@Info.Policy: OMB pitches a fit over GAO's privacy compliance report

Robert Gellman

Last month a General Accounting Office report, titled OMB Leadership Needed to Improve Agency Compliance, took an interesting approach to measuring overall compliance with the Privacy Act of 1974.

Using survey instruments, GAO asked selected agencies about their policies and practices, and extrapolated the responses to estimate governmentwide compliance.

The Privacy Act requires each agency to make reasonable efforts to ensure that information is complete, accurate, relevant and timely before disclosing it to a nonfederal organization. GAO estimated a 71 percent compliance rate.

Overall, compliance with other Privacy Act requirements ranged from 70-plus percent to 100 percent.

No one checked on the actual degree of compliance, however, and the real numbers are likely lower. For example, 25 of 25 agencies reported complying with the disclosure accounting provisions. That's hard to accept. In my experience, many responsible agency record-keepers don't even know about the accounting requirement.

Still, as someone who has been involved in Privacy Act matters since 1975, I believe GAO's findings are roughly in the ballpark. Given the time and methodology involved, the report offers a reasonable assessment. Measuring actual compliance would cost a fortune.

The report called the Office of Management and Budget to account for doing a poor job of its statutory obligation to provide assistance to and oversight of agencies.

This isn't news. It's the same basic conclusion drawn by the Privacy Protection Study Commission and the Paperwork Commission in the late 1970s, by the House Government Operations Committee in the early 1980s [Disclosure: I wrote that report when I was on the committee's staff], and by GAO here and there over the years.

The really juicy item is the 10 pages of screaming comments from OMB in Appendix VII of the GAO report. Don't miss it. Go to www.gcn.com and enter 148 in the GCN.com/box.

OMB got a little hysterical, although it isn't clear why. The report mostly documents stuff that we knew or suspected.

In the end, OMB's critique didn't lay a glove on the report. GAO stood its ground, responding in an understated and effective fashion. Had OMB put half as much energy into Privacy Act oversight as it put into writing the comments, compliance might be significantly better.

What happens next? Nothing. OMB pays attention to the Privacy Act only when it hits the front page of the Washington Post or when Congress imposes a new duty.

Right now, OMB is working on implementing the privacy impact assessment provision of the E-Government Act of 2002. Rumor has it that the work is going well.

That follows the traditional pattern. When OMB actually does something about privacy, the result is usually OK. Then privacy gets dropped like a hot potato. Expect another OMB-is-doing-nothing-on-privacy report in five to seven years.

Robert Gellman is a Washington privacy and information policy consultant. E-mail him at rgellman@netacc.net.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above