GAO: Federal data mining not obeying privacy rules

Federal agencies are not adequately protecting citizens’ privacy when they query databases containing personal information, according to a Government Accountability Office report released today.

GAO auditors examined five agencies’ procedures for data mining, an increasingly popular method of extracting hidden relationships in data and inferring rules that can predict future data trends. They reviewed data-mining programs within the Small Business Administration, the Agriculture Department’s Risk Management Agency, the Internal Revenue Service, the State Department and the FBI.

Federal uses of data-mining vary from detecting financial fraud to locating U.S. supporters of foreign terrorists. After the Sept. 11, 2001, terrorist attacks, some federal agencies expanded their use of data-mining to detect terrorist threats.

GAO auditors found that “while the agencies responsible for these five efforts took many of the key steps required by federal law and executive branch guidance for the protection of personal information, none followed all key procedures.”

Government data-mining efforts of late have been both successful and controversial. For example, Agriculture officials were alerted to more than $250 million in fraudulent crop insurance claims in the three years after they began using the technique.

But an unsettling data-mining project under the homeland security mission – the Total Information Awareness (TIA) program – was ultimately axed. TIA combed through open-source, third-party information to find potential terrorists, causing outrage among privacy advocates.

The GAO report showed that although most agencies are notifying the public that they are using personal information, few are notifying people about the intended uses of the personal information.

Part of the problem is that agency officials themselves do not fully comprehend the privacy repercussions of data-mining. Federal law requires agencies to conduct privacy impact assessments before collecting data containing personal information. The five agencies reviewed did not perform acceptable privacy impact assessments, according to the report.

“None of the agencies we reviewed conducted a complete privacy impact assessment,” the report states. “In addition, none of the privacy impact assessments adequately addressed the choices that agencies made regarding privacy in their data mining efforts. As a result, the basis for their choices regarding tradeoffs between privacy protections and operational needs is unclear. Better analyses of such choices could help agencies strike the appropriate balance between operational needs and individuals’ rights to privacy.”

Agency officials agreed with a majority of the GAO report’s 19 recommendations, which included ensuring that information security measures are in place and making privacy impact assessments available to the public.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.