies' implementation of the act. In 1975, OMB issued its initial Privacy Act implementing guidance entitled Privacy Act Implementation: Guidelines and Responsibilities. In addition, OMB Circular A-130 (Management of Federal Information Resources) sets forth a number of general policies concerning the protection of personal privacy by the federal government: * The individual's right of privacy must be protected in federal government information activities involving personal information. * Agencies shall consider the effects of their actions on the privacy rights of individuals and ensure that appropriate legal and technical safeguards are implemented. * Agencies shall limit the collection of information that identifies individuals to that which is legally authorized and necessary for the proper performance of agency functions. * Agency heads shall periodically review (1) a random sample of agency contracts for maintaining systems of records to ensure that contractors are bound by the Privacy Act; (2) routine use disclosures associated with each system of records to ensure that they are compatible with their original purpose for collection; and (3) training practices to ensure that employees are familiar with the Privacy Act and the agency's implementing regulation. As of April 2003, OMB's Web site, www.whitehouse.gov/omb, also provides links to documents characterized as "Privacy Guidance" and "Privacy Reference Materials" (http://www.whitehouse.gov/omb/inforeg/ infopoltech.html). Those documents include the initial Privacy Act guidance, memoranda about privacy policies on federal Web sites, interagency sharing of personal data, letters on agency use of Web "cookies."[Footnote 7] (See app. III.): OMB officials stated that one OMB staff person is dedicated to Privacy Act issues full time. In addition, according to that one staff person, several other OMB staff also devote part of their time to this effort. The Privacy Act staff position is located in the Information Policy and Technology Branch within the Office of Information and Regulatory Affairs. According to OMB, the duties associated with this position include: * reviewing agencies' draft Federal Register notices and systems reports for new and altered systems of records and computer matches; * answering agencies' questions about how to implement the act, and responding to questions from federal employees and the public about the scope and application of the act; * monitoring court rulings involving the Privacy Act; * developing written guidance to agencies on Privacy Act implementation issues and federal Internet privacy policy; * leading interagency work groups on Privacy Act issues; * providing input to OMB's positions on legislation, rules, regulations, and testimony that have privacy policy implications; and: * participating in interagency discussions and activities concerning other privacy policy issues (consumer fraud/identity theft, do-not-call lists, medical privacy, financial privacy, etc.). One body tasked with addressing federal governmentwide issues such as privacy and security is the Chief Information Officers (CIO) Council, chaired by the Deputy Director for Management in OMB. Initially established in 1996 by Executive Order 13011, the CIO Council was enacted into law by the E-Government Act of 2002.[Footnote 8] The council serves as the principal interagency forum for improving practices in the management of federal information resources. Among its functions are responsibilities to develop policy recommendations for OMB, help coordinate multiagency projects and other innovative initiatives, assist in standards development, and work with the Office of Personnel Management (OPM) to address hiring and training needs.[Footnote 9] Previous Initiatives and Studies Have Raised Privacy and Security Concerns: Concerns about implementation of the Privacy Act have arisen periodically since its passage. In 1983, for example, in a report summarizing 9 years (1975-1983) of congressional oversight of the act, the House Committee on Government Reform (formerly called the Committee on Government Operations) concluded that OMB had not pursued its responsibility to revise and update its original guidance from 1975 and had not actively monitored agency compliance with its guidance.[Footnote 10] It stated "Interest in the Privacy Act at [OMB] has diminished steadily since 1975. Each successive Administration has shown less concern about Privacy Act oversight.": A subsequent administration initiative addressed the difficulty of assuring privacy in an increasingly electronic environment. In May 1998, a presidential memorandum was issued stating that increases in agencies' use of electronic records permit "this information to be used and analyzed in ways that could diminish individual privacy in the absence of additional safeguards." Consequently, the heads of executive departments and agencies were directed to review their Privacy Act systems of records within 1 year, and OMB was directed, among other things,[Footnote 11] to issue instructions to agencies on conducting and reporting these reviews. In its January 1999 instructions, OMB also asked agencies to identify areas where they believe further OMB guidance was needed.[Footnote 12] The resulting responses from 72 agencies highlighted a range of issues. For example, in assessing their own compliance with the Privacy Act, agencies (1) added 131 systems of records that previously had not been properly identified, (2) revised 457 systems of records that were not up to date, and (3) deleted 288 systems of records that were no longer necessary. In addition, agencies requested centralized, updated guidance, particularly with regard to new technologies such as E-mail, Web sites, and electronic records. Further, agencies suggested, for example, that OMB establish an interagency taskforce on privacy. In addition, over the past 3 years, we have issued reports that raised concerns with the adequacy of selected OMB guidance. In September 2000, we reported that OMB's guidance to agencies on Web site privacy policies was unclear in several respects and contained undefined language. We recommended that OMB clarify its guidance on privacy policies for agencies' Web sites.[Footnote 13] In another report, issued in April 2001, we said that OMB's guidance on agencies' use of cookies on Web sites was fragmented and did not provide clear direction.[Footnote 14] We recommended that OMB clarify its guidance. Although OMB officials stated that they planned to address these recommendations, OMB had not yet implemented them as of May 2003. We have also consistently reported that security of electronic information in computer systems is a high-risk area for the government in general, with potentially devastating consequences if it is not ensured. When controls over the security of computer systems are not adequate, the privacy of the personal information in those systems is exposed to potential risks from unauthorized access or alteration. In April 2003, at the request of Congress, we testified on our analysis of recent information security audits and evaluations at 24 major federal departments and agencies.[Footnote 15] We reported that although analyses of audit and evaluation reports for the 24 major departments and agencies issued from October 2001 to October 2002 indicated some individual agency improvements, overall they continued to highlight significant information security weaknesses that place a broad array of federal operations and assets at risk of fraud, misuse, and disruption. We identified significant weaknesses in each of the 24 agencies. As in 2000 and 2001, weaknesses were most often identified in control areas for security program management and access controls. All 24 agencies had weaknesses in security program management, which provides the framework for ensuring that risks are understood and that effective controls are selected and properly implemented. We further testified that there are a number of important steps that the administration and the agencies should take to ensure that information security receives appropriate attention and resources and that known deficiencies are addressed. These steps include delineating the roles and responsibilities of the numerous entities involved in federal information security and related aspects of critical infrastructure protection; providing more specific guidance on the controls agencies need to implement; obtaining adequate technical expertise to select, implement, and maintain controls to protect information systems; and allocating sufficient agency resources for information security. Although we continue to report significant weaknesses that place federal operations and assets at risk, in the past few years agencies and the administration have taken actions to improve federal information security. As we reported in our April 2003 testimony, OMB and agency efforts to implement the information security requirements of the Federal Information Security Management Act (FISMA)[Footnote 16] have resulted in increased management attention to information security and provided an improved baseline for measuring improvements. FISMA requires federal agencies to establish agencywide risk-based information security programs, which must be independently evaluated annually, in order to protect agency information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. We also reported that the administration has made progress through a number of efforts, such as OMB's establishment of requirements for agencies to report the results of their annual security program reviews and their plans to correct identified weaknesses, as well as its emphasis of information security in the budget process and e-government initiatives.[Footnote 17] Also, the National Institute of Standards and Technology (NIST) has issued additional computer security guidance, including its Security Self-Assessment Guide for Information Technology Systems,[Footnote 18] which uses an extensive questionnaire containing specific control objectives and techniques against which an unclassified system or group of interconnected systems can be tested and measured. Most Agencies' Systems of Records Contain Electronic Records: A key characteristic of agencies' systems of records is that a large proportion of them are electronic, reflecting the government's significant use of computers and the Internet to collect and share personal information. Based on survey responses, we estimate that 70 percent of the agencies' 2,400 systems of records contain electronic records. Specifically, an estimated 12 percent were exclusively electronic records, 58 percent were a combination of paper and electronic, and 31 percent were exclusively paper records.[Footnote 19] In addition, agencies allowed individuals to access their personal information via the Internet in an estimated 9 percent of systems of records (about 1 in 10). Our survey results revealed other key characteristics of our population of over 2,400 systems of records, which illustrate the diversity across agencies: The median number of people whose personal information was maintained in the sampled systems of records was about 3,500, but this number varied significantly: the totals ranged from 5 people to about 290 million people. * The median number of systems of records at each agency was 68, but this number varied significantly: the totals ranged from 1 to over 1,000. * Among the electronic records, 66 percent of systems of records resided within one information system, and 34 percent resided within more than one information system. * The types of information that agencies used most frequently to actually retrieve personal information from the system were the social security number and the agency identification number. * The most frequent source of the personal information in the systems of records was the subject individual, followed by the agency, individuals other than the subject, and another federal agency. Agency Compliance with the Privacy Act and OMB Guidance Is Uneven: While compliance with Privacy Act provisions and related OMB guidance was generally high in many areas, according to agency reports, it was uneven across the federal government--ranging from 100 percent for some requirements to about 70 percent for others. For example, for 100 percent of agency systems of records, agencies followed the requirement to issue a rule that explains to the public why a system of records is exempt from one or more of the act's privacy protections. However, for other provisions, agencies have not consistently established the necessary policies and procedures needed to ensure compliance and followed through on required actions. Agency privacy officials attending our forum acknowledged this uneven compliance; they pointed out, however, that implementation of the Privacy Act in a rapidly changing environment presents a number of difficult issues. Specifically, these officials identified barriers to improved compliance that include a need for more OMB leadership and guidance on the act, low agency priority given to implementing the act, and insufficient training on the act. In the absence of consistent compliance with the Privacy Act, the government cannot adequately assure the public that all legislated individual privacy rights are being protected. Compliance Was Uneven among Provisions of the Privacy Act: Collecting only relevant and necessary information. The Privacy Act states that agencies are to collect only information that is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or executive order of the President. This provision is aimed at preventing the improper use of personal information in ways that could result in substantial harm or embarrassment to individuals. OMB guidance states "In simplest terms, information not collected about an individual cannot be misused." Accordingly, OMB guidance states that agencies are to assess the relevance and need for personal information in the initial design of a new system of records or whenever any change is proposed in an existing system of records. Seventeen of the 25 agencies stated that they did have written policies and procedures to determine, before information systems become operational, whether any personal information to be collected in a new system is needed, as OMB guidance requires. (See fig. 1.) The remaining 8 agencies did not have such policies and procedures. Figure 1: Policies to Assess Need to Collect Personal Information: [See PDF for image] [End of figure] Several agencies that did have such procedures in place reported positive results from these assessments. These agencies identified instances since October 1, 1998, where they decided not to collect or retain unnecessary personal information because of Privacy Act considerations. For example: * Transportation took steps to reduce the amount of personal information and its availability in designing (1) a new identification system for agency employees and (2) a possible Transportation Worker Identification Credential (TWIC) and associated systems for the Transportation Security Administration. According to agency officials, TWIC was initiated at the Department of Transportation, but transferred to the Department of Homeland Security with the Transportation Security Administration on March 1, 2003. * The Treasury's Financial Management Service decided not to collect or retain social security numbers for its Pay.gov verification[Footnote 20] or for the Intra-Governmental Payment and Collections System.[Footnote 21] * The Social Security Administration (SSA) decided not to copy (1) a State Workers Compensation agency file and (2) a Veterans Benefits Administration file containing military discharge records, because SSA would need to access only a small percentage of the records. * The Department of Defense eliminated a database that contained information on dependents after finding that the information was neither relevant nor necessary. Another component destroyed employees' tax return information because it was neither relevant nor necessary. As these examples show, following procedures to assess the need for personal information in systems can effectively avoid privacy risks. However, without such procedures consistently in place governmentwide, agencies cannot ensure that only relevant personal information is collected from individuals. Providing public notice. A basic objective of the act is to foster agency accountability through a system of public scrutiny. Among the provisions of the act that provide this system of public scrutiny are the act's requirements to (1) issue Federal Register notices so that there are no systems of records whose existence is secret and (2) publish rules in the Code of Federal Regulations that describe the agency's procedures for individuals to determine if they are the subject of a record and to access or amend their records. In addition, over the course of a year, agencies' use of personal information in systems of records may change. Accordingly, OMB Circular A-130 requires agencies to review each system of records notice biennially to ensure that it accurately describes the system of records. Agencies reported that they had issued the required Federal Register notice for 89 percent of the systems of records. Of the 25 agencies surveyed, 24 reported that they had published the required rules in the Code of Federal Regulations. Finally, agencies reported they had completed reviews of Federal Register notices on an estimated 79 percent of the 2,400 systems of records. For those systems of records for which agencies are not complying with public notice provisions, the public cannot obtain current information on the existence of government systems that may contain personal information. Without uniform compliance with these provisions, agencies cannot consistently ensure that citizens can exercise their rights to access, review, and amend such records, as guaranteed under the act. Providing for informed consent. Under the act, individuals have a right to be provided with detailed information about the agency's request for personal information before making an informed decision whether to respond. Accordingly, the act requires agencies to provide individuals in writing (1) the authority for soliciting the information and whether disclosure of such information is mandatory or voluntary, (2) the principal purposes for which the information is intended to be used, (3) the routine uses that may be made of the information, and (4) the effects on the individual, if any, of not providing the information. In addition, agencies' uses of the information may change over time. Accordingly, OMB Circular A-130 requires agencies to review the routine use disclosures to ensure that they continue to be compatible with the purpose for which the information was collected. We estimate that for 82 percent of the systems of records, agencies did provide individuals, in writing, with the information required by the act. For the remaining 18 percent, individuals have not been provided with full disclosure of the potential uses of their personal information. In addition, of 25 agencies surveyed, 21 reported that they had adhered to the OMB guidance to review routine use disclosures. Based on responses to our survey of systems of records, we found that agencies reviewed these routine use disclosures in an estimated 82 percent of the 2,400 systems of records. For the systems for which these reviews were not done, agencies cannot assure the public that the potential uses of their personal information remains appropriate. Protection against adverse determinations through maintaining accuracy. One purpose of the act is to minimize, if not eliminate, the risk that an agency will make an adverse determination about an individual on the basis of incorrect information. Accordingly, the act requires that agencies, when making determinations about individuals or when disclosing personal information to a nonfederal organization, maintain all records with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual. Agency-reported compliance with the accuracy requirements varied considerably. With regard to determinations made about an individual, we estimate that agencies had procedures in place to ensure that the personal information about an individual is complete, accurate, relevant, and timely in 95 percent of systems of records. However, compliance with accuracy requirements was considerably lower when the agencies disclosed personal information to nonfederal organizations-- an estimated 71 percent of systems of records. A related issue is the use of computer matches,[Footnote 22] which are generally subject to the act's protections if they are used to make determinations that involve (1) applying for federal benefits, (2) recouping government payments to individuals, (3) collecting delinquent debts the individual owes the government, or (4) federal personnel or payroll records. We estimate that less than 5 percent of the approximately 2,400 systems of records were involved in one or more computer matching programs during 2001; however, this 5 percent includes systems containing records on very large numbers of people, including one, according to SSA, covering approximately 360 million applicants for social security numbers of which 70 million are known to be deceased. OMB requires agencies to review each ongoing computer matching program to ensure that the requirements of the act and OMB guidance had been met. Our survey results indicate that 9 of the 13 agencies that maintain computer matching programs complied with the OMB requirement to make such reviews. Without consistent reviews of computer matching programs for compliance with the act and OMB guidance, the government cannot ensure that personal information shared with other entities and used for decision making in federal programs is accurate, relevant, timely, and complete. Safeguarding personal information. Once an agency makes a decision to collect personal information, safeguarding the information is vital to complying with the Privacy Act. As discussed earlier, our reports have consistently found that information security is a high-risk area for the government in general, with potentially devastating consequences if it is not ensured. Moreover, the importance of adequate safeguards is underscored by the types of sensitive personal information most frequently found in the systems of records: name, social security number, telephone numbers, home address, work address, and demographic information (e.g., marital status). OMB's guidance calls for a detailed assessment of risks and the establishment of specific administrative, technical, procedural, and physical safeguards. Based on survey responses, we estimate that during fiscal years 1999 through 2001, agencies did assess security safeguards for 82 percent of systems of records, but did not for the remaining 18 percent. (See fig. 2.): Figure 2: Agencies' Assessments of Security Safeguards: [See PDF for image] [End of figure] Protecting personal information that is maintained in automated information systems is of particular importance. In response to our surveys, agencies generally did not report incidents of unauthorized reading, altering, disclosing, or destroying personal information in automated information systems.[Footnote 23] However, we also estimate that in 21 percent of about 2,400 systems of records, agencies reported that they did not have the means to detect when persons, without authorization, were reading, altering, disclosing, or destroying information in the system. (See fig. 3.): Figure 3: Agencies' Means to Detect Unauthorized Access: [See PDF for image] [End of figure] Without appropriate security safeguards and the means to assess them, agencies cannot ensure that personal information maintained by the government is protected from unauthorized access, disclosure, and alteration. Accounting for disclosures. Individuals have a right under the act to know to whom records about themselves have been disclosed outside the agency, so that (among other purposes) those recipients can be subsequently advised of any corrected or disputed records. Accordingly, agencies are to maintain an accounting of the date, nature, and purpose of each disclosure of a record, and the name and address of the person or agency to whom the disclosure is made. We estimate that agencies were able to account for such disclosures in 86 percent of their 2,400 systems of records but were not able to do so for 14 percent. For systems for which agencies cannot account for disclosures, agencies cannot advise individuals of how and by whom their personal information is being used. Training employees. The Privacy Act states that agencies are to establish rules of conduct for persons involved in the design, development, operation, or maintenance of systems of records and to instruct each person on those rules, including the penalties for noncompliance. In discussing the act's requirement for agencies to issue rules, OMB guidance states that training employees on the act is important for compliance: Effective compliance with the provisions of this act will require informed and active support of a broad cross section of agency personnel. It is important that all personnel who in any way have access to systems of records or who are engaged in the development of procedures or systems for handling records, be informed of the requirements of the act and be adequately trained in agency procedures developed to implement the act. As the table shows, one-third of agencies have not issued the act's required rules of conduct for employees, and about one out of five had not established procedures to ensure adequate training for personnel with access to systems of records. Table 1: Agencywide Compliance with Training Requirements: Compliance question: Has your agency established rules of conduct for persons who are involved in operations and maintenance of records?; In compliance: 16 of 24 agencies. Compliance question: Has your agency established rules of conduct for persons involved in design and development of systems of records?; In compliance: 15 of 24 agencies. Compliance question: Does your agency have procedures to ensure that personnel with access to systems of records or who are engaged in developing procedures are adequately trained?; In compliance: 20 of 25 agencies. Source: GAO. [End of table] In addition, for an estimated 74 percent of systems of records, agencies also reported that they provided "all or almost all" staff with such training but did not for an estimated 26 percent. If agency employees have not been appropriately trained, they may not be aware of their responsibilities under the act and may not fully comply with its requirements. Providing notice of exemptions. The Privacy Act permits certain categories of records to be exempted from some requirements of the act (e.g., access to records); according to OMB guidance, agencies can make exemptions if complying with those requirements could adversely affect agencies' conduct of necessary public business. The act contains two categories of exemptions: (1) general exemptions that include systems of records maintained by the Central Intelligence Agency or for criminal law enforcement purposes and (2) specific exemptions for systems of records that include classified material, statistical records, and certain personnel investigation and evaluation material. For example, the act allows agencies to deny a person access to his or her law enforcement files if doing so would impair an ongoing investigation. Other types of records may be exempted from the provision in the act that allows individuals to sue for violations of the act and seek civil remedies and from the provision to ensure the accuracy of the information disclosed to third parties. According to OMB guidance, no system of records is automatically exempt from any provision of the act. To obtain an exemption for a system from any requirement of the act, the head of the agency that maintains the system must make a determination that the system falls within one of the categories of systems that are permitted to be exempted and publish a notice on the determination as a rule. That notice must include why the agency considers the exemption necessary and the specific provisions proposed to be exempted. OMB Circular A-130 requires agencies to review any exemptions every 4 years to determine if they are still needed. As shown in the following table, we estimate that agencies issued the required rule explaining why the system of records was exempt for 100 percent of the systems of records; however, for about one in seven systems, agencies did not review the rule every 4 years as OMB requires. For systems that are not reviewed periodically as required, agencies have diminished assurance that all existing exemptions from Privacy Act provisions are still necessary. Table 2: Compliance with Exemption Requirements: Compliance question: Has your agency issued a Federal Register notice explaining the reasons for exempting the system of records from certain provisions of the act?; Results: 24 of 24 agencies in compliance. Compliance question: During fiscal years 1998-2001, did your agency review each system of records containing exemptions to determine whether such exemptions were still needed?; Results: 19 of 24 agencies in compliance. Compliance question: Has your agency issued a rule that explains why your agency considers the exemption necessary?; Results: 100 percent compliance among systems of records. Compliance question: During fiscal years 1998-2001, did your agency review the exemptions to determine whether these exemptions were still needed?; Results: 85% of systems of records in compliance;[ A] 15% not in compliance. Source: GAO. [A] The confidence interval is ±15 percent. [End of table] The specific compliance questions in our surveys and agency responses can be found in appendix IV. Agencies Believe that Additional OMB Guidance Would Help Improve Compliance with the Act: The 24 agency representatives who attended our February 2003 forum acknowledged that compliance was not yet consistent across agencies and systems of records. They identified the following as the most significant barriers to improving their compliance: * lack of sufficient OMB leadership, oversight, and guidance on the Privacy Act (first choice); * low agency priority on implementing the act, which adversely affects the level of resources devoted to it (second choice); and: * insufficient training to satisfy the wide range of employee involvement with the act (e.g., executives have different training needs than do persons designing information systems) (third choice). OMB Guidance and Oversight Described as Moderately Effective, but Agencies Ask for More Attention in Specific Areas: At our privacy forum, agency representatives reported that the most significant factor in uneven agency compliance was the need for additional OMB leadership on implementing the Privacy Act in today's electronic environment. Because the Privacy Act mandates that OMB provide agencies with continuing assistance and oversight, agencies look to OMB for additional help and guidance. According to agency responses to our surveys, agencies are not generally dissatisfied with OMB's guidance and assistance on the Privacy Act: for example, most agencies judged that OMB's assistance on the act was at least "moderately effective" overall. (See app. V for more detail on agency responses in this area.) However, both on the surveys and at the forum they named a number of specific areas in which they wanted further guidance, including the application of the Privacy Act to electronic records. To address this first barrier, the most important action the agency representatives identified was that OMB should become more proactive by publishing additional guidance in certain areas and providing increased assistance to agencies. Several forum participants also noted the abundance of guidance available from the Department of Justice on the Freedom of Information Act and expressed interest in having similar information made available on the Privacy Act. Forum participants also suggested that it would be helpful if OMB were to convene periodic meetings of Privacy Act officers to discuss important areas where the guidance is not clear. Participants saw such meetings as opportunities for agencies to let OMB know where guidance and assistance were needed, to pool their knowledge, and to work with OMB to leverage resources (such as training information). In addition, on our surveys, nine agencies reported that specific additions or revisions to OMB guidance were needed for them to better implement the act. Among the areas of the act cited most frequently were: * how the definition of a system of records applies to electronic databases, * how the disclosure provisions apply to electronic databases, * coverage of sole proprietors (entrepreneurs) under the act,[Footnote 24] and: * cost-benefit guidance for computer matches.[Footnote 25] The observation that additional OMB guidance on the Privacy Act would be helpful is not new. In our previous reports in this area, we have recommended that OMB issue guidance on Web site privacy policies and on agencies' use of cookies.[Footnote 26] Similarly, in response to the May 1998 privacy initiative, agencies requested updated guidance, particularly with regard to new technologies, and suggested that OMB establish an interagency task force and host periodic conferences on privacy. OMB has not yet acted either on our recommendations or on previous agency requests for additional guidance. Agencies See Privacy Act Implementation as Receiving Low Priority: Forum participants reported that agency management tends to assign low priority to implementation of the Privacy Act. They commented that implementation was classed among support functions, which are often the first to be cut when resources are tight, and that Privacy Act offices were often "buried" in agencies. Also, Privacy Act officers may find themselves placed in an adversarial position when they tell their management not to take certain actions that could violate the act. Further, there was general agreement among forum participants that OMB officials had not demonstrated that the Privacy Act was a priority, and that this low priority tended to result in a similar low priority at agencies. One participant cited the minimal level of OMB resources devoted to assisting agencies to carry out the act--primarily one person--as indicative of the low priority placed on the act. Furthermore, participants said this lack of OMB leadership and top management attention tended to adversely affect the resources that agencies assigned to carrying out the act. To address this second barrier, the most important action the forum participants identified was for agency top managers to place increased priority on implementing the act, including making additional resources available. However, when asked in the survey about the resources that are devoted to implementing the act, most agencies were unable to answer many of the questions. Agencies are not required to track such resources, and many respondents found estimating the resources burdensome. In appendix VI, we provide limited information on this topic, as well as on the organizational structures that agencies have set up to implement the Privacy Act. Agencies See a Need for Increased and More Focused Training on the Privacy Act: Forum participants stated that the agencies did not provide sufficient training for agency staff who handle personal information subject to the act. They stated that the most important action to address this barrier was OMB overseeing the development of additional training for employees with varying degrees of involvement with the act and making the training more readily available (perhaps on the Web or on CD). Several participants noted that there should be role-based training that varies based on the employees' involvement with the act. For example, there could be a general orientation session on the act for all employees, and different training for executives, Privacy Act officers, and systems managers. Further details on the forum results are provided in appendix II. Agencies Maintain Personal Information outside the Privacy Act in a Limited Number of Information Systems: The protections of the Privacy Act are limited to personal information that is retrieved by a personal identifier. Over the years since the act's passage, concerns have been raised regarding the protection of personal information that does not fall within the scope of the act. (For example, electronic databases frequently permit the retrieval of personal information by search terms other than a personal identifier.) A preliminary step to addressing these concerns is to estimate the extent of personal information that is maintained outside Privacy Act systems. Based on agency responses to our survey, we estimate that 67 percent of the 730 information systems in use at large agencies during fiscal year 2002 contained personal information, regardless of whether this personal information was in a Privacy Act system of records. Of these 730, we estimate that 11 percent (83) contained personal information outside a Privacy Act system of records.[Footnote 27] (See fig. 10.): Figure 4: Information Systems Containing Personal Information Not in a Privacy Act System of Records: [See PDF for image] [End of figure] How many of these information systems contain any personal information not in a Privacy Act system of records (SOR)? Agencies reported that they maintain personal information outside a system of records when the information: * is not retrieved by use of identifying information (e.g., name), but rather by nonidentifying information (e.g., zip code); * concerns deceased persons (e.g., deceased recipients of social security benefits); * concerns entrepreneurs acting in a business rather than a personal capacity (e.g., persons seeking government business loans); or: * concerns aliens who are not permanent residents of the United States (e.g., persons seeking a visa to enter this country). The most frequently cited reason why these systems were not considered Privacy Act systems of records was that the agency did not use a personal identifier to retrieve the personal information. For example, the Department of Labor stated that it collects personal information from persons who claim not to have been paid all the wages owed them. Because it uses company names, rather than the names of individuals, to retrieve the information, Labor officials stated they are not required to keep this personal information in a Privacy Act system of records. However, a few agencies reported that, for administrative convenience, they put such information in Privacy Act systems of records even when not required. (OMB guidance encourages agencies to do this.) For example, the Department of Health and Human Service's Center for Disease Control maintains records on deceased individuals. These records also have information about living persons (for example, the next of kin). Therefore, all the information is maintained in a Privacy Act system of records. Other laws besides the Privacy Act provide certain privacy and security protections to personal information outside Privacy Act systems of records. Under the Freedom of Information Act (FOIA), as amended, the public has a right of access to federal agency records, except for those records that are protected from disclosure by nine stated exemptions. Two exemptions in FOIA protect personal privacy interests from disclosure. The first exemption allows the federal government to withhold information about individuals in personnel and medical files when the disclosure would constitute a clearly unwarranted invasion of personal privacy. The second exemption allows the federal government to withhold records of information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information could reasonably be expected to constitute an unwarranted invasion of personal privacy. A second law that protects information in federal records is the Federal Information Security Management Act (FISMA),[Footnote 28] which requires federal agencies to protect agency information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Conclusions: Agency responses on key characteristics of their systems of records highlight the increasingly complex environment in which federal agencies must operate. Agencies reported that information is maintained on vast numbers of individuals, largely in electronic form, and that a single system of records may reside in multiple information systems. Understanding this environment--and its potential impact on individuals' privacy--will be important as the government continues to refine its privacy policies and guidance. While Privacy Act compliance is generally high in many areas, it is not consistent across the federal government and could be improved. Agencies bear primary responsibility for compliance with the act, but they have not yet fully put into place the processes and follow-through needed to ensure compliance. Further, according to agencies, they face difficult implementation issues. Specifically, OMB has not responded either to long-standing agency requests or to our recommendations for improved guidance. In addition, agencies believe that OMB has not provided enough assistance in dealing with challenges such as the low priority generally accorded to the Privacy Act and the lack of appropriate training. Until these issues are addressed by agencies and OMB and compliance with the Privacy Act across government is improved, the government cannot adequately assure the public that all legislated individual privacy rights are being protected. Agencies reported that about 11 percent of their automated systems contain personal information that is not subject to the act's protections. In view of the concerns about the scope of the Privacy Act, this information may be useful as a first step in understanding this issue in the current electronic environment. Further study is required, however, to determine what information is maintained, how it is used, and the potential effects, if any, on individual privacy rights. Recommendations for Executive Action: To improve agency compliance with the Privacy Act, we recommend that the Director, OMB, * direct agencies to correct the deficiencies in compliance with the Privacy Act that agencies identified in this report, * oversee agency implementation of actions needed to correct these deficiencies, and: * monitor overall agency compliance with the act. To address implementation issues related to compliance with the Privacy Act, we recommend that the Director: * assess the need for specific changes to OMB guidance, especially with regard to electronic records, and update the guidance, as appropriate; * raise the awareness and commitment of senior agency officials to the importance of the principles that underlie the Privacy Act; * lead a governmentwide effort to (1) determine the level of resources, including human capital, currently devoted to Privacy Act implementation by both OMB and the agencies, (2) assess the level of resources needed to fully implement the act, (3) identify the gap, if any, between current and needed resources, and (4) develop a plan for addressing any gap that may exist; and: * oversee the development of Privacy Act training that meets the needs of the wide range of employees who carry out the act and make this training readily available to agencies. Further, we recommend that the Director oversee an assessment of the potential impact on individual privacy of federal agencies' maintaining personal information that is not subject to the act. The Director should involve federal agencies as appropriate in addressing the above recommendations. One option for doing so would be to establish a multiagency working group or forum, perhaps as part of the Chief Information Officers Council. Agency Comments and Our Evaluation: We provided a draft of this report to OMB for review and comment. In a letter dated June 20, 2003, the Administrators of OMB's Offices of Information and Regulatory Affairs and of E-Government and Information Technology provided comments. This letter is reprinted in appendix VII along with our additional analysis of the comments. The Administrators stated that our report has taken an important first step toward identifying areas in which further research and discussion can be undertaken, including through a series of meetings with agency officials. However, the Administrators stated that the information presented does not support the conclusion in the draft report that without improved compliance, the government cannot assure the public that individual privacy rights are being protected. Specifically, the Administrators fault what they characterize as a fundamental flaw in the draft report: our treatment of the various provisions of the act as equally important in protecting privacy. In addition, they note that while compliance may not be perfectly consistent, a lack of perfect consistency from one agency to the next "should hardly be surprising" across the dozens of agencies that make up the government. Further, the Administrators state that the draft report does not indicate whether agency compliance with the Privacy Act is more uneven than is agency compliance with other laws, such as the Administrative Procedures Act, and so our findings on the Privacy Act do "not really say much." Finally, OMB disagrees with our recommendations, stating that they are vague and nebulous. We disagree with OMB's overall comment that the information in the draft report does not support our conclusion. We continue to believe that without improved compliance, the government cannot adequately assure the public that all legislated individual privacy rights are being protected. In passing the Privacy Act, the Congress enacted a series of requirements designed, in total, to ensure protection of individuals' privacy. Accordingly, we believe that because agencies did not consistently comply with these requirements, it is reasonable to conclude that the government lacks adequate assurance that privacy rights are being protected. With regard to the lack of consistency across agencies, our report does not address whether federal agencies have consistent practices, but whether federal agencies are consistently following legal requirements imposed by Congress and those practices that OMB found sufficiently important to be included in its Privacy Act guidance. Further, we believe that federal agencies should strive for consistent compliance with these requirements and others mandated by the Congress. Regarding our recommendations, the draft report contains extensive details on agency noncompliance with specific provisions of the Privacy Act and OMB guidance. In addition, it contains many specifics on agencies' suggestions for improvements in guidance. Further, we believe our recommendations provide the appropriate level of detail needed for OMB to address the issues from a governmentwide perspective. We recognize, however, that our compliance results, in particular, are presented in aggregate form; we did not include our more detailed results in the report because this material is voluminous and because agencies are already well aware of the specific shortcomings in compliance. Nonetheless, we will be providing OMB with additional details to help in its improvement efforts. As agreed with your office, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days from the date of this letter. At that time, we will send copies of this report to the Director of the Office of Management and Budget and the heads of other interested congressional committees. We are also sending copies to the 25 departments and agencies we surveyed. Copies will be made available to others on request. In addition, this report will be available at no charge on GAO's Web site at www.gao.gov. If you have any questions concerning this report, please call me at (202) 512-6240 or send E-mail to koontzl@gao.gov. Key contacts and major contributors to this report are listed in appendix VIII. Signed by: Sincerely yours, Signed by: Linda D. Koontz Director, Information Management Issues: [End of section] Appendixes: Appendix I: Scope and Methodology: We asked the following 25 departments and agencies to respond to survey questions about their privacy practices and procedures: * Departments: Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Housing and Urban Development, Interior, Justice, Labor, State, Transportation, Treasury, Veterans Affairs: * Agencies: Equal Employment Opportunity Commission (EEOC), Federal Emergency Management Agency (FEMA), Office of Personnel Management (OPM), National Science Foundation (NSF), Office of Government Ethics (OGE), Small Business Administration (SBA), Social Security Administration (SSA), Pension Benefit Guaranty Corporation (PBGC), Federal Trade Commission (FTC), Office of Special Counsel (OSC), Securities and Exchange Commission (SEC): We selected these agencies to provide a cross section of large and small agencies that were likely to have different missions and organizational structures and, perhaps, different approaches to implementing the Privacy Act. In fiscal year 2002, the nine small agencies--EEOC, FEMA, OPM, NSF, OGE, PBGC, FTC, OSC, and SEC--had a median of approximately1,200 full-time equivalent staff years; the range of staff years was from 80 (OGE) to approximately 3,000 (SEC). For the remaining two large agencies and 14 departments, the median number of staff years was 64,268, with a range from approximately 4,517 (SBA) to approximately 670,166 (Defense). Each agency decided which person was best qualified to respond to the survey and who in management was to review and approve the response. We use the term "agency" to refer to (1) executive departments such as the Department of Justice and (2) independent agencies such as OPM. Surveys: We used three surveys to obtain information on the following areas: the first addressed agencywide practices, and the second addressed systems of records; these two surveys contained questions on the characteristics of systems of records and compliance with the act and related OMB guidance. The third survey focused on information technology projects; for these, we asked questions on systems containing personal information not subject to the act's protections. Survey on agencywide practices. We asked these 25 agencies to answer questions about agencywide Privacy Act practices and procedures (e.g., how many systems of records exist). Each agency decided which person was best qualified to respond to the survey and who in management was to review and approve the response. In 18 of the 25 agencies, the person completing the survey was the person who had day-to-day responsibility for implementing the Privacy Act and was also the agency's Privacy Act officer. These persons were, on average, three levels removed from the head of the agency and had been performing these duties at this agency an average of 8 years. The questionnaire also contained questions about compliance with specific Privacy Act provisions and related OMB guidance. To help ensure that agencies understood the questions, we pretested the survey with agency officials. We achieved a 100 percent response rate. Survey on systems of records. We also surveyed agencies to gather information about their systems of records' compliance with Privacy Act requirements and OMB guidance. The population for this survey consisted of all systems of records that existed in the 25 agencies as of December 1999. From this population of 3,637 systems of records, we selected a probability sample of 204. This was a stratified sample consisting of two strata. The following table summarizes the population size, sample size, and respondents by sample. Table 3: Respondents to Second Survey: Stratum: Certainty; Population: 19; Sample size: 19; Respondents: 18; Response rate: 95%. Stratum: All others; Population: 3618; Sample size: 185; Respondents: 179; Response rate: 97%. Stratum: Total; Population: 3637; Sample size: 204; Respondents: 197; Response rate: 97%. Source: GAO. [End of table] The certainty sample consisted of 19 systems of records that were considered to be large or otherwise important systems for this survey. Approximately one-third of the selected systems of records no longer existed at the time of the survey. Therefore, estimates from our survey project to an estimated population of 2,443 (±244) systems of records from 1999 that still existed at the time of the survey. Because we followed a probability procedure based on random selections, our sample is only one of a large number of samples that we might have drawn. Since each sample could have provided different estimates, we express our confidence in the precision of our particular sample's results as a 95 percent confidence interval. This is the interval that would contain the actual population value for 95 percent of the samples that we could have drawn. As a result, we are 95 percent confident that each of the confidence intervals in this report will include the true values in the study population. All percentage estimates in this report have 95 percent confidence intervals of ±10 percentage points or less, unless otherwise noted. To help ensure that agencies understood the questions, we pretested the survey with agency officials. We achieved a 96 percent response rate. Survey on information technology projects and information outside privacy act systems of records. We also surveyed agencies concerning a sample of 150 information technology projects randomly selected from 17 agencies' budget Exhibit 53s for fiscal year 2002 (Exhibit 53 is required by OMB Circular A-11).[Footnote 29] We first asked agencies if these projects contained any information systems in use; if they did, we then asked questions about those information systems. We selected our sample of 150 information systems from a population of 730 that were in use in fiscal year 2002. To help ensure that agencies understood the questions, we pretested the survey with agency officials. We achieved a 76 percent response rate. Analysis of survey results. All of our samples are probability samples and produce estimates that could vary for any particular random sample chosen. Unless otherwise noted, we are 95 percent confident that the true value is within ±10 percentage points of estimated percentages. To minimize the chances of introducing into our results errors not related to sampling, we reviewed the agencies' responses to our surveys, asked respondents to clarify answers, validated a sample of responses, and verified a sample of the survey data keypunched into our database to ensure that it was accurate. Based on agency responses to each of the compliance questions, we developed a compliance score for particular provisions of the Privacy Act and related OMB guidance. For example, if agencies returned 180 surveys that contained answers to a compliance question, the maximum number that could comply with the requirement would be 180. Then, if agencies reported compliance on a particular question in 140 of the 180 surveys, we would assign a score of 78 percent (140 divided by 180) to that question. To help ensure the accuracy of answers related to compliance with the Privacy Act or OMB guidance, we randomly selected 20 percent of agencies' responses to the survey of agencywide practices and 10 percent of responses to the survey on systems of records and asked officials to provide documentation or additional narrative explanations to support their answers for key compliance questions. In addition, when agencies stated in their responses that they had issued certain public documents required under the act (e.g., a regulation), we located and reviewed the documents to be certain that they had been issued. The results of this validation work gave us greater assurance about the accuracy of agencies' survey responses. We also emailed relevant portions of the draft report to officials in the Departments of Defense, Justice, Health and Human Services, Labor, Transportation, Treasury, and officials at OGE, SEC, SBA, SSA, and OPM, that are mentioned specifically in the report, for their review and comment. Each of the agencies emailed suggestions to clarify particular sections of the report, which we included in this report as appropriate. Privacy Act Forum: To better understand the implications of our survey results, we invited the 25 agencies to send a representative (mostly Privacy Act officers) to a meeting in February 2003, and 24 participated. At this meeting, we presented the survey results and then asked the participants to identify the barriers to improved compliance with the act, actions needed to improve compliance, and other issues. After participants discussed their answers to these questions, we asked them to use electronic devices to anonymously record their "votes" on various privacy issues. To identify the relative importance of the barriers to agency compliance generated by participants, we assigned different point values to the participants' first, second, and third choices. For example, we told participants their first choice for the most important barrier to improving compliance would receive three points, their choice for the second most important barrier would receive two points, etc. We also asked participants to discuss the adequacy of the act in today's electronic environment and what changes, if any, were needed to the act. We incorporated the results of these discussions and votes into the appropriate sections of this report. (See app. II for a summary of the results.): Presidential Privacy Initiative: We reviewed the responses to the President's memorandum of May 14, 1998; OMB's memorandum of January 7, 1999; and subsequent agency reports to OMB regarding their reviews of their Privacy Act systems of records and other privacy practices. We entered the 72 executive departments and agencies' responses into a database and summarized them. [End of section] Appendix II: Summary of GAO's February 2003 Privacy Forum on the Survey Results: To better understand the results of our surveys, we invited the 25 agencies we surveyed to send a representative to a privacy forum at GAO headquarters in February 2003. At this forum, we presented the key results from our surveys and then asked the following questions: * What are the major barriers to improving agency compliance with the Privacy Act? * What actions can be taken to address these barriers? * In view of today's electronic environment, to what extent does the Privacy Act provide adequate privacy protections to individuals? * What changes, if any, should be made to the Privacy Act to make it more consistent with the current environment and management practices? Twenty-four of the 25 agencies sent a representative. (The Department of Health and Human Services was not represented.) The key results from the discussion of each question are presented below. Major Barriers to Improving Agency Compliance with the Privacy Act and Actions That Could Address These Barriers: The 24 agency representatives who attended our February 2003 forum on the survey results identified the following as the three most significant barriers to improving agency compliance: * lack of sufficient Office of Management and Budget (OMB) leadership, oversight, and guidance on the Privacy Act (first choice, with 50 points); * low agency priority on implementing the act, which adversely affected the level of resources devoted to it (second choice, with 36 points); and: * insufficient training to satisfy the wide range of employee involvement with the act (e.g., executives have different training needs than do persons designing information systems) (third choice, with 23 points). Each of these barriers and the actions that could address them are discussed below. Lack of Sufficient OMB Leadership, Guidance, and Assistance: Agency participants were in general agreement that OMB officials had not provided sufficient leadership, guidance, and assistance to agencies on the Privacy Act. Participants said that these shortcomings tended to adversely affect the resources and priorities those agencies assigned to the act. Many representatives cited the lack of sufficient OMB guidance as a significant barrier to compliance, particularly guidance on electronic records. Among the views that participants expressed were the following: * Agencies do not know how to fit the "paper statute" into the electronic realm in which most agencies operate today. * OMB guidance is crucial to small agencies' successful implementation of the act, because they lack the legal resources of larger agencies. * Lack of sufficient OMB guidance is particularly troublesome in areas where various courts have decided differently on privacy issues, and agencies need to know which legal ruling is correct. Agency participants stated that the most important action to address this barrier was OMB demonstrating more proactive leadership by publishing additional guidance in several areas and providing increased assistance to agencies. Several participants noted the abundance of guidance available from the Department of Justice's Office of Information and Privacy on the Freedom of Information Act and wanted similar information available on the Privacy Act. It was also suggested that OMB should convene periodic meetings of Privacy Act officers to discuss important areas where the guidance is not clear. Participants saw such meetings as opportunities for agencies to let OMB know where guidance and assistance were needed, to work together by pooling their knowledge, and to work with OMB to leverage resources (such as training information). Another suggestion was that Congress provide OMB or the agencies with additional resources in the privacy area. Low Agency Priority and Resources Devoted to the Privacy Act: Agency participants stated that agencies' top management had placed a low priority on implementing the act, and that, in turn, had adversely affected the level of resources devoted to its implementation in agencies. Participants expressed the following views: * As a support function, Privacy Act implementation is often the first area to be cut when resources are tight. Privacy Act offices are "buried" in the agency and cannot compete with program offices, which carry out the agencies' primary missions and thus have higher priority. * Privacy Act officers may be placed in an adversarial position when they tell their agencies not to take certain actions that could violate the act; they may need OMB to provide support for their position. * Implementing the Privacy Act often has a lower priority than that placed on implementing the Freedom of Information Act. * The resources that OMB devotes to assisting agencies to carry out the act suggests that OMB places less priority on the act than on its other missions; this perceived priority can affect the resources that agencies devote to it. * In carrying out its responsibilities under the act, OMB is reactive, rather than proactive. Participants stated that the most important action to address this barrier was for agencies (including OMB) to provide a higher priority to the act, along with the additional monetary and human resources associated with that higher priority. Several participants observed that additional resources would be made available if their agency's top managers or OMB officials placed a higher priority on implementing the act. Insufficient Training on the Act to Meet the Wide Variety of Employee Involvement: Agency participants stated that more training was needed for agency staff that handle personal information subject to the act. This statement is consistent with the results of our survey, in which 5 of the 25 agencies reported that they had less than adequate procedures to ensure that personnel with access to systems of records are adequately trained. In particular, forum participants noted the difficulty of communicating privacy requirements to technical staff who deal with information systems: * Communication problems arise between Privacy Act officers and system managers regarding technology issues; privacy staff may need more technical knowledge, and technical staff may need more Privacy Act knowledge. * Because the E-Gov Act[Footnote 30] will require privacy impact assessments before information systems are built, system managers and privacy officials may have to communicate more often. However, this legislation does not affect existing databases, which currently lead to many of the communication problems. * OMB guidance does not sufficiently communicate how to adequately protect personal information in large automated databases. Agency participants stated that the most important action to address this barrier was OMB overseeing the development of additional training for employees who have varying kinds and degrees of involvement with the act and making the training more readily available (perhaps on the Web or on CD). Several participants noted that there should be role- based training that varies based on the employees' involvement with the act. For example, there could be a general orientation session on the act for all employees, and different training for executives, Privacy Act officers, and systems managers. Adequacy of Privacy Act Protection in Today's Electronic Environment: Eleven of the 23 agency representatives (48 percent) who attended our February 2003 forum (one did not answer the question) believed to a "moderate" extent that in today's electronic environment, the Privacy Act provides adequate privacy protections to individuals. Among the remaining 12, no agency representative chose "very great extent"; 7 chose "great extent"; 4 chose "some extent"; and 1 chose "little or no extent.": Among the privacy issues that participants said were raised by today's electronic environment are the following: * Electronic records are easier to collect than are paper records, perhaps resulting in some information being collected that may not be needed. (The Privacy Act states that agencies shall collect only information that is relevant and necessary.): * Electronic records are easier to access and thus might not be protected as well as paper records. Participants raised the question of whether electronic records should have a different level of protection under the act than paper records. (The Privacy Act states that agencies are to establish appropriate administrative, technical, and physical safeguards for personal information.). * The aim of some E-government initiatives to increase the collection and sharing of personal information among agencies could be in conflict with the Privacy Act's goal to constrain the government's ability to use personal information. * The ease with which electronic databases can be created and merged may result in "unofficial" systems of records; agencies may not know how their data are being used. * The definition of "record" may need updating, along with other terms in the act, to reflect today's electronic environment. * Homeland security needs may be generating more personal information that is maintained outside the act, raising privacy concerns. * Insufficient attention may have been paid to agencies' collection and maintenance of personal information via the Internet and the conformance of these activities with the act's requirements. * Guidance is not available on how to give access to electronic records that contain the names of multiple people, each of whom has rights to retrieve the same record. Need for Changes in the Privacy Act for Consistency with the Current Environment and Management Practices: There was no general agreement among participants on desired changes to the act; rather, many participants said their concerns could be addressed through revisions to OMB guidance and were opposed to making any changes to the act. However, other participants suggested that Congress revisit several areas of the act, including the following: * Computer matches. Specifically, Congress should extend the time frames for the initial computer match agreements and renewals from 18 months and 12 months to 3 years and 2 years, respectively. They believed this is needed because it would reduce the excessive burden on agencies of having to renegotiate these complex documents so frequently. * Disclosures pursuant to courts of competent jurisdiction under section (b)-11. There are federal, state, local, and tribal court systems in this country. Congress needs to clarify whether requests from nonfederal courts are covered under this section. [End of section] Appendix III: OMB Guidance on Privacy: OMB's primary guidance to agencies on implementing the Privacy Act is "Privacy Act Implementation, Guidelines and Responsibilities," 40 FR 28948 (July 9, 1975), and Appendix I to OMB Circular No. A-130, "Management of Federal Information Resources," Transmittal Memorandum No. 4 (effective Nov. 28, 2000), 65 FR 77677 (Dec. 12, 2000). In addition, as of April 2003, OMB's Web site had links to the following memoranda and other documents categorized as "Privacy Guidance," which covered a variety of topics: * M-01-05, Guidance on Inter-Agency Sharing of Personal Data-- Protecting Personal Privacy (December 20, 2000). * Letter from John Spotila to Roger Baker, clarification of OMB Cookies Policy (September 5, 2000). * Letter from Roger Baker to John Spotila on federal agency use of Web cookies (July 28, 2000). * Status of Biennial Reporting Requirements under the Privacy Act and the Computer Matching and Privacy Protection Act (June 21, 2000). * M-00-13, Privacy Policies and Data Collection on Federal Web Sites (June 22, 2000). * M-99-18, Privacy Policies on Federal Web Sites (June 2, 1999). * M-99-05, Instructions on Complying with President's Memorandum of May 14, 1998, "Privacy and Personal Information in Federal Records" (January 7, 1999). * Biennial Privacy Act and Computer Matching Reports (June 1998). * Privacy Act Responsibilities for Implementing the Personal Responsibility and Work Opportunity Reconciliation Act of 1996 (November 3, 1997). Finally, OMB's Web site had other links to "Privacy Reference Materials": * Computer Matching and Privacy Protection Amendments of 1990 and the Privacy Act of 1974, 56 FR 18599 (April 23, 1991). * Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988, 54 FR 25818 (June 16, 1989). * Guidance on Privacy Act Implementations of Call Detail Programs, 54 FR 12290 (April 20, 1987). * Privacy Act Guidance--Update (May 24, 1985). * M-83-11, Guidelines on the Relationship Between the Privacy Act of 1974 and the Debt Collection Act of 1982, 48 FR 15556, April 11, 1983 (March 30, 1983). * Implementation of the Privacy Act of 1974, Supplemental Guidance, 40 FR 5674 (December 4, 1975). * Congressional Inquiries which Entail Access to Personal Information Subject to the Privacy Act (October 3, 1975). [End of section] Appendix IV: Compliance with Privacy Act and Associated Guidance: Table 4 shows the questions asked on our survey of agencywide practices, along with the agency responses that indicated compliance. For some questions, the maximum number of agencies that needed to answer the question is less than 25 (e.g., certain provisions of the act may not apply to all agencies). Table 4: Responses to Agencywide Practices Survey: Compliance questions: Does your agency account for disclosures of personal information outside of your agency? (Q.3); Compliance: 25 of 25. Compliance questions: Has your agency issued a Federal Register notice explaining the reasons for exemption? (Q12); Compliance: 24 of 24. Compliance questions: Under the Privacy Act, does your agency have a Data Integrity Board? (Q35)a; Compliance: 13 of 13. Compliance questions: Has your agency established rules in the Code of Federal Regulations for determining if the individual is the subject of a record? (Q.1.1); Compliance: 24 of 25. Compliance questions: Has your agency established rules in the Code of Federal Regulations for handling requests for access to records? (Q.1.2); Compliance: 24 of 25. Compliance questions: Has your agency established rules in the Code of Federal Regulations for amending records? (Q1.3); Compliance: 24 of 25. Compliance questions: Has your agency established rules in the Code of Federal Regulations for fees for copying records? (Q1.4); Compliance: 24 of 25. Compliance questions: Since October 1, 1998, has any court ruled that your agency violated any provision of the Privacy Act or found an employee criminally liable under the act? (Q16); Compliance: 22 of 25. Compliance questions: During fiscal years 1998-2001, did your agency review the routine use disclosures associated with each system of records to ensure that uses were compatible with the original purpose? (Q10); Compliance: 21 of 25. Compliance questions: Does your agency have procedures to ensure personnel with access to systems of records or who are engaged in developing procedures are adequately trained? (Q.5); Compliance: 20 of 25. Compliance questions: Before [new] systems become operational, does your agency have written policies or procedures for determining whether that personal information is needed?; Compliance: 17 of 25. Compliance questions: During fiscal years 1998-2001, did your agency review each system of records containing exemptions to determine whether such exemptions were still needed? (Q.13); Compliance: 19 of 24. Compliance questions: During calendar year 2001, did your agency review each ongoing matching program to help ensure the requirements of the Privacy Act and OMB guidance have been met? (Q.33); Compliance: 9 of 13. Compliance questions: Has your agency established rules of conduct for persons who are involved in operations and maintenance of records? (Q.2.2); Compliance: 16 of 24. Compliance questions: Has your agency established rules of conduct for persons involved in design and development of systems of records? (Q.2.1); Compliance: 15 of 24. Compliance questions: During fiscal year 2001, did your agency review each system of records' Federal Register notice to ensure that it accurately described the system of records? (Q.8); Compliance: 15 of 25. Source: GAO analysis of survey data. [a] There are other compliance questions that ask about agencies' Data Integrity Boards, but the questions are open ended, and the answers cannot be given a compliance rating. [End of table] Table 5 shows the questions asked on our survey of agencies' systems of records along with the calculated compliance scores.[Footnote 31] For questions that ask "how" an agency does something, we calculated compliance scores based on their responses to the multiple choice answers embedded in the question. We have included the multiple choice responses in parentheses following those questions. Table 5: Responses to System of Records Survey: Compliance questions: Since October 1, 2000, did any persons, without authorization, read, alter, disclose, or destroy any personal information in the information system? (Q.17); Compliance: 100 percent. Compliance questions: Has your agency promulgated a final rule under the Administrative Procedure Act that explains why your agency considers the exemption necessary? (Q.55); Compliance: 100 percent. Compliance questions: Has any court ruled that your agency violated any provision of the Privacy Act or found an employee criminally liable regarding this system of records? (Q.48) a; Compliance: 100 percent. Compliance questions: How does your agency ensure the personal information that is used in making a determination about an individual is complete, accurate, relevant and timely?; (do not ensure completeness, accuracy, relevance and timeliness of the information; verify with other records within the agency; verify with other federal agencies' records; verify with subject individuals; verify with state and local agencies; verify with private-sector records (e.g., banks, former employer); system of records is exempt from this requirement; no actions are taken; other (please specify); information is not used in making a determination) (Q.36); Compliance: 95 percent. Compliance questions: Is there a plan for the security and privacy of the automated information system? (Q.12); Compliance: 94 percent. Compliance questions: Are there disposition schedules for the records in this system of records? (Q.49); Compliance: 91 percent. Compliance questions: Has your agency issued a Federal Register notice containing the following information for this system of records?; (name and location of the system of records; categories of individuals covered; routine uses that apply; policies and procedures to store, retrieve, retain, and dispose of records; how individuals can find out if the system contains a record pertaining to them, ask for access to any records pertaining to them, or contest the accuracy of any records pertaining to them) (Q.2); Compliance: 89 percent. Compliance questions: Would your agency be able to account for all disclosures of individuals' records to organizations or individuals outside your agency? (Q.42); Compliance: 86 percent. Compliance questions: During fiscal years 2000 or 2001, did your agency review the performance of [a contractor operating a system of records on behalf of the agency] to help ensure that it was complying with the Privacy Act? (Q.31)b; Compliance: 85 percent. Compliance questions: During fiscal years 1998-2001, did your agency review the exemptions to determine whether these exemptions were still needed? (Q.54)b; Compliance: 85 percent. Compliance questions: During fiscal years 1999-2001, did your agency assess the threats, vulnerabilities, and effectiveness of current or proposed safeguards? (Q.13); Compliance: 82 percent. Compliance questions: For individuals who are asked to supply personal information, does your agency inform them, in writing, of the authority for requesting the information, how the information may be used, whether providing the information is mandatory or voluntary, and the consequences of not providing the information? (Q.35); Compliance: 82 percent. Compliance questions: During fiscal years 1998-2001, did your agency review the routine use disclosures to ensure they continue to be compatible with the purpose they were collected for? (Q.37); Compliance: 82 percent. Compliance questions: During fiscal year 2000 or 2001, did your agency review the Federal Register notice to ensure that it was accurate? (Q.4); Compliance: 79 percent. Compliance questions: Before disclosing records to a nonfederal organization, how does your agency ensure that the information in this system is complete, accurate, relevant, and timely?; (do not ensure completeness, accuracy, relevance and timeliness of the information; verify with other records within the agency; verify with other federal agencies' records; verify with subject individuals; verify with state and local agencies; comparison with private-sector records (e.g., banks, former employer); system of records is exempt from this requirement; no actions are taken; other (please specify) (Q.40)b; Compliance: 71 percent. Source: GAO analysis of survey data. [a] Agencies reported two systems of records where there were court rulings that the agency violated the Privacy Act. However, the table indicates 100 percent compliance because these two systems of records were not in our random sample and thus not weighted sufficiently to lower compliance below 100 percent. [b] Confidence interval of ±15 percent. [End of table] [End of section] Appendix V: Agency Views on OMB Guidance and Assistance: On our survey, agencies responded to a series of questions regarding OMB's guidance and assistance to agencies, with most ratings falling in the middle range. OMB's Overall Assistance to Agencies Was Frequently Judged "Moderately Effective": Of 24 agencies responding,[Footnote 32]11 reported that, overall, OMB's assistance on the act was "moderately effective"--that is, a "3" on a 5-point scale. Figure 5 shows the breakdown of responses. Figure 5: Agency Characterization of Overall Effectiveness of OMB Assistance: [See PDF for image] [End of figure] OMB's Written Guidance Was Frequently Judged "Mostly Complete": Sixteen agencies stated OMB's written guidance was "mostly complete"-- a "2" on a 5-point scale. Of the remaining nine agencies, seven assessed OMB's guidance lower (3 or 4), and two rated it higher as shown in the figure below. For example, one agency reported it was "mostly incomplete" and stated "Guidance [is needed] on safeguarding the security of electronic records and the application of the Privacy Act to electronic records." None rated it as "incomplete." In contrast, another agency reported the guidance was "mostly complete" and stated it was "very useful, especially the 1975 PA guidelines and the 1989 guidance on computer matching.": Figure 6: Agency Characterization of Completeness of OMB's Written Guidance: [See PDF for image] [End of figure] OMB's Responses to Agency Questions Were Frequently Judged "Moderately Timely": Ten of the 15 agencies that rated OMB's timeliness in responding to agency questions about the act chose "moderately timely" a "2" on a 4- point scale. Of the remaining 5 agencies, 4 assessed OMB's timeliness lower (3 or 4), and 1 rated it higher (1), as shown in figure 7. In comments regarding this issue, an agency official stated, "In general, greater emphasis needs to be placed on the Privacy Act by OMB. In particular, additional human resources should be devoted to fulfill OMB's responsibilities under subsection (v) of the Act, additional written guidance is needed, and oral guidance should be more readily accessible and obtainable.": Figure 7: Agency Characterization of Timeliness of OMB's Response to Questions: [See PDF for image] [End of figure] With regard to the usefulness of OMB's responses to agency questions about the Privacy Act, 8 of 15 answering the question reported that OMB's responses were "moderately useful"--a "2" on a 4-point scale, as shown in figure 8. Figure 8: Agency Characterization of Usefulness of OMB's Response to Questions: [See PDF for image] [End of figure] OMB's Assistance on Agencies' Federal Register Notices Was Frequently Judged "Moderately Timely": Under the Privacy Act, agencies' Federal Register notices for systems of records are to contain the name and location of the system of records, the routine uses of the personal information in the system, the categories of persons covered, and procedures for persons to ask for access to any records pertaining to them. We asked about the timeliness of OMB's assistance in writing Federal Register notices. Most agencies (18 of 25) did not ask for OMB assistance and thus did not answer the question. Among the 7 that did answer the question, 5 agencies reported that OMB's assistance was "moderately timely"--a "2" on the 4-point scale. (See fig. 9.): Figure 9: Agency Characterization of Timeliness of OMB's Assistance with Federal Register Notices: [See PDF for image] [End of figure] We also asked agencies to assess the usefulness of OMB's assistance in writing Federal Register notices using a 4-point extent scale, where "1" was "very useful" and "4" was "slightly or not useful." Among those seven agencies that answered the question, three reported that OMB's assistance was "moderately useful." (See fig. 10.): Figure 10: Agency Characterization of Usefulness of OMB's Assistance with Federal Register Notices: [See PDF for image] [End of figure] [End of section] Appendix VI: Agency Resources and Structure Devoted to Implementation of the Privacy Act: In response to our survey questions aimed at determining agency resources devoted to implementation of the Privacy Act, most agencies were unable to answer many of the questions. Of 25 agencies responding, 7 were able to report the number of employees in their agency who would spend half or more of their time on implementation of the act. They ranged from 3 employees each at the Department of Defense and the Office of Personnel Management (OPM) to 28 employees at the Department of Health and Human Services. Among the remaining 18 agencies, 10 reported that no employees would spend half or more of their time on implementation, and 8 agencies reported that they "do not know" how many employees in their agency would spend half or more of their time on implementation of the act. Five agencies were able to report the number of full-time equivalent (FTE) staff years spent on Privacy Act implementation. The remaining 20 agencies said it was "too difficult to estimate" how many FTE staff years they will spend on the act's implementation. We also inquired about agencies' structures for implementing the act. More than half the agencies reported having a decentralized structure to implement their Privacy Act systems of records. (See fig. 11.) "Decentralized" was defined in the survey as "Most actions under the Privacy Act are implemented at the component, bureau, or field office level." "Centralized" was defined as "Most actions under the Privacy Act are implemented at headquarters (HQ).": Figure 11: Centralization of Implementation of Privacy Act: [See PDF for image] [End of figure] The person responsible for implementing the Privacy Act was located in the office of the Chief Information Officer (CIO) at seven agencies, the General Counsel at three agencies, and Public Affairs at two agencies; the remainder were in other offices. One agency suggested that for agencies to better implement the act, "Have all Privacy Officers report to CIOs in their bureaus." Under the Paperwork Reduction Act (44 U.S.C. 3506 (a) and (g)), the agency CIO is required to be responsible for carrying out responsibilities for compliance with the Privacy Act. [End of section] Appendix VII Comments from the Office of Management and Budget: EXECUTIVE OFFICE OF THE PRESIDENT OFFICE OF MANAGEMENT AND BUDGET WASHINGTON, D.C. 20503: June 20, 2003: Mr. Joel Willemssen Managing Director Information Technology Team U.S. General Accounting Office 441 G Street, NW Washington, DC 20548: Dear Mr. Willemssen: Thank you for this opportunity to comment on the draft GAO report on Executive Branch compliance with the Privacy Act ("Privacy Act: OMB Leadership Needed to Improve Agency Compliance"). The Office of Management and Budget (OMB) welcomes GAO's review of Executive Branch compliance with the Privacy Act. We believe that GAO has taken an important first step in this review through the survey/ questionnaire that GAO sent to a number of agencies as well as the follow-up forum that GAO held with agency representatives to discuss their survey answers. The information that GAO has received through the survey and forum will be useful in identifying areas in which further research and discussion, of a more factual and specific nature, can be undertaken. In fact, OMB plans on using the survey/forum information in this manner, as the basis for a series of meetings that OMB will convene with agencies to discuss the Privacy Act. However, as we explain below, we believe that the information which GAO has collected to date is inadequate to support the draft report's broad conclusions and recommendations. Relying on the survey/forum information, the draft report claims that there is "uneven compliance" by agencies with the Privacy Act's requirements (p.12) and that "until ... compliance with the Privacy Act across government is improved, the government cannot assure the public that individual privacy rights are being protected" (p.26). See also the "What GAO Found" cover page: . "As a result of this uneven compliance, the government cannot assure that individual privacy rights are being protected." With all due respect, these statements border on the reckless and irresponsible. While it may be true that Privacy Act compliance is not perfectly consistent within the Federal Government, a lack of perfect consistency from one agency to the next should hardly be surprising when one considers that the Federal Government is composed of dozens of agencies. In addition, the draft report does not indicate whether Federal agency compliance with the Privacy Act is any more "uneven" than is agency compliance with other government-wide statutes such as the Administrative Procedure Act. Thus, pointing out that there is "uneven" compliance does not really say much. The far more important question is to what extent Federal agencies are, in fact, protecting the personal information that is contained in Privacy Act records. This is a very serious question, which deserves a very serious inquiry. The draft report purports to answer this question by strongly suggesting - in a backhanded way - that there are fundamental problems with Privacy Act compliance that imperil the privacy of personal information. How else is the reader to understand the draft report when it states (at p.26) that Federal agencies and OMB must implement the draft report's recommendations (so that "compliance with the Privacy Act across government is improved") or else the Federal Government will not be able "to assure the public that individual privacy rights are being protected"? This is a very strong claim to make, and such a claim should be based on hard evidence, or at least on a set of facts that can withstand scrutiny. The fundamental flaws in the draft report's logic become readily apparent through a careful reading of the survey/forum results and by recognizing the inherent limitations in GAO's reliance on the survey/ forum for collecting information. With respect to the survey/forum results, the draft report understates the extent of the Federal Government's protection of privacy, and overstates the claim of "uneven compliance," by making the mistake of "mixing apples and oranges" - specifically, of treating the various provisions of the Privacy Act as if they are all equally important in terms of the ultimate goal of protecting privacy. In this regard, we think that one of the most important findings in the draft report is that Federal agencies reported 100% compliance with the Privacy Act's prohibition against unauthorized disclosures of information. See draft GAO report, Appendix IV, Table 5 (p. 43) (Q.17 --agencies reported 100% compliance when asked "Since October 1, 2000, did any persons, without authorization, read, alter, disclose, or destroy any personal information in the information system?") The prohibition on disclosures, which is found in subsection (b) of the Act, is one of the Act's cornerstones. Because the Privacy Act's disclosure prohibition is a central component of the Act's overall framework for protecting privacy, we think that this 100%-compliance response should be given significant weight in evaluating the Federal Government's protection of privacy. However, this 100%-compliance figure is found nowhere in the main body of the draft report. Instead, it is mentioned only once in the whole report, in Appendix IV, Table 5. It is unclear why this figure has been buried in the appendices. (Similarly, it is unclear why, when three survey questions elicited a 100% compliance response, GAO chose to discuss in the main body of the report - as an example of a 100% response - the question that had the least immediate connection to protecting personal privacy.) [NOTE 1] Does the draft report's treatment of the 100% compliance figure for the disclosure prohibition reflect a GAO belief that the Privacy Act's disclosure prohibition is unimportant, or does it instead reflect how information is treated in a draft report when it "does not fit" with the report's conclusions and recommendations? In any event, the draft report gives no more significance to the 100% compliance with the Act's disclosure-prohibition than it gives to the 79% compliance with the question - "During fiscal year 2000 or 2001, did your agency review the Federal Register notice to ensure that it was accurate?" See draft GAO report, Appendix IV, Table 5 (p. 43) (Q.4). It should be noted that this question does not ask whether agencies believe that their Federal Register notices are accurate, but only whether the agencies reviewed the notices for accuracy in fiscal years 2000 or 2001. We think that, in any fair evaluation of the Federal Government's protection of privacy, the level of agency compliance with the Act's disclosure prohibition must be considered as far more important than whether agencies reviewed their Federal Register notices in a specific two-year period. There are several other reasons for having serious doubts about the significance of the survey/forum results, and how much weight should be placed on them. First, there is at least one internal inconsistency within the responses, and it pertains to a survey result that is discussed in the main body of the report. In the "What GAO Found" cover page at the beginning, the draft report refers to 86% of agencies being in compliance, and 14% not in compliance, with "being able to account for all disclosures of individual's records outside the agency." These results, which are also reported in Table 5 of Appendix IV (Q.42), do not seem to be consistent with the positive response of "25 of 25" agencies to the separate question "Does your agency account for disclosures of personal information outside of your agency?" Appendix IV, Table 4 (Q.3). It is not clear from the draft report how these results can be reconciled. Another problem with the survey responses involves those GAO questions that asked "how" an agency does something. The lowest percentage response in Table 5 is to a "how" question, namely, the 71 % response to the question - "Before disclosing records to a nonfederal organization, how does your agency ensure that the information in this system is complete, accurate, relevant, and timely?" (Q.40). Since "how" questions do not elicit a yes-or-no answer, the draft report explains that "For questions that ask `how' an agency does something, we calculated the compliance score based on their responses to the multiple choice answers embedded in the question." See Appendix IV, p.43. The draft report does not provide a further explanation of how GAO "calculated the compliance score," and the draft report does not enclose the multiple choice answers. In other words, the draft report leaves the reader with no choice but to accept the 71 figure. There is additional reason to doubt this 71 % figure, which is that Table 5 has a 95% "compliance score" for the agencies' responses to the related question --"How does your agency ensure the personal information that is used in making a determination about an individual is complete, accurate, relevant and timely?" (Appendix IV, Table 5, Q.36). Both questions address the issue of whether agencies maintain infonnation in a "complete, accurate, relevant, and timely" manner, but they result in GAO-calculated compliance scores of 71% and 95%. Another reason to have concerns about the "compliance" ratings in Tables 4 and 5 is that many of the questions that had the lowest ratings were framed in a very narrow manner, which asked whether each agency had undertaken a particular activity in a specific fiscal or calendar year. For example, in Table 4, "15 of 25" agencies answered "yes" to the question (Q.8) --"During fiscal year 2001, did your agency review each system of records' Federal Register notice to ensure that it accurately described the system of records?" Another example is that "20 of 25" agencies answered "yes" to the question (Q.4) - "During fiscal year 2001, did your agency review training practices to ensure personnel are familiar with the Privacy Act and other special requirements of their specific job." Another example is that "9 of 13" agencies answered "yes" to the question (Q.33) - "During calendar year 2001, did your agency review each ongoing matching program to help ensure the requirements of the Privacy Act and OMB guidance have been met.": It is not clear what conclusions, if any, should be drawn from the fact that 5 of 25 agencies said that they did not review their training practices in FY01. After all, it is entirely possible that those 5 agencies reviewed their training practices in the year before (FY00) and/or the year after (FY02). In any event, whether or not the 5 agencies reviewed their training practices - in any of those years - is a different question from whether their training practices are in fact appropriate and effective. What does it mean if an agency did not review its training practices in FY01, but those practices - if they had been reviewed - would have been found to be appropriate and effective? The same is true for the other two "review" questions noted above. In the absence of additional information, these questions and answers do not say much, if anything. And, these answers certainly do not support the draft report's broad claim that, "[ajs a result of this uneven compliance, the government cannot assure that individual privacy rights are being protected." These "review" questions and answers, which do not appear to be meaningful in isolation, do not somehow gain meaning when they are juxtaposed with other questions and answers that do have meaning, such as the 100% figure for agency compliance with the Privacy Act's disclosure prohibition. To repeat the point made earlier above, the draft report inappropriately "mixes apples and oranges" by treating every question and answer as equally significant and meaningful. The final fundamental flaw with the factual underpinnings of the draft report is the extremely limited nature and scope of the facts that GAO has actually reviewed. By relying so heavily on the results from its survey and forum, the draft report has fallen into "the numbers trap" of confusing the data that you happen to have at your fingertips with the data that is actually relevant and meaningful for evaluating an issue. The survey and forum results comprise virtually all the information that the draft report relies upon for its broad conclusions and recommendations. Two other pieces of information in the report, which are given only cursory references, are the prior reports that GAO has issued on OMB's website privacy policy and on computer security (p.8 and fn.13-15); neither of these issues directly involve the Privacy Act. There is also a reference in the draft report to a 1983 House Committee oversight report on the Privacy Act (p.9 and fn. 10); naturally, this 1983 report does not have infornation about the Federal Government's efforts for the past 20 years. Thus, in the final analysis, there is no factual material in the draft report except for the survey and forum results. It is important, therefore, to recognize all the kinds of factual information about the Privacy Act that are not found in the draft report. As an initial matter, it is significant that the draft report does not point to even a single report issued by GAO or by an Inspector General (OIG) that evaluates and finds deficiencies with any agency's compliance with the Privacy Act. This is quite remarkable. GAO and the OIGs issue reports on a daily basis in which they investigate and scrutinize Federal agencies' compliance with a wide range of their statutory responsibilities. The absence of any GAO and OIG reports on Federal agency compliance with the Privacy Act means either that (1) such reports have been issued, but GAO did not look for them, (2) such reports have not been prepared, and that is because GAO and OIGs do not consider agency compliance with the Privacy Act to be important, or (3) such reports have not been prepared, and that is because agency compliance with the Privacy Act has generally been viewed as being relatively high, and thus has not warranted GAO or OIG review. In any event, it is significant that the draft report does not point to any GAO or OIG (or congressional) reports that identify deficiencies with the Privacy Act compliance at any particular agency or program. For how many other statutes that impose government-wide requirements can that be said? The absence of any such GAO, OIG, or congressional reports undercuts the draft report's claim that, if its recommendations are not adopted, "the government cannot assure that individual privacy rights are being protected.": Similarly, the draft report does not discuss even one of the hundreds of Privacy Act decisions that Federal courts have issued during the past three decades. As these cases make clear, individuals have the right to seek judicial review of the agencies' compliance with the Privacy Act. It would not have been difficult to review the court cases, as a way of evaluating the extent to which Federal agencies are complying with their statutory responsibilities. The wide variety of legal research materials that are available (both in paper and via computer) make it easy to review the Privacy Act case law. The Justice Department had already carried out extensive research, which is contained in the 180-page Privacy Act Overview that the Department publishes and makes publicly available on-line, at http:// www.usdoj.gov/04foia/04 7 I.html. An obvious starting point for GAO would have been the Privacy Act Overview. Thus, it is remarkable that the draft report does not mention a single court case involving the Privacy Act. As with the absence of any GAO/OIG/congressional reports on specific agency or program compliance, the absence of any discussion of the court cases undercuts the draft report's claim that, if its recommendations are not adopted, "the government cannot assure that individual privacy rights are being protected.": In addition, the draft report makes no attempt to conduct an actual review of any agency's or program's compliance with the Privacy Act. One searches in vain through the draft report for the mention of any specific agency, or any specific program, or any specific system of records that is out of compliance with any of the Privacy Act's requirements. Such facts, which one would think are crucial for an evaluation of the Federal Government's success in implementing the Privacy Act, are nowhere to be found in the draft report. Again, the absence of any such facts undermines the draft report's claim that, if its recommendations are not adopted, "the government cannot assure that individual privacy rights are being protected.": Finally, the draft report does not even seek to reconcile the survey/ forum results with one of the few real-world facts that are mentioned in the report. As the draft report notes, the OMB Director on January 7, 1999, issued a memorandum that directed the heads of all Federal departments and agencies to conduct a review of their systems of records and information holdings in order to ensure that they were in compliance with the Privacy Act. (OMB Memorandum M-99-05, which is available on OMB's website, at http://www.whitehouse.gov/omb/ memoranda/m99-05.html.) This review directed each Federal agency to take the following actions, and the memorandum required senior agency officials to certify to OMB that the agency had done so: "An important way for an agency to protect individual privacy is to limit the amount of information that the agency maintains about individuals. Therefore, each agency shall review its systems of records to ensure that they contain only that information about individuals that is `relevant and necessary' to accomplish an agency purpose." (Attachment B, p.2): * "For that information which agencies do maintain, agencies must ensure the information's security and confidentiality. Therefore, each agency shall review its systems of records to ensure that safeguards in place are appropriate to the types of records and the level of security required." (p.3): * "Non-statutory disclosures created by administrative mechanisms should only be made when appropriate. Therefore, each agency shall review its `routine uses' to identify any routine uses that are no longer justified, or which are no longer compatible with the purpose for which the information was collected.": * "In order to ensure fairness to individuals they must be able to determine who has seen their records and when they were seen. Therefore, each agency should review its procedures for accounting for disclosures to ensure they are working properly." (p.4): "Groups of records which have different purposes, routine uses, or security requirements, or which are regularly accessed by different members of the agency staff, should be maintained and managed as separate systems of records to avoid lapses in security. Therefore, agencies shall ensure that their systems of records do not inappropriately combine groups of records which should be segregated. This ensures, for example, that routine uses which are appropriate for certain groups of records do not also apply to other groups of records simply because they have been placed together in a common system of records." (p.5): * "In order to exercise their rights, individuals must have access to an up-to-date statement of what types of information are maintained and for what reasons. Therefore, each agency shall conduct a review of its systems of records notices to ensure that they are up-to-date, to conform with any necessary changes identified during the review [above]." (p.5): * "In passing the Privacy Act, the Congress made a strong policy statement that in order to ensure fairness, there shall be no record keeping systems the very existence of which is secret. Therefore, each agency shall review its: operations to identify any de facto systems of records for which no system of records notice has been published. If the agency identifies any such unpublished systems of records, then the agency should publish a system of records notice for the system promptly. Agencies shall implement appropriate measures (e.g., training) to ensure that system of records are not inadvertently established, but instead are established in accordance with the notice and other requirements of the Privacy Act." (p.6): The draft report acknowledges that OMB directed the agencies to undertake this comprehensive Privacy Act compliance exercise, and the draft report notes in passing that 72 agencies submitted responses to OMB in which - in the words of the draft report (p.9) - the agencies "(1) added 131 systems of records that previously had not been properly identified, (2) revised 457 systems of records that were not up to date, and (3) deleted 288 systems of records that were no longer necessary.": However, the draft report makes absolutely no attempt to reconcile the responses to its survey/forum with the actions that agencies undertook in compliance with this comprehensive OMB-directed review of the agencies' compliance with the Privacy Act. For example, as noted above, OMB directed each agency in Fiscal Year 1999 to "review its systems of records to ensure that safeguards in place are appropriate to the types of records and the level of security required," and agencies certified to OMB that they conducted this review. However, according to Table 5 of the draft report, only 82% of the agencies answered "yes" to the survey question (Q.13) - "During fiscal years 1999-2001, did your agency assess the threats, vulnerabilities, and effectiveness of current or proposed safeguards?" GAO makes no effort to reconcile these facts. Similarly, as noted above, OMB directed each agency in FY99 to "review its `routine uses' to identify any routine uses that are no longer justified, or which are no longer compatible with the purpose for which the information was collected," and agencies certified to OMB that they conducted this review. However, according to Table 5, only 82% of the agencies answered "yes" to the survey question (Q.37) - "During fiscal years 1998-2001, did your agency review the routine use disclosures to ensure they continued to be compatible with the purposes they were collected for?" GAO makes no effort to reconcile these facts. In a similar vein, as noted above, OMB directed each agency in FY99 to "conduct a review of its systems of records notices to ensure that they are up-to-date," and agencies certified to OMB that they conducted this review. According to Table 5, only 79% of the agencies answered "yes" to the survey question (Q.4) - "During fiscal year 2000 or 2001, did your agency review the Federal Register notice to ensure that it was accurate?": These facts are not inconsistent, because the OMB review occurred in FY99, and the GAO question focused on FY00 and FY01. However, how significant is the 79% rate of conducting a notice review in FY00 and FY01 when all the agencies had been directed to conduct a notice review in the prior year (FY99)? GAO makes no effort to evaluate the significance of this compliance rate. In sum, by relying entirely on the results from its survey and forum, GAO has not taken into consideration, or even acknowledged in the report, all the other factual material that is relevant to and necessary for carrying out a serious evaluation of the Federal Government's implementation of the Privacy Act. Moreover, for the reasons discussed above, the survey/forum results are fundamentally flawed, both when considered in isolation and when considered in a broader factual context. As a result, we believe that the draft report's conclusion - namely, that, if its recommendations are not adopted, "the government cannot assure that individual privacy rights are being protected" - lacks a solid factual foundation and therefore borders on the reckless and irresponsible. Having spent so much time addressing the report's factual analysis and conclusions, we will spend only a brief moment addressing the report's draft recommendations. As the title of the draft report indicates, GAO staff believe that "OMB Leadership" is "Needed to Improve Agency Compliance" with the Privacy Act. Since, for the reasons above, it is not clear that there is a problem with agency compliance (as opposed to GAO's review methodology), it is not clear what actions OMB should take to "improve agency compliance." The recommendations themselves are extremely vague in this regard, perhaps owing to the draft report's failure to pinpoint any real-world compliance problems. The draft report does not point to any specific "deficiencies in compliance" with reference to any particular agencies or programs (in this regard, the agencies' responses, for what they are worth, have been withheld from OMB). Thus, it is difficult to understand how OMB is supposed to "direct agencies to correct the deficiencies in compliance" or "oversee agency implementation of actions needed to correct these deficiencies" (p.27). The other recommendations are equally nebulous. For example, the draft report recommends that OMB "assess the need for specific changes to OMB guidance" (p.27), even though the draft report does not actually identify a single deficiency in any of the Privacy Act guidance that OMB has issued, or that the Justice Department has provided in its Privacy Act Overview, or that the courts have provided in their decisions.[NOTE 2] In this regard, while the draft report notes that some agencies had complaints about the adequacy of OMB's written guidance, most agencies found it "mostly complete".[NOTE 3](Appendix V, Figure 6, p. 46) Again, the draft report makes no attempt to reconcile these contrary views regarding the guidance. The fact that different agencies could view OMB's guidance in sharply different ways argues against drawing any firm conclusions from the survey/forum results in the absence of additional information. Our final comment concerns GAO's interactions with OMB during GAO's collection of infornation and preparation of the draft report. GAO routinely asks OMB to provide GAO with information, including through interviews, on a wide range of topics, many of which do not directly relate to OMB but instead are really a review of another agency's activities. During the past year, OMB has responded to dozens of GAO inquiries. Some of them, concerning such OMB activities as the Paperwork Reduction Act, Regulatory Review, E-Government initiatives, and the Program Assessment Rating Tool (PART) have involved in-depth GAO reviews of OMB's activities. In all those cases, GAO initiated a fonnal review with OMB and requested the opportunity to interview OMB staff. GAO's conduct in conducting this Privacy Act review was very different, and in fact was unprecedented in our experience. During the many months of its preparation of this draft report, GAO never initiated a formal review with OMB and never requested the opportunity to interview OMB staff. In other words, it appears to us that GAO staff made no serious attempt to obtain OMB's perspective on agency compliance with the Privacy Act and on the adequacy of OMB's guidance to agencies. GAO did provide OMB the opportunity to comment on draft materials, such as this draft report and last fall's draft briefing slides, but providing us with an opportunity to comment on materials that GAO has already prepared is far different than requesting information from us to incorporate into GAO's review. OMB staff raised on several occasions the concerns that are outlined above, and they repeatedly pointed out to GAO staff that the scope of its factual review was too narrow and that GAO needed to follow-up the survey and forum results by collecting further information. OMB staff invited GAO to conduct a review of OMB's activities, during which OMB could address the concerns that agencies had raised in the survey/forum about OMB's guidance. GAO declined this invitation to conduct a review of OMB's activities, and GAO staff did not pursue the concerns and issues that OMB raised. OMB has also informed GAO staff of our more recent work in privacy, including the reinstatement of an interagency Privacy Committee, and OMB's process of drafting guidance to agencies on implementation of section 208 of the E-government Act of 2002. OMB also recently held an open forum on privacy, where GAO staff were present, and two agencies publicly praised OMB's leadership in the area of privacy. In closing, we want to reaffirm that OMB takes seriously its responsibilities to provide guidance to the agencies and oversee their implementation of the Privacy Act. We would welcome a careful and thoughtful GAO report that identifies real-world problems with agency compliance in particular agencies and programs (or that identified specific problems with OMB's guidance) and that provides concrete recommendations for how OMB and/or the agencies could correct these problems. However, the draft report does not provide that careful and thoughtful analysis. As noted at the beginning, we will be convening a series of meetings with the agencies to follow-up on the issues that they raised in the survey/forum results. Thank you again for this opportunity to comment on the draft report. Sincerely, Signed by: Mark Forman Administrator Office of E-Government and Information Technology: John D. Graham, Administrator: Office of Information and Regulatory Affairs: Enclosures: NOTES: [1] In the main report, GAO discussed the 100% compliance figure for the question "Has you agency promulgated a final rule under the Administrative Procedure Act that explains why your agency considers the exemption necessary?" See the "What GAO Found" cover page, and pp. 3 and 12 of the main report; see also Appendix IV, Table 5 Q.55. The third question with a 100% compliance response was "Has any court ruled that your agency violated any provision of the Privacy Act or found an employee criminally liable regarding this system of records?" See Appendix IV, Table 5, Q.48. This question, like the disclosure- prohibition question, is mentioned only in Appendix IV, and not in the main body of the report. [2] We have enclosed two complete sets of copies of the Privacy Act guidance that OMB has issued, as well as two complete copies of the Justice Departments' Privacy Act Overview. We request that GAO include a complete copy of the OMB and DOJ guidance in GAO's response to the congressional requester. [3] In fact, based on materials that GAO prepared last fall, one of the agencies that considered OMB's guidance to be "very useful" and "mostly complete" was the Defense Department, which had nearly one-half (1,156) of the 2,443 systems of records in GAO's survey (Draft Briefing Slides, 10/08/02, pp. 29, 45). GAO Comments: 1. We disagree with OMB that the statements made in our report "border on the reckless and irresponsible." Our survey results represent 25 departments' and agencies' compliance with a broad range of Privacy Act provisions. These 25 cover a broad cross section of small, medium, and large departments and agencies. In most cases, agencies' Privacy Act officers--who had an average of 8 years of experience in that position- -responded to our survey of agencywide practices; we achieved a 100 percent response rate on this survey. Our survey concerning a sample representing a population of 2,400 systems of record was completed by the person the agency deemed as most knowledgeable of that system of records; we achieved a 96 percent response rate. These surveys are extremely comprehensive and were developed over many months with assistance from agency privacy officials. Moreover, to help verify the accuracy of agencies' answers related to compliance, we randomly selected a sample of agency responses to the surveys and asked officials to provide documentation or additional narrative explanations to support their answers. We then invited key senior Privacy Act officials from all 25 agencies to discuss their responses at an all-day forum, where they had a chance to provide additional context for us before the preparation of the draft report. Overall, we consider this report to be a comprehensive and accurate source of information on agencies' implementation of the Privacy Act. 2. We disagree that our draft report, by treating the various provisions of the act as equally important, understates the extent of agency privacy protections. In passing the Privacy Act, Congress enacted a framework designed to protect personal privacy. Accordingly, we based our conclusions on the results of a comprehensive analysis of agency compliance with a broad range of requirements. As OMB suggests, we added to the body of our report a statement that agencies reported 100 percent compliance with our question concerning unauthorized access or disclosure of personal information contained in information systems. However, this response should not be interpreted as meaning that agencies fully complied with the Privacy Act's prohibitions against unauthorized disclosures. The question OMB cites is focused on information security controls for protecting personal information contained in information systems--which would not include the estimated 31 percent of systems of records that were exclusively paper records. Further, in response to another question, agencies acknowledged that in an estimated 21 percent of their systems of records, they did not have the means to detect unauthorized intrusions into their information systems, drawing into question whether agencies have adequate means to determine whether or not there have been unauthorized disclosures. As discussed in our report, we have reported extensive weaknesses in information security across government. 3. We disagree that there is inconsistency between the survey responses on accounting for disclosures. The two questions asked were similar, but not identical. Therefore, there should be no expectation that the results would be identical. In our agency survey, we asked agencies a general question on whether they account for disclosures outside the agency for all systems of records. In the system of records survey, we asked agencies about their ability to account for all disclosures for a specific system of records that we randomly selected from the population. 4. Regarding our questions on maintaining complete, accurate, and relevant information, there are again major differences in these two questions that explain the differing results. One question asks how agencies maintain complete, accurate, and relevant information for internal agency determinations about an individual, while the other asks how this is done when providing information to a nonfederal organization. We do, however, agree with OMB that the readers of our report should see the multiple-choice answers that agencies could choose from in answering these questions and on which our compliance results are based. We have added them to the report. 5. Regarding OMB's concerns about questions that ask about particular activities undertaken in specific time frames, we note that these questions were directly derived from OMB's guidance to agencies. For example, we derived the question concerning reviews of Federal Register notices regarding systems of records directly from OMB's guidance. We support OMB in believing that such reviews help ensure that the public is informed of the existence and uses of systems of records and is thus able to access and amend records if necessary. 6. We agree with OMB regarding the question concerning review of training practices in fiscal year 2001. We removed this question from the report. 7. We disagree with OMB that there is a fundamental flaw in the draft report resulting from what is described as "the extremely limited nature and scope of the facts that GAO has actually reviewed." Our survey results represent 25 departments' and agencies' compliance with a broad range of Privacy Act provisions. Our surveys are extremely comprehensive, were developed over many months with assistance from agency privacy officials, and represent the population of 2,400 systems of records covering a broad cross section of small, medium, and large departments and agencies. Moreover, to help verify the accuracy of agencies' answers related to compliance, we randomly selected a sample of agency responses to the surveys and asked officials to provide documentation or additional narrative explanations to support their answers. We then invited key senior Privacy Act officials from all 25 agencies to discuss their responses at an all-day forum where they had a chance to provide additional context for us before the preparation of the draft report. Again, we consider this report to be a comprehensive and accurate source of information on agencies' implementation of the Privacy Act. 8. One of the first steps that we took when beginning this review of the Privacy Act was to contact agency Inspectors General for reports on the act. We found only a few reports, which were of limited scope. In addition, we acknowledge that GAO has not performed a comprehensive review of the Privacy Act in many years. However, as discussed in the draft report, we have issued reports over the past 3 years that raised concerns with the adequacy of selected OMB guidance concerning privacy. These reports contain outstanding recommendations to strengthen guidance, which OMB has not yet implemented. 9. One of the first steps we took when beginning this review was to examine the Privacy Act Overview from the Department of Justice and to meet with the Justice officials who prepared the overview. We used the overview, court decisions, and our interview with Justice officials to help frame some of the survey questions. However, a detailed analysis of these cases was not within the scope of our review nor necessary to address the objectives of our study. OMB appropriately pointed out that the individuals involved have the right to seek judicial review of agencies' compliance with the act; we discuss this point in the background section of our report. 10. In doing this work, our intention was to depict a governmentwide picture of agency compliance with the Privacy Act and OMB guidance. Although we present these results in the aggregate, they are based on reviews of 24 individual agencies and a representative sample of 2,400 systems of records. We will be providing OMB officials with additional details so that they can follow up with the specific agencies involved and ensure that deficiencies are corrected. 11. OMB's 1999 review did not require agencies to review all systems of records. Instead, OMB directed agencies to focus on "…the most probable areas of out-of-date information, so that reviews will have the maximum impact in ensuring that system of records notices remain accurate and complete." The difference in the scope of OMB's review (selective) and ours (random sample) explains why agencies reported different results. 12. OMB commented that our draft report does not make clear what actions they should take because it does not point to any specific "deficiencies in compliance" at specific agencies or programs. The draft report contains specific compliance findings related to a broad range of Privacy Act requirements. As previously discussed, this information is presented in aggregate form; we will be providing additional details to help OMB in its improvement efforts. Regarding OMB guidance, the draft report identifies many of the specific deficiencies that agencies noted. We did not include the detailed deficiencies that agencies identified in response to OMB's January 1999 memorandum because OMB already had this information. Other specific deficiencies from our survey were previously shared with OMB officials. Nevertheless, we will be providing OMB officials with all the additional details on the specific deficiencies in OMB guidance that agencies identified in both the OMB and the GAO studies. 13. We disagree with OMB's comment that we never initiated a formal review with OMB, never requested the opportunity to interview OMB staff, and declined an invitation to review OMB activities. Consistent with GAO policy, we held an entrance conference with OMB on May 30, 2001, to initiate this review. At that meeting, we interviewed the key OMB officials who have Privacy Act responsibilities and asked them questions covering every aspect of this engagement. During the course of our review, we offered to share drafts of our surveys with OMB officials to obtain their views and suggestions; they declined this opportunity. Since then we have been in frequent communication with OMB privacy officials to keep them apprised of our progress and, as OMB's comment acknowledges, shared with them the draft briefing slides that contained the interim results from our surveys. We met with them to discuss the briefing slides on November 14, 2002, and January 7, 2003. Consistent with GAO policy, we also held an exit conference on April 3, 2003, to share our preliminary results and conclusions with OMB. At that meeting, OMB officials provided us with oral comments and stated that they would provide us with additional comments in writing; these written comments were not provided. As we began summarizing the results from our surveys and forum, we had several conversations with OMB officials, including a meeting on May 28, 2003, to discuss their concerns about our methodology and preliminary findings; many of the concerns were addressed as we drafted the final report. Overall, OMB had many opportunities to provide us with additional evidence to support its view that our results and conclusions were inaccurate; however, it provided little additional information except to take issue with our study approach. In addition, we note that although we informed OMB of our survey approach early in our study, it chose to take issue with the approach only after we had obtained results. [End of section] Appendix VIII: GAO Contact and Staff Acknowledgments: GAO Contact: Alan Stapleton, (202) 512-3418: Staff Acknowledgments: In addition to the person named above, Bill Bates, Barbara Collier, Robert Crocker, John Dale, Neil Doherty, Wilfred Holloway, William Isrin, Michael Jarvis, Tuong-Vi La, Alison Martin, Luann Moy, David Noone, David Plocher, Mark Ramage, Terry Richardson, Theresa Roberson, and Warren Smith made key contributions to this report. (310358): FOOTNOTES [1] Under the Privacy Act, personal information is all information associated with an individual and includes both identifying information and nonidentifying information. Identifying information, which can be used to locate or identify an individual, includes name, aliases, social security number, E-mail address, driver's license identification number, and agency-assigned case number. Nonidentifying personal information includes age, education, finances, criminal history, physical attributes, and gender. [2] A system of records is a collection of information about individuals under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other particular assigned to the individual. [3] We use the term "agency" in this report to refer to executive departments such as the Department of Justice as well as independent agencies such as the Office of Personnel Management (OPM). [4] We used three surveys to obtain information on the following areas (see app. I): the first addressed agencywide practices, and the second addressed systems of records; these two surveys addressed characteristics of systems of records and compliance with the act and related OMB guidance. The third survey focused on information technology projects; for these, we obtained information on systems containing personal information not subject to the act's protections. All percentage estimates in this report have confidence intervals of ±10 percentage points or less (unless otherwise noted) at the 95 percent confidence level. In other words, if all the systems of records in our population had been in the second survey, the chances are 95 out of 100 that the result obtained would not differ from our sample estimate by more than ±10 percentage points. [5] Figures do not add to 100 percent due to rounding. [6] Under the act, a routine use is a disclosure of personal information outside the agency maintaining the information that the agency determines is compatible with the purpose for which it was collected. [7] A cookie is a short string of text that is sent from a Web server to a Web browser when the browser accesses a page. Certain types of cookies may pose privacy risks because they may be used to track individuals' browsing habits and keep track of viewed and downloaded pages. [8] Public Law 105-277, Div. C, tit. XVII. [9] 44 U.S.C. 3603, Public Law 107-347 (Dec. 17, 2002). [10] House Report No. 98-455. [11] The President also directed OMB to summarize the results of the agency reviews. OMB officials stated that they did not do so. However, the OMB official who is responsible for overseeing the Privacy Act stated that the Presidential initiative did result in OMB urging agencies to include privacy impact assessments when preparing their budget Exhibit 300 submissions for information technology purchases. She also stated that a similar requirement for privacy impact assessments was subsequently enacted into law (P.L. 107-347). [12] OMB Memorandum M-99-05 (Jan. 7, 1999). [13] Internet Privacy: Agencies' Efforts to Implement OMB's Privacy Policy, GAO/GGD-00-191 (Washington, D.C.: Sept. 5, 2000). [14] Internet Privacy: Implementation of Federal Guidance for Agency Use of Cookies, GAO-01-424 (Washington, D.C.: Apr. 27, 2001). [15] Information Security: Progress Made, but Challenges Remain to Protect Federal Systems and the Nation's Critical Infrastructures, GAO- 03-564T (Washington, D.C.: Apr. 8, 2003). [16] Title III of the E-Gov Act (P.L. 107-347). [17] E-government refers to the use of technology, particularly Web- based Internet applications, to enhance the access to and delivery of government information and services to citizens, business partners, employees, other agencies, and other entities. [18] National Institute of Standards and Technology, Security Self- Assessment Guide for Information Technology Systems, NIST Special Publication 800-26 (November 2001). [19] Figures do not add to 100 percent due to rounding. [20] Pay.gov is a service developed by Treasury's Financial Management Service that can be used by other federal agencies to allow customers to make payments electronically through the Internet. The service also includes payment-related functions, such as authenticating users and reporting back to agencies about transactions that have transpired. [21] The primary purpose of the Intra-Governmental Payment and Collection System is to provide a standardized interagency fund transfer mechanism for federal program agencies. [22] Computer matching is the identification of similarities or dissimilarities in data found in two or more computer files. However, many computer matches fall outside the act, such as matches performed to produce aggregate statistical data without any personal identifiers and matches performed to support any research or statistical project. According to OMB guidance, such data may not be used to make decisions concerning the rights, benefits, or privileges of specific individuals. (Dec. 20, 2000, memorandum from the Director, OMB, to the heads of executive departments and agencies, Guidance on Inter-Agency Sharing of Personal Data--Protecting Personal Privacy.) [23] Agencies reported two incidents. However, these two incidents were not in our random sample and thus not weighted sufficiently to lower compliance below 100 percent, as shown in appendix IV. [24] According to OMB guidance, the act only covers individuals acting in a personal capacity rather than acting in a business capacity (e.g., as entrepreneurs). The guidance states "Agencies should examine the content of the records in question to determine whether the information being maintained is, in fact, personal in nature. A secondary criterion in deciding whether the subject of an agency file is, for purposes of the act, an individual, is the manner in which the information is used: i.e., is the subject dealt with in a personal or entrepreneurial role." Privacy Act Implementation: Guidelines and Responsibilities, Federal Register, vol. 40, no. 132 (July 9, 1975). [25] The Computer Matching Act requires that a benefit/cost analysis be part of an agency's decision to conduct or participate in a matching program. However, the act authorizes the agency Data Integrity Boards to waive this requirement in certain circumstances. [26] U.S. General Accounting Office, Internet Privacy: Agencies' Efforts to Implement OMB's Privacy Policy, GAO/GGD-00-191 (Washington, D.C.: Sept. 5, 2000); Internet Privacy: Implementation of Federal Guidance for Agency Use of Cookies, GAO-01-424 (Washington, D.C.: Apr. 27, 2001). [27] The 95 percent confidence interval of the estimated 11 percent is from 6 percent to 19 percent. The corresponding total estimate of 83 has a confidence interval of 44 to 139. [28] Title III of the E-Gov Act (P.L. 107-347). [29] The 17 agencies that had prepared budget Exhibit 53s were (1) Agriculture, (2) Commerce, (3) Defense, (4) Education, (5) Energy, (6) Health and Human Services, (7) Interior, (8) Justice, (9) Housing and Urban Development, (10) Labor, (11) State, (12) Transportation, (13) Treasury, (14) VA, (15) FEMA, (16) OPM, and (17) SSA. [30] Public Law 107-347 (Dec. 17, 2002). Among other things, this act seeks to expand the delivery of government services through greater use of the Internet and computer resources. [31] For some compliance questions, a sufficient number of agencies did not respond at a rate that allows us to be 95 percent confident that the true value is within ±10 percentage points of estimated percentages. Unless otherwise noted, we deleted those questions from our analysis and from the table. [32] One agency did not respond to this question. GAO's Mission: The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: