Privacy laws may not cover key systems

E-Government Act

Related Links

Information systems that search private data, including the controversial Total Information Awareness (TIA) program, may not be covered under privacy laws, experts inside and outside government said last week.

The Office of Management and Budget is developing guidance to instruct agencies on how to carry out laws designed to protect Americans' privacy.

The E-Government Act of 2002 includes the first major revisions to federal information privacy mandates since the Privacy Act of 1974, which limits federal collection and use of personal information. One change under the E-Government Act requires all new federal systems used for agency-conducted information collection activities to undergo a thorough assessment of how those systems address privacy protection.

But those requirements only apply to information held in databases operated by federal agencies, while more agencies are proposing to tap into private-sector sources for information and analysis, particularly for homeland security. For example, the proposed TIA system, a Defense Advanced Research Projects Agency pilot program, would sift through individual financial data — for example, information held in databases operated by private banks — to find anomalies that could point to possible terrorist activity.

Resolving the issue of whether agencies can search private data will be the real test for the guidance that OMB is now developing to help agencies follow the new privacy mandates, said Peter Swire, a law professor at Ohio State University and chief privacy counselor at OMB under the Clinton administration.

The OMB guidance will address areas such as how to conduct an assessment, how to circulate an agency's privacy policies and how to secure the information collected. But Swire said the protocol should also address the government's use of private-sector systems and databases, where there is no real precedent. "It seems to me that's where the action is and there ought to be guidance," he said.

Increasingly, agencies have hired contractors to run federal systems, complicating whether those systems fall under the privacy provisions of the E-Government Act, said Ari Schwartz, associate director for the Center for Democracy and Technology.

The courts decided that the 1974 Privacy Act applies only to the collection of information on behalf of an agency, said Franklin Reeder, chairman of the National Computer Systems Security and Privacy Advisory Board, which advises both OMB and the National Institute of Standards and Technology.

The courts, however, have also ruled in the past that the act does not apply to agency use of private databases, which is the controversy with many current systems, Reeder said.

The E-Government Act explicitly states that the privacy policies apply to systems that are developed or bought by federal agencies. OMB still intends to address the subject in its guidance, said Dan Chenok, branch chief for information policy and technology at the agency.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.