Its
report on data mining, published yesterday, had been requested by
Senator Daniel K Akaka, Ranking Member of the Senate Subcommittee
on the Oversight of Government Management.
Data mining usually means analysing large volumes of data to
extract knowledge or to identify patterns or relationships. It is
used in both the public and private sectors, but questions have
been raised as to whether there are adequate measures in place
within federal agencies to protect the personal details of
individuals caught in the information sweep.
The GAO reviewed data mining efforts at the Internal Revenue
Service, the Federal Bureau of Investigation, the Small Business
Administration, the Department of Agriculture Risk Management
Agency, and the Department of State. These activities use personal
information and each obtains data from another agency or a private
sector source.
The GAO found that while these agencies took many of the key
steps to protect personal information, none followed all of the key
procedures. Some of the agencies failed to follow the notice
requirements in the Privacy Act, others had privacy impact
assessments (PIA) that were not in compliance with Office of
Management and Budget guidance, and still others failed to meet key
information security requirements.
“Until agencies fully comply with these requirements,” says
the report, “they lack assurance that individual privacy rights are
being appropriately protected.”
According to Senator Akaka, "the failure of agencies to follow
key privacy and security requirements limits the ability of the
public to participate in the management of their personal
information and risks improper disclosure or alteration of personal
data.”
"Although GAO found these lapses at the five agencies it
reviewed, this is a troubling trend given the number of data mining
activities in the federal government that use personal
information," he warned.
According to an earlier GAO report for Senator Akaka,
published in May 2004, federal agencies are using or plan to use
199 data mining activities of which 122 involve the use of personal
information.
Forty-six of these federal data mining activities involve
sharing personal information between agencies and 36 programs use
personal information from the private sector. The personal
information used in these data mining activities includes credit
reports, credit card transactions, student loan application data,
bank account numbers, and taxpayer identification numbers.
Senator Akaka concluded: "It is imperative that agencies are
in compliance with federal privacy and security laws to protect
personal information. In light of the high number of data mining
activities in the federal government and the use of personal
information, we must ensure that the federal government is
following the laws set up to protect the privacy rights of all
Americans. Having policies and safeguards in place will not work if
agencies are not following the law."
