Information Technology: Government-Wide Guidance on Handling Data Could Improve Civil Rights and Civil Liberties Protections

Fast Facts

Emerging technologies—like facial recognition or AI—have rapidly increased the amount of personally identifiable information federal agencies collect, share, and use.

This Q&A report examines how agencies protect the public's civil rights and civil liberties while using personal data. Some agencies have policies and procedures to guide them in these efforts. But the specifics are different across agencies because there's no government-wide laws or guidance.

We suggested that Congress direct an agency to issue government-wide guidance or regulations that consider civil rights and civil liberties protections when using personal data.

Gavel next to a computer mouse and keyboard.

Highlights

What GAO Found

Emerging technologies and data capabilities have led to rapid increases in the amount of personally identifiable information (PII) collected, shared, and used. Given the threat posed by these technologies, many federal agencies have taken actions to protect civil rights and civil liberties:

All 24 Chief Financial Officers Act of 1990 agencies designated an accountable official to oversee protection of civil rights, while seven of 24 designated an official for civil liberties.
Sixteen of the 24 agencies reported addressing civil rights and civil liberties protections either in separate policy and procedures or in privacy compliance activities. The remaining eight agencies reported not considering civil rights and civil liberties protections in their policies or compliance activities.

The results of GAO's questionnaire sent to the 24 agencies show that the two most frequently mentioned challenges with protecting the public's civil rights and civil liberties were (1) 12 agencies citing complexities in handling protections associated with new and emerging technologies, and (2) 11 agencies reporting a lack of qualified staff possessing needed skills in civil rights, civil liberties, and emerging technologies. Further, eight of the 24 agencies believed that additional government-wide law or guidance would strengthen consistency in addressing civil rights and civil liberties protections. One agency noted that such guidance could eliminate the hodge-podge approach to the governance of data and technology.

Existing federal laws and guidance do not provide a comprehensive government-wide and technology agnostic approach to protecting the public's civil rights and civil liberties while using sensitive data. Agencies pointed out that emerging technologies pose new questions and concerns with protecting civil rights and civil liberties. Therefore, it is important for Congress to direct an appropriate federal entity to issue government-wide guidance or regulations that address a broad approach to considering civil rights and civil liberties protections. Until such guidance or regulations are issued, there is an increased risk of agencies' collection, sharing, and use of data potentially violating the public's civil rights and civil liberties.

Why GAO Did This Study

GAO was asked to examine federal agencies' civil rights and civil liberties protections related to data collection, sharing, and use. This report examines laws and guidance pertaining to civil rights and civil liberties, efforts the 24 Chief Financial Officers Act of 1990 agencies are taking to protect the public's civil rights and civil liberties when collecting sharing, and using data, and the challenges with protecting civil rights and civil liberties while using personal information.

Recommendations

To assist federal agencies with consistently implementing civil rights and civil liberties protections when collecting, sharing, and using data, we suggest that Congress direct an appropriate federal entity to issue government-wide guidance or regulations addressing this matter. In its direction, Congress should consider delegating to such entity the explicit authority to make needed technical and policy choices or explicitly stating Congress's own choices.

The agencies did not agree or disagree with the report. Three agencies provided written comments and ten agencies provided technical comments, which we incorporated in the report as appropriate. The remaining twelve agencies, including OMB, did not have comments on this report.

Matter for Congressional Consideration

Matter	Status	Comments
To assist federal agencies with consistently implementing civil rights and civil liberties protections when collecting, sharing, and using data, we suggest that Congress direct an appropriate federal entity to issue government-wide guidance or regulations addressing this matter. In its direction, Congress should consider delegating to such entity the explicit authority to make needed technical and policy choices or explicitly stating Congress's own choices.	Open	When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Full Report

Full Report (21 pages)

GAO Contacts

Marisol Cruz Cain

Director

Information Technology and Cybersecurity

cruzcainm@gao.gov

(202) 512-5017

Media Inquiries

Sarah Kaczmarek

Managing Director

Office of Public Affairs

media@gao.gov

(202) 512-4800

Public Inquiries

Public Affairs

PublicAffairs@gao.gov

(202) 512-4800

Topics

Information Technology

Civil rightsCivil libertiesPrivacyPersonally identifiable informationData collectionCompliance oversightPolicies and proceduresEmerging technologiesFederal agenciesArtificial intelligence