Report: Privacy compliance is uneven

General Accounting Office reports

Inconsistent compliance with the Privacy Act means the federal government cannot adequately assure the public that individual privacy is being protected under the law, federal auditors said.

After surveying the privacy practices and procedures of 25 federal agencies, the General Accounting Office determined that compliance with the act is uneven governmentwide. In a report released today, the auditors say the Office of Management and Budget needs to, among other things, improve monitoring of government actions, consider more guidance for agencies and raise agency awareness.

Sen. Joseph Lieberman (D-Conn.) demanded improved leadership from OMB and a stronger commitment from all agencies.

"GAO's report today makes it very clear the government cannot adequately assure the public its privacy rights are being protected," Lieberman said. "The [Bush] administration needs to act quickly to strengthen privacy protections, by committing more focused leadership and greater resources to protecting the public's privacy."

GAO found that in almost 30 percent of instances when agencies disclosed personal information to nonfederal organizations, procedures were not in place to ensure that the data disclosed was complete, accurate, relevant and timely, as the Privacy Act requires.

Auditors also identified weaknesses in security. According to their report, more than one out of every five agency officials does not have a way to detect when unauthorized persons were reading, altering, disclosing or destroying information in the system.

And the report states that eight of the 25 agencies studied do not have the required policies and procedures to determine whether all personal information collected was needed.

GAO blamed the privacy shortfall on a lack of leadership from OMB, employee training and emphasis on privacy issues. For instance, OMB has only one person assigned to handle governmentwide privacy issues.

"That is simply unacceptable, given the importance of this issue to the general public," Lieberman said.

The E-Government Act of 2002 requires that federal agencies complete Privacy Impact Assessments for new information technology systems and new information collections.