Federal advisory board: Bring privacy laws up to 21st-century speed
Information Security and Privacy Advisory Board recommends broad updating of privacy laws to reflect changes in technology
- By William Jackson
- May 28, 2009
The Privacy Act of 1974 has been outstripped by technology and does not provide agencies with appropriate guidance in handling personal information or individuals with adequate safeguards to their privacy, according to a federal advisory board.
“While the fundamentals of the act — the principles of fair information practices — remain relevant and current, the letter of the act and related law and policy do not reflect the realities of current technologies and do not protect against many important threats to privacy,” the Information Security and Privacy Advisory Board said in a report released May 27.
The law was written in a time of centralized mainframe computing and has not adapted to distributed and client-server computing, ubiquitous networks and increasingly powerful mobile devices, the report said.
“Policy written for the era of flat files has confused and frustrated those who would like to follow the law, especially since there has been no government-wide guidance on how to apply the Act’s older terms and assumptions to today’s environment,” the report said.
The board recommended a number of amendments to update and strengthen privacy laws and improve government oversight, including mandating chief privacy officers in all CFO agencies.
The Privacy Act applies to narrowly defined “systems of records,” in which data is accessed through a unique identifier, and that definition does not correspond to modern relational databases, the report said. It added that the law did not anticipate distributed data and computing resources, powerful and portable storage and computing devices, or the ability to cross-reference data from many sources to identify individuals. Changes are continuing at a growing pace.
“The biggest change in Internet technology in the past three years has been the growth in Web 2.0 interactive tools,” the report said. “Social networks such as Facebook, MySpace and Twitter have changed the way individuals think about how they communicate online.”
There has been some updating of privacy legislation and regulation over the years, including the Office of Management and Budget policy against use of persistent cookies by agency Web sites, and data breach reporting requirements. But in general the requirements have not kept pace with technology, ISPAB found.
ISPAB recommended amending the Privacy Act of 1974 and the E-Government Act of 2002 to:
- Improve Government privacy notices.
- Update the definition of System of Records to cover relational and distributed systems based on government use, not holding, of records.
- Clearly cover commercial data sources under both the Privacy Act and the E-Government Act.
To improve government leadership on privacy:
- The Office of Management and Budget should hire a full-time Chief Privacy Officer.
- Privacy Act Guidance from OMB must be regularly updated.
- Chief Privacy Officers should be hired at all “CFO agencies.”
- A Chief Privacy Officers’ Council should be developed.
- OMB should issue privacy guidance on agency use of location information.
- There should be public reporting on the use of Social Security numbers.
William Jackson is a Maryland-based freelance writer.