GAO: Privacy compliance uneven among federal agencies

Federal agencies are not doing a consistent job when it comes to complying with the requirements of a 1974 act aimed at assuring individual privacy, according to federal auditors.

A recent survey of 25 federal agencies by the General Accounting Office found that compliance with the provisions of the Privacy Act was uneven in many cases, ranging from full compliance with the various provisions in the act to only 70 percent compliance.

For example, there was 100 percent compliance with a rule that requires agencies to provide public notice when establishing or revising a system of records.

At the same time, the GAO found that in 29 percent of the cases, agencies did not have adequate safeguards in place to ensure that individual data was accurate, relevant or timely before releasing it to nonfederal authorities. Similarly, only 17 of the 25 agencies surveyed had written policies, as required by the Privacy Act, to determine whether all information collected on individuals is really needed.

In addition, of the 730 information systems containing personal information, 83 were not subjected at all to Privacy Act compliance, the GAO found.

The GAO report said that although each agency bears primary responsibility for compliance, a lack of leadership on the part of the Office of Management and Budget (OMB) is also to blame. “Specifically, OMB has not responded either to longstanding agency requests or to our recommendations for improved guidance,” the report said. “In addition, agencies believe that OMB has not provided enough assistance in dealing with challenges such as the low priority generally accorded to the Privacy Act and the lack of appropriate training.”

Until such issues are addressed, it will be hard for federal agencies to assure that legislated privacy rights are being protected, the report noted.

In response, administrators at the OMB conceded that compliance with Privacy Act requirements may have been inconsistent.

However, “a lack of perfect consistency from one agency to the next should hardly be surprising when one considers the federal government is composed of dozens of agencies,” the OMB said in a response jointly signed by Mark Forman, administrator of e-government and IT, and John D. Graham, administrator of information and regulatory affairs at the OMB.

In addition, the federal auditors' report does not indicate whether Privacy Act compliance is any worse than compliance with other regulations such as the Administrative Procedure Act, the OMB said.

The GAO report was released on the heels of a bill introduced in Congress this week called the Citizens’ Protection in Federal Databases Act. The bill would require federal agencies that collect personal information to report why and how the information is being used. It would also require federal agencies to put mechanisms in place for handling situations when personal information has been misused.