Federal advisory board: Bring privacy laws up to 21st-century speed

Information Security and Privacy Advisory Board recommends broad updating of privacy laws to reflect changes in technology

The Privacy Act of 1974 has been outstripped by technology and does not provide agencies with appropriate guidance in handling personal information or individuals with adequate safeguards to their privacy, according to a federal advisory board.

“While the fundamentals of the act — the principles of fair information practices—remain relevant and current, the letter of the act and related law and policy do not reflect the realities of current technologies and do not protect against many important threats to privacy,” the Information Security and Privacy Advisory Board said in a report released May 27.

The law was written of a time of centralized mainframe computing and has not adapted to distributed and client-server computing, ubiquitous networks and increasingly powerful mobile devices, the report said.

“Policy written for the era of flat files has confused and frustrated those who would like to follow the law, especially since there has been no government-wide guidance on how to apply the Act’s older terms and assumptions to today’s environment,” the report said.

The law's shortcomings have been amplified by a lack of leadership from Congress and the White House, which has left privacy policy largely to the individual agencies, the report said, “and only a few privacy leaders in key agencies have been empowered by their internal leadership to fill the policy vacuum.”

The board recommended a number of amendments to update and strengthen privacy laws and improve government oversight, including mandating chief privacy officers in all CFO agencies.

The Information Security and Privacy Advisory Board (ISPAB) was established by the Computer Security Act of 1987 to advise government on information technology security and privacy issues and is comprised of industry and government officials. The report, “Toward A 21st Century Framework for Federal Government Privacy Policy,” follows up on earlier studies by the Government Accountability Office which found that privacy laws and policies have not been effectively implemented and have not kept pace with technology.

The Privacy Act applies to narrowly defined “systems of records” in which data is accessed through a unique identifier that do not correspond to modern relational databases, the report said, adding that distributed data and computing resources, powerful and portable storage and computing devices and the ability to cross-reference data from many sources to identify individuals were not anticipated in the law. Changes are continuing at a growing pace.

“The biggest change in Internet technology in the past three years has been the growth in Web 2.0 interactive tools,” the report said. “Social networks such as Facebook, MySpace and Twitter have changed the way individuals think about how they communicate online.”

There has been some updating of privacy legislation and regulation over the years, including the Office of Management and Budget policy against use of persistent cookies by agency Web sites, and data breach reporting requirements. But in general the requirements have not kept pace with technology, ISPAB found.

ISPAB recommended amending the Privacy Act of 1974 and the EGovernment Act of 2002 to:

  • Improve Government privacy notices.
  • Update the definition of System of Records to cover relational and distributed systems based on government use, not holding, of records.
  • Clearly cover commercial data sources under both the Privacy Act and the EGovernment Act.

To improve government leadership on privacy:

  • The Office of Management and Budget should hire a full‐time Chief Privacy Officer.
  • Privacy Act Guidance from OMB must be regularly updated.
  • Chief Privacy Officers should be hired at all “CFO agencies.”
  • A Chief Privacy Officers’ Council should be developed.

The other changes in privacy policy inlude:

  • OMB should update the federal government’s cookie policy.
  • OMB should issue privacy guidance on agency use of location information.
  • There should be public reporting on the use of Social Security numbers.

About the Author

William Jackson is a Maryland-based freelance writer.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.