This week, for a hearing in the Senate Homeland Security and Government Reform Committee, the Government Accountability Office released a report on privacy titled “Alternatives Exist for Enhancing Protection of Personally Identifiable Information.” (GAO testimony based on the report is here.) I served on a National Academy of Sciences “Expert Panel” that gave the GAO some perspectives on issues related to the Privacy Act.
The report had three main conclusions, which follow with my comments:
The Privacy Act’s definition of a “system of records” (any grouping of records containing personal information retrieved by individual identifier), which sets the scope of the act’s protections, does not always apply whenever personal information is obtained and processed by federal agencies. One alternative to address this concern would be revising the system-of-records definition to cover all personally identifiable information collected, used, and maintained systematically by the federal government.
The “system of records” definition has indeed fallen out of date. Thanks to the growth of search and other technological developments, records not organized by personal identifier can be accessed and used by the federal government, but they fall outside the purview of the Privacy Act. This should change. The report also highlights the fact that data used by the federal government, but held by information resellers, escapes the purview of the Privacy Act. This should also change.
According to generally accepted privacy principles of purpose specification, collection limitation, and use limitation, the collection of personal information should be limited, and its use should be limited to a specified purpose. Yet, current laws and guidance impose only the modest requirements in these areas. . . . Alternatives to address this area of concern include requiring agencies to justify the collection and use of key elements of personally identifiable information and to establish agreements before sharing such information with other agencies.
Once they have collected it, federal agencies can do anything they want with personal information simply by declaring their plan to do so in the Federal Register through a “System of Records Notice” or “SORN.” The statements agencies may make when they collect information do not bind them in the slightest. This is wrong and it should change. GAO’s recommendations to limit collection and sharing of information are rather tepid, alas, and they wouldn’t change agencies’ institutional incentives to over-collect and promiscuously share the personal information of the citizenry.
Privacy Act notices may not effectively inform the public about government uses of personal information. For example, system-of-records notices published in the Federal Register (the government’s official vehicle for issuing public notices) may be difficult for the general public to fully understand. Layered notices, which provide only the most important summary facts up front, have been used as a solution in the private sector. In addition, publishing such notices at a central location on the Web would help make them more accessible.
It’s true that Privacy Act notices don’t inform the public well. They are obscurely written documents in an obscure publication. But I’m not sure that the publication of “layered notices” would be an improvement. Sure, there’s a consensus among government types that layered notices are the next big thing, but I don’t believe that they will change citizen understanding or behavior in any significant respect. Notices are also not terribly relevant in the government environment because a person can’t decline to do business with a government based on its privacy practices or promises.
There’s more to learn on “notice” and its importance or relevance for getting people more privacy. The thing we know is that reducing data collection and use leads directly to privacy. Getting policymakers to understand the privacy costs they’re imposing on the public would be as effective, if not more, than notifying the public about what’s been done to them after a policy is made and the horse is out of the barn.