Update of Key Transparency Law Would Better Protect Americans' Privacy
A critical but neglected transparency law could be updated for the 21st century if a new congressional proposal succeeds. The Privacy Act Modernization for the Information Age Act (S. 1732), introduced by Sen. Daniel Akaka (D-HI) on Oct. 18, would update the Privacy Act of 1974 (5 U.S.C. 552a). The Privacy Act governs what actions federal agencies must take when collecting personal information on American citizens and how agencies use and share it.
In addition to protecting personal privacy, the current act gives Americans the right to know what information the government has about them, to know how the government has used the information, and to correct inaccuracies in the information. This makes it a key transparency law. Akaka's bill would make the law a more robust tool for holding government accountable and for empowering Americans to protect their personal information. Akaka, who is retiring at the end of 2012, hopes to pass the bill before this session of Congress adjourns.
Bill Expands Scope of Protected Personal Information
The modernization bill extends privacy requirements "to all Federal collection and use of personal information" and updates the law's wording to better apply to electronic information. This would enable Americans to more easily access and correct any personal information about them held by agencies, including data purchased or licensed from commercial sources. Examples of commercial information that government agencies may access include credit report information, telecommunication records, online purchase data, and passenger flight information.
Requirements That Individuals Be Informed When Personal Information Is Collected
Under the Privacy Act, when collecting personal information, agencies must inform individuals of the authorization and purpose for doing so, as well as any likely effects should the individual not provide the requested information. These notices are an important way to make the public more aware that such information is being gathered and to make agencies more accountable for how they use personal information.
The proposed legislation would improve these notices by mandating that agencies add information on how to access and correct a person's personal information and how to learn more about the reasons and uses for which such information is being collected. These changes would better inform Americans of their privacy rights, empowering them to engage agencies and make better decisions about providing their personal information. In 2008, a coalition led by OMB Watch called for the public to be better notified of their rights under transparency laws. The Akaka bill would implement that recommendation.
Information on Government Records Systems Collected on One Website
The Privacy Act requires agencies to publish a description in the Federal Register of the information they intend to use when establishing new systems for gathering personal information; moreover, they must solicit public comments on the proposed system before establishing or amending it. The modernization bill would update these provisions by requiring that these descriptions or notices be published both on agency websites and on a centralized, government-wide website. Since most people are not regular readers of the Federal Register, increased online notification should result in more people learning about these proposals and commenting on them.
The government-wide website would, in effect, generate an inventory of all such systems, updated annually. As Akaka commented, "We need more transparency so the average person has a place to go to learn about what information the government is keeping and how they can access that information."
The bill would also require agencies to publish replies to comments received and to notify the public when the system has been implemented. Establishing such a back-and-forth dialogue should strengthen public participation in setting agencies' privacy policies.
Better, More Unified Notification in the Case of Security Breaches
The proposed legislation would also require the Office of Management and Budget (OMB) to establish procedures for notifying the public of breaches of their personal information. Prompt breach notifications allow the public to protect against identity theft or other problems. Requiring notification also prevents agencies from hiding embarrassing security failures, providing a valuable incentive to prevent such breaches from occurring. A 2006 report of the House Oversight and Government Reform Committee found that every Cabinet department had reported "at least one loss of personally identifiable information" in the period from 2003 to 2006.
Most states have breach notification laws that apply equally to the private sector and to government agencies. However, no comprehensive law exists at the federal level. Instead, a patchwork of policies has developed over the years to address privacy breaches in the federal government or particular agencies:
- In response to high-profile losses of data by the Department of Veterans Affairs (VA), a 2006 law requires the department to notify affected individuals of data breaches.
- OMB issued memoranda in 2006 and 2007 that discussed breach notification procedures for agencies to undertake.
- The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, requires breach notification by entities that handle medical records, including federal agencies.
There are other pending legislative proposals that would also extend breach notification requirements across the federal government. Both the Data Breach Notification Act (S. 1408), introduced by Sen. Dianne Feinstein (D-CA) in July, and the Personal Data Privacy and Security Act (S. 1151), introduced by Sen. Patrick Leahy (D-VT) in June, would establish comprehensive breach notification for both government agencies and private entities. Both bills have been referred to the Senate Judiciary Committee. In May, the White House published a legislative proposal on breach notification that would apply to the private sector but not federal agencies.
Centralized Compliance Oversight at OMB
To oversee agency compliance with the Privacy Act and related requirements, the Akaka bill would create a Federal Chief Privacy Officer housed at OMB. This new office would seek to create more consistent implementation of the Privacy Act across the federal government. Increased oversight should prevent the sweeping exemptions from the act that some agencies have claimed.
The bill would also establish chief privacy officers in each agency that does not currently have one. The bill would give these officers the authority to investigate agency compliance with privacy laws, which currently only the Department of Homeland Security's officer has. The bill also would establish a government-wide Chief Privacy Officers Council to coordinate policy across agencies.
While the proposed legislation would strengthen the transparency and accountability of federal privacy practices, it could be improved in several important ways:
- More information on the central website: The government-wide website on agencies' personal information collection practices should explain the Privacy Act, agency procedures and obligations under it, and easy-to-understand instructions on how a citizen can access and correct his or her own personal information.
- Strengthen the breach notification requirements: The proposed law gives OMB the authority to determine breach notification standards. Congress should establish this standard, as nearly every state legislature has done.
- Improve public participation requirements in the law: The provisions in the bill that expand notification requirements and online information about records systems that collect personal information seem geared toward improving participation by better informing the public. However, they fall short of best practices for effective participation. The bill should require agencies to publish plain-language descriptions of information collection plans that would include personal information, to publish the comments they receive, and to publish responses to such comments before new or amended information gathering systems are established.