Agencies' Data Mining Efforts Criticized for Privacy Failures

In a recent report to a subcommittee of the Committee on Homeland Security and Governmental Affairs on data mining (i.e., the extraction of pertinent information from large volumes of data), the Government Accountability Office concluded that none of five agencies the GAO audited "followed all the key procedures" for the protection of personal information. The particular agency projects were chosen for review in part because they involved one of the following goals: (1) analysis of intelligence and detection of terrorist activities; (2) detection of criminal activity; (3) identification of fraud, waste or abuse; or (4) efforts to improve service or performance.

In response to a request from Senator Daniel K. Akaka, the Ranking Minority Member of the Subcommittee on Oversight of Government Management, the GAO reviewed the data mining efforts of the Small Business Administration, the Department of Agriculture's Risk Management Agency, the Internal Revenue Service, the Department of State, and the Federal Bureau of Investigation from May 2004 to June 2005. The GAO selected the data mining efforts of these five agencies because each of these agencies uses "personal information and data obtained from another agency or a private sector source, and because they were used for one of several specific purposes."

The data mining efforts reviewed by the GAO include, among others:

1. The Department of State's use of Citibank's Custom Reporting System "to analyze government charge card spending patterns by its employees;"

2. Data mining by the FBI's Foreign Terrorist Tracking Task Force to help "federal law enforcement and intelligence agencies locate foreign terrorists and their supporters in the United States;"

3. The IRS's efforts to "detect evidence of financial crimes, fraud, and terrorist activities;" and

4. The SBA's efforts, contracted out to Dun & Bradstreet, "to identify, measure, and manage risk in two SBA loan programs."

The GAO found that although "most agencies notified the general public that they were collecting and using personal information and provided opportunities for individuals to review personal information," only two of the agencies informed respondents why they were collecting the personal information. Of the three agencies that did not inform respondents why they were collecting the information, two claimed they were exempted from this requirement because their data mining efforts were used for law enforcement.

The GAO also found that "Agencies' compliance with key security requirements that are intended to protect the confidentiality and integrity of personal information was inconsistent."

Finally, the GAO determined that only three of the five agencies whose data mining efforts it reviewed "had prepared a privacy impact assessment — an important tool for analyzing the privacy implications of a system or data collection — of their data mining efforts, [and] none of the assessments fully complied with the Office of Management and Budget (OMB) guidance."

This lengthy (75-page) report not only contains the GAO's findings regarding the five data mining efforts, but also contains a great overview of the Privacy Act of 1974 (5 U.S.C. § 522a et seq.), recommendations made by the GAO to the five agencies whose data mining efforts were reviewed, the agencies' responses, and the GAO's analysis of the agencies' responses. The report provides an in-depth view into the federal government's data mining efforts and the efforts, or lack thereof, of various agencies to protect the confidentiality of personal information.

Earlier this summer, the GAO reported that the Transportation Security Administration violated the Privacy Act during testing of the Secure Flight program. Previous reports here and here.

Posted by K.M. Das
