Data Mining: Agencies Have Taken Key Steps to Protect Privacy in Selected Efforts, but Significant Compliance Issues Remain

GAO-05-866 August 15, 2005

Summary

Data mining--a technique for extracting knowledge from large volumes of data--is being used increasingly by the government and by the private sector. Many federal data mining efforts involve the use of personal information, which can originate from government sources as well as private sector organizations. The federal government's increased use of data mining since the terrorist attacks of September 11, 2001, has raised public and congressional concerns. As a result, GAO was asked to describe the characteristics of five federal data mining efforts and to determine whether agencies are providing adequate privacy and security protection for the information systems used in the efforts and for individuals potentially affected by these data mining efforts.

The five data mining efforts we reviewed are used by federal agencies to fulfill a variety of purposes and use various information sources, including both information collected on behalf of the agency and information originally collected by other agencies and commercial sources. Although the systems differed, the general process each used was basically the same. Each system incorporates data input, data analysis, and results output. While the agencies responsible for these five efforts took many of the key steps required by federal law and executive branch guidance for the protection of personal information, they did not comply with all related laws and guidance. Specifically, most agencies notified the general public that they were collecting and using personal information and provided opportunities for individuals to review personal information when required by the Privacy Act. However, agencies are also required to provide notice to individual respondents explaining why the information is being collected; two agencies provided this notice, one did not provide it, and two claimed an allowable exemption from this requirement because the systems were used for law enforcement. In addition, agency compliance with key security requirements was inconsistent. Finally, three of the five agencies completed privacy impact assessments--important for analyzing the privacy implications of a system or data collection--but none of the assessments fully complied with Office of Management and Budget guidance. Until agencies fully comply with these requirements, they lack assurance that individual privacy rights are being appropriately protected.



Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Linda D. Koontz
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6240


Recommendations for Executive Action


Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of Agriculture should direct the Administrator of the Risk Management Agency (RMA) to provide the required Privacy Act notices to individuals, including producers, insurance agents, and adjusters, when personal information is collected from them.

Agency Affected: Department of Agriculture

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of Agriculture should direct the Administrator of RMA to apply the appropriate information security measures defined in OMB and NIST guidance to the systems used in the RMA data mining effort, specifically, the development of a complete system security plan, a tested contingency plan, and regular testing and evaluation of the systems used in the effort.

Agency Affected: Department of Agriculture

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of Agriculture should direct the Administrator of RMA to develop and implement procedures that ensure the accuracy, relevance, timeliness, and completeness of personal information used in the RMA data mining effort to make determinations about individuals.

Agency Affected: Department of Agriculture

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of Agriculture should direct the Administrator of RMA to revise the privacy impact assessment for the RMA data mining effort to comply with OMB guidance, including analyses of the intended use of the information it collects, with whom the information will be shared, how the information is to be secured, opportunities for impacted individuals to comment, and the choices made by the agency as a result of the assessment.

Agency Affected: Department of Agriculture

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of Agriculture should direct the Administrator of RMA to have the completed privacy impact assessment approved by the chief information officer or equivalent official.

Agency Affected: Department of Agriculture

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of Agriculture should direct the Administrator of RMA to make the completed privacy impact assessment available to the public, as appropriate.

Agency Affected: Department of Agriculture

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of the Treasury should direct the Commissioner of the Internal Revenue Service to apply the appropriate information security measures defined in Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) guidance to the systems used in the Reveal data mining effort, specifically, the performance of regular system testing and evaluation against NIST guidance.

Agency Affected: Department of the Treasury

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of the Treasury should direct the Commissioner of the Internal Revenue Service to revise the privacy impact assessment for the Internal Revenue Service's Reveal system to comply with OMB guidance, including analyses of the information to be collected, the purposes of the collection, the intended use of the information, how the information is to be secured, and opportunities for impacted individuals to comment.

Agency Affected: Department of the Treasury

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of the Treasury should direct the Commissioner of the Internal Revenue Service to make the completed privacy impact assessment available to the public, as appropriate.

Agency Affected: Department of the Treasury

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Attorney General should direct the Director of the Federal Bureau of Investigation to apply the appropriate information security measures defined in OMB and NIST guidance to the systems used in the Foreign Terrorist Tracking Task Force data mining effort, including the development of tested contingency plans.

Agency Affected: Department of Justice

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Attorney General should direct the Director of the Federal Bureau of Investigation to establish a date for the completion of a privacy impact assessment for its data mining effort that complies with OMB guidance, including analyses of the information to be collected, the purposes of the collection, the intended use of the information, with whom information will be shared, how the information is to be secured, opportunities for impacted individuals to comment, and the choices made by the agency as a result of the assessment.

Agency Affected: Department of Justice

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Attorney General should direct the Director of the Federal Bureau of Investigation to have the completed privacy impact assessment approved by the chief information officer or equivalent official.

Agency Affected: Department of Justice

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Attorney General should direct the Director of the Federal Bureau of Investigation to make the completed privacy impact assessment available to the public, as appropriate.

Agency Affected: Department of Justice

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Secretary of State should direct the Under Secretary for Management to notify purchase card participants of the legal basis under which the department collects their personal information, as required.

Agency Affected: Department of State

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Administrator of the Small Business Administration should amend the system of records notice regarding its data mining effort to clearly identify the individual responsible for the effort, the process by which individuals can request notification that the system includes records about them, and the procedures individuals should use to review records pertaining to them.

Agency Affected: Small Business Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Administrator of the Small Business Administration should complete a privacy impact assessment for the data mining effort that complies with OMB guidance, including analyses of the information to be collected, the purposes of the collection, the intended use of the information, how the information is to be secured, opportunities for impacted individuals to comment, and the choices made by the agency as a result of the assessment.

Agency Affected: Small Business Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Administrator of the Small Business Administration should make the completed privacy impact assessment available to the public, as appropriate.

Agency Affected: Small Business Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Administrator of the General Services Administration should publish a system of records notice for the purchase card program that specifies the name of the system, the categories of individuals and records in the system, the categories of information sources used by the system, the routine uses of the system, how the agency stores and maintains the system, the individual responsible for the effort, the process by which individuals can request notification that the system includes records about them, and the procedures individuals should use to review records pertaining to them.

Agency Affected: General Services Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that the data mining efforts reviewed include adequate privacy protections, the Administrator of the General Services Administration should ensure that the appropriate information security measures defined in OMB and NIST guidance are applied to the systems used in the Citibank Custom Reporting System data mining effort, including the development of a risk assessment, a system security plan, a tested contingency plan, the performance of regular testing and evaluation, and the completion of certification and accreditation by agency management.

Agency Affected: General Services Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.