Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information

GAO-08-536 Published: May 19, 2008. Publicly Released: Jun 18, 2008.

Highlights

The centerpiece of the federal government's legal framework for privacy protection, the Privacy Act of 1974, provides safeguards for information maintained by federal agencies. In addition, the E-Government Act of 2002 requires federal agencies to conduct privacy impact assessments for systems or collections containing personal information. GAO was asked to determine whether laws and guidance consistently cover the federal government's collection and use of personal information and incorporate key privacy principles. GAO was also asked, in doing so, to identify options for addressing these issues. To achieve these objectives, GAO analyzed the laws and related guidance, obtained an operational perspective from federal agencies, and consulted an expert panel convened by the National Academy of Sciences.

Recommendations

Matter for Congressional Consideration

Matter: In assessing the appropriate balance between the needs of the federal government to collect personally identifiable information for programmatic purposes and the assurances that individuals should have that their information is being sufficiently protected and properly used, Congress should consider amending applicable laws, such as the Privacy Act and the E-Government Act, according to the alternatives outlined in this report, including: revising the scope of the laws to cover all personally identifiable information collected, used, and maintained by the federal government; setting requirements to ensure that the collection and use of personally identifiable information is limited to a stated purpose; and establishing additional mechanisms for informing the public about privacy protections by revising requirements for the structure and publication of public notices.

Status: Closed – Not Implemented

Comments: While the Senate considered amending applicable laws according to the alternatives outlined in our report, no such amendments have been passed by the Congress or enacted into law. Specifically, on October 18, 2011, Sen. Akaka introduced the Privacy Act Modernization for the Information Age Act of 2011, which would amend both the Privacy Act and E-Government Act to cover all personally identifiable information (PII) collected, used, and maintained by the federal government; set requirements to ensure all PII was used for stated purposes; and establish additional mechanisms for informing the public about privacy protections. The proposed act has not been passed.

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Classified information, Computer security, Confidential information, E-government, Government information, Government information dissemination, Information access, Information disclosure, Information management, Information security, Information security management, Information security regulations, Information systems, Information technology, Personal security, Privacy law, Privacy policies, Privacy policy violation, Program evaluation, Program management, Records management, Regulatory agencies, Reporting requirements, Right of privacy, Risk assessment, Risk management, Strategic planning, Technology, Program goals or objectives