RealTime IT News

GAO: Feds Not Protecting Citizen Privacy

Government agencies are making progress, but are still not completely complying with federal rules regarding data mining and personal information, according to a new report from the General Accountability Office (GAO).

Since the attacks of Sept. 11, 2001, the federal government has increasingly turned to the controversial practice of data mining -- a technique for extracting knowledge from large volumes of data -- in an effort to track terrorists and to fulfill a variety of other tasks.

Two years ago, Congress killed the Pentagon's Total Information Awareness program when privacy became an issue. Since then, the government has continued its work with data mining under the watchful eye of the GAO.

"While the agencies . . . took many of the key steps required by federal law and executive branch guidance for the protection of personal information, they did not comply with all related laws and guidance," the GAO report states.

The GAO reviewed the data mining programs at the Small Business Administration, the Department of Agriculture's Risk Management Agency, the Internal Revenue Service, the Department of State and the FBI.

The report notes that most agencies notified the general public that personal information was being used in the programs and, in compliance with the Privacy Act, provided opportunities for individuals to review the information involved.

"However, agencies are also required to provide notice to individual respondents explaining why the information is being collected," the GAO concluded. "Two agencies provided this notice, one did not provide it, and two claimed an allowable exemption from this requirement because the systems were used for law enforcement."

Three of the five agencies completed privacy impact assessments -- important for analyzing the privacy implications of a system or data collection -- but none of the assessments fully complied with Office of Management and Budget guidance.

In addition, according to the GAO, agency compliance with key security requirements was inconsistent.

"Until agencies fully comply with these requirements, they lack assurance that individual privacy rights are being appropriately protected," the report states.

The GAO defines data mining as the application of database technology and techniques to uncover hidden patterns and subtle relationships in data and to infer rules that allow for the prediction of future results.

The technique has been used for a number of years in the private sector. Customer relationship management, market research, retail and supply chain management, and fraud detection are all examples of areas where data mining is applied.

The government initially used data mining techniques to detect fraud and abuse. After the terrorist attacks on New York and Washington, the government turned to data mining for national security purposes and quickly ran into privacy issues.

According to the GAO, "The ease with which organizations can use automated systems to gather and analyze large amounts of previously isolated information raises concerns about the impact on personal privacy."