The federal government collects and uses personal information on individuals in increasingly sophisticated ways, and its reliance on information technology (IT) to collect, store, and transmit this information has also grown. While this enables federal agencies to carry out many of the government's critical functions, concerns have been raised that the existing laws for protecting individuals' personal information may no longer be sufficient given current practices. Moreover, vulnerabilities arising from agencies' increased dependence on IT can result in the compromise of sensitive personal information, including its inappropriate use, modification, or disclosure.
The GAO was asked to provide a statement describing (1) the impact of recent technology developments on existing laws for privacy protection in the federal government and (2) actions agencies can take to protect against and respond to breaches involving personal information.
The GAO identified issues in three major areas:
- Applying privacy protections consistently to all federal data collection and use of personal information. The Privacy Act's protections only apply to personal information when it is considered part of a "system of records" as defined by the Act. However, agencies routinely access such information in ways that may not fall under this definition.
- Ensuring that use of personally identifiable information is limited to a stated purpose. Current law and guidance impose only modest requirements for describing the purposes for collecting personal information and how it will be used. This could allow for unnecessarily broad ranges of uses of the information.
- Establishing effective mechanisms for informing the public about privacy protections. Agencies are required to provide notices in the Federal Register of information collected, categories of individuals about whom information is collected, and the intended use of the information, among other things. However, concerns have been raised about whether this is an effective mechanism for informing the public.
The GAO previously suggested that Congress consider amending applicable privacy laws to address identified issues. The GAO has also made numerous recommendations to agencies over the last several years to address weaknesses in policies and procedures related to privacy and to strengthen their information security programs.