PRIVACYnotes

GAO ISSUES STINGING REPORT ON PRIVACY ACT COMPLIANCE
 

GAO Report

For Immediate Release
Wednesday, July 30, 2003
5:45 p.m. CD


Says federal government cannot assure citizens that privacy rights are protected

(St. Paul, Minnesota) - Personal data may not be adequately protected from collection, use and disclosure, according to a stinging report released today by the General Accounting Office. In a survey of 25 federal agencies, and through a GAO forum for federal privacy officers, the GAO found a significant lack of compliance with the federal Privacy Act of 1974.

OMB GETS ANGRY

The report includes a blistering retort from the Office of Management and Budget, the agency responsible for enforcing the Privacy Act. In its 10-page letter, it writes that the report's statements "border on the reckless and irresponsible." A blunt and detailed rebuttal by the GAO is included in the report, along with a conclusion that "the government cannot adequately assure the public that all legislated individual privacy rights are being protected."

Citizens' Council on Health Care (CCHC) agrees: "Federal agencies are not following the law and, as a result, the personal data of citizens may be improperly collected and poorly protected," asserts Twila Brase, president of CCHC.

"This report should give Congress a good reason to reconsider building yet another database of citizen information," says Brase, referring to the proposed National Patient Safety Database now under consideration in Congress.

"One system of records holds data on 290 million people. If that system happens to be one of the systems that's out of compliance, the privacy rights of every citizen have already been violated, perhaps many times," Brase adds.

MULTIPLE FAILURES TO FOLLOW LAW:

The survey responses of the agencies reflect 2,400 systems of records in the federal government, of which 70 percent contain electronic records. Although the 82-page report did not include details about specific agency failures, the GAO announced the following aggregate results on federal agency failure to comply with the Privacy Act:

  • 11 percent (264) of the systems of records have not been disclosed to the public, essentially keeping them secret.

  • In 18 percent (432) of the systems of records, individuals have not been provided with full disclosure of the potential uses of their personal information before they provided it.

  • In 18 percent (432) of the 2,400 systems of records, there was no review of disclosures to ascertain whether data is being used outside the original purposes of the data collection.

  • For 29 percent (696) of the systems of records released to non-federal organizations, agencies do not assure that personal data on individuals is accurate, relevant, timely and complete.

  • For 18 percent (432) of the systems of records, agencies did not assess security safeguards for the data.

  • 21 percent (504) of the systems of records do not have the means to detect when persons without authorization were reading, altering, disclosing, or destroying information.

  • 14 percent (336) of the systems of records could not account for disclosures of personal information.

  • One-third (8) of the agencies have not issued the Act's required rules of conduct for employees as related to duties under the Privacy Act.

REASONS FOR FAILURE:

Federal Privacy Act officers who attended the GAO forum reported several problems with compliance, in the following order of importance:

  • Lack of OMB leadership, oversight and guidance.

  • Compliance has a low priority within agencies, and therefore receives poor funding.

  • Insufficient training, including how the Privacy Act relates to electronic databases.

The GAO also notes that despite two previous reports on privacy weaknesses in other areas of federal agencies, and agency requests for updated guidance on the Privacy Act pertaining particularly to new technologies, the OMB has yet to act.

Furthermore, 83 systems of records contain personal information not protected by the Privacy Act because it can be retrieved without using a name or personal identifier (i.e., electronic records can be found using search codes). The GAO suggested that a more complete examination of this topic would require additional study.

"There appears to be a rather flippant attitude in government toward following the law," says Brase.

"The sheer existence of 2,400 federal databases on citizens is mind-boggling. Information is power. Electronic government databases combined with failure to follow federal law places the liberty of all citizens in jeopardy," says Brase.

FMI ON PROPOSED NATIONAL PATIENT SAFETY DATABASE/NATIONAL ELECTRONIC HEALTH DATA SYSTEM, GO TO: http://www.cchconline.org/pr/pr072403.php

- 30 -

CCHC is an independent non-profit free-market health care policy organization located in St. Paul, Minnesota