GAO raises privacy concerns about personal data collected by feds

Computerworld - The privacy practices of major information brokers who sell data to U.S. government agencies don't always comply with the requirements of the Privacy Act of 1974, according to a report released yesterday by the Government Accountability Office.

The report (download PDF) also found that federal agencies themselves lack policies on the use of reseller data and follow inconsistent practices with regard to data disclosure, purpose and accountability.

The GAO report is based on a study of fiscal year 2005 contracts for the acquisition of personal data from information resellers by the Departments of Justice, Homeland Security and State and the Social Security Administration.

Together, the agencies spent $30 million purchasing data from private information brokers for a wide variety of purposes, including locating witnesses and fugitives, researching assets held by individuals of interest, detecting immigration fraud, border screenings and prescription drug fraud.

“Recent security breaches at large information resellers such as ChoicePoint Inc. and LexisNexis Group have raised questions about how resellers and their federal customers handle people’s personal information,” Linda Koontz, the director of information management issues at the GAO, said in testimony before a House Judiciary Subcommittee.

The study showed that while major information resellers that do business with the federal agencies had some measures to protect privacy, they “are not always fully consistent with the Fair Information Practices,” on which the Privacy Act is based on, Koontz said.

For example, information brokers typically collect their information from a variety of sources and do not limit its use to specific purposes or customers.

“Resellers make it their business to collect large amounts of personal information and to combine that information in new ways so that it serves purposes other than those for which it was originally collected,” the GAO said. Information resellers also have limited ability to ensure the accuracy of the data they collect. And most of them generally limit the extent to which individuals can access their own personal data and correct or delete inaccurate information, the report said.

At the same time, the federal agencies that were surveyed appear to have no policies governing the use of personal information gathered from commercial sources.

“Specifically, agencies did not always have policies or practices in place to address the purpose specification, openness and individual participation principles with respect to reseller data,” the GAO said.

There also was no consistency in holding staff accountable for appropriate use of personal information, the GAO said.

The report validates “something that many of us have known at an intuitive level for quite some time,” said David McGuire, a spokesman for the Center for Democracy and Technology in Washington. “There are some real concerns associated with the government using private collected data for official purposes, especially as they relate to law enforcement,” McGuire said.

“Fundamentally, we believe that the government can’t use privately collected information to make an end-run around its own established privacy rules,” he said. “I think this report drills home the fact that it's a real and, in fact, already manifested danger."