Government agencies are making progress, but are still not completely
complying with federal rules regarding data mining and personal information,
according to a new report from the General Accountability Office (GAO).
Since the attacks of Sept. 11, 2001, the federal government has increasingly
turned to the controversial practice of data mining — a technique for
extracting knowledge from large volumes of data — in an effort to track
terrorists and to fulfill a variety of other tasks.
Two years ago, Congress killed the
Pentagon’s Total Information Awareness program when privacy became an issue.
Since then, the government has continued its work with data mining under the
watchful eye of the GAO.
“While the agencies . . . took many of the key steps required by federal law and
executive branch guidance for the protection of personal information, they
did not comply with all related laws and guidance,” the GAO report states.
The GAO reviewed the data mining programs at the Small Business
Administration, the Department of Agriculture’s Risk Management Agency, the
Internal Revenue Service, the Department of State and the FBI.
The report notes that most agencies notified the general public that
personal information was being used in the programs and, in compliance with
the Privacy Act, provided opportunities for individuals to review the
“However, agencies are also required to provide notice to individual
respondents explaining why the information is being collected,” the GAO
concluded. “Two agencies provided this notice, one did not provide it, and
two claimed an allowable exemption from this requirement because the systems
were used for law enforcement.”
Three of the five agencies completed privacy impact assessments — important
for analyzing the privacy implications of a system or data collection — but
none of the assessments fully complied with Office of Management and Budget
In addition, according to the GAO, agency compliance with key security
requirements was inconsistent.
“Until agencies fully comply with these requirements, they lack assurance
that individual privacy rights are being appropriately protected,” the
The GAO defines data mining as the application of database technology and
techniques to uncover hidden patterns and subtle relationships in data and
to infer rules that allow for the prediction of future results.
The technique has been used for a number of years in the private sector.
Customer relationship management, market research, retail and supply chain
management and fraud detection are all examples of data mining.
The government initially used data mining techniques to detect fraud and
abuse. After the terrorist attacks on New York and Washington, the
government turned to data mining for national security purposes and quickly
ran into privacy issues.
According to the GAO, “The ease with which organizations can use automated
systems to gather and analyze large amounts of previously isolated
information raises concerns about the impact on personal privacy.”