GAO findings on government privacy issues differ
GAO findings on government privacy issues differ
Agency cites vast improvement in Web site policies but notes poor compliance with FTC guidelines
By Eric Hartley
Special to GCN
A pair of General Accounting Office reports released last month paint differing pictures of the privacy protection that government Web sites afford consumers.
The second GAO report, whose release followed the earlier audit by six days, painted a less rosy picture of federal privacy protections. That report, Internet Privacy: Comparison of Federal Agency Practices with FTC's Fair Information Principles, drew staunch criticism from the Office of Management and Budget.
For the first report, GAO evaluated 70 federal sites based on guidelines developed by OMB. The Privacy Act of 1974 requires protection of personal information in federal records, and in 1998 President Clinton gave OMB expanded authority to coordinate federal privacy issues.
In June of last year, OMB released guidelines requiring agencies to post clear privacy policies on all home pages and other major site points. Each policy must specify any information a site will collect and what an agency will do with the data.
In its recent audit, GAO found the situation vastly improved. Sixty-nine of the 70 sites posted privacy policies, though GAO said two of the 69 did not meet OMB guidelines for 'clearly labeled and easily accessed' policies.
Of 2,700 pages that agencies had defined as 'major entry points,' only nine lacked privacy policies, GAO found. With no guidelines on what constitutes a major entry point, GAO relied on agencies to identify these pages. Agencies tended to define them similarly, GAO auditors found.
GAO also evaluated agencies' treatment of what OMB labels 'substantial personal information,' though again there is no OMB guidance. For its audit, GAO defined substantial information as including names, e-mail and postal addresses, telephone numbers, Social Security numbers and credit card information.
Forty-four of 101 online forms that agencies use to collect such data did not include privacy notices, GAO found. It was difficult to analyze the results because of the lack of clear guidelines, said Michael Brostek, GAO's associate director of federal management and work force issues.
Agencies have made improvements in posting privacy policies, and the problems that remain are mostly at the forms level, Brostek said. Users may be transported from one Web site to a form within another agency's site without ever seeing the home page, so agencies need to ensure users can find out privacy policies on all forms, he said.
GAO recommended that OMB draft more specific guidelines and work more closely with agencies on privacy issues.
But Peter Swire, chief counselor for privacy at OMB, cautioned against expecting too much oversight by his agency.
OMB analysts 'don't know all the details' of each agency's mission, so OMB tries to refrain from micromanaging, Swire said.
Including commonsense privacy policies when sites are first introduced would make later OMB intervention less necessary, Swire said.
He added that OMB is wary of moving too quickly, but the agency has made progress in setting guidance. 'We've tried to take sensible and significant steps each year,' he said.
OMB's Sally Katzen says the reports don't reflect agencies' progress on privacy issues.
Sally Katzen, deputy director for management at OMB, in a written response to the first of the two reports, said the findings did not 'adequately reflect the significant progress that federal agencies have made in this area.'
Brostek said that because online issues are evolving so rapidly, Katzen might have felt the report was outdated by the time it was released. It's likely that GAO will conduct regular reviews because of the continual changes taking place, he said.
Katzen also criticized the second report, saying it's inappropriate to judge agency efforts against privacy guidelines the Federal Trade Commission created for commercial sites.
The commission in May had issued four guidelines for evaluating privacy protection: notice, choice, access and security. It recommended that corporate Web sites be required to abide by these principles, which it defined:
Notice: If a site collects data, disclose of the practice before collection occurs.
Choice: Give consumers a choice on whether information can be collected and how it can be used beyond the stated purposes.
Access: Let consumers see information that is collected about them and verify its accuracy.
Security: Ensure that personal information is secure.
All 65 sites GAO officials reviewed in July collected some personal information. Of those, 69 percent posted notices that met the FTC criteria, 45 percent adequately provided a choice for consumers on use, 17 percent gave consumers sufficient access to review the collected information, and 23 percent had acceptable security policies.
GAO found that only 3 percent of randomly selected government sites fulfilled all four FTC criteria. A review of sites run by agencies with high public profiles, such as the IRS or the Securities and Exchange Commission, found that 6 percent had met them.No comparison
Compared to commercial sites, agencies fell far short on meeting the FTC criteria. Forty-two percent of the most popular commercial sites and 20 percent of randomly selected sites fulfilled all four in a review the commission conducted earlier this year.
Katzen questioned the validity of such a report and said it served no useful purpose in evaluating agency privacy protections.
'Agencies have been directed to follow the Privacy Act and OMB policy on Web site privacy policies rather than the FTC formulation of fair information practices,' she said.
In fact, agencies are held to far stricter privacy standards than industry, she said.
GAO acknowledged that FTC officials had also questioned whether the commission guidelines developed for commercial sites were an appropriate evaluation tool for government sites.