Current laws miss key points in protecting data

Current federal privacy laws fail to protect sensitive information and need amendments to keep pace with the evolving technology landscape, according to the Government Accountability Office.

Federal agencies routinely use IT to collect, store and transmit personal information about individuals. Lawmakers and privacy advocates have recently warned that the legislation meant to protect that data may no longer be adequate, and agencies' growing dependence on IT puts sensitive personal information at greater risk of leaks or misuse.

“While bringing significant benefits, this dependence on IT can also create vulnerabilities that can result in, among other things, the compromise of sensitive personal information through inappropriate use, modification or disclosure,” Gregory Wilshusen, GAO’s director of information security issues, testified before two Senate committees July 31.

Currently, the Privacy Act of 1974 and parts of the E-Government Act of 2002 govern how federal agencies collect and use personally identifiable information. However, these laws set only minimum requirements for agencies and do not consistently protect PII or govern how it is collected and used, Wilshusen said in his testimony before the Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia and the Committee on Homeland Security and Governmental Affairs.

Technological advances also add to the need for revamped legislation. The Privacy Act applies to personal information residing on government systems, but agencies' use of commercial Web 2.0 tools raises the question of whether the law protects data gathered and stored by third parties.

GAO has suggested that Congress consider revising both acts that govern how agencies handle personal information. Wilshusen said updated legislation needs to cover all PII collected, used and maintained by the federal government. Amendments should also set requirements to ensure that the collection and use of PII is limited to a stated purpose.

Revised legislation should also provide new mechanisms for notifying citizens about privacy protections by changing the requirements for how public notices are made available. Currently, agencies must publish a notice in the Federal Register about data collection, but some have questioned whether that is the most appropriate medium for notifying citizens.

Another key element of protecting personal information is preventing data breaches, Wilshusen noted. Over the past six years, cases involving leaked or compromised sensitive data reported by federal agencies to the U.S. Computer Emergency Readiness Team increased nearly 680 percent.

“Incidents such as these illustrate that sensitive personally identifiable information remains at risk and that improved protections are needed to ensure the privacy of information collected by the government,” Wilshusen said.

In a 2006 report, GAO noted that data breaches could be reduced by limiting how much data is collected and the number of individuals who have access to it. Technical measures such as encryption also helped prevent incidents, as did adoption of a comprehensive security program.

However, while agencies can continue taking steps to prevent data breaches, incidents will continue to occur “and when they do it is critical that proper response policies and procedures be in place,” Wilshusen said.

Daniel Castro, senior analyst at the Information Technology and Innovation Foundation, told FCW he agreed that the Privacy Act's "system of records" definition should be revised to cover PII, and that privacy notices could be better structured and published more clearly on a website rather than in the Federal Register.

"I have some concerns with the recommendation to set more limits on the use of data," he said. "These types of restrictions may impede beneficial uses of information. Instead, more transparency and accountability would protect individual privacy while promoting innovation."

Castro also noted the GAO testimony didn't include the Electronic Communications Privacy Act, which governs how law enforcement can access private communications. "This is another area that should be updated," he added.

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.
