U.S. Privacy Act outdated, hasn't kept up with technology, experts say

IDG News Service - WASHINGTON — Updates to a 34-year-old privacy law are needed to better protect personal information held by the U.S. government, privacy experts told a Senate panel today.

The 1974 Privacy Act, the main law governing how U.S. agencies should handle private information, hasn't kept up with new technologies and, in some cases, has huge exceptions on its restrictions for sharing personal information, witnesses told the Senate Committee on Homeland Security and Governmental Affairs.

"Technology evolves so rapidly in this day and age that we will need to be more vigilant in ensuring that the wheels of progress are not inadvertently running over our basic privacy rights," said Sen. Susan Collins (R-Maine). "We're constantly trying to catch up with the laws and the policies to the technology."

The U.S. government needs to make several improvements in its privacy policies and data collection to avoid data breaches like a 2006 incident in which a laptop containing the personal information of 26.5 million people was stolen from a U.S. Department of Veterans Affairs employee. There were also reports of 490 laptops stolen from the Internal Revenue Service over three years, Collins said.

The U.S. Government Accountability Office was due to release two reports today, one calling for Congress to establish new privacy rules, and a second recommending that the White House Office of Management and Budget establish a permanent chief privacy officer who could oversee privacy efforts governmentwide.

Privacy protections are not consistently applied across the U.S. government, and agencies often do not limit their collection of personal data to needed information, said Linda Koontz, the GAO's director of information management issues.

"Current laws and guidance impose only modest requirements for describing the purposes for personal information and limiting how it is used," Koontz wrote in one report.

Agencies are not required to be specific in their data-collection public notices, which "could allow for unnecessarily broad ranges of uses, thus calling into question whether meaningful limitations had been imposed," she wrote.

Privacy advocates Ari Schwartz, vice president of the Center for Democracy and Technology, and Peter Swire, an Ohio State University law professor and former chief privacy counselor at OMB during the Clinton administration, also called for Congress to mandate changes in the way U.S. agencies handle personal data.

The Privacy Act doesn't address new technologies such as data mining, which can have major privacy implications, nor does it envision government agencies contracting with private data brokers, Schwartz said. Current privacy guidance from President George W. Bush's administration is "vague and simply does not provide the agencies the tools they need" to create privacy impact assessments for their use of personal data, he said.

Schwartz and Swire both called upon Congress to update the Privacy Act and close loopholes in the law, as well as to create a permanent chief privacy officer at OMB.

Swire also raised concerns that the U.S. Department of Homeland Security is increasingly relying on biometric data such as fingerprints. The DHS has promoted the infallibility of fingerprints, but it's easy to find explanation online on how to forge them, Swire said.

He called on the DHS and other agencies to encrypt fingerprint and other biometric data in nearly all circumstances. "If you lose your fingerprint, it's hard to get a new finger," Swire said.