GAO ISSUES STINGING REPORT ON PRIVACY ACT COMPLIANCE
For Immediate Release
GAO ISSUES STINGING REPORT ON PRIVACY ACT
Wednesday, July 30, 2003
5:45 p.m. CD
Says federal government cannot assure citizens that privacy
rights are protected
(St. Paul, Minnesota) - Personal data may not be adequately protected
from collection, use and disclosure, according to a stinging report
released today by the General Accounting Office. In a survey of
25 federal agencies, and through a GAO forum for federal privacy
officers, the GAO found a significant lack of compliance with
the federal Privacy Act of 1974.
OMB GETS ANGRY
The report includes a blistering retort from the Office of Management
and Budget, the agency responsible for enforcing the Privacy Act.
In its 10-page letter, it writes that the report's statements
"border on the reckless and irresponsible." A blunt and detailed
rebuttal by the GAO is included in the report, along with a conclusion
that "the government cannot adequately assure the public that
all legislated individual privacy rights are being protected."
Citizens' Council on Health Care (CCHC) agrees: "Federal agencies
are not following the law and, as a result, the personal data
of citizens may be improperly collected and poorly protected,"
asserts Twila Brase, president of CCHC.
"This report should give Congress a good reason to reconsider
building yet another database of citizen information," says Brase,
referring to the proposed National Patient Safety Database now
under consideration in Congress.
"One system of records holds data on 290 million people. If that
system happens to be one of the system that's out of compliance,
the privacy rights of every citizen have already been violated,
perhaps many times," Brase adds.
MULTIPLE FAILURES TO FOLLOW LAW:
The survey responses of the agencies reflect 2,400 systems of
records in the federal government, of which 70 percent contain
electronic records. Although the 82-page report did not include
details about specific agency failures, the GAO announced the
following aggregate results on federal agency failure to comply
with the Privacy Act:
- 11 percent (264) of the systems of records have not been disclosed
to the public, essentially keeping them secret.
- In 18 percent (432) of the systems of records, individuals
have not been provided with full disclosure of the potential
uses of their personal information before they provided it.
- In 18 percent (432) of the 2,400 systems of records, there
was no review of disclosures to ascertain whether data is being
used outside the original purposes of the data collection.
- For 29 percent (696) of the systems of records released to
non-federal organizations, agencies do not assure that personal
data on individuals is accurate, relevant, timely and complete.
- For 18 percent (432) of the systems of records, agencies did
not assess security safeguards for the data.
- 21 percent (504) of the systems of records do not have the
means to detect when persons, without authorization were reading,
altering, disclosing, or destroying information.
- 14 percent (336) of the systems of records could not account
for disclosures of personal information.
- one-third (8) of the agencies have not issued the Act's required
rules of conduct for employees as related to duties under the
REASONS FOR FAILURE:
Federal Privacy Act officers who attended the GAO forum reported
several problems with compliance, in the following rank of importance:
- Lack of OMB leadership, oversight and guidance.
- Compliance has a low priority within agencies, and therefore
- insufficient training, including how the Privacy Act relates
to electronic databases.
The GAO also notes that despite two previous reports on privacy
weaknesses in other areas of federal agencies, and agency requests
for updated guidance on the Privacy Act pertaining particularly
to new technologies, the OMB has yet to act.
Furthermore, 83 systems of records contain personal information
not protected by the Privacy Act because it can be retrieved without
using a name or personal identifier (ie. electronic records can
be found using search codes). The GAO suggested that a more complete
examination of this topic would require additional study.
"There appears to be a rather flippant attitude in government
toward following the law," says Brase.
"The sheer existence of 2,400 federal databases on citizens is
mind boggling. Information is power. Electronic government databases
combined with failure to follow federal law places the liberty
of all citizens in jeopardy," says Brase.
FMI ON PROPOSED NATIONAL PATIENT SAFETY DATABASE/NATIONAL ELECTRONIC
HEALTH DATA SYSTEM, GO TO: http://www.cchconline.org/pr/pr072403.php
- 30 -
CCHC is an independent non-profit free-market health
care policy organization located in St. Paul, Minnesota