This is the accessible text file for GAO report number GAO-08-536 
entitled 'Privacy: Alternatives Exist for Enhancing Protection of 
Personally Identifiable Information' which was released on June 18, 
2008.

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 
GAO: 

May 2008: 

Privacy: 

Alternatives Exist for Enhancing Protection of Personally Identifiable 
Information: 

GAO-08-536: 

GAO Highlights: 

Highlights of GAO-08-536, a report to congressional requesters. 

Why GAO Did This Study: 

The centerpiece of the federal government’s legal framework for privacy 
protection, the Privacy Act of 1974, provides safeguards for 
information maintained by federal agencies. In addition, the E-
Government Act of 2002 requires federal agencies to conduct privacy 
impact assessments for systems or collections containing personal 
information. 

GAO was asked to determine whether laws and guidance consistently cover 
the federal government’s collection and use of personal information and 
incorporate key privacy principles. GAO was also asked, in doing so, to 
identify options for addressing these issues. 

To achieve these objectives, GAO analyzed the laws and related 
guidance, obtained an operational perspective from federal agencies, 
and consulted an expert panel convened by the National Academy of 
Sciences. 

What GAO Found: 

Increasingly sophisticated ways of obtaining and using personally 
identifiable information have raised concerns about the adequacy of the 
legal framework for privacy protection. Although the Privacy Act, the E-
Government Act, and related guidance from the Office of Management and 
Budget set minimum privacy requirements for agencies, they may not 
consistently protect personally identifiable information in all 
circumstances of its collection and use throughout the federal 
government and may not fully adhere to key privacy principles. Based on 
discussions with privacy experts, agency officials, and analysis of 
laws and related guidance, GAO identified issues in three major areas: 

Applying privacy protections consistently to all federal collection and 
use of personal information: The Privacy Act’s definition of a “system 
of records” (any grouping of records containing personal information 
retrieved by individual identifier), which sets the scope of the act’s 
protections, does not always apply whenever personal information is 
obtained and processed by federal agencies. One alternative to address 
this concern would be revising the system-of-records definition to 
cover all personally identifiable information collected, used, and 
maintained systematically by the federal government. 

Ensuring that collection and use of personally identifiable information 
is limited to a stated purpose: According to generally accepted privacy 
principles of purpose specification, collection limitation, and use 
limitation, the collection of personal information should be limited, 
and its use should be limited to a specified purpose. Yet, current laws 
and guidance impose only the modest requirements in these areas. While, 
in the post-9/11 environment, the federal government needs better 
analysis and sharing of certain personal information, there is general 
agreement that this need must be balanced with individual privacy 
rights. Alternatives to address this area of concern include requiring 
agencies to justify the collection and use of key elements of 
personally identifiable information and to establish agreements before 
sharing such information with other agencies. 

Establishing effective mechanisms for informing the public about 
privacy protections: Another key privacy principle, the principle of 
openness, suggests that the public should be informed about privacy 
policies and practices. Yet, Privacy Act notices may not effectively 
inform the public about government uses of personal information. For 
example, system-of-records notices published in the Federal Register 
(the government’s official vehicle for issuing public notices) may be 
difficult for the general public to fully understand. Layered notices, 
which provide only the most important summary facts up front, have been 
used as a solution in the private sector. In addition, publishing such 
notices at a central location on the Web would help make them more 
accessible. 

What GAO Recommends: 

To address the issues identified by GAO, Congress should consider 
revising privacy laws in accordance with the alternatives outlined in 
the report. While OMB could address some of these issues in its 
guidance to federal agencies, Congress is ultimately responsible for 
balancing the needs of government and individual privacy rights. OMB 
commented that the Congress should consider these alternatives in the 
broader context of all privacy and related statutes. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-536]. For more 
information, contact Linda Koontz at (202) 512-6240 or koontzl@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

The Privacy Act and E-Government Act Do Not Always Provide Protections 
for Federal Uses of Personal Information: 

Laws and Guidance May Not Effectively Limit Agency Collection and Use 
of Personal Information to Specific Purposes: 

The Privacy Act May Not Include Effective Mechanisms for Informing the 
Public: 

Conclusions: 

Matter for Congressional Consideration: 

Agency Comments and Our Evaluation: 

Appendix I: Objective, Scope, and Methodology: 

Appendix II: National Academy of Sciences Expert Panel Participants: 

Appendix III: Privacy Act Exemptions and Exceptions to the Prohibition 
Against Disclosure without Consent of the Individual: 

Appendix IV: OMB Privacy Guidance: 

Appendix V: Comments from the Office of Management and Budget: 

Appendix VI: GAO Contact and Staff Acknowledgments: 

Related GAO Products: 

Tables: 

Table 1: The Fair Information Practices: 

Table 2: Major Federal Laws That Address Federal Agency Use of Personal 
Information: 

Table 3: Recent OMB Guidance on the Protection of Personally 
Identifiable Information: 

Table 4: Sample Descriptions from Five Agencies of a Standard Routine 
Use for Hiring or Retention of an Individual or the Issuance of a 
Security Clearance, Contract, Grant, or Other Benefit: 

Table 5: Privacy Act Provisions Agencies May Claim an Exemption under 
Subsection (k): 

Table 6: Privacy Act Provisions from Which Agencies May Not Claim 
Exemptions: 

Abbreviations: 

ADVISE: Analysis Dissemination Visualization Insight and Semantic 
Enhancement: 

CBP: Customs and Border Protection: 

CIPSEA: Confidential Information Protection and Statistical Efficiency 
Act: 

DHS: Department of Homeland Security: 

DOJ: Department of Justice: 

DOT: Department of Transportation: 

FBI: Federal Bureau of Investigation: 

FISMA: Federal Information Security Management Act: 

HHS: Department of Health and Human Services: 

HIPAA: Health Insurance Portability and Accountability Act of 1996: 

IRS: Internal Revenue Service: 

ISPAB: Information Security and Privacy Advisory Board: 

NAS: National Academy of Sciences: 

NIST: National Institute of Standards and Technology: 

NRC: National Research Council: 

OCED: Organization for Economic Cooperation and Development: 

OMB: Office of Management and Budget: 

PIA: privacy impact assessment: 

PPSC: Privacy Protection Study Commission: 

PRA: Paperwork Reduction Act: 

SSA: Social Security Administration: 

TSA: Transportation Security Administration: 

[End of section] 

United States Government Accountability Office:
Washington, DC 20548: 

May 19, 2008: 

Congressional Requesters: 

The increasingly sophisticated ways in which personally identifiable 
information[Footnote 1] is obtained and used by the federal government 
has the potential to assist in performing critical functions, such as 
preventing terrorism, but also can pose challenges in ensuring the 
protection of citizens' privacy. In this regard, concerns have been 
raised that the framework of legal mechanisms for protecting personal 
privacy that has been developed over the years may no longer be 
sufficient, given current practices. 

Federal agency use of personal information is governed primarily by the 
Privacy Act of 1974 and the E-Government Act of 2002.[Footnote 2] The 
Privacy Act of 1974 serves as the major mechanism for controlling the 
collection, use, and disclosure of personally identifiable information 
within the federal government. The act provides safeguards for 
information in a system of records (any grouping of records containing 
personal information retrieved by individual identifier) maintained by 
a federal agency. The act also allows citizens to learn how their 
personal information is collected, maintained, used, and disseminated 
by the federal government. As a result of the act's requirements, the 
public has benefited from privacy protections applied to countless 
government systems of records. 

The E-Government Act of 2002 strives to enhance protection of personal 
information in government information systems by requiring that 
agencies conduct privacy impact assessments (PIA).[Footnote 3] This 
provision has led to the preparation of many PIAs that provide in-depth 
discussions of protections for personally identifiable information 
maintained in automated systems. 

The Office of Management and Budget (OMB) is charged with ensuring 
implementation of the PIA requirement and the Privacy Act by federal 
agencies and is also responsible for providing guidance to agencies. In 
1975, OMB issued Privacy Act Implementation Guidelines. Since that 
time, it has provided periodic supplemental guidance related to privacy 
on specific subjects. 

The provisions of the Privacy Act are largely based on a set of 
principles for protecting the privacy and security of personal 
information, known as the Fair Information Practices, which were first 
proposed in 1973 by a U.S. government advisory committee.[Footnote 4] 
These principles, now widely accepted, include: 

* collection limitation; 
* data quality; 
* purpose specification; 
* use limitation; 
* security safeguards; 
* openness; 
* individual participation, and; 
* accountability.[Footnote 5] 

These principles, with some variation, are used by organizations to 
address privacy considerations in their business practices and are also 
the basis of privacy laws and related policies in many countries, 
including the United States, Germany, Sweden, Australia, and New 
Zealand, as well as the European Union. 

Since enactment of the Privacy Act nearly 35 years ago, both the 
techniques employed by the federal government to obtain and process 
personally identifiable information and the technology used to support 
its collection, maintenance, dissemination, and use have changed 
dramatically. Advances in information technology have enabled agencies 
to more easily acquire, analyze, and share personally identifiable 
information from a variety of sources in increasingly diverse ways and 
for increasingly sophisticated purposes. 

Given the advances in technology used to process, store, share, and 
manipulate personal information, you asked us to identify major issues 
regarding whether the Privacy Act of 1974, the E-Government Act of 
2002, and related guidance consistently cover the federal government's 
collection and use of personal information and incorporate key privacy 
principles. Our objective was not focused on evaluating compliance with 
these laws; rather, it was to identify major issues concerning their 
sufficiency in light of current uses of personal information by the 
federal government. You also asked us to identify options for 
addressing these issues. 

To address our objective, we analyzed the Privacy Act of 1974, section 
208 of the E-Government Act, and related guidance to identify any 
inconsistencies or gaps in the coverage of these laws as they apply to 
uses of personal information by federal agencies. We also compared 
these laws and related guidance with the fair information practices to 
identify any significant gaps, including assessing the role of the 
Paperwork Reduction Act (PRA) in protecting privacy by limiting 
collection of information. We obtained an operational perspective on 
the sufficiency of these laws from six departments and agencies with 
large inventories of information collections, prominent privacy issues, 
and varied missions: the Departments of Health and Human Services 
(HHS), Homeland Security (DHS), Justice (DOJ), and Transportation 
(DOT); the Internal Revenue Service (IRS); and the Social Security 
Administration (SSA). We also obtained expert perspective on key issues 
through use of an expert panel, convened for us by the National Academy 
of Sciences (NAS). A full description of our objective, scope, and 
methodology can be found in appendix I. In addition, the names of 
privacy experts participating in the NAS expert forum can be found in 
appendix II. 

We conducted this performance audit from March 2007 to May 2008 in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

Results in Brief: 

Although the Privacy Act, the E-Government Act, and related OMB 
guidance set minimum requirements for agencies, they may not 
consistently protect personally identifiable information in all 
circumstances of its collection and use throughout the federal 
government and may not fully adhere to key privacy principles. Based on 
discussions with privacy experts, agency officials, and analysis of 
laws and related guidance, we identified issues in three major areas: 

Applying privacy protections consistently to all federal collection and 
use of personal information. The Privacy Act's definition of a "system 
of records" (any grouping of records containing personal information 
retrieved by individual identifier), which sets the scope of the act's 
protections, does not always apply whenever personal information is 
obtained and processed by federal agencies. For example, if agencies do 
not retrieve personal information by identifier, the act's protections 
do not apply. Our 2003 report concerning compliance with the Privacy 
Act found that among the agencies surveyed, the most frequently cited 
reason for systems not being considered Privacy Act systems of records 
was that the agency did not use a personal identifier to retrieve the 
information.[Footnote 6] Further, recent OMB guidance reflects an 
acknowledgement that, although personally identifiable information does 
not always reside in Privacy Act systems of records, it should 
nevertheless be protected. In addition, as we previously reported, 
[Footnote 7] federal agencies have not always implemented Privacy Act 
requirements because they did not clearly apply to their use of 
personal information from information resellers. Factors such as these 
have led experts to agree that the Privacy Act's system-of-records 
construct is too narrowly defined. The E-Government Act's privacy 
provisions, in contrast, apply more broadly; however, the E-Government 
Act does not include the specific constraints on how information is to 
be collected, maintained, and shared that are included in the Privacy 
Act nor does it address federal rulemaking, in which federal agencies 
can influence how other entities, including state and local government 
agencies, collect and use personal information. Alternatives for 
addressing these issues could include revising the system-of-records 
definition to cover all personally identifiable information collected, 
used, and maintained systematically by the federal government, and 
revising the E-Government Act's scope to cover federal rulemaking. 

Ensuring that collection and use of personally identifiable information 
is limited to a stated purpose. According to the purpose specification, 
collection limitation, and use limitation principles, the collection of 
personal information should be limited, and its use should be limited 
to a specified purpose. Yet, current laws and guidance impose only 
modest requirements for describing the purposes for collecting and 
using personal information and limiting how that information is 
collected and used. For example, agencies are not required to be 
specific in formulating purpose descriptions in their public notices. 
While purpose statements for certain law enforcement and anti-terrorism 
systems might need to be phrased broadly enough so as not to reveal 
investigative techniques or the details of ongoing cases, overly 
broadly defined purposes could allow for unnecessarily broad 
collections of information and ranges of subsequent uses, thus calling 
into question whether meaningful limitations had been imposed. 

Laws and guidance also may not effectively limit the collection of 
personal information. For example, the Privacy Act's requirement that 
information be "relevant and necessary" gives broad latitude to 
agencies in determining the amount of information to collect. Under 
these criteria, agency officials do not have specific requirements for 
justifying how much information to collect. Without establishing more 
specific requirements for justifying information collections, it may 
difficult to ensure that agencies limit collection of personal 
information to what is relevant and necessary. 

In addition, mechanisms to limit use to a specified purpose may be 
weak. For example, the Privacy Act does not limit agency internal use 
of information, as long as it is needed for an official purpose. 
Recognizing that information sharing is critically important to certain 
government functions such as homeland security and anti-terrorism, it 
has also been established that protecting privacy in these functions is 
an equally important goal. However, the Privacy Act does not include 
provisions addressing external sharing with other entities to ensure 
that the information's new custodians preserve the act's protections. 

Examples of alternatives for addressing these issues include setting 
specific limits on routine uses and use of information within agencies 
to include more specific limits, requiring agencies to limit collection 
of personally identifiable information and to explain how such 
collection has been limited in privacy notices, and requiring agencies 
to establish formal agreements with external governmental entities 
before sharing personally identifiable information with them. 

Establishing effective mechanisms for informing the public about 
privacy protections. According to the openness principle, the public 
should be informed about privacy polices and practices, and the 
accountability principle calls for those who control the collection or 
use of personal information to be held accountable for taking steps to 
ensure privacy protection. Public notices are a primary means of 
establishing accountability for privacy protections and giving 
individuals a measure of control over the use of their personal 
information. Yet concerns have been raised that Privacy Act notices may 
not serve this function well. Although the Federal Register is the 
government's official vehicle for issuing public notices, critics have 
questioned whether system-of-records notices published in the Federal 
Register effectively inform the public about government uses of 
personal information. Among others, options for addressing concerns 
about public notice could include setting requirements to ensure that 
purpose, collection limitations, and use limitations are better 
addressed in the content of privacy notices, and revising the Privacy 
Act to require that all notices be published on a standard Web site, 
such as [hyperlink, http://www.privacy.gov]. 

Some of these issues--particularly those dealing with limitations on 
collection and use as well as mechanisms for informing the public-- 
could be addressed by OMB through revisions or supplements to guidance. 
However, unilateral actions by OMB would not have the benefit of public 
deliberations regarding how best to achieve an appropriate balance 
between the government's need to collect, process, and share personally 
identifiable information and the rights of individuals to know about 
such collections and be assured that they are only for limited purposes 
and uses. In assessing such a balance, Congress should consider 
amending applicable laws, such as the Privacy Act and the E-Government 
Act, according to the alternatives outlined in this report, including: 

* revising the scope of the laws to cover all personally identifiable 
information collected, used, and maintained by the federal government; 

* setting requirements to ensure that the collection and use of 
personally identifiable information is limited to a stated purpose; 
and; 

* establishing additional mechanisms for informing the public about 
privacy protections by revising requirements for the structure and 
publication of public notices. 

We received written comments on a draft of this report from the Deputy 
Administrator of the Office of E-Government and Information Technology 
and the Deputy Administrator of the Office of Information and 
Regulatory Affairs of OMB. The letter is reprinted in appendix V. In 
their comments, the officials noted that they shared our concerns about 
privacy and stated they believe it would be important for Congress to 
consider potential amendments to the Privacy Act and the E-Government 
Act in the broader context of the several privacy statutes that 
Congress has enacted. 

Though we did not make specific recommendations to OMB, the agency 
provided comments on the alternatives identified in conjunction with 
our matter for congressional consideration. Regarding alternatives for 
revising the scope of laws to cover all personally identifiable 
information collected, used, and maintained by the federal government, 
OMB stated that it would be important for Congress to evaluate fully 
the potential implications of revisions such as amending the Privacy 
Act's system-of-records definition. We agree with OMB that such 
consideration should be thorough and include further public debate. 

Regarding alternatives for setting requirements to ensure that the 
collection and use of personally identifiable information is limited to 
a stated purpose, OMB stated that agencies are working to implement a 
requirement in a recent OMB memorandum to review and reduce the volume 
of personally identifiable information they handle "to the minimum 
necessary." The draft report notes that this requirement is in place; 
however, because significant concerns have been raised in this area by 
our previous work and by experts at our forum, we believe Congress 
should consider additional alternatives for ensuring that the 
collection and use of personally identifiable information is limited to 
a stated purpose. 

Finally, regarding effective mechanisms for informing the public, OMB 
stated that it supports ensuring that the public is appropriately 
informed of how agencies are using their information. OMB stated that 
they will review agency practices in informing the public and review 
the alternatives outlined in our report. 

OMB provided additional technical comments, which are addressed in 
appendix V. We also received technical comments from DHS, DOJ, DOT, and 
IRS. We have addressed these comments in the final report as 
appropriate. 

Background: 

In response to growing concern about the harmful consequences that 
computerized data systems could have on the privacy of personal 
information, the Secretary of Health, Education, and Welfare 
commissioned an advisory committee in 1972 to examine to what extent 
limitations should be placed on the application of computer technology 
to record keeping about people. The committee's final report[Footnote 
8] proposed a set of principles for protecting the privacy and security 
of personal information, known as the Fair Information Practices. These 
practices were intended to address what the committee termed a poor 
level of protection afforded to privacy under existing law, and they 
underlie the major provisions of the Privacy Act, which was enacted the 
following year. A revised version of the Fair Information Practices, 
developed by the Organization for Economic Cooperation and Development 
(OECD) in 1980, has been widely adopted.[Footnote 9] This version of 
the principles was reaffirmed by OECD ministers in a 1998 declaration 
and further endorsed in a 2006 OECD report.[Footnote 10] The OECD 
version of the principles is shown table 1. 

Table 1: The Fair Information Practices: 

Principle: Collection limitation; 
Description: The collection of personal information should be limited, 
should be obtained by lawful and fair means, and, where appropriate, 
with the knowledge or consent of the individual. 

Principle: Data quality; 
Description: Personal information should be relevant to the purpose for 
which it is collected, and should be accurate, complete, and current as 
needed for that purpose. 

Principle: Purpose specification; 
Description: The purposes for the collection of personal information 
should be disclosed before collection and upon any change to that 
purpose, and its use should be limited to those purposes and compatible 
purposes. 

Principle: Use limitation; 
Description: Personal information should not be disclosed or otherwise 
used for other than a specified purpose without consent of the 
individual or legal authority. 

Principle: Security safeguards; 
Description: Personal information should be protected with reasonable 
security safeguards against risks such as loss or unauthorized access, 
destruction, use, modification, or disclosure. 

Principle: Openness; 
Description: The public should be informed about privacy policies and 
practices, and individuals should have ready means of learning about 
the use of personal information. 

Principle: Individual participation; 
Description: Individuals should have the following rights: to know 
about the collection of personal information, to access that 
information, to request correction, and to challenge the denial of 
those rights. 

Principle: Accountability; 
Description: Individuals controlling the collection or use of personal 
information should be accountable for taking steps to ensure the 
implementation of these principles. 

Source: Organization for Economic Cooperation and Development. 

[End of table] 

The Fair Information Practices are, with some variation, the basis of 
privacy laws and related policies in many countries, including the 
United States, Germany, Sweden, Australia, and New Zealand, as well as 
the European Union.[Footnote 11] They are also reflected in a variety 
of federal agency policy statements, beginning with an endorsement of 
the OECD principles by the Department of Commerce in 1981,[Footnote 12] 
and including policy statements from DHS, DOJ, and the Department of 
Housing and Urban Development.[Footnote 13] In 2004, the Chief 
Information Officers Council issued a coordinating draft of its 
Security and Privacy Profile for the Federal Enterprise Architecture 
[Footnote 14] that links privacy protection with a set of acceptable 
privacy principles corresponding to the OECD's version of the Fair 
Information Practices. 

In addition, in a 2007 report on "Engaging Privacy and Information 
Technology in a Digital Age," the National Research Council found that 
the principles of fair information practice for the protection of 
personal information are as relevant today as they were in 1973. 
[Footnote 15] Accordingly, the committee recommended that the fair 
information practices should be extended as far as reasonably feasible 
to apply to private-sector organizations that collect and use personal 
information. 

The Fair Information Practices are not precise legal requirements. 
Rather, they provide a framework of principles for balancing the need 
for privacy with other public policy interests, such as national 
security, law enforcement, and administrative efficiency. Striking that 
balance varies among countries and among types of information (e.g., 
medical, employment information). 

Federal Laws and Guidance Govern Use of Personal Information in Federal 
Agencies: 

There is no single federal law that governs all use or disclosure of 
personal information. Instead, U.S. law includes a number of separate 
statutes that provide privacy protections for information used for 
specific purposes or maintained by specific entities. The major 
requirements for the protection of personal privacy by federal agencies 
come from two laws, the Privacy Act of 1974 and the privacy provisions 
of the E-Government Act of 2002. 

The Privacy Act places limitations on agencies' collection, disclosure, 
and use of personal information maintained in systems of records. The 
act describes a "record" as any item, collection, or grouping of 
information about an individual that is maintained by an agency and 
contains his or her name or another personal identifier. It also 
defines "system of records" as a group of records under the control of 
any agency from which information is retrieved by the name of the 
individual or by an individual identifier. The Privacy Act requires 
that when agencies establish or make changes to a system of records, 
they must notify the public through a system-of-records notice in the 
Federal Register that identifies, among other things, the categories of 
data collected, the categories of individuals about whom information is 
collected, the intended "routine" uses of data, and procedures that 
individuals can use to review and correct personally identifiable 
information.[Footnote 16] 

The act's requirements also apply to government contractors when 
agencies contract for the operation of a system of records to 
accomplish an agency function. According to OMB guidance, in these 
situations the contractual instrument between the agency and the 
contractor must specify that such records are to be maintained in 
accordance with the act. As explained by OMB, this requirement was not 
intended to cover private-sector record-keeping systems, but only those 
systems actually taking the place of a federal system that, but for the 
contract, would have been performed by an agency and covered by the 
Privacy Act. 

Several provisions of the act require agencies to define and limit 
collection and use to predefined purposes. For example, the act 
requires that to the greatest extent practicable, personal information 
should be collected directly from the subject individual when it may 
affect an individual's rights or benefits under a federal program. The 
act also requires that an agency inform individuals whom it asks to 
supply information of (1) the authority for soliciting the information 
and whether disclosure of such information is mandatory or voluntary; 
(2) the principal purposes for which the information is intended to be 
used; (3) the routine uses that may be made of the information; and (4) 
the effects on the individual, if any, of not providing the 
information. According to OMB, this requirement is based on the 
assumption that individuals should be provided with sufficient 
information about the request to make a decision about whether to 
respond. 

In handling collected information, agencies are generally required by 
the Privacy Act to, among other things, allow individuals to (1) review 
their records (meaning any information pertaining to them that is 
contained in the system of records), (2) request a copy of their record 
or information from the system of records, and (3) request corrections 
to their information. 

Agencies are allowed to claim exemptions from some of the provisions of 
the Privacy Act if the records are used for certain purposes. For 
example, records compiled by criminal law enforcement agencies for 
criminal law enforcement purposes can be exempt from a number of 
provisions, including (1) the requirement to notify individuals of the 
purposes and uses of the information at the time of collection and (2) 
the requirement to ensure the accuracy, relevance, timeliness, and 
completeness of records. A broader category of investigative records 
compiled for criminal or civil law enforcement purposes can also be 
exempted from a somewhat smaller number of Privacy Act provisions, 
including the requirement to provide individuals with access to their 
records and to inform the public of the categories of sources of 
records. In general, the exemptions for law enforcement purposes are 
intended to prevent the disclosure of information collected as part of 
an ongoing investigation that could impair the investigation or allow 
those under investigation to change their behavior or take other 
actions to escape prosecution. Statutory exemptions under the Privacy 
Act are summarized in appendix III. 

In 1988, Congress passed the Computer Matching and Privacy Protection 
Act as an amendment to the Privacy Act, to establish procedural 
safeguards that affect agencies' use of Privacy Act records from 
benefit programs in performing certain types of computerized matching 
programs. For example, the 1988 act requires agencies to create written 
agreements specifying the terms under which matches are to be done. 

More recently, in 2002, Congress enacted the E-Government Act to, among 
other things, enhance protection for personal information in government 
information systems or information collections by requiring that 
agencies conduct PIAs. A PIA is an analysis of how personal information 
is collected, stored, shared, and managed in a federal system. More 
specifically, according to OMB guidance,[Footnote 17] a PIA is an 
analysis of how: 

"information is handled: (i) to ensure handling conforms to applicable 
legal, regulatory, and policy requirements regarding privacy; (ii) to 
determine the risks and effects of collecting, maintaining, and 
disseminating information in identifiable form in an electronic 
information system; and (iii) to examine and evaluate protections and 
alternative processes for handling information to mitigate potential 
privacy risks." 

Agencies must conduct PIAs (1) before developing or procuring 
information technology that collects, maintains, or disseminates 
information that is in identifiable form or (2) before initiating any 
new data collections of information in an identifiable form that will 
be collected, maintained, or disseminated using information technology 
if the same questions are asked of 10 or more people. OMB guidance also 
requires agencies to conduct PIAs when a system change creates new 
privacy risks, for example, changing the way in which personal 
information is being used. According to OMB, no assessment is required 
when the information relates to internal government operations, the 
information has been previously assessed under an evaluation similar to 
a PIA, or when privacy issues are unchanged. 

The PRA applies to federal information collections and was designed to 
help ensure that when the government asks the public for information, 
the burden of providing this information is as small as possible and 
the information itself is used effectively.[Footnote 18] Such 
collections may have a range of purposes, which may or may not involve 
the collection of personal information, including applications for 
government benefits, program evaluation, general purpose statistics, 
research and regulation or compliance; all of these information 
collections may occur in a variety of forms, including questionnaires 
and telephone surveys. To achieve the goal of minimizing paperwork 
burden while maximizing the public benefit and utility of the 
information collected, the act includes provisions that establish 
standards and procedures for effective implementation and oversight of 
information collections. Among these provisions is the requirement that 
agencies not establish information collections without having them 
approved by OMB, and that before submitting them for approval, 
agencies' chief information officers certify that the collections meet 
10 specified standards, including that the collection is necessary for 
the proper performance of agency functions and avoids unnecessary 
duplication. The law also requires agencies both to publish notices in 
the Federal Register and to otherwise consult with the public about 
their planned collections. 

Privacy is also addressed in the legal framework for the emerging 
information sharing environment. As directed by the Intelligence Reform 
and Terrorism Prevention Act of 2004,[Footnote 19] the administration 
has taken steps, beginning in 2005, to establish an information sharing 
environment to facilitate the sharing of terrorism-related information 
with protections for privacy and civil liberties. The move was driven 
by the recognition that before the attacks of September 11, 2001, 
federal agencies had been unable to effectively share information about 
suspected terrorists and their activities. In addressing this problem, 
the National Commission on Terrorist Attacks Upon the United States (9/ 
11 Commission) recommended that the sharing and uses of information be 
guided by a set of practical policy guidelines that would 
simultaneously empower and constrain officials, closely circumscribing 
what types of information they would be permitted to share as well as 
the types of information they would need to protect. Exchanging 
terrorism-related information continues to be a significant challenge 
for federal, state, and local governments--one that we recognize is not 
easily addressed. Accordingly, since January 2005, we have designated 
information sharing for homeland security a high-risk area.[Footnote 
20] 

OMB Has Primary Responsibility for Oversight of the Privacy, E- 
Government, and Paperwork Reduction Acts: 

The Privacy Act gives OMB responsibility for developing guidelines and 
providing "continuing assistance to and oversight of" agencies' 
implementation of the Privacy Act. The E-Government Act of 2002 also 
assigns OMB responsibility for developing PIA guidance and ensuring 
agency implementation of the privacy impact assessment requirement. In 
July 1975, OMB published guidance for implementing the provisions of 
the Privacy Act. Since then, OMB has periodically issued additional 
guidance. For example, in 1991, OMB provided guidance to assist 
agencies in complying with the Computer Matching and Privacy Protection 
Act. In September 2003, consistent with its responsibility under 
section 208 of the E-Government Act, OMB issued guidance to agencies on 
conducting privacy impact assessments. 

Enacted in 1980, the PRA made virtually all federal agency information 
collection activities subject to OMB review and established broad 
objectives for OMB oversight of the management of federal information 
resources. The act established the Office of Information and Regulatory 
Affairs within OMB and gave this office a variety of oversight 
responsibilities over federal information functions, including general 
information policy, reduction of paperwork burden, and information 
privacy. To assist agencies in fulfilling their responsibilities under 
the act, OMB took various steps. It issued a regulation[Footnote 21] 
and provided agencies with instructions on filling out a standard form 
for submissions and providing supporting statements. 

OMB has also periodically issued guidance on other privacy-related 
issues, including: 

* federal agency Web site privacy policies;
* interagency sharing of personal information;
* designation of senior staff responsible for privacy; and; 
* data breach notification. 

A list of privacy guidance from OMB can be found in appendix IV. 

Previous Studies Have Raised Concerns about the Sufficiency of Privacy 
Laws: 

Concerns about the Privacy Act have arisen periodically since its 
passage. The Privacy Act established a temporary national study 
commission to conduct a comprehensive assessment of privacy policy and 
to make recommendations for better protecting the privacy of 
individuals. This commission, called the Privacy Protection Study 
Commission (PPSC), was to study privacy issues and recommend future 
legislation. 

In its final report,[Footnote 22] the PPSC concluded that, as 
transactions involving personal information have proliferated, there 
has been no compensating tendency to give the individual the kind of 
control over the collection, use, and disclosure of personal 
information that natural, or face-to-face, encounters normally entail. 
The PPSC found that if informational privacy is to be protected, public 
policy must focus on certain systemic features such as the 
proliferating use of information for a different purpose than for what 
it was originally collected, and the greater use of third-party 
reporting. 

The commission concluded that it would be beneficial to create a 
federal body to oversee, regulate, and enforce compliance with the 
commission's recommendations. The PPSC formally recommended that the 
President and Congress create an independent entity to participate in 
any federal proceeding that would affect personal privacy, including 
the issuance of rules that must be followed by federal agencies in 
interpreting the Privacy Act. 

As another example, in a 1983 report summarizing 9 years (1975 to1983) 
of congressional oversight of the Privacy Act, the House Committee on 
Government Operations concluded that OMB had not pursued its 
responsibility to revise and update its original guidance from 1975 and 
had not actively monitored agency compliance with its guidance. It 
stated "Interest in the Privacy Act at [OMB] has diminished steadily 
since 1975. Each successive Administration has shown less concern about 
Privacy Act oversight."[Footnote 23] 

More recently, in 2002, the Information Security and Privacy Advisory 
Board (ISPAB), a federal advisory committee originally established by 
the Computer Security Act of 1987,[Footnote 24] issued a report on 
government privacy policy setting and management. In its report, the 
ISPAB raised a number of concerns about advances in technology and its 
impact on privacy. Specifically, ISPAB observed that "with the 
migration toward e-government services, greater demands will be placed 
on the government's privacy policies and systems." ISPAB further 
observed that the public's willingness to use such services will depend 
"in large measure on their confidence that the information that they 
disclose will be safeguarded."[Footnote 25] 

The ISPAB report further stated that, "changes in technology, the 
privacy management challenges stemming from expanded e-government 
services, the accelerated interaction of networked information systems 
within and across critical infrastructure boundaries, and the extended, 
routine exchange of data among Federal and non-Federal government and 
non-government systems - all mandate immediate and serious attention to 
Federal government's data privacy policies and operational controls." 
Among the issues identified was a need for a review of the sufficiency 
and relevance of the Privacy Act to determine whether modifications 
were required, given the numerous changes affecting privacy that had 
occurred since the act was passed. 

Following up on its 2002 report, in 2005 ISPAB issued a "Privacy Act 
White Paper" raising the question of whether the existing legal and 
policy framework governing the information practices of federal 
agencies was sufficient to protect the privacy of individuals about 
whom the federal government maintained or used personal information. 
The paper postulated that "laws and policies have not kept pace with 
changes in technology and information and handling processes and 
suggests the need for an open dialogue on what changes in law and 
policy are needed and how to best make those changes." Accordingly, in 
2006 ISPAB initiated a partnership with the DHS Data Privacy and 
Integrity Advisory Committee[Footnote 26] to develop recommendations on 
a 21ST century framework for revisions to the Privacy Act and other 
federal privacy statutes. Work on this initiative was ongoing at the 
time of our review. 

In 2007, the National Research Council[Footnote 27] issued a report 
entitled Engaging Privacy and Information Technology in a Digital Age. 
[Footnote 28] The report identified a number of issues related to the 
implications of advances in technology on privacy. With regard to 
government use of personal information, the committee found that the 
government has important roles to play in protecting the privacy of 
individuals and groups and in ensuring that decisions concerning 
privacy are made in an informed fashion. However, the report 
characterized the U.S. legal and regulatory framework as "a patchwork 
that lacks consistent principles or unifying themes." The committee 
concluded that a less decentralized and more integrated approach to 
privacy policy in the United States could bring a greater degree of 
coherence to the subject of privacy. The committee recommended that the 
U.S. government undertake a broad systematic review of national privacy 
laws and regulations. 

Further, with regard specifically to government use of personal 
information, the committee found that "because the benefits of privacy 
often are less tangible and immediate than the perceived benefits of 
other interests, such as public security and economic efficiency, 
privacy is at an inherent disadvantage when decision makers weigh 
privacy against these other interests." The committee concluded that, 
to reduce this inherent disadvantage, governments at federal, state, 
and local levels should establish mechanisms for the institutional 
advocacy of privacy within government. Much as the PPSC had recommended 
in 1977, the NRC recommended that a national privacy commissioner or 
standing privacy commission be established to provide ongoing and 
periodic assessments of privacy developments. 

We have previously reported on a number of agency-specific and 
governmentwide privacy-related issues at federal agencies. For example, 
in 2003,[Footnote 29] we reported that agencies generally did well with 
certain aspects of the Privacy Act's requirements--such as issuing 
systems-of-records notices when required--but did less well at other 
requirements, such as ensuring that information is complete, accurate, 
relevant, and timely before it is disclosed to a nonfederal 
organization. In discussing this uneven compliance agency officials 
reported the need for additional OMB leadership and guidance to assist 
in difficult implementation issues in a rapidly changing environment. 
For example, officials had questions about the act's applicability to 
electronic records. We have also reported on key privacy challenges 
facing federal agencies, federal Web site privacy, notification of 
individuals in the event of a data breach, and government data-mining 
initiatives. A list of our privacy-related products can be found in 
appendix V. 

Additional Laws Provide Protections for Federal Agency Use of Personal 
Information: 

Other federal laws address privacy protection for personal information 
with respect to information security requirements as well as for 
certain types of information, such as when taxpayer, statistical, or 
health information is involved. 

The Federal Information Security Management Act (FISMA) addresses the 
protection of personal information by defining federal requirements for 
securing information and information systems that support federal 
agency operations and assets; it requires agencies to develop 
agencywide information security programs that extend to contractors and 
other providers of federal data and systems.[Footnote 30] Under FISMA, 
information security means protecting information and information 
systems from unauthorized access, use, disclosure, disruption, 
modification, or destruction, including controls necessary to preserve 
authorized restrictions on access and disclosure to protect personal 
privacy, among other things.[Footnote 31] 

Other laws address protection of personal information by federal 
agencies in specific circumstances and are described in table 2. 

Table 2: Major Federal Laws That Address Federal Agency Use of Personal 
Information: 

Information covered: Patient health information; 
Applicable law: To the extent a federal agency is a covered entity 
under the Health Insurance Portability and Accountability Act of 1996 
(HIPAA), e.g., a provider of health care programs or services, it may 
not use or disclose an individual's health information without the 
individual's authorization, except for certain reasons, and is required 
to inform individuals of its privacy practices. 42 U.S.C. §§ 1320d - d-
7; 45 C.F.R. Part 164. 

Information covered: Statistical information; 
Applicable law: The Confidential Information Protection and Statistical 
Efficiency Act (CIPSEA) requires that information acquired by an agency 
under a pledge of confidentiality and for exclusively statistical 
purposes shall be used by the agency only for such purposes and shall 
not be disclosed in identifiable form for any other use, except with 
the informed consent of the respondent. Sec. 512, Title V, Pub. L. No. 
107-347, Dec. 17, 2002; 44 U.S.C. § 3501 note. 

Information covered: Census data; 
Applicable law: Except as specifically authorized by law, the Census 
Bureau may not disclose identifiable census data. Penalties of up to 
$5,000 and 5 years in prison apply for violating the law. 13 U.S.C. §§ 
9 & 214. 

Information covered: Taxpayer data; 
Applicable law: The IRS must keep taxpayer information confidential and 
may only disclose it under limited circumstances, e.g., for federal or 
state tax administration, to assist in the enforcement of child support 
programs, to verify eligibility for public assistance programs, and for 
use in a criminal investigation. Individuals or agencies receiving 
taxpayer data must, as a condition of receiving such data, have 
safeguards for the protection of, and for accounting for, the use of 
such data. 26 U.S.C. § 6103. 

Information covered: Social Security information; 
Applicable law: Social Security numbers and related records must be 
treated as confidential and may not be disclosed, except as authorized. 
42 U.S.C. §§ 405 & 1306. Such other authorized uses include disclosures 
for bankruptcy proceedings (11 U.S.C. 342(c)), enforcement of child 
support programs (42 U.S.C. §§ 653, 653a, & 666(a)(13)), and 
enforcement of immigration laws (8 U.S.C. §§ 1304 & 1360). 

Source: GAO analysis. 

[End of table] 

The Privacy Act and E-Government Act Do Not Always Provide Protections 
for Federal Uses of Personal Information: 

The Privacy Act's controls on the collection, use, and disclosure of 
personally identifiable information do not consistently protect such 
information in all circumstances of its collection and use throughout 
the federal government. Issues have largely centered on the Privacy 
Act's definition of a "system of records" (any grouping of records 
containing personal information retrieved by individual identifier), 
which triggers the act's protections. Personal information is not 
always obtained and processed by federal agencies in ways that conform 
to the definition of a system of records, and in cases where such 
information falls outside this definition, it may not receive the full 
privacy protections established by the act. In contrast, the E- 
Government Act of 2002 sets broader terms for its requirement to 
conduct PIAs--namely, (1) before an agency develops or procures 
information technology that collects, maintains, or disseminates 
information that is in identifiable form, or (2) before an agency 
collects information in identifiable form using information technology. 
Although the E-Government Act's broader definition is more inclusive 
than the system-of-records concept, its requirements are more limited 
because it imposes no restrictions on agency collection and use of 
personally identifiable information. Alternatives for addressing these 
issues could include revising the system-of-records definition to cover 
all personally identifiable information collected, used, and maintained 
systematically by the federal government, and revising the E-Government 
Act's scope to cover federal rulemaking. 

Key Terms in the Privacy Act May Be Defined Too Narrowly: 

The Privacy Act's controls on the collection, use, and disclosure of 
personally identifiable information only apply when such information is 
covered by the act's key terms, especially the "system-of-records" 
construct. There are several different ways in which federal collection 
and use of personally identifiable information could be outside of such 
a construct and thus not receive the Privacy Act's protections: 

* Personally identifiable information held by the government is not 
always retrieved by identifier. The Privacy Act defines a system of 
records as "a group of records[Footnote 32] under the control of any 
agency from which information is retrieved by the name of the 
individual or by some identifying number, symbol, or other identifying 
particular assigned to the individual." If personally identifiable 
information (records) is not retrieved by identifier but instead 
accessed through some other method or criteria--for example, by 
searching for all individuals who have a certain medical condition or 
who applied for benefits on a certain date--the system would not meet 
the Privacy Act's system-of-records definition and therefore would not 
be governed by the act's protections. OMB's 1975 Privacy Act 
implementation guidance reflects an acknowledgement that agencies could 
potentially evade the act's requirements by organizing personal 
information in ways that may not be considered to be retrieved by 
identifier.[Footnote 33] 

This scope of the system-of-records definition has been an issue since 
the Privacy Act became law in 1974. In its 1977 report, the PPSC 
pointed out that retrieval by name or identifier reflected a manual 
rather than a computer-based model of information processing and did 
not take into account emerging computing technology. As the study 
explained, while manual record-keeping systems are likely to store and 
retrieve information by reference to a unique identifier, this is 
unnecessary in computer-based systems that permit attribute searches. 
[Footnote 34] The PPSC noted that retrieval of individually 
identifiable information by scanning (or searching) large volumes of 
computer records was not only possible but an ever-increasing agency 
practice. 

Our 2003 report concerning compliance with the Privacy Act found that 
the PPSC's observations had been borne out across federal agencies. A 
key characteristic of agencies' systems of records at the time was that 
a large proportion of them were electronic, reflecting the government's 
significant use of computers and the Internet to collect and share 
personal information. Based on survey responses from 25 agencies in 
2002, we estimated that 70 percent of the agencies' systems of records 
contained electronic records and that 11 percent of information systems 
in use at those agencies contained personal information that was 
outside a Privacy Act system of records. We also reported that among 
the agencies we surveyed, the most frequently cited reason for systems 
not being considered Privacy Act systems of records was that the agency 
did not use a personal identifier to retrieve the personal information. 
[Footnote 35] 

Recent OMB guidance reflects an acknowledgement that, although 
personally identifiable information does not always reside in Privacy 
Act systems of records, it should nevertheless be protected. Following 
a number of highly publicized data breaches at government agencies, OMB 
issued guidance instructing agencies to take action to safeguard 
"personally identifiable information." Beginning in May 2006, OMB 
required senior agency privacy officials to "conduct a review of 
policies and processes and take corrective action as appropriate to 
ensure adequate safeguards to prevent the intentional or negligent 
misuse of, or unauthorized access to personally identifiable 
information." Most recently, in May 2007, OMB required agencies to 
review and reduce "all current holding of personally identifiable 
information." This guidance is not limited to information that is 
"retrieved by identifier" or contained within systems of records. 

* The Privacy Act's protections may not apply to contemporary data 
processing technologies and applications. In today's highly 
interconnected environment, information can be gathered from many 
different sources, analyzed, and redistributed in very dynamic, 
unstructured ways that may have little to do with the file-oriented 
concept of a Privacy Act system of records. For example, data mining, a 
prevalent technique used by federal agencies[Footnote 36] for 
extracting useful information from large volumes of data, may escape 
the purview of the Privacy Act's protections. Specifically, a data- 
mining system that performs analysis by looking for patterns in 
personal information located in other systems of records or that 
performs subject-based queries across multiple data sources may not 
constitute a system of records under the act. 

In recent years, reports required by law on data mining have described 
activities that had not been identified as systems of records covered 
by the Privacy Act. In one example, DHS reported that all the data 
sources for the planned Analysis Dissemination Visualization Insight 
and Semantic Enhancement (ADVISE) data mining program were covered by 
existing system-of-records notices; however, the system itself was not 
covered, and no system of records notice was created specifically to 
document protections under the Privacy Act governing the specific 
activities of the system.[Footnote 37] ADVISE was a data-mining tool 
intended to allow an analyst to search for patterns in data--such as 
relationships among people, organizations, and events--and to produce 
visual representations of those patterns. 

This was also the case with other data mining programs reported by DHS 
and DOJ.[Footnote 38] For example, DHS reported on a data mining system 
known as Intelligence and Information Fusion--which provides 
intelligence analysts with an ability to view, query, and analyze 
multiple data sources from within the government--that is not 
considered a Privacy Act system of records. While DHS reported that the 
system was "covered" by the system-of-records notice for the Homeland 
Security Operations Center Database,[Footnote 39] that notice does not 
specifically describe the uses of the Intelligence and Information 
Fusion system. Thus, while the underlying data sources are subject to 
the protections of the act, the uses of the Intelligence and 
Information Fusion system have not been specifically addressed. 

Likewise, DOJ reported that its Foreign Terrorist Tracking Task Force 
[Footnote 40] was developing a data mining system, known as the System 
to Assess Risk, to assist analysts in prioritizing persons of possible 
investigative interest in support of a specified terrorist threat. DOJ 
reported that the system's data sources were covered by the system-of-
records notice for the Federal Bureau of Investigation's (FBI) Central 
Records System.[Footnote 41] However, the Central Records System notice 
does not specifically describe the uses of the System to Assess Risk 
and thus provides no evidence that the Privacy Act's protections are 
being applied to the system. The fact that these notices do not 
specifically describe data-mining systems that they are said to include 
reflects the limitations of the system-of-records construct as a way to 
identify, assess, and report on the protections being applied to these 
types of analytical uses. As a result, personally identifiable 
information collected and processed by such systems may be less well 
protected than if it were more specifically addressed by the Privacy 
Act. 

* Use of personal information from third party sources is not 
consistently covered by the Privacy Act. The Privacy Act requires 
agencies to collect information to the greatest extent practicable 
directly from the subject individual when the information may result in 
adverse determinations about an individual's rights, benefits, and 
privileges under federal programs. Yet agencies have increasingly 
turned to other sources to collect personal information, particularly 
third-party sources such as information resellers--companies that amass 
and sell personal information from many sources. Concerns were raised 
in our expert forum that government agencies may be using such third- 
party sources as a way to avoid the constraints of the Privacy Act. 

In our 2006 report on federal agency use of personal information from 
information resellers,[Footnote 42] we noted that agency officials said 
they generally did not prepare system-of-records notices for the use of 
information resellers because they were not required to do so by the 
Privacy Act. The Privacy Act makes its provisions applicable to third- 
party systems when "an agency provides by a contract for the operation 
by or on behalf of the agency a system of records to accomplish an 
agency function." According to agency officials, information reseller 
databases were not considered systems of records operated "by or on 
behalf of a government agency" because resellers develop their 
databases for multiple customers, not the federal government 
exclusively. Further, agency officials stated that merely querying 
information reseller databases did not amount to maintaining the 
information that was obtained, and thus the provisions of the Privacy 
Act did not apply. In many cases, agency officials considered their use 
of reseller data to be of this type--essentially "ad hoc" querying or 
"pinging" of databases for personal information about specific 
individuals, which they were not doing in connection with a designated 
system of records. Thus, these sources, which agencies use for many 
purposes, have not been considered subject to the provisions of the 
Privacy Act. As a result, individuals may be limited in their ability 
to learn that information is being collected about them, because the 
information is being obtained from other sources and the activity is 
not publicly described in a system-of-records notice. Further, the 
Privacy Act's constraints on collection, use, and disclosure would not 
apply. 

In our 2006 report, we made recommendations to OMB to revise its 
guidance to clarify the applicability of requirements for public 
notices and privacy impact assessments with respect to agency use of 
personal information from resellers. We also recommended that OMB 
direct agencies to review their uses of such information to ensure it 
is explicitly referenced in privacy notices and assessments. However, 
OMB has not addressed our recommendations. OMB stated that following 
the completion of work on the protection of personal information 
through the Identity Theft Task Force, it would consider issuing 
appropriate guidance concerning reseller data. OMB issued guidance 
based on the work of the Identity Theft Task Force in May 2007; 
however, it did not include clarifying guidance concerning reseller 
data. Without clarifying guidance, agencies may continue to consider 
use of reseller data as not covered by the Privacy Act and thus may not 
apply the Privacy Act's protections to this use. 

The E-Government Act Applies More Broadly Than the Privacy Act but 
Lacks Explicit Constraints on Agency Actions: 

The E-Government Act's requirements for the conduct of PIAs apply to a 
broader range of government activities than are currently covered by 
the Privacy Act's definition of a system of records. Specifically, the 
E-Government Act requires agencies to conduct PIAs before (1) 
developing or procuring information technology that collects, 
maintains, or disseminates information that is in individually 
identifiable form or (2) initiating data collections involving personal 
information that will be collected, maintained or disseminated using 
information technology if the same questions are asked of 10 or more 
people. 

The PIA requirement has provided a mechanism for agencies to consider 
privacy protections during the earliest stages of development of their 
systems, when it may be relatively easy to make critical adjustments. 
Senior agency privacy officials at several agencies reported that their 
PIA processes are incorporated into key stages in systems development. 
For example, senior agency privacy officials at the IRS reported that 
PIAs are required at every stage of the systems development life cycle 
for new systems or systems undergoing major modifications. In addition, 
five of the six agencies we interviewed reported that they use a 
privacy threshold analysis, a brief assessment that requires system 
owners to answer basic questions on the nature of their systems and 
whether the systems contain personally identifiable information, to 
identify systems that require a PIA; this approach enables agencies to 
ensure that systems undergo the PIA process at the earliest stages of 
development. 

Privacy experts and senior agency privacy officials we interviewed also 
noted that the E-Government Act provides a mechanism to address certain 
uses of personal information that might not have been covered by the 
Privacy Act. According to OMB guidance, PIAs are required to be 
performed and updated whenever a system change creates new privacy 
risks. Among the types of changes identified in OMB guidance that might 
require conducting a PIA are when converting from paper to electronic 
records, when applying new technologies that significantly change how 
information in identifiable form is managed in the system, and when 
merging databases to create one central source of information. 
Typically, under the Privacy Act changes of this nature could result in 
limited modifications to a system-of-records notice to reflect 
additional categories of records and/or routine uses. It would not 
result in a reassessment of privacy risks, as is required for a PIA. 

Because the E-Government Act's PIA requirement applies more broadly 
than the Privacy Act, it may help in part to address concerns about the 
narrow definition of terms in the Privacy Act. Specifically, a well- 
written PIA can inform the public about such things as what information 
is being collected, why it is being collected, and how it is to be 
used. However, the E-Government Act does not include the specific 
constraints on how information is to be collected, maintained, and 
shared that are included in the Privacy Act--such as restrictions on 
disclosure of personal information and requirements to allow for access 
to and correction of records by individuals, among other things. 
Further, the E-Government Act only applies to information technology 
systems and therefore does not address personal information contained 
in paper records. 

In addition, the E-Government Act may not be broad enough to cover all 
cases in which the federal government makes determinations about what 
personal information is to be collected and how it is to be protected. 
A major function that is not covered is rulemaking that involves the 
collection of personally identifiable information. Rulemaking is the 
process by which federal agencies establish regulations that can govern 
individual behavior as well as commercial and other activities. For 
example, DHS is required by the Homeland Security Act to conduct PIAs 
for all of its proposed rules,[Footnote 43] and, as a result, PIAs have 
been conducted for major initiatives, including the REAL ID Act, which 
required DHS to establish minimum standards for state-issued drivers' 
licenses and identification cards that federal agencies would accept 
for official purposes, and the Western Hemisphere Travel Initiative, 
aimed at strengthening border security and facilitating entry into the 
United States for U.S. citizens and certain foreign visitors through a 
standardized identification card. These PIAs have provided for the 
evaluation of privacy considerations before final decisions are made 
concerning specific technologies to be used in drivers' licenses and 
border-crossing identification cards issued by state governments. 
However, DHS, DOT, Treasury, and a number of smaller agencies are 
currently the only agencies required to conduct PIAs on proposed rules. 
Other agencies may be issuing rules that have privacy implications 
without conducting privacy assessments of them. 

Alternatives for Broadening the Coverage of Privacy Laws: 

A number of alternatives exist to address the issues associated with 
the coverage of existing privacy laws governing federal use of personal 
information. These alternatives involve revisions to the Privacy Act 
and E-Government Act, as follows: 

* Revise the system of records definition to cover all personally 
identifiable information collected, used, and maintained by the federal 
government. Like the Privacy Protection Study Commission, which 
believed in 1977 that the act's definition of a system of records 
should be revised, experts at our forum were in agreement that the 
system-of-records definition is outdated and flawed. The experts agreed 
that the act's protections should be applied whenever agencies obtain, 
process, store, or share personally identifiable information--not just 
when records are retrieved by personal identifier. Such an approach 
could address concerns that certain activities, such as data mining or 
retrieving information from commercial information resellers could 
avoid the protections of the act. As shown in table 3, several recent 
OMB memoranda providing direction to federal agencies on privacy 
protection reflects this approach. 

Table 3: Recent OMB Guidance on the Protection of Personally 
Identifiable Information: 

Memorandum: OMB M-06-15: Safeguarding Personally Identifiable 
Information; 
Major requirement: Requires the Senior Official for Privacy at each 
agency to conduct a review of agency policies and processes, and take 
corrective action as appropriate, to ensure adequate safeguards to 
prevent the intentional or negligent misuse of, or unauthorized access 
to, personally identifiable information. 

Memorandum: OMB M-06-19: Reporting Incidents Involving Personally 
Identifiable Information and Incorporating the Cost for Security in 
Agency Information Technology Investments; 
Major requirement: Requires agencies to report all incidents involving 
personally identifiable information to the federal incident response 
center at DHS within 1 hour of discovering the incident. The guidance 
defines personally identifiable information as "any information about 
an individual maintained by an agency, including, but not limited to, 
education, financial transactions, medical history, and criminal or 
employment history and information which can be used to distinguish or 
trace an individual's identity, such as their name, social security 
number, date and place of birth, mother's maiden name, biometric 
records, etc., including any other personal information which is linked 
or linkable to an individual." 

Memorandum: OMB M-07-16: Safeguarding against and Responding to the 
Breach of Personally Identifiable Information; 
Major requirement: Requires agencies to develop a policy for handling 
breaches of personally identifiable information as well as policies 
concerning the responsibilities of individuals authorized to access 
such information. Agencies are urged to reduce the volume of collected 
and retained information to the minimum necessary, limit access to only 
those individuals who must have such access, and use encryption, strong 
authentication procedures, and other security controls to make 
information unusable by unauthorized individuals. 

Source: OMB. 

[End of table] 

The Privacy Act's narrowly scoped system-of-records definition does not 
match OMB's broadened approach to protecting personally identifiable 
information. Changing the system-of-records definition is an option 
that could help ensure that the act's protections are consistently 
applied to all personally identifiable information. 

* Revise the E-Government Act's scope to cover federal rulemaking. The 
E-Government Act's privacy provisions could be broadened to apply to 
all federal rulemaking involving the collection of personally 
identifiable information, as the Homeland Security Act currently 
requires of DHS and the Transportation, Treasury, Independent Agencies 
and General Government Appropriations Act of 2005 requires of 
Transportation, Treasury, and certain other agencies. This change would 
ensure that privacy concerns are addressed as the federal government 
proposes and adopts rules that affect how other entities, including 
state and local government agencies, collect and use personally 
identifying information. 

Laws and Guidance May Not Effectively Limit Agency Collection and Use 
of Personal Information to Specific Purposes: 

Current laws and guidance impose only modest requirements for 
describing the purposes for collecting and using personal information 
and limiting how that information is collected and used. For example, 
agencies are not required to be specific in formulating purpose 
descriptions in their public notices. Laws and guidance also may not 
effectively limit the collection of personal information. For example, 
the Privacy Act's requirement that information be "relevant and 
necessary" gives broad latitude to agencies in determining the amount 
of information to collect. In addition, mechanisms to limit use to a 
specified purpose may be weak. For example, the Privacy Act does not 
limit agency internal use of information, as long as it is needed for 
an official purpose or include provisions addressing external sharing 
with other entities to ensure that the information's new custodians 
preserve the act's protections. Examples of alternatives for addressing 
these issues include setting specific limits on routine uses and use of 
information within agencies to include more specific limits, requiring 
agencies to justify how collection has been limited in privacy notices, 
and requiring agencies to establish formal agreements with external 
governmental entities before sharing personally identifiable 
information with them. 

Fair Information Practices Call for Purpose Specification and 
Limitations on Collection and Use of Personal Information: 

A key area of concern about personal information maintained by 
government agencies is to ensure that limits are placed on what the 
government acquires and how it uses the information--thus giving 
individuals a measure of control over their own personal information. 
Two of the fair information practices relate specifically to limiting 
the way the government collects and uses personal information: 
collection limitation and use limitation. A third principle--purpose 
specification--is critical to ensuring that the other two are applied 
effectively. 

The purpose specification principle states that the purpose for the 
collection of personal information should be disclosed before the 
collection is made and upon any change to that purpose, and its use 
should be limited to that purpose and compatible purposes. Clearly 
specifying the purpose of a given activity establishes the measure for 
determining whether the collection of information has been sufficiently 
limited to what is relevant for the purpose and whether the ways in 
which the information is used have also been limited to what is 
appropriate for the same purpose. 

The collection limitation principle states that the collection of 
personal information should be limited, should be obtained by lawful 
and fair means, and, where appropriate, with the knowledge or consent 
of the individual. When the collection limitation principle is applied, 
individuals can gain assurance that the information about them that is 
being collected is only what is needed to perform a specific, 
predisclosed function. In the government arena, this mitigates the risk 
that an over-collection of personal information could facilitate the 
improper use of that information to make adverse determinations. For 
example, the Transportation Security Administration (TSA) received 
criticism about its now-canceled Computer-Assisted Passenger Pre- 
screening System II because it proposed to collect information from 
third-party sources in addition to airline passengers themselves. 
Concerns were raised that individuals could be delayed or denied 
boarding their airline flights based on third-party information that 
was potentially inaccurate. In developing a successor project, called 
Secure Flight, TSA responded to privacy concerns by planning to collect 
far less information and to focus on information collected directly 
from individuals.[Footnote 44] 

A closely related principle--the use limitation principle--provides 
that personal information, once collected, should not be disclosed or 
used for other than a specified purpose without consent of the 
individual or legal authority. The use limitation principle is arguably 
of heightened importance in the government arena because the government 
has many functions that affect numerous aspects of an individual's well-
being. Hence, it is important to ensure that information the government 
collects for one function is not used indiscriminately for other 
unrelated functions. By requiring the government to define a specific 
purpose for the collection of personal information and limit its use to 
that specified purpose, individuals gain assurance that their privacy 
will be protected and their information will not be used in ways that 
could jeopardize their rights or otherwise unfairly affect them. 

The Privacy Act Does Not Ensure That Purposes Are Always Stated and Are 
Specific: 

The Privacy Act includes requirements that agencies (1) inform 
individuals from whom information is being collected of the principal 
purpose or purposes for which the information is intended to be used 
and (2) publish a system-of-records notice in the Federal Register of 
the existence and character of the system of records, including planned 
routine uses of the records and the purpose of each of these routine 
uses. Concerns have been raised that the act's requirements do not go 
far enough in ensuring that the government's planned purposes are 
sufficiently specified: 

* Statements of overall purpose are not always required. The Privacy 
Act requires agencies to inform individuals on forms used to collect 
information from them of the principal purpose or purposes for which 
the information is intended to be used. This is an important provision 
that protects individuals when the government is collecting information 
directly from them. However, in many cases, agencies obtain information 
about individuals from other sources, such as commercial entities 
(including information resellers) and other governmental entities. In 
those cases, no overall declaration of purpose is required in the 
system-of-records notice. For each of the stated routine uses a 
description is required of the potential purposes for which the records 
may be used; however, there is no requirement for a declaration of the 
purpose or purposes for the system of records as a whole. Given that 
individuals may be especially concerned about how their information is 
collected from different government and commercial entities, not having 
an overall purpose associated with this information raises concerns. 

* Purpose descriptions in public notices are not required to be 
specific. As mentioned above, while there is no requirement for an 
overall statement of purpose, Privacy Act notices may contain multiple 
descriptions of purposes associated with routine uses, and agencies are 
not required to be specific in formulating these purposes. OMB guidance 
on the act gives agencies discretion to determine how to define the 
range of appropriate uses and associated purposes that it intends for a 
given system of records. For example, purpose statements for certain 
law enforcement and anti-terrorism systems might need to be phrased 
broadly enough so as not to reveal investigative techniques or the 
details of ongoing cases. However, overly broadly-defined purposes 
could allow for unnecessarily broad collections of information and 
ranges of subsequent uses, thus calling into question whether 
meaningful limitations had been imposed. 

For example, in previous work on international passenger prescreening 
by DHS's Customs and Border Protection (CBP),[Footnote 45] we reported 
that CBP's public notices and reports regarding its international 
prescreening process did not fully or accurately describe CBP's use of 
personal data throughout the passenger prescreening process. In that 
case, CBP relied on a system-of-records notice for the Treasury 
Enforcement Communications System--one of several data sources used in 
the prescreening process--to notify the public about the purpose of the 
international prescreening program. The notice, however, did not 
mention CBP's passenger prescreening purpose but simply included a 
broad statement about its law enforcement purpose, namely that "every 
possible type of information from a variety of Federal, state and local 
sources, which contributes to effective law enforcement may be 
maintained in this system of records."[Footnote 46] Use of such a 
sweeping purpose statement obscured its use in international passenger 
prescreening and did not establish a basis for limiting use of the 
information in the system. Its use shows that the act does not require 
the government to clearly state its purposes for collecting and using 
personal information. 

Another example can be found in the system-of-records notice for the 
FBI's Central Records System. The FBI relies on this notice to inform 
the public about a broad range of files it maintains and uses for a 
variety of different purposes. According to the notice, the Central 
Records System contains investigative, personnel, applicant, 
administrative, and "general" files.[Footnote 47] In addition to 
information within 281 different categories of legal violations over 
which the FBI has investigative jurisdiction, the files also include 
information pertaining to personnel, applicant, and administrative 
matters. As a result, it is unclear from the notice how any given 
record in this system is to be used. While law enforcement agencies are 
often concerned about revealing their methods to criminals, 
descriptions of the specific purposes of FBI systems could be crafted 
to avoid revealing what information had been collected about any 
specific individual or how it was being used by the agency. DOJ 
officials acknowledged that there has been frequent criticism of the 
broad scope of the Central Records System notice but said the notice 
had been structured that way because all the records covered by the 
notice are organized according to that same indexing hierarchy. More 
significantly, the Privacy Act does not require that systems of records 
be defined and described more specifically. Like the CBP notice, the 
FBI notice demonstrates that the act does not require the government to 
clearly state its purposes for collecting and using personal 
information. 

Laws and Guidance May Not Effectively Limit Collection of Personal 
Information: 

Regarding collection limitation, the Privacy Act states that each 
agency should maintain only such information about individuals in its 
systems of records that is "relevant and necessary" to accomplish a 
purpose the agency is required to accomplish by statute or executive 
order of the President. The act further states that agencies generally 
cannot disclose records about an individual without his or her consent, 
except under a number of specific conditions.[Footnote 48] 

Collection limitation may also be addressed indirectly as part of 
agency procedures under the E-Government Act for conducting PIAs. Based 
on OMB guidance, PIAs are required to include explanations regarding 
what information is being collected, why it is being collected, and 
what the intended uses are. According to agency privacy officials, they 
often question agency program officials about whether planned 
collections are really necessary or could be reduced during the process 
of reviewing draft PIAs. 

The Paperwork Reduction Act also addresses collection limitation when 
information is to be collected individually from 10 or more people. It 
requires agency chief information officers to determine whether the 
information has practical utility and is necessary for the proper 
performance of agency functions. Once a chief information officer has 
certified that a planned information collection meets 10 standards set 
forth in the act, the collection is submitted to OMB for review. The 
agency may not collect the information without OMB's approval. 

Finally, OMB also has issued guidance instructing agencies to limit the 
collection of personally identifiable information. In early 2007, OMB 
issued Memorandum M-07-16, which required agencies to review and reduce 
the volume of their holdings of personally identifiable information to 
the minimum necessary for the proper performance of documented agency 
functions. The memorandum noted that "by collecting only the 
information necessary and managing it properly, agencies can often 
reduce the volume of information they possess, the risk to the 
information, and the burden of safeguarding it." The memorandum also 
required agencies to develop a plan to reduce their use of Social 
Security numbers and to make public a schedule by which they would 
periodically update the review of their overall holdings of personally 
identifiable information. 

Nothwithstanding these various provisions in law and guidance, the 
government's collection of personal information may not be effectively 
limited: 

* The Privacy Act's "relevant and necessary" provision gives broad 
latitude to agencies in determining the amount of information to 
collect. The Privacy Act states that each agency shall "maintain in its 
records only such information about an individual as is relevant and 
necessary to accomplish a purpose of the agency required to be 
accomplished by statute or by Executive order of the President." Under 
these criteria, agency officials do not have specific requirements for 
justifying how much information to collect; instead, it is a matter of 
judgment whether any specific piece of information is relevant and 
necessary. OMB's implementation guidance advises agencies to identify 
the specific provisions in law that authorize a collection before it is 
implemented and provides questions that agencies should consider in 
determining what information to collect but concludes that a final 
decision on what is relevant and necessary is a matter of judgment. For 
certain functions, such as homeland security, new and varied 
collections of personal information may be relevant and necessary. 
However, several experts at our forum expressed concern about what they 
view as an increasing trend in the post-9/11 era for federal agencies 
to collect as much information as possible in the event that such 
information might be needed at a future date. Without establishing more 
specific requirements for justifying information collections, it may be 
difficult to ensure that agencies collect only relevant and necessary 
personal information. 

* The Paperwork Reduction Act information collection review process has 
not always been effective at limiting collection. In addition to 
provisions in the Privacy Act, the PRA has the potential to serve as a 
useful control for ensuring that agencies make reasoned judgments about 
what personal information to collect. However, it has not always 
achieved this objective. As we reported in 2005, the PRA's constraints 
on information collection are not always completely followed.[Footnote 
49] For our previous report, we examined a sample of 12 approved 
information collections to assess the effectiveness of the PRA review 
process. We found that while chief information officers reviewed 
information collections regularly, support for a particular collection 
was often partial. For example, of the 12 approved data collections we 
reviewed, 6 provided only partial support for determining whether the 
collection was necessary for the proper performance of agency functions 
and 8 had only partial support for determining whether a collection 
provided the information it was intended to provide. Despite these 
shortcomings, all 12 data collections were certified by agency chief 
information officers, and all 12 were also approved by OMB. The fact 
that agencies are able to have information collections approved despite 
incomplete justification contributes to concern that the PRA 
information collection review process may not be effective at limiting 
collection of personally identifiable information by the government. We 
recommended that OMB take steps to improve the review process, and OMB 
responded that it was considering changing its instructions to align 
them more closely with 10 standards specified in the act. However, OMB 
has not yet addressed our recommendation. 

* OMB guidance does not provide specific measures for limiting 
information collections. Although agency privacy officials believe the 
PIA process gives them the opportunity to address collection 
limitation, the requirements of the E-Government Act do not 
specifically address collection limitation, and OMB PIA guidance 
accordingly does not include requirements for limiting information 
collection, and the process does not include criteria for making 
determinations as to whether specific planned data elements are 
necessary. The lack of specific control mechanisms contributes to 
concerns by privacy experts that collection of personally identifiable 
information is not being effectively limited. Similarly, OMB's recent 
guidance to limit collection of personally identifiable information did 
not include plans to monitor agency actions or take other proactive 
steps to ensure that agencies are effectively limiting their 
collections of personally identifiable information. OMB has not 
reported publicly on agencies' progress in responding to its guidance, 
and thus it remains unclear what steps agencies have taken. Finally, 
like previous guidance, M-07-16 did not provide any criteria for making 
determinations about whether specific data elements are needed. Without 
a legal requirement to limit collection of personally identifiable 
information, it is unclear the extent to which agencies will follow 
OMB's guidance. 

Mechanisms to Limit Use of Personally Identifiable Information to a 
Specified Purpose May Be Ineffective: 

The Privacy Act generally prevents agencies from sharing personal 
information in systems of records, except pursuant to a written request 
by, or with prior written consent of, the affected individual. There 
are, however, a number of specific conditions defined by the Privacy 
Act under which federal agencies may share information from systems of 
records with other government agencies without the affected 
individuals' consent. For example, agencies may share information with 
another agency for civil or criminal law enforcement activity.[Footnote 
50] Sharing is also allowed if it is for a purpose that is "compatible" 
with the purpose for which the information was collected, referred to 
as a "routine use." Agencies are required to enumerate these routine 
uses in their system-of-records notices[Footnote 51] and publish the 
notice in the Federal Register for public comment. According to OMB's 
1975 implementation guidance, the routine use provisions were intended 
to "serve as a caution to agencies to think out in advance what uses it 
will make of information" and was intended "to discourage the 
unnecessary exchange of information to other persons or to agencies who 
may not be as sensitive to the collecting agency's reasons for using 
and interpreting the material." Section 208 of the E-Government Act of 
2002 and related OMB guidance also have provisions that implement the 
use limitation principle, chiefly by requiring that PIAs include the 
intended uses of the information and with whom the information will be 
shared. 

Although the Privacy Act and E-Government Act have provisions for 
limiting the use of personally identifiable information to a specified 
purpose, these mechanisms may not always be effective for the following 
reasons: 

* Unconstrained application of pre-defined "routine" uses may weaken 
use limitations. A number of concerns have been raised about the impact 
on privacy of potentially unnecessary routine uses for agency systems 
of records, particularly through the application of "standard" routine 
uses that are developed for general use on multiple systems of records. 
This practice is not prohibited by the Privacy Act. All six agencies we 
reviewed had lists of standard routine uses for application to their 
systems of records. However, the language of these standard routine 
uses varies from agency to agency. For example, as shown in table 4, 
several agencies have a routine use allowing them to share information 
about individuals with other governmental entities for purposes of 
decision-making about hiring or retention of an individual, issuance of 
a security clearance, license, contract, grant, or other benefit. 

Table 4: Sample Descriptions from Five Agencies of a Standard Routine 
Use for Hiring or Retention of an Individual or the Issuance of a 
Security Clearance, Contract, Grant, or Other Benefit: 

Agency: DHS; 
Standard routine use: To appropriate federal, state, local, tribal, 
territorial, foreign, or international agency, if the information is 
relevant and necessary to a requesting agency's decision concerning the 
hiring or retention of an individual, or issuance of a security 
clearance, license, contract, grant or other benefit, or if the 
information is relevant and necessary to a DHS decision concerning the 
hiring or retention of an employee, the issuance of a security 
clearance, the reporting of an investigation of an employee, the 
letting of a contract, or the issuance of a license, grant, or other 
benefit and when disclosure is appropriate to the proper performance of 
the official duties of the person making the request. 

Agency: DOT; 
Standard routine use: A record from this system of records may be 
disclosed, as a routine use, to a federal agency, in response to its 
request, in connection with the hiring or retention of an employee, the 
issuance of a security clearance, the reporting of an investigation of 
an employee, the letting of a contract, or the issuance of a license, 
grant, or other benefit by the requesting agency, to the extent that 
the information is relevant and necessary to the requesting agency's 
decision on the matter. 

Agency: HHS; 
Standard routine use: Disclosure may be made to a federal, state, 
local, foreign, or tribal or other public authority of the fact that 
this system of records contains information relevant to the retention 
of an employee, the retention of a security clearance, the letting of a 
contract, or the issuance or retention of a license, grant, or other 
benefit. The other agency or licensing organization may then make a 
request supported by the written consent of the individual for the 
entire record if it so chooses. No disclosure will be made unless the 
information has been determined to be sufficiently reliable to support 
a referral to another office within the agency or to another federal 
agency for criminal, civil, administrative personnel, or regulatory 
action. 

Agency: IRS; 
Standard routine use: Disclose to a federal, state, local, or tribal 
agency, or other public authority, which has requested information 
relevant or necessary to hiring or retaining an employee, or issuing or 
continuing a contract, security clearance, license, grant, or other 
benefit. This is compatible with the purpose for which the records were 
collected because the disclosure permits the IRS to assist another 
agency or authority in ensuring that it only hires or issues benefits 
to eligible individuals. 

Agency: DOJ; 
Standard routine use: To appropriate officials and employees of a 
federal agency or entity that requires information relevant to a 
decision concerning the hiring, appointment, or retention of an 
employee; the issuance, renewal, suspension, or revocation of a 
security clearance; the execution of a security or suitability 
investigation; the letting of a contract; or the issuance of a grant or 
benefit. 

Source: DHS, DOT, HHS, IRS, and DOJ. 

[End of table] 

As shown in the table, one agency (HHS) includes a provision that 
sharing of this information will occur only after the requesting agency 
has submitted a request supported by written consent of the affected 
individual. In contrast, similar routine uses at other agencies (DHS, 
DOJ, IRS, and DOT) have no requirement for the written consent of the 
individual. Still another agency (SSA) has no comparable standard 
routine use at all. Experts expressed concern that "standard" routine 
uses such as these vary so much from agency to agency, with no specific 
legal requirement that they be formulated consistently. 

Further, agencies do not apply these uses consistently. DHS, for 
example, has a "library" of routine uses that are applied selectively 
to systems of records on a case-by-case basis. In contrast, DOT applies 
its list of general routine uses to all of its systems of records, 
unless explicitly disavowed in the system's public notice. Similarly, 
the FBI applies its "blanket" routine uses to "every existing FBI 
Privacy Act system of records and to all FBI systems of records created 
or modified in the future." As a result, use may not always be limited 
as the Privacy Act intended. 

* The Privacy Act sets only modest limits on the use of personal 
information for multiple purposes within an agency. Recognizing the 
need for agency personnel to access records to carry out their duties, 
the Privacy Act permits disclosures from agency systems of records "to 
those officers and employees of the agency which maintains the record 
who have a need for the record in the performance of their duties." 
However, without additional limits, internal uses could go beyond uses 
that are related to the purpose of the original collection. In our 
interviews with senior agency privacy officials, we asked what, if any, 
limits were placed on internal agency uses of information. Several 
agencies responded that, consistent with the Privacy Act and OMB 
guidance, internal agency usage of personal information was limited to 
those personnel with a "need to know."[Footnote 52] Because the Privacy 
Act and related guidance do not require it, none of these agencies took 
steps to determine whether internal uses were consistent with the 
purposes originally stated for the collection of information. Reliance 
on the "need to know" criteria for sharing information does not require 
a determination regarding compatibility with the original collection. 

The potential that personal information could be used for multiple, 
unspecified purposes is especially heightened in large agencies with 
multiple components that may collect personal information in many 
different ways for disparate purposes. For example, the establishment 
of DHS in March 2003 brought 22 agencies with varied missions and 
180,000 employees into a single agency. These agencies collect personal 
information for a range of purposes, including administering 
citizenship, enforcing immigration laws, protecting land and sea ports 
of entry, and protecting against threats to aviation security. The 
Privacy Act does not constrain DHS or other agencies from using 
information obtained for one of these specific missions for another 
agency mission. As a result, individuals do not have assurance that 
their information will be used only for the purpose for which it was 
collected. 

* The Privacy Act's provisions may not apply when data are shared for 
use by another agency. In addition to concerns about limiting use to a 
specified purpose within an agency, more extensive issues have been 
raised when data are shared outside an agency, even when such sharing 
is pursuant to a predefined "routine" use. Although the Privacy Act 
provides assurance that the information in systems of records cannot be 
disclosed unless it is pursuant to either a routine use or another 
statutorily allowed condition, the act does not attach its protections 
to data after they have been disclosed.[Footnote 53] Despite the lack 
of requirements, agencies we reviewed reported taking measures to 
ensure the data are used appropriately by recipients. For example, 
agencies reported using mechanisms such as computer matching agreements 
under the matching provisions of the Privacy Act or other types of data-
sharing agreements to impose privacy protections on recipients of 
shared data. However, absent these measures taken by agencies, data 
shared outside federal agencies would not always have sufficient 
protections. 

Data sharing among agencies is central to the emerging information 
sharing environment intended to facilitate the sharing of terrorism 
information. If the information sharing environment is to be effective, 
it will require policies, procedures, and technologies that link 
people, systems, and information among all appropriate federal, state, 
local, and tribal entities and the private sector. In the recent 
development of guidelines for the information-sharing environment, 
there has been general agreement that privacy considerations must also 
be addressed alongside measures for enhancing the exchange of 
information among agencies. The Intelligence Reform and Terrorism 
Prevention Act of 2004 called for the issuance of guidelines to protect 
privacy and civil liberties in the development of the information 
sharing environment, and the President reiterated that requirement in 
an October 2005 directive to federal departments and agencies. Based on 
the President's directive, a committee within the Office of the 
Director of National Intelligence was established to develop such 
guidelines, and they were approved by the President in November 2006. 
[Footnote 54] However, as we previously testified,[Footnote 55] the 
guidelines as issued provide only a high-level framework for addressing 
privacy protection and do not include all of the Fair Information 
Practices. 

More recently, in September 2007, the Program Manager for the 
Information Sharing Environment released a Privacy and Civil Liberties 
Implementation Guide for the Information Sharing Environment.[Footnote 
56] The guide describes the processes for information-sharing 
environment participants to follow when integrating privacy and civil 
liberties safeguards into their information sharing efforts, including 
an assessment of whether current activities comply with the privacy 
guidelines. However, as noted by our expert panel, these guidelines do 
not address the application of protections to Privacy Act data as they 
are shared within the information sharing environment, mentioning the 
act only in passing. In the absence of the adoption of more specific 
implementation guidelines or more explicit protections in the Privacy 
Act for data that are disclosed, agency information-sharing activities 
may not ensure that the use of personal information is sufficiently 
limited. 

Alternatives for Better Ensuring That Purpose Is Specified and That 
Collection and Use of Personal Information Are Limited: 

A number of options exist for addressing the issues associated with 
specifying the purpose for obtaining personal information, limiting the 
collection of such information, and limiting its use to specified 
purposes. Alternatives in each of these categories are as follows: 

Purpose Specification: 

* Require agencies to state the principal purpose for each system of 
records. Having a specific stated purpose for each system of records 
would make it easier to determine whether planned uses were consistent 
with that purpose. 

Collection Limitation: 

* Require agencies to limit collection of personally identifiable 
information and to explain how such collection has been limited in 
system-of-records notices. This requirement would more directly require 
agencies to limit their collection of personally identifiable 
information than the current requirement, which is simply to maintain 
only such information as is relevant and necessary to accomplish a 
purpose of the agency. 

* Revise the Paperwork Reduction Act to include specific requirements 
for limiting the collection of personally identifiable information. The 
Paperwork Reduction Act currently does not specifically address 
limiting the collection of personally identifiable information but 
could serve as an established mechanism for incorporating such limits. 

Use Limitation: 

* Require agencies to justify the use of key elements of personally 
identifiable information. Agencies could be required to state their 
reasons for collecting specific personally identifiable information, 
such as Social Security numbers and dates of birth. The Secure Flight 
program within DHS, for example, recently went through a process of 
analyzing specific data elements to be collected from airline 
passengers for pre-screening purposes and was able as a result to limit 
its requirements to only a few key elements for most passengers. Given 
concerns about data collection, it is likely that other government data 
collections could also be reduced based on such an analysis. 

* Set specific limits on routine uses and internal uses of information 
within agencies. Sharing of information within an agency could be 
limited to purposes clearly compatible with the original purpose of a 
system of records. Agencies could also be required to be specific in 
describing purposes associated with routine uses. 

* Require agencies to establish formal agreements with external 
governmental entities before sharing personally identifiable 
information with them, as is already done at certain agencies. These 
formal agreements would be a means to carry forward to external 
entities the privacy controls that applied to the information when it 
was in an agency system of records. 

These requirements could be set explicitly in law or a legal 
requirement could be set for another agency, such as OMB, to develop 
specific implementation guidelines for agencies. Setting such 
requirements could help ensure that a proper balance exists in allowing 
government agencies to collect and use personally identifiable 
information while also limiting that collection and use to what is 
necessary and relevant. 

The Privacy Act May Not Include Effective Mechanisms for Informing the 
Public: 

Transparency about government programs and systems that collect and use 
personal information is a key element in maintaining public trust and 
support for programs that use such information. A primary method for 
providing transparency is through public written notices. A clear and 
effective notice can provide individuals with critical information 
about what personal data are to be collected, how they are to be used, 
and the circumstances under which they may be shared. An effective 
notice can also provide individuals with information they need to 
determine whether to provide their personal information (if voluntary), 
or who to contact to correct any errors that could result in an adverse 
determination about them. 

In formal terms, the openness principle states that the public should 
be informed about privacy policies and practices and that individuals 
should have a ready means of learning about the use of personal 
information. The openness principle underlies the public notice 
provisions of the Privacy Act. Specifically, the Privacy Act requires 
agencies to publish in the Federal Register, "upon establishment or 
revision, a notice of the existence and character of a system of 
records." This notice is to include, among other things, the categories 
of records in the system as well as the categories of sources of 
records. The notice is also required to explain agency procedures 
whereby an individual can gain access to any record pertaining to him 
or her contained in the system of records and contest its content. 
Agencies are further required to publish notice of any new use or 
intended use of the information in the system and provide an 
opportunity for interested persons to submit written data, views, or 
arguments to the agency.[Footnote 57] 

In addition, when collection of personal information is received 
directly from the affected individual, agencies are required to notify 
the individual of the primary purposes for the collection and the 
planned routine uses of the information. The act encourages agencies, 
to the extent practicable, to collect information directly from the 
subject individual when the information may result in adverse 
determinations about the individual's rights, benefits, and privileges 
under federal programs. 

It is critical that Privacy Act notices effectively communicate to the 
public the nature of agency collection and use of personal information 
because such notices are the fundamental mechanisms by which agencies 
are held accountable for specifying purpose, limiting collection and 
use, and providing a means to access and correct records. These notices 
can be seen as agreements between agencies and the public to provide 
protections for the data in the custody of the government. 

System-of-records notices are especially important in cases where 
information is not obtained directly from individuals because there is 
no opportunity for them to be informed directly. As experts noted, 
collection from individuals may be less prevalent in an environment 
where agencies are encouraged to participate in cross agency e- 
government initiatives that promote a "collect once, use many" 
approach. Experts also noted that since the terrorist attacks on 9/11, 
agencies are charged with sharing information more readily, one of the 
major goals of the information sharing environment. In situations such 
as these, the system-of-records notice may be one of the only ways for 
individuals to learn about the collection of their personal 
information. 

However, experts at our forum as well as agency privacy officials 
questioned the value of system-of-records notices as vehicles for 
providing information to the general public. Specifically, concerns 
were raised that the content of these notices and their publication in 
the Federal Register may not fully inform the public about planned 
government uses of personal information, for the following reasons: 

* System of record notices may be difficult to understand. As with 
other legally-required privacy notices, such as the annual privacy 
notices provided to consumers by banks and other financial 
institutions, system-of-records notices have been criticized as hard to 
read and understand. For example, lay readers may have difficulty 
understanding the extent to which lists of "routine" uses actually 
explain how the government intends to collect and use personal 
information. Likewise, for an uninformed reader, a list of exemptions 
claimed for the system--cited only by the corresponding paragraph 
number in the Privacy Act--could raise more questions than it answers. 
Agency senior privacy officials we interviewed frequently cited legal 
compliance as the primary function of a system-of-records notice, thus 
leading to legalistic descriptions of the controls on collection and 
use of personal information. These officials acknowledged that these 
descriptions of privacy protections may not be very useful to the 
general public. Privacy experts at our forum likewise viewed system-of- 
records notices as having limited value as a vehicle for public 
notification. 

* System-of-records notices do not always contain complete and useful 
information about privacy protections. As discussed earlier in this 
report, system-of-records notices can be written to describe purposes 
and uses of information in such broad terms that it becomes 
questionable whether those purposes and uses have been significantly 
limited. Likewise, broad purpose statements contained in system-of- 
records notices may not contain enough information to usefully inform 
the public of the government's intended purposes, and the citation of 
multiple routine uses does little to aid individuals in learning about 
how the government is using their personal information. The Privacy Act 
does not require agencies to be specific in describing the purposes 
associated with routine uses. Further, individuals are limited in their 
ability to know how extensively their information may be used within an 
agency, since there are no requirements to publish all expected 
internal agency uses of personal information. 

Several agency privacy officials as well as experts at our forum noted 
that privacy impact assessments, when properly prepared, can lead to 
more meaningful discussions about privacy protections and may serve as 
a better vehicle to convey purposes and uses of information to the 
public. OMB guidance requires agency PIAs to identify what choices were 
made regarding an IT system or information collection as a result of 
performing a PIA, while a system-of-records notice contains no 
comparable requirement. As a result, a well-crafted PIA may provide 
more meaningful notice to the public not only about the planned 
purposes and uses of personal information, but also about how an 
agency's assessment was used to drive decisions about the system. 

* Publication in the Federal Register May Reach Only a Limited 
Audience. Agency privacy officials questioned whether the required 
publication of system-of-records notices in the Federal Register would 
be useful to a broader audience than federal agency officials and 
public interest groups, such as privacy advocacy groups. Notices 
published in the Federal Register may not be very accessible and 
readable. The Federal Register Web site does not provide a ready means 
of determining what system-of-records notices are current, when they 
were last updated, or which ones apply to any specific governmental 
function. Officials agreed that it can be difficult to locate a system- 
of-records notice on the Federal Register Web site, even when the name 
of the relevant system of records is known in advance. Privacy experts 
at our forum likewise agreed that the Federal Register is probably not 
effective with the general public and that a more effective technique 
for reaching a wide audience in today's environment is via consolidated 
publication on a governmentwide Web site devoted to privacy. Both 
agency officials and privacy experts also agreed, however, that the 
Federal Register serves a separate but important role as the official 
public record of federal agencies, and thus it would not be advisable 
to cease publishing system-of-records notices in the Federal Register. 
Notice in the Federal Register also serves an important role as the 
official basis for soliciting comments from the public on proposed 
systems of records. 

Alternatives for Improving Notice to the Public: 

Based on discussions with privacy experts, agency officials, and 
analysis of laws and related guidance, a number of options exist for 
addressing the issues associated with improving public notice regarding 
federal collection and use of personal information. As with the 
alternatives previously discussed, these could be addressed explicitly 
in law or a legal requirement could be set for another agency, such as 
OMB, to develop specific implementation guidelines for agencies. These 
alternatives are as follows: 

* Require layered public notices in conjunction with system-of-records 
notices. Given the difficulty that a lay audience may face in trying to 
understand the content of notices, experts at our forum agreed that a 
new approach ought to be taken to designing notices for the public 
about use of personal information. Specifically, the use of layered 
notices, an approach that is actively being pursued in the private 
sector for consumer privacy notices, could also be effective for 
Privacy Act notices. Layering involves providing only the most 
important summary facts up front--often in a graphically oriented 
format--followed by one or more lengthier, more narrative versions. By 
offering both types of notices, the benefits of each can be realized: 
long notices have the advantage of being complete, but may not be as 
easy to understand, while brief notices may be easier to understand but 
may not capture all the detail that needs to be conveyed. A recent 
interagency research project on the design of easy-to-understand 
consumer financial privacy notices found, among other things, that 
providing context to the notice (explaining to consumers why they are 
receiving the notice and what to do with it) was key to comprehension, 
and that comprehension was aided by incorporating key visual design 
elements, such as use of a tabular format, large and legible fonts, and 
appropriate use of white space and simple headings.[Footnote 58] 

The multilayered approach discussed and lessons learned could be 
applied to government privacy notices. For example, a multilayered 
government privacy notice could provide a brief description of the 
information required, the primary purpose for the collection, and 
associated uses and sharing of such data at one layer. The notice could 
also provide additional details about the system or program's uses and 
the circumstances under which data could be shared at a second layer. 
This would accomplish the purpose of communicating the key details in a 
brief format, while still providing complete information to those who 
require it. Aiming to improve comprehension of notices by citizens 
through clearer descriptions could better achieve the Privacy Act's 
objective of publishing a public notice of the "existence and 
character" of systems of records. 

* Set requirements to ensure that purpose, collection limitations, and 
use limitations are better addressed in the content of privacy notices. 
Additional requirements could be established for the content and 
preparation of system-of-records notices, to include a specific 
description of the planned purpose of a system as well as what data 
needs to be collected to serve that purpose and how its use will be 
limited to that purpose, including descriptions of primary and 
secondary uses of information. Agencies may be able to use material 
developed for PIAs to help meet these requirements. Setting these 
requirements could spur agencies to prepare notices that include more 
meaningful descriptions of the intents and purposes of their systems of 
records. 

* Make all notices available on a governmentwide privacy Web site. 
Experts at our forum and agency officials also agreed that the most 
effective and practical method for sharing information with the public 
is through the Web. Relevant privacy notices could be published at a 
central governmentwide location, such as [hyperlink, 
http://www.privacy.gov], and at corresponding standard locations on 
agency Web sites, such as [hyperlink, http://www.agency.gov/privacy]. 
Given that adequate attention is paid to making the information 
searchable as well as easy to locate and peruse, such a Web site has 
the potential to reach a far broader spectrum of users than the Federal 
Register. 

Conclusions: 

Current laws and guidance governing the federal government's 
collection, use, and disclosure of personal information have gaps and 
other potential shortcomings in three broad categories: (1) the Privacy 
Act and E-Government Act do not always provide protections for federal 
uses of personal information, (2) laws and guidance may not effectively 
limit agency collection and use of personal information to specific 
purposes, and (3) the Privacy Act may not include effective mechanisms 
for informing the public. 

These issues merit congressional attention as well as continued public 
debate. Some of these issues--particularly those dealing with 
limitations on collection and use as well as mechanisms for informing 
the public--could be addressed by OMB through revisions or supplements 
to guidance. However, unilateral actions by OMB would not have the 
benefit of public deliberations regarding how best to achieve an 
appropriate balance between the government's need to collect, process, 
and share personally identifiable information and the rights of 
individuals to know about such collections and be assured that they are 
only for limited purposes and uses. Striking such a balance is properly 
the responsibility of Congress. 

Matter for Congressional Consideration: 

In assessing the appropriate balance between the needs of the federal 
government to collect personally identifiable information for 
programmatic purposes and the assurances that individuals should have 
that their information is being sufficiently protected and properly 
used, Congress should consider amending applicable laws, such as the 
Privacy Act and the E-Government Act, according to the alternatives 
outlined in this report, including: 

* revising the scope of the laws to cover all personally identifiable 
information collected, used, and maintained by the federal government; 

* setting requirements to ensure that the collection and use of 
personally identifiable information is limited to a stated purpose; 
and; 

* establishing additional mechanisms for informing the public about 
privacy protections by revising requirements for the structure and 
publication of public notices. 

Agency Comments and Our Evaluation: 

We received written comments on a draft of this report from the Deputy 
Administrator of the Office of E-Government and Information Technology 
and the Deputy Administrator of the Office of Information and 
Regulatory Affairs of OMB. The letter is reprinted in appendix V. In 
their comments, the officials noted that they shared our concerns about 
privacy and listed guidance the agency has issued in the areas of 
privacy and information security. The officials stated they believe it 
would be important for Congress to consider potential amendments to the 
Privacy Act and the E-Government Act in the broader context of the 
several privacy statutes that Congress has enacted. 

Though we did not make specific recommendations to OMB, the agency 
provided comments on the alternatives identified in conjunction with 
our matter for congressional consideration. Regarding alternatives for 
revising the scope of laws to cover all personally identifiable 
information collected, used, and maintained by the federal government, 
OMB stated that it would be important for Congress to evaluate fully 
the potential implications of revisions such as amending the Privacy 
Act's system-of-records definition. We believe that, given the Privacy 
Act's controls on the collection, use, and disclosure of personally 
identifiable information do not consistently protect such information 
in all circumstances of its collection and use throughout the federal 
government, amending the act's definition of a system of records is an 
important alternative for Congress to consider. However, we agree with 
OMB that such consideration should be thorough and include further 
public debate on all relevant issues. 

Regarding alternatives for setting requirements to ensure that the 
collection and use of personally identifiable information is limited to 
a stated purpose, OMB stated that agencies are working to implement a 
requirement in a recent OMB memorandum to review and reduce the volume 
of personally identifiable information they handle "to the minimum 
necessary." The draft report notes that this requirement is in place; 
however, because significant concerns were raised about this issue by 
our previous work and by experts at our forum, we believe Congress 
should consider additional alternatives for ensuring that the 
collection and use of personally identifiable information is limited to 
a stated purpose. 

Finally, regarding effective mechanisms for informing the public, OMB 
stated that it supports ensuring that the public is appropriately 
informed of how agencies are using their information. OMB stated that 
they will review agency practices in informing the public and review 
the alternatives outlined in our report. 

OMB provided additional technical comments, which are addressed in 
appendix V. We also received technical comments from DHS, DOJ, DOT, and 
IRS. We have addressed these comments in the final report as 
appropriate. 

Unless you publicly announce the content of this report earlier, we 
plan no further distribution until 30 days from the report date. At 
that time, we will send copies of this report to the Attorney General, 
the Secretaries of Homeland Security, Health and Human Services, and 
Transportation; the Commissioners of the Internal Revenue Service and 
the Social Security Administration; the Director, Office of Management 
and Budget; and other interested congressional committees. Copies will 
be made available at no charge on our Web site, [hyperlink, 
http://www.gao.gov]. 

If you have any questions concerning this report, please call me at 
(202) 512-6240 or send e-mail to koontzl@gao.gov. Contact points for 
our office of Congressional Relations and Public Affairs may be found 
on the last page of this report. Key contributors to this report are 
listed in appendix VI. 

Signed by: 

Linda D. Koontz: 
Director, Information Management Issues: 

List of Congressional Requesters: 

The Honorable Harry Reid: 
Senate Majority Leader: 
United States Senate: 

The Honorable Daniel K. Akaka: 
Chairman: 
Committee on Veterans' Affairs: 
United States Senate: 

The Honorable Joseph I. Lieberman: 
Chairman: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable Bob Filner: 
Chairman: 
Committee on Veterans' Affairs: 
House of Representatives: 

The Honorable Hillary Rodham: 
Clinton United States Senate: 

The Honorable Byron L. Dorgan: 
United States Senate: 

The Honorable Patty Murray: 
United States Senate: 

The Honorable Barack Obama: 
United States Senate: 

The Honorable John D. Rockefeller, IV: 
United States Senate: 

The Honorable Ken Salazar: 
United States Senate: 

The Honorable Charles E. Schumer: 
United States Senate: 

[End of section] 

Appendix I: Objective, Scope, and Methodology: 

Our objective was to identify major issues regarding whether the 
Privacy Act of 1974, the E-Government Act of 2002, and related guidance 
consistently cover the federal government's collection and use of 
personal information and incorporate key privacy principles, and in 
doing so, to identify options for addressing these issues. Our 
objective was not focused on evaluating compliance with these laws; 
rather, it was to identify major issues concerning their sufficiency in 
light of current uses of personal information by the federal 
government. 

To address our objective, we reviewed and analyzed the Privacy Act, 
section 208 of the E-Government Act, and related Office of Management 
and Budget (OMB) guidance to determine the types of activities and 
information they apply to and to identify federal agency privacy 
responsibilities. We compared privacy protection requirements of these 
laws and related OMB guidance with the Fair Information Practices to 
identify any issues or gaps in privacy protections for personal 
information controlled by the federal government. In this regard, we 
also assessed the role of the Paperwork Reduction Act in protecting 
privacy by limiting collection of information. We also drew upon our 
prior work to identify examples of potential gaps in addressing the 
Fair Information Practices. A list of related GAO products can be found 
at the end of this report. 

We also obtained an operational perspective on these issues by 
analyzing agency privacy-related polices and procedures and through 
discussion sessions on the sufficiency of these laws with senior agency 
privacy officials at six federal agencies. These agencies were the 
Departments of Health and Human Services, Homeland Security, Justice, 
and Transportation; the Internal Revenue Service; and the Social 
Security Administration. We selected these agencies because they have 
large inventories of information collections, prominent privacy issues, 
and varied missions. Additionally, our colleagues at the National 
Academy of Sciences (NAS) agreed that this selection was appropriate 
for obtaining an operational perspective on these issues. The 
perspective obtained from the six agencies is not representative 
governmentwide. However, because we selected these agencies based on a 
rigorous set of selection criteria, the information we gathered during 
this discussion session provided us with an overview and operational 
perspective of key privacy-related policies and procedures. The design 
of our discussion session was informed by a small group meeting held 
with several agency privacy officials in June 2007. 

To obtain a citizen-centered perspective on the impact of gaps in 
privacy laws and guidance, we contracted with NAS to convene an expert 
panel. The panel, which was held in October 2007, consisted of 12 
privacy experts, who were selected by NAS and were from varying 
backgrounds, such as academic, commercial, advocacy, and other private- 
sector communities. A list of the individuals participating in the 
expert forum can be found in appendix II. We developed an agenda and 
facilitated a detailed discussion concerning major issues with the 
existing framework of privacy laws. In addition, we met separately with 
Franklin Reeder, an expert involved in development of the Privacy Act 
and OMB guidance on the act, who was unable to participate in the 
expert forum. 

To identify options for addressing major issues identified, we drew 
from our own analysis, our interviews with senior agency privacy 
officials, as well as feedback and suggestions brought forth during the 
expert forum. 

We conducted this performance audit from March 2007 to May 2008, in 
Washington, D.C., in accordance with generally accepted government 
auditing standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable 
basis for our findings and conclusions based on our audit objectives. 

[End of section] 

Appendix II: National Academy of Sciences Expert Panel Participants: 

We contracted with NAS to convene a panel of privacy experts outside 
government to obtain a citizen-centered perspective on the impact of 
gaps in privacy laws and guidance. Below is a listing of panel 
participants and their current affiliations: 

Jennifer Barrett: 
Privacy Leader: 
Acxiom Corporation: 

Fred Cate: 
Distinguished Professor: 
Indiana University School of Law-Bloomington: 

Daniel Chenok: 
Senior Vice President, Pragmatics: 

Robert Gellman: 
Privacy and Information Policy Consultant: 

Jim Harper: 
Director: 
Cato Institute, Information Policy Studies: 

Nuala O'Connor Kelly: 
Chief Privacy Leader: 
General Electric Company: 

Priscilla M. Regan: 
Professor of Government and Politics: 
George Mason University: 
Department of Public and International Affairs: 

Leslie Ann Reis: 
Director & Adjunct Professor of Law: 
The John Marshall Law School: 
Center for Information Technology and Privacy Law: 

David Sobel: 
Senior Counsel: 
Electronic Frontier Foundation: 

John T. Sabo: 
Director: 
Global Government Relations: 
Computer Associates, Inc. 

Barry Steinhardt: 
American Civil Liberties Union: 
Technology and Liberty Program: 

Peter Swire: 
C. William O'Neill Professor of Law: 
Ohio State University: 
Moritz College of Law: 

NAS staff assisting in coordinating the selection of experts and 
organizing the forum included, Joan Winston, Program Officer; Kristen 
Batch, Associate Program Officer; and Margaret Huynh, Senior Program 
Assistant. 

Forum Facilitators: 

John de Ferrari, Assistant Director: 

David Plocher, Senior Attorney: 

Andrew Stavisky, Methodologist: 

[End of section] 

Appendix III: Privacy Act Exemptions and Exceptions to the Prohibition 
Against Disclosure without Consent of the Individual: 

Agencies are allowed to claim exemptions from some of the provisions of 
the Privacy Act if the records are used for certain purposes such as 
law enforcement. The Privacy Act also provides that agencies not 
disclose information from a system of records without prior written 
consent of the individual to whom the record pertains, unless the 
disclosure falls under 1 of 12 exceptions defined by the act. 

The Privacy Act Provides Exemptions for Certain Sensitive Activities: 

Subsections (j) and (k) of the Privacy Act prescribe the circumstances 
under which exemptions can be claimed and identify the provisions of 
the act from which agencies can claim exemptions. When an agency uses 
the authority in the act to exempt a system of records from certain 
provisions, it is to issue a rule explaining the reasons for the 
exemption. 

Subsection (k) of the Privacy Act permits agencies to claim specific 
exemptions from seven provisions of the act that relate to notice to an 
individual concerning the use of personal information, requirements 
that agencies maintain only relevant and necessary information, and 
procedures for permitting access to and correction of an individual's 
records, when the records are: 

1. subject to the exemption for classified information in b(1) of the 
Freedom of Information Act; 

2. certain investigatory material compiled for law enforcement purposes 
other than material within the scope of a broader category of 
investigative records compiled for civil or criminal law enforcement 
purposes addressed in subsection (j); 

3. maintained in connection with providing protective services to the 
President of the United States; 

4. required by statute to be maintained and used solely as statistical 
records; 

5. certain investigatory material compiled solely for the purpose of 
determining suitability, eligibility, or qualifications for federal 
civilian employment, military service, federal contracts, or access to 
classified information; 

6. certain testing or examination material used solely to determine 
individual qualifications for appointment or promotion in the federal 
service; and; 

7. certain evaluation material used to determine potential promotion in 
the armed services: 

Under these circumstances, agencies may claim exemptions from the 
provisions of the act, described in table 5. 

Table 5: Privacy Act Provisions Agencies May Claim an Exemption under 
Subsection (k): 

Citation: 5 U.S. C. §552a(c)(3); 
Description of provision: Agencies must make an accounting of 
disclosures available to the individual named in the record at his 
request. 

Citation: 5 U.S.C. § 552a(d); 
Description of provision: Agencies must permit an individual to have 
access to his record, request amendment, if necessary, and if the 
agency refuses to amend the record, permit the individual to request, 
review of such refusal. If a contested record is disclosed, agencies 
must note any portion of the record that is disputed prior making a 
disclosure. 

Citation: 5 U.S.C. § 552a(e)(1); 
Description of provision: Agencies must maintain in their records only 
such information about an individual as is relevant and necessary to 
accomplish a purpose of the agency required to be accomplished by 
statute or by executive order of the President. 

Citation: 5 U.S.C. § 552a(e)(4)(G),(H), and (I); 
Description of provision: Agencies must publish a system-of-records 
notice including the procedures by which an individual can be notified 
at his request if the system of records contains a record pertaining to 
him; the procedures by which an individual can be notified at his 
request how he can gain access to any record pertaining to him and how 
he can contest its content; and the categories of sources in the 
system. 

Citation: 5 U.S.C. §552a(f); 
Description of provision: Agencies must issue rules to establish, among 
other things, procedures whereby an individual can gain access to his 
records and request amendment. 

Source: The Privacy Act of 1974. 

[End of table] 

Subsection (j) provides a broader set of general exemptions, which 
permits records maintained by the Central Intelligence Agency or 
certain records maintained by an agency which has enforcement of 
criminal laws as its principal function to be exempted from any 
provision of the act, except those described in table 6. 

Table 6: Privacy Act Provisions from Which Agencies May Not Claim 
Exemptions: 

Citation: 5 U.S.C. § 552a(b); 
Description of provision: Agencies cannot disclose records without 
prior written consent of the individual to whom the record pertains 
unless disclosure of the records falls under 1 of 12 exceptions. 

Citation: 5 U.S.C. § 552a(c)(1) and (2); 
Description of provision: Agencies must account for certain disclosures 
including the date, nature, and purpose of each disclosure and the name 
and address of the person or agency to whom the disclosure is made. 
Agencies must retain the accounting for at least five years or the life 
of the record, whichever is longer. 

Citation: 5 U.S.C. § 552a(e)(4)(A) through (F); 
Description of provision: Agencies must publish a systems of records 
notice in the Federal Register including; the name and location of the 
system; the categories of individuals on whom records are maintained in 
the system; the categories of records maintained in the system; each 
routine use of the records contained in the system, including the 
categories of users and the purpose of such use; the policies and 
practices of the agency regarding storage, retrievability, access 
controls, retention, and disposal of the records; and the title and 
business address of the agency official who is responsible for the 
system of records. 

Citation: U.S.C. §552a(e)(6),(7), (9), (10) and (11); 
Description of provision: Agencies: 
* must make reasonable efforts to assure that records are accurate, 
complete, timely, and relevant for agency purposes prior to 
disseminating any record to any person other than an agency; 
* may not maintain records describing how an individual exercises 
rights guaranteed by the First Amendment; 
* must establish rules of conduct for persons involved in the design, 
development, operation or maintenance of any system of records; 
* must establish appropriate administrative, technical, and physical 
safeguards to insure the security and confidentiality of records; and; 
* must publish a notice of any new or intended routine use or intended 
use of the information in the system in the Federal Register and 
provide an opportunity for interested persons to comment at least 30 
days before publication of the final notice. 

Citation: U.S.C. §552a(i); 
Description of provision: Criminal penalties shall be imposed when: 
* an employee of the agency knowingly and willfully discloses 
individually identifiable information from agency records in any manner 
to any person or agency not entitled to receive it; 
* an employee of any agency willfully maintains a system of records 
without meeting the notice requirements of the act; and; 
* any person who knowingly and willfully requests or obtains any record 
concerning an individual from an agency under false pretenses. 

Source: The Privacy Act of 1974, 5.U.S.C. §552a. 

[End of table] 

In general, the exemptions for law enforcement purposes are intended to 
prevent the disclosure of information collected as part of an ongoing 
investigation that could impair the investigation or allow those under 
investigation to change their behavior or take other actions to escape 
prosecution. 

Exceptions to the Prohibition against Disclosure without Prior Written 
Consent of the Individual: 

Subsection (b) of the Privacy Act provides that "No agency shall 
disclose any record which is contained in a system of records by any 
means of communication to any person, or to another agency, except 
pursuant to a written request by, or with the prior written consent of, 
the individual to whom the record pertains, unless disclosure of the 
record would be: 

1. to those officers and employees of the agency which maintains the 
record who have a need for the record in the performance of their 
duties; 

2. required under the Freedom of Information Act; 

3. for a routine use as defined in the act; 

4. to the Bureau of the Census for planning or carrying out a census or 
survey or related activity; 

5. for statistical research, provided the information is not 
individually identifiable; 

6. to the National Archives and Records Administration for historical 
preservation purposes; 

7. to any government agency (e.g., federal, state, or local) for a 
civil or criminal law enforcement activity if the head of the agency 
has made a written request specifying the information desired and the 
law enforcement activity for which the record is sought; 

8. to a person upon showing compelling circumstances affecting the 
health or safety of an individual if notice is transmitted to the last 
known address of such individual; 

9. to either House of Congress or any committee or subcommittee with 
related jurisdiction; 

10. to the Government Accountability Office; 

11. pursuant to a court order; or; 

12. to a consumer reporting agency for the purpose of collecting a 
claim of the government." 

[End of section] 

Appendix IV: OMB Privacy Guidance: 

Since its 1975 Privacy Act Implementation Guidelines, OMB has 
periodically issued guidance related to privacy addressing specific 
issues as they have arisen. Nearly all of this guidance can be found on 
the OMB Web site, [hyperlink, http://www.whitehouse.gov/omb], by 
searching in the "Agency Information" and "Information and Regulatory 
Affairs" sections of the Web site. 

Memorandum M-08-09: New FISMA Privacy Reporting Requirements for FY 
2008. January 18, 2008. 

Top Ten Risks Impeding the Adequate Protection of Government 
Information. July 2007. 

Memorandum M-07-19: FY 2007 Reporting Instructions for the Federal 
Information Security Management Act and Agency Privacy Management. July 
25, 2007. 

Guidance on Protecting Federal Employee Social Security Numbers and 
Combating Identity Theft. June 18, 2007. 

OMB Implementation Guidance for Title V of the E-Government Act of 
2002. June 15, 2007. 

Memorandum M-07-16: Safeguarding Against and Responding to the Breach 
of Personally Identifiable Information. May 22, 2007. 

Use of Commercial Credit Monitoring Services Blanket Purchase 
Agreements (BPA). December 22, 2006. 

Recommendations for Identity Theft Related Data Breach Notification. 
September 20, 2006. 

Memorandum M-06-20: FY 2006 Reporting Instructions for FISMA. July 17, 
2006. 

Memorandum M-06-19: Reporting Incidents Involving Personally 
Identifiable Information and Incorporating the Cost for Security in 
Agency Information Technology Investments. July 12, 2006. 

Memorandum M-06-16: Protection of Sensitive Agency Information. June 
23, 2006. 

Memorandum M-06-15: Safeguarding Personally Identifiable Information. 
May 22, 2006. 

Memorandum M-06-06: Sample Privacy Documents for Agency Implementation 
of HSPD-12 Common Identification Standard. February 17, 2006. 

Memorandum M-05-15: FY 2005 Reporting Instructions for the Federal 
Information Security Management Act and Agency Privacy Management. June 
13, 2005. 

Memorandum M-05-08: Designation of Senior Agency Officials for Privacy. 
February 11, 2005. 

Memorandum M-03-22: Guidance for Implementing the Privacy Provisions of 
the E-Government Act. September 26, 2003. 

Memorandum M-03-18: Implementation Guidance for the E-Government Act of 
2002. August 1, 2003. 

Guidance on Inter-Agency Sharing of Personal Data--Protection Personal 
Privacy. December 20, 2000. 

Baker/Spotila Letters and Memorandum M-00-13: Privacy Policies and Date 
Collection on Federal Websites. June 22, July 28, and September 5, 
2000. 

Status of Biennial Reporting Requirements Under the Privacy Act and the 
Computer Matching and Privacy Protection Act. June 21, 2000. 

Memorandum M-99-18: Privacy Policies on Federal Web Sites. June 2, 
1999. 

Memorandum M-99-05: Instructions on Complying with "Privacy and 
Personal Information in Federal Records." January 7, 1999. 

Biennial Privacy Act and Computer Matching Reports. June 1998. 

Privacy in Personal Information in Federal Records. May 4, 1998. 

Privacy Act Responsibilities for Implementing the Personal 
Responsibility and Work Opportunity Reconciliation Act (PRWORA) of 
1996. November 3, 1997. 

Office of Management and Budget Order Providing for the Confidentiality 
of Statistical Information and Extending the Coverage of Energy 
Statistical Programs Under the Federal Statistical Confidentiality 
Order. June 27, 1997. 

Report of the Privacy Working Group: Principles for Providing and Using 
Personal Information. June 1995. 

OMB Guidance on Computer Matching and Privacy Protection Amendments of 
1990 and Privacy Act of 1974. April 23, 1991. 

Office of Management and Budget Final Guidance Interpreting the 
Provisions of the Computer Matching and Privacy Protection Act of 1988. 
June 19, 1989. 

OMB Guidance on the Privacy Act Implications of "Call Detail" Programs. 
April 20, 1987. 

OMB Circular A-130, Management of Federal Information Resources, 
including Federal Agency Responsibilities for Maintaining Records About 
Individuals, and Implementation of the Paperwork Elimination Act. 
November 28, 2000. 

Updates to Original OMB Privacy Act Guidance. May 24, 1985. 

Revised Supplemental Guidance on Implementation of the Privacy Act of 
1974. March 29, 1984. 

Guidelines on the Relationship of the Debt Collection Act of 1982 to 
the Privacy Act of 1974. April 11, 1983. 

OMB Supplemental Guidance for Conducting Matching Programs. May 14, 
1982. 

Supplementary Guidance for Implementation of the Privacy Act of 1974. 
November 21, 1975. 

Congressional Inquiries Which Entail Access to Personal Information 
Subject to the Privacy Act. October 3, 1975. 

Privacy Act Implementation Guidelines and Responsibilities. July 9, 
1975. 

[End of section] 

Appendix V: Comments from the Office of Management and Budget: 

Note: GAO comments supplementing those in the report text appear at the 
end of this appendix. 

Executive Office Of The President: 
Office Of Management And Budget: 
Washington, D.C. 20503: 

May 2, 2008: 

Ms. Linda D. Koontz: 
Director: 
Information Management Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Ms. Koontz: 

Thank you for the opportunity to comment on the draft GAO report 
"Privacy: Alternatives Exist for Enhancing Protection of Personally 
Identifiable Information" (GAO-08-536). The Office of Management and 
Budget (OMB) welcomes GAO's review of alternatives for better 
safeguarding individuals' personally identifiable information (P11). 

OMB shares your concerns about privacy and information security, and we 
take seriously our responsibilities under the Privacy Act of 1974, the 
E-Government Act of 2002, and the Federal Information Security 
Management Act of 2002. In recent years, OMB has issued several 
memoranda addressing privacy and information security, including: 

* M-08-16 of April 4, 2008, Guidance for Trusted Internet Connection 
Statement of Capability Form (SOC); 

* M-08-10 of February 4, 2008, Use of Commercial Independent Risk 
Analysis Services Blanket Purchase Agreements (BPA); 

* M-08-09 of January 18, 2008, New FISMA Privacy Reporting Requirements 
for FY 2008; 

* M-08-05 of November 20, 2007, Implementation of Trusted Internet 
Connections (TIC); 

* M-07-20 of August 14, 2007, FY 2007 E-Government Act Reporting 
Instructions; 

* M-07-19 of July 25, 2007, FY 2007 Reporting Instructions for the 
Federal Information Security Management Act and Agency Privacy 
Management; 

* M-07-18 of June 1, 2007, Ensuring New Acquisitions Include Common 
Security Configurations; 

* M-07-16 of May 22, 2007, Safeguarding Against and Responding to the 
Breach of Personally Identifiable Information; 

* M-07-11 of March 22, 2007, Implementation of Commonly Accepted 
Security Configurations for Windows Operating Systems; 

* M-07-04 of December 22, 2006, Use of Commercial Credit Monitoring 
Services Blanket Purchase Agreements (BPA); 

* Memorandum for the Heads of Departments and Agencies of September 20, 
2006, Recommendations for Identity Theft Related Data Breach 
Notification; 

* M-06-25 of August 25, 2006, FY 2006 E-Government Act Reporting 
Instructions; 

* M-06-20 of July 17, 2006, FY 2006 Reporting Instructions for the 
Federal Information Security Management Act and Agency Privacy 
Management; 

* M-06-19 of July 12, 2006, Reporting Incidents Involving Personally 
Identifiable Information Incorporating the Cost for Security in Agency 
Information Technology Investments; 

* M-06-16 of June 23, 2006, Protection of Sensitive Agency Information; 

* M-06-15 of May 22, 2006, Safeguarding Personally Identifiable 
Information; 

* M-05-15 of June 13, 2005, FY 2005 Reporting Instructions for the 
Federal Information Security Management Act and Agency Privacy 
Management, and; 

* M-05-08 of February 11, 2005, Designation of Senior Agency Officials 
for Privacy. 

We appreciate the careful consideration of privacy issues in the draft 
report. The draft report provides several matters for congressional 
consideration regarding privacy, specifically, suggesting Congress 
should consider revising the Privacy Act and the E-Government Act. 
Among the alternatives the draft report discusses would be for Congress 
to amend the Privacy Act so that it would apply to all PII collected, 
maintained, and used by Federal agencies. 

During the course of a legislative consideration of possible amendments 
to the Privacy Act and the E-Government Act, along the lines of the 
alternatives in the draft report, we believe it would be important for 
Congress to consider these issues in the broader context of the several 
privacy statutes that Congress has enacted. In addition to such 
government-wide statutes as the Privacy Act, the Privacy Impact 
Assessment requirements of the E-Government Act, and the Federal 
Information Security Management Act (FISMA), Congress has also enacted 
privacy laws covering such areas as health-related information (the 
Health Insurance Portability and Accountability Act of 1996), 
statistical information about individuals (the Confidential Information 
Protection and Statistical Efficiency Act of 2002), and intelligence, 
law enforcement, and homeland security (the Intelligence Reform and 
Terrorism Prevention Act of 2004 and the Implementing Recommendations 
of the 9/11 Commission Act of 2007), as well as statutes that apply 
specifically to information about individuals that is collected by 
particular agencies, such as the Census Bureau, the Internal Revenue 
Service, and the Social Security Administration. 

In addition, during legislative consideration of possible revisions to 
privacy laws, we believe that it would be important for Congress to 
evaluate fully the potential implications of such revisions. For 
example, one of the alternatives that the draft report discusses would 
have Congress amend the Privacy Act in a very fundamental way. This 
alternative would involve safeguard information about individuals that 
is found in a "system of records," and instead to have the Act apply to 
all Pit, however maintained by an agency. We believe it would be 
important for Congress, in considering such a fundamental change to the 
Privacy Act, to consider the full range of implications flowing from 
that change. It maybe that, based on this consideration, other 
legislative alternatives might be identified that would be more 
desirable in terms of strengthening privacy protections in the most 
effective and efficient manner. 

The draft report also offers alternatives for ensuring that the purpose 
of agency use of PII is specified and agency collection and use of 
personal information is limited. As OMB stated in recent guidance in 
response to recommendations from the President's Identity Theft Task 
Force, agencies must review and reduce the volume of PII they handle 
"to the minimum necessary for the proper performance of a documented 
agency function." (Please see OMB Memorandum M-07-16 of May 22, 2007, 
Safeguarding Against and Responding to the Breach of Personally 
Identifiable Information.) Agencies are currently working to implement 
this guidance and the recommendations of the Task Force. In our annual 
reporting instructions last year to agencies on FISMA and privacy 
management, OMB required agencies to submit copies of policies and 
plans required by M-07-16, including an agency breach notification 
policy, an implementation plan to eliminate unnecessary use of social 
security numbers, an implementation plan and progress update on the 
review and reduction of agency holdings of PII, and an agency policy 
outlining rules of behavior for safeguarding PII. (Please see OMB 
Memorandum M-07-19 of July 25, 2007, FY 2007 Reporting Instructions for 
the Federal Information Security Management Act and Agency Privacy 
Management.) 

We also support ensuring the public is appropriately informed of how 
agencies are using their information. The publication of System of 
Records Notices and Privacy Impact Assessments is a crucial piece of 
the Federal privacy framework. We will review agency practices in 
informing the public and review the alternatives the draft report 
provides. 

Finally, we would like to respond to several statements in the draft 
report. 

On page 19, [See comment 1; now on page 15] the draft report discusses 
draft guidance on the Paperwork Reduction Act (PRA) that OMB had 
prepared in 1999: "Further, [OMB] developed guidance, which while 
remaining in draft, is widely used as a handbook for agencies on 
compliance with the law, according to OMB officials." The draft report 
continues by stating in footnote 23 that "although this guidance is 
draft, OMB officials stated that agencies are generally aware of the 
guidance and are expected to follow it." 

The draft report is incorrect when it states that agencies "are 
expected to follow" the draft 1999 guidance. The draft guidance has not 
been finalized, and thus remains a draft. GAO made this exact same 
(incorrect) statement in its draft of a 2005 report on the Paperwork 
Reduction Act, and OMB pointed out its disagreement with this statement 
in OMB comments to GAO on the draft report. (See "Paperwork Reduction 
Act: New Approach May Be Needed to Reduce Government Burden on Public," 
GAO 05-424 (May 2005), Appendix III (OMB letter of April 20, 2005), 
pages 53-54.) However, GAO did not correct this statement in the final 
version of the 2005 report (see page 22 footnote 34), and the current 
draft report repeats this incorrect statement. To be clear, agencies 
are expected to follow the Paperwork Reduction Act, OMB's implementing 
PRA regulations at 5 C.F.R. Part 1320, and OMB's January 2006 guidance 
to agencies on surveys conducted under the PRA. 

On page 23, [See comment 2; now on page 19] the draft report refers to 
a prior GAO conclusion from a 2003 GAO report: "In discussing this 
uneven compliance, agency officials reported the need for additional 
OMB leadership and guidance to assist in difficult implementation 
issues in a rapidly changing environment." We would note here that, in 
the comment letter that OMB submitted to GAO on the draft of the 
referenced 2003 report, OMB expressed concerns with the report's 
methodology and conclusions. (OMB's comment letter of June 20, 2003, is 
enclosed as Appendix VII of the final report.) 

On page 48, the draft report states that "OMB guidance does not provide 
specific measures for limiting information collections . . . OMB's 
recent guidance to limit collection of personally identifiable 
information did not include plans to monitor agency actions or take 
other proactive steps to ensure that agencies are effectively limiting 
their collections of personally identifiable information. Without a 
legal requirement to limit collection of personally identifiable 
information, it is unclear the extent to which agencies will follow 
OMB's guidance." 

As noted earlier in our letter, Federal agencies are working diligently 
to implement the OMB Memorandum M-07-16 requirement to review and 
reduce the volume of P11 they handle "to the minimum necessary for the 
proper performance of a documented agency function." In the aftermath 
of major data breaches in 2006 and the findings of the President's 
Identity Theft Task Force, agencies have become sensitized to limiting 
collections of personally identifiable information. Limiting the 
collection of personally identifiable information to what is authorized 
and necessary will require on-going attention by departments and 
oversight by OMB, as part of its Paperwork Reduction Act and Privacy 
Act responsibilities. [See comment 3; now on page 36] 

In closing, thank you again for the opportunity to comment on the draft 
report. 

Sincerely, 

Signed by: 

Kevin F. Neyland: 
Deputy Administrator:	
Office of Information and Regulatory Affairs: 

Signed by: 

Tim K. Young:
Deputy Administrator: 
Office of E-Government and Information Technology: 

The following is GAO's response to OMB's additional comments. 

GAO Comments: 

1. Statements in the 2005 report regarding the draft OMB Paperwork 
Reduction Act guidance were accurate for that review and supported by 
the evidence gathered. For that report, among other things, we selected 
detailed case reviews of 12 OMB-approved collections and compared the 
agencies' processes and practices in these case studies with the (1) 
act's requirements, (2) OMB's regulation and draft guidance to 
agencies, and (3) agencies' written directives and orders. 
Nevertheless, in its written response to the 2005 report, OMB officials 
stated that OMB's draft PRA guidance to agencies had become outmoded. 
Further, in its response, OMB stated that the report had convinced them 
that its draft PRA guidance did not serve its intended purpose and that 
it would explore alternative approaches to advising agencies on their 
PRA responsibilities. Accordingly, because the draft guidance has not 
been in effect since the 2005 report was issued, we have removed 
statements from our current draft regarding this guidance. 

2. As we stated in our response to OMB's comments on our 2003 report, 
[Footnote 59] we consider this report to be a comprehensive and 
accurate source of information on agencies' implementation of the 
Privacy Act. Our conclusions were based on the results of a 
comprehensive analysis of agency compliance with a broad range of 
requirements. 

3. We agree that the responsibility for limiting the collection of 
personally identifiable information to what is authorized and necessary 
will require ongoing attention by agencies and oversight by OMB. We 
also believe that Congress should consider alternatives, as identified 
in our report, to improve controls on the collection and use of 
personally identifiable information. 

[End of section] 

Appendix VI: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Linda D. Koontz (202) 512-6240 or KoontzL@gao.gov: 

Staff Acknowledgments: 

In addition to the contact person named above, John de Ferrari 
(Assistant Director), Shaun Byrnes, Susan Czachor, Barbara Collier, Tim 
Eagle, Matt Grote, Rebecca LaPaze, David Plocher, Jamie Pressman, and 
Andrew Stavisky made key contributions to this report. 

[End of section] 

Related GAO Products: 

Aviation Security: Efforts to Strengthen International Passenger 
Prescreening Are Under Way, but Planning and Implementation Issues 
Remain. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-346]. 
Washington, D.C.: May 16, 2007. 

DHS Privacy Office: Progress Made but Challenges Remain in Notifying 
and Reporting to the Public. [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-07-522], Washington, D.C.: April 27, 2007. 

Homeland Security: Continuing Attention to Privacy Concerns Is Needed 
as Programs Are Developed. [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-07-630T]. Washington, D.C: March 21, 2007. 

Data Mining: Early Attention to Privacy in Developing a Key DHS Program 
Could Reduce Risks. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-
07-293]. Washington, D.C.: February 28, 2007. 

Border Security: US-VISIT Program Faces Strategic, Operational, and 
Technological Challenges at Land Ports of Entry. [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-07-248]. Washington, D.C.: 
December 6, 2006. 

Personal Information: Key Federal Privacy Laws Do Not Require 
Information Resellers to Safeguard All Sensitive Data. [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-06-674]. Washington, D.C.: June 
26, 2006. 

Veterans Affairs: Leadership Needed to Address Information Security 
Weaknesses and Privacy Issues. [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-06-866T]. Washington, D.C.: June 14, 2006. 

Privacy: Preventing and Responding to Improper Disclosures of Personal 
Information. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-
833T]. Washington, D.C.: June 8, 2006. 

Privacy: Key Challenges Facing Federal Agencies. [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-06-777T]. Washington, D.C.: May 
17, 2006. 

Personal Information: Agencies and Resellers Vary in Providing Privacy 
Protections. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-
609T]. Washington, D.C.: April 4, 2006. 

Personal Information: Agency and Reseller Adherence to Key Privacy 
Principles. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-421]. 
Washington, D.C.: April 4, 2006. 

Information Sharing: The Federal Government Needs to Establish Policies 
and Processes for Sharing Terrorism-Related and Sensitive but 
Unclassified Information. [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-06-385]. Washington, D.C.: March 17, 2006. 

Paperwork Reduction Act: New Approaches Can Strengthen Information 
Collection and Reduce Burden. [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-06-477T]. Washington, D.C.: March 8, 2006. 

Data Mining: Agencies Have Taken Key Steps to Protect Privacy in 
Selected Efforts, but Significant Compliance Issues Remain. [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-05-866]. Washington, D.C.: August 
15, 2005. 

Aviation Security: Transportation Security Administration Did Not Fully 
Disclose Uses of Personal Information during Secure Flight Program 
Testing in Initial Privacy Notices, but Has Recently Taken Steps to 
More Fully Inform the Public. [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-05-864R]. Washington, D.C.: July 22, 2005. 

Identity Theft: Some Outreach Efforts to Promote Awareness of New 
Consumer Rights Are Under Way. [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-05-710]. Washington, D.C.: June 30, 2005. 

Information Security: Radio Frequency Identification Technology in the 
Federal Government. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-
05-551]. Washington, D.C.: May 27, 2005. 

Aviation Security: Secure Flight Development and Testing Under Way, but 
Risks Should Be Managed as System Is Further Developed. [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-05-356]. Washington, D.C.: March 
28, 2005. 

Social Security Numbers: Governments Could Do More to Reduce Display in 
Public Records and on Identity Cards. [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-05-59]. Washington, D.C.: 
November 9, 2004. 

Data Mining: Federal Efforts Cover a Wide Range of Uses. [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-04-548]. Washington, D.C.: May 4, 
2004. 

Aviation Security: Computer-Assisted Passenger Prescreening System 
Faces Significant Implementation Challenges. [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-04-385]. Washington, D.C.: 
February 12, 2004. 

Privacy Act: OMB Leadership Needed to Improve Agency Compliance. 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-304]. Washington, 
D.C.: June 30, 2003. 

Data Mining: Results and Challenges for Government Programs, Audits, 
and Investigations. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-
03-591T]. Washington, D.C.: March 25, 2003. 

Technology Assessment: Using Biometrics for Border Security. 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-174]. Washington, 
D.C.: November 15, 2002. 

Information Management: Selected Agencies' Handling of Personal 
Information. [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-
1058]. Washington, D.C.: September 30, 2002. 

Identity Theft: Greater Awareness and Use of Existing Data Are Needed. 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-02-766]. Washington, 
D.C.: June 28, 2002. 

Social Security Numbers: Government Benefits from SSN Use but Could 
Provide Better Safeguards. [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-02-352]. Washington, D.C.: May 31, 2002. 

[End of section] 

Footnotes: 

[1] For purposes of this report, the terms personal information and 
personally identifiable information are used interchangeably to refer 
to any information about an individual maintained by an agency, 
including (1) any information that can be used to distinguish or trace 
an individual's identity, such as name, Social Security number, date 
and place of birth, mother's maiden name, or biometric records; and (2) 
any other information that is linked or linkable to an individual, such 
as medical, educational, financial, and employment information. 

[2] In addition, the Paperwork Reduction Act, enacted in 1980 and 
significantly revised in 1995, also has provisions affecting privacy 
protection in that it sets requirements for limiting the collection of 
information from individuals, including personal information. While the 
act's requirements are aimed at reducing the paperwork burden on 
individuals rather than specifically protecting personally identifiable 
information, the act nevertheless serves an important role in 
protecting privacy by setting these controls. 

[3] A privacy impact assessment is an analysis of how personal 
information is collected, stored, shared, and managed in an information 
system 

[4] Congress used the committee's final report as a basis for crafting 
the Privacy Act of 1974. See U.S. Department of Health, Education, and 
Welfare, Records, Computers, and the Rights of Citizens: Report of the 
Secretary's Advisory Committee on Automated Personal Data Systems 
(Washington, D.C.: July 1973). 

[5] These principles are described in table 1. 

[6] GAO, Privacy Act: OMB Leadership Needed to Improve Agency 
Compliance, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-304] 
(Washington, D.C.: June 30, 2003). 

[7] GAO, Personal Information: Agency and Reseller Adherence to Key 
Privacy Principles, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-
06-421] (Washington, D.C.: Apr. 4, 2006). 

[8] Department of Health, Education & Welfare, Records, Computers, and 
the Rights of Citizens: Report of the Secretary's Advisory Committee on 
Automated Personal Data Systems (Washington, D.C.: 1973). 

[9] OECD, Guidelines on the Protection of Privacy and Transborder Flow 
of Personal Data (Sept. 23, 1980). The OECD plays a prominent role in 
fostering good governance in the public service and in corporate 
activity among its 30 member countries. It produces internationally 
agreed-upon instruments, decisions, and recommendations to promote 
rules in areas where multilateral agreement is necessary for individual 
countries to make progress in the global economy. 

[10] OECD, Making Privacy Notices Simple: An OECD Report and 
Recommendations (July 24, 2006). 

[11] European Union Data Protection Directive ("Directive 95/46/EC of 
the European Parliament and of the Council of 24 October 1995 on the 
Protection of Individuals with Regard to the Processing of Personal 
Data and the Free Movement of Such Data") (1995). 

[12] "Report on OECD Guidelines Program, Memorandum from Bernard 
Wunder, Jr., Assistant Secretary for Communications and Information, 
Department of Commerce (Oct. 30, 1981). 

[13] Privacy Office Mission Statement, U.S. Department of Homeland 
Security, "Privacy Policy Development Guide," Global Information 
Sharing Initiative, U.S. Department of Justice, [hyperlink, 
http://www.it.ojp.gov/global] (September 2005); "Homeless Management 
Information Systems, U.S. Department of Housing and Urban Development 
(69 Federal Register 45888, July 30, 2004). See also "Options for 
Promoting Privacy on the National Information Infrastructure," 
Information Policy Committee of the National Information Infrastructure 
Task Force, Office of Information and Regulatory Affairs, Office of 
Management and Budget (April 1997). 

[14] The Federal Enterprise Architecture is intended to provide a 
common frame of reference or taxonomy for agencies' individual 
enterprise architecture efforts and their planned and ongoing 
information technology investment activities. An enterprise 
architecture is a blueprint, defined largely by interrelated models, 
that describes (in both business and technology terms) an entity's "as 
is" or current environment, its "to be" or future environment, and its 
investment plan for transitioning from the current to the future 
environment. 

[15] National Research Council of the National Academies, Engaging 
Privacy and Information Technology in a Digital Age (Washington, D.C.: 
2007). 

[16] Under the Privacy Act of 1974, the term "routine use" means (with 
respect to the disclosure of a record) the use of such a record for a 
purpose that is compatible with the purpose for which it was collected. 
5 U.S.C. § 552a(a)(7). 

[17] OMB, OMB Guidance for Implementing the Privacy Provisions of the E-
Government Act of 2002, M-03-22 (Sept. 26, 2003). 

[18] The Paperwork Reduction Act was originally enacted into law in 
1980 (Pub. L. No. 96-511, Dec. 11, 1980). It was reauthorized with 
minor amendments in 1986 (Pub. L. No. 99-591, Oct. 30, 1986) and was 
reauthorized a second time with more significant amendments in 1995 
(Pub. L. No. 104-13, May 22, 1995). 

[19] Pub. L. No. 108-458 (Dec. 17, 2004). 

[20] For more information, see GAO, High-Risk Series: An Update, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-310] (Washington, 
D.C.: January 2007), p.47, and Information Sharing: The Federal 
Government Needs to Establish Policies and Processes for Sharing 
Terrorism-Related and Sensitive but Unclassified Information, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-385] (Washington, 
D.C.: Mar. 17, 2006). 

[21] 5 C.F.R. Part 1320. 

[22] Privacy Protection Study Commission, Personal Privacy in an 
Information Society (Washington, D.C.: July 1977). 

[23] U.S. Congress, House of Representatives, Who Cares About Privacy? 
Oversight of the Privacy Act of 1974 by the Office of Management and 
Budget and the Congress, House Report No. 98-455 (Washington, 
D.C.:1983). 

[24] The Information Security and Privacy Advisory Board's duties 
include identifying emerging managerial, technical, administrative, and 
physical safeguard issues relative to information security and privacy; 
and advising the National Institute of Standards and Technology (NIST), 
the Secretary of Commerce, and the Director of the OMB on information 
security and privacy issues pertaining to federal government 
information systems. Until December 2002, the ISPAB was named the 
Computer System Security and Privacy Advisory Board. 

[25] Computer System Security and Privacy Advisory Board, Findings and 
Recommendations on Government Privacy Policy Setting and Management 
(September 2002). 

[26] The DHS Data Privacy and Integrity Advisory Committee is a federal 
advisory committee that advises the Secretary of DHS and the DHS Chief 
Privacy Officer on programmatic, policy, operational, administrative, 
and technological issues within DHS that affect individual privacy, as 
well as data integrity and data interoperability and other privacy 
related issues. 

[27] The National Research Council (NRC) functions under the auspices 
of the National Academy of Sciences (NAS), the National Academy of 
Engineering, and the Institute of Medicine. The mission of the NRC is 
to improve government decision making and public policy, increase 
public education and understanding, and promote the acquisition and 
dissemination of knowledge in matters involving science, engineering, 
technology, and health. 

[28] National Research Council of the National Academies, Engaging 
Privacy and Information Technology in a Digital Age (Washington, D.C.: 
2007). 

[29] GAO, Privacy Act: OMB Leadership Needed to Improve Agency 
Compliance, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-304] 
(Washington, D.C.: June 30, 2003). 

[30] FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-347 
(Dec. 17, 2002). 

[31] Although we did not assess the effectiveness of information 
security or compliance with FISMA at any agency as part of this review, 
we have previously reported on weaknesses in almost all areas of 
information security controls at 24 major agencies. For additional 
information see, GAO, Information Security: Progress Reported, but 
Weaknesses at Federal Agencies Persist, [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-08-571] (Washington, D.C.: Mar. 
12, 2008); Information Security: Despite Reported Progress, Federal 
Agencies Need to Address Persistent Weaknesses, [hyperlink, 
http://www.gao.gov/cgi-bin/getrpt?GAO-07-837] (Washington, D.C.: July 
27, 2007); and Information Security: Weaknesses Persist at Federal 
Agencies Despite Progress Made in Implementing Related Statutory 
Requirements, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-552] 
(Washington, D.C.: July 15, 2005). 

[32] A record is defined as "any item, collection, or grouping of 
information about an individual that is maintained by an agency, 
including, but not limited to, his education, financial transactions, 
medical history, and criminal or employment history and that contains 
his name, or the identifying number, symbol, or other identifying 
particular assigned to the individual, such as a finger or voice print 
or a photograph." 

[33] According to OMB, "systems should not be subdivided or reorganized 
so that information which would otherwise have been subject to the act 
is no longer subject to the act. For example, if an agency maintains a 
series of records not arranged by name or personal identifier but uses 
a separate index file to retrieve records by name or personal 
identifier it should not treat these files as separate systems." 40 
Federal Register 28963 (July 9, 1975). 

[34] An attribute search, in contrast to the conventional "name search" 
or "index search," starts with a collection of data about many 
individuals and seeks to identify those particular individuals in the 
system who meet a set of prescribed conditions or who have a set of 
prescribed attributes or combination of attributes. 

[35] GAO, Privacy Act: OMB Leadership Needed to Improve Agency 
Compliance, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-304] 
(Washington, D.C.: June 30, 2003). 

[36] GAO, Data Mining: Federal Efforts Cover a Wide Range of Uses, 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-548] (Washington, 
D.C.: May 4, 2004). 

[37] The DHS Privacy Office determined that because the data mining 
applications did not involve retrieval by individual identifier, a 
separate system of records notice describing the data mining 
application was not required. DHS Privacy Office, ADVISE Report: DHS 
Privacy Office Review of the Analysis, Dissemination, Visualization, 
Insight, and Semantic Enhancement (ADVISE) Program (Washington, D.C.: 
July 11, 2007). 

[38] DHS Privacy Office, 2007 Report to Congress on the Impact of Data 
Mining Technologies on Privacy and Civil Liberties (Washington, D.C.: 
July 6, 2007); Justice, Report on "Data-Mining" Activities Pursuant to 
Section 126 of the USA PATRIOT Improvement and Reauthorization Act of 
2005 (Washington, D.C.: July 9, 2007). 

[39] Homeland Security Operations Center Database, 70 Federal Register 
20156 (Apr. 18, 2005). 

[40] The task force's mission is to assist federal law enforcement and 
intelligence agencies in locating foreign terrorists and their 
supporters who are in or have visited the United States, and to provide 
information to other law enforcement and intelligence community 
agencies that can lead to their surveillance, prosecution, or removal. 

[41] 63 Federal Register 8671 (Feb. 20, 1998). 

[42] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-421]. 

[43] Section 222(4) of the Homeland Security Act of 2002 requires the 
DHS Privacy Officer to conduct "a privacy impact assessment of proposed 
rules of the Department or that of the Department on the privacy of 
personal information, including the type of personal information 
collected and the number of people affected." 

[44] TSA's current plans for Secure Flight do not include the use of 
reseller information. 

[45] GAO, Aviation Security: Efforts to Strengthen International 
Passenger Prescreening Security Are Under Way, but Planning and 
Implementation Issues Remain, GAO-07-346 (Washington, D.C.: May 16, 
2007). 

[46] 66 Federal Register 53029 (Oct. 18, 2001). 

[47] 63 Federal Register 8671 (Feb. 20, 1998). 

[48] See appendix III for a list of the specific exceptions where 
agencies do not need the consent of individuals to share their 
information. 

[49] GAO, Paperwork Reduction Act: New Approach May Be Needed to Reduce 
Government Burden on Public, GAO-05-424 (Washington, D.C.: May 20, 
2005). 

[50] 5 U.S.C. § 552a(b)(7): "to another agency or to an instrumentality 
of any governmental jurisdiction within or under the control of the 
United States for a civil or criminal law enforcement activity if the 
activity is authorized by law, and if the head of the agency or 
instrumentality has made a written request to the agency which 
maintains the record specifying the particular portion desired and the 
law enforcement activity for which the record is sought." 

[51] In cases where the collection occurs directly from the individual, 
an agency is required to include the routine uses on the form which it 
uses to collect the information. 

[52] OMB's 1975 guidance states that "Minimally, the recipient officer 
or employee must have an official 'need to know.' [The legislative 
history] would also seem to imply that the use should be generally 
related to the purpose for which the record is maintained." 

[53] If personal data are disclosed to another federal agency, the 
recipient agency may maintain this data in a system of records, and 
thus protections for this data would be defined by the recipient 
agency's system-of-records notice. However, these protections may not 
be consistent with statements originally made in the contributing 
agency's system-of records notice. For example, the recipient agency 
may state different routine uses and purposes. Further, if data are 
disclosed to an agency and are not maintained in a system of records, 
the Privacy Act no longer provides protections for that information. 

[54] Program Manager, Information Sharing Environment, Guidelines to 
Ensure That the Information Privacy and Other Legal Rights of Americans 
Are Protected in the Development and Use of the Information Sharing 
Environment (Nov. 22, 2006). 

[55] GAO, Homeland Security: Continuing Attention to Privacy Is Needed 
as Programs Are Developed, [hyperlink, http://www.gao.gov/cgi-
bin/getrpt?GAO-07-630T] (Washington, D.C.: Mar. 21, 2007). 

[56] Program Manager, Information Sharing Environment, Privacy and 
Civil Liberties Implementation Guide for the Information Sharing 
Environment (Sept. 10, 2007). 

[57] The Privacy Act allows agencies to claim exemptions if the records 
are used for certain purposes. 5 U.S.C. § 552a (j) and (k). For 
example, records compiled by criminal law enforcement agencies for 
criminal law enforcement purposes can be exempt from the access and 
correction provisions. In general, the exemptions for law enforcement 
purposes are intended to prevent the disclosure of information 
collected as part of an ongoing investigation that could impair the 
investigation or allow those under investigation to change their 
behavior or take other actions to escape prosecution. See appendix III 
for a complete description of these exemptions. 

[58] Kleimann Communication Group, Inc., Evolution of a Prototype 
Financial Privacy Notice: A Report on the Form Development Project 
(Feb. 28, 2006). 

[59] GAO, Privacy Act: OMB Leadership Needed to Improve Agency 
Compliance, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-304] 
(Washington, D.C.: June 30, 2003). 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548: 

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: