GAO was asked to determine whether laws and guidance consistently cover the federal government’s collection and use of personal information and incorporate key privacy principles. GAO was also asked, in doing so, to identify options for addressing these issues.
The GAO identified issues in three major areas:
- Applying privacy protections consistently to all federal collection and use of personal information. The Privacy Act’s definition of a “system of records” (any grouping of records containing personal information retrieved by individual identifier), which sets the scope of the Act’s protections, does not always apply whenever personal information is obtained and processed by federal agencies. One alternative to address this concern would be revising the system-of-records definition to cover all personally identifiable information collected, used, and maintained systematically by the federal government.
- Ensuring that collection and use of personally identifiable information is limited to a stated purpose. According to generally accepted privacy principles of purpose specification, collection limitation, and use limitation, the collection of personal information should be limited, and its use should be limited to a specified purpose. Yet, current laws and guidance impose only the modest requirements in these areas. While, in the post-9/11 environment, the federal government needs better analysis and sharing of certain personal information, there is general agreement that this need must be balanced with individual privacy rights. Alternatives to address this area of concern include requiring agencies to justify the collection and use of key elements of personally identifiable information and to establish agreements before sharing such information with other agencies.
- Establishing effective mechanisms for informing the public about privacy protections. Another key privacy principle, the principle of openness, suggests that the public should be informed about privacy policies and practices. Yet, Privacy Act notices may not effectively inform the public about government uses of personal information. For example, system-of-records notices published in the Federal Register may be difficult for the general public to fully understand. Layered notices, which provide only the most important summary facts up front, have been used as a solution in the private sector. In addition, publishing such notices at a central location on the Web would help make them more accessible.