Information Management
Selected Agencies' Handling of Personal Information
GAO ID: GAO-02-1058, September 30, 2002
To obtain government services, members of the public must often provide agencies with personal information, which includes both identifying information (such as name or Social Security number, which can be used to locate or identify someone) and nonidentifying information (such as age or gender). GAO was asked to review agencies' handling of the personal information they collect and whether this handling conforms with federal law, regulation, and agency guidance.
GAO reviewed the processes used in handling personal information collected from the public on forms at four different agencies--Agriculture, Education, Labor, and State. These four agencies were chosen because their forms represent a range of characteristics, including the time needed to fill them out (the total paperwork burden hours) and the purpose of the information they collect. In reviewing these forms, GAO concentrated on four areas (information collection, privacy, security, and records management). Handling of personal information varied among the agencies studied. Overall, agencies collected a substantial amount of personal information of a wide variety of types, including personal identifying information (names and Social Security numbers) and demographic, financial, and legal data. Agency procedures for handling personal information collected were complex, involving numerous processes and a wide range of personnel with access to the information. The personal information collected was shared extensively with other federal agencies, other government entities (state, local, tribal, and foreign), and private individuals and organizations through authorized procedures. The agencies generally complied with the key requirements and guidance pertaining to information collection, privacy, security, and records management. However, GAO identified isolated instances of forms that were not accurate or current; other forms did not contain the proper privacy notices.
GAO-02-1058, Information Management: Selected Agencies' Handling of Personal Information
This is the accessible text file for GAO report number GAO-02-1058
entitled 'Information Management: Selected Agencies' Handling of
Personal Information' which was released on October 30, 2002.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
Report to the Chairman, Committee on Governmental Affairs, U.S. Senate:
September 2002:
INFORMATION MANAGEMENT:
Selected Agencies' Handling of Personal Information:
GAO-02-1058:
Highlights: Information Management: Selected Agencies' Handling of
Personal Information:
Highlights of GAO-02-1058, a report to the Chairman, Committee on
Governmental Affairs, U.S. Senate:
Why GAO Did This Study:
To obtain government services, members of the public must often
provide agencies with personal information, which includes both
identifying information (such as a name or Social Security number,
which can be used to locate or identify someone) and nonidentifying
information (such as age or gender). GAO was asked to review agencies'
handling of the personal information they collect and whether this
handling conforms with federal law, regulation, and agency guidance.
What GAO Found:
GAO reviewed the processes used in handling personal information
collected from the public on forms at four different agencies--
Agriculture, Education, Labor, and State. These four agencies were
chosen because their forms represent a range of characteristics,
including the time needed to fill them out (the total paperwork burden
hours) and the purpose of the information they collect. In reviewing
these forms, GAO concentrated on four areas (information collection,
privacy, security, and records management).
Handling of personal information varied among the agencies studied.
Overall, agencies collected a substantial amount of personal
information of a wide variety of types, including personal identifying
information (names and Social Security numbers) and demographic,
financial, and legal data (see display below). Agency procedures for
handling personal information collected were complex, involving
numerous processes and a wide range of personnel with access to the
information. The personal information collected was shared extensively
with other federal agencies, other government entities (state, local,
tribal, and foreign), and private individuals and organizations through
authorized procedures.
The agencies generally complied with the key requirements and guidance
pertaining to information collection, privacy, security, and records
management. However, GAO identified isolated instances of forms that
were not accurate or current; other forms did not contain the proper
privacy notices.
Figure: Agencies Collect Many Types of Personal Information:
[See PDF for image]
Source: GAO analysis.
[End of figure]
What GAO Recommends:
To strengthen agency compliance with requirements for handling personal
information, GAO recommends that the Secretary of Labor ensure that
data collection forms are up to date and include appropriate Privacy
Act and other notices. GAO also recommends that the Secretary of
Agriculture ensure that the notices of how the department shares forms
data be assessed and forms updated as appropriate.
Labor, Agriculture, Education, and State officials generally agreed
with GAO's report. In addition, Labor officials posted a valid,
up-to-date form as recommended.
This is a test for developing highlights for a GAO report. The full
report, including GAO's objectives, scope, methodology, and analysis,
is available at www.gao.gov/cgi-bin/getrpt?GAO-02-1058. For additional
information about the report, contact Linda Koontz (202-512-6240). To
provide comments on these test highlights, contact Keith Fultz
(202-512-3200) or E-mail HighlightsTest@gao.gov.
Contents:
Letter:
Recommendations:
Agency Comments:
Appendixes:
Appendix I: Selected Agencies' Handling of Personal Information:
Appendix II: Objectives, Scope and Methodology:
Selected Bibliography:
Related GAO Products:
Table:
Table 1: Forms Analyzed:
Letter September 30, 2002:
The Honorable Joseph I. Lieberman
Chairman, Committee on Governmental Affairs
United States Senate:
Dear Mr. Chairman:
The security and protection of personal information[Footnote 1] is a
topic of growing national concern. Personal information is provided to
the government by the public for a specific purpose--to receive a
government benefit, obtain a service or loan, or participate in a
program. However, this information in the hands of unauthorized persons
can present a risk to those who provide it--such as misuse of personal
information or loss of personal privacy.
This report addresses the flow and management of personal information
at four agencies: the Departments of Agriculture, Education, Labor, and
State. At your request, we selected one information collection[Footnote 2]
form requesting personal information at each of these agencies, to
review its life cycle from collection, use, dissemination, and storage,
through archiving and/or disposal. As agreed with your office, our
objectives were to (1) document the flow of and practices associated
with the handling of personal information within these agencies and (2)
evaluate these information flows and practices against agency and
federal guidance.
To fulfill our objectives, we modeled the data flows for each of these
forms. We conducted structured interviews with top agency officials and
program managers to understand the data flow and agency practices. We
also reviewed applicable laws and regulations and analyzed agency
documentation on policies and procedures for using, protecting, making
available, and disposing of this information. We conducted our review
from March 2001 to July 2002, in accordance with generally accepted
government auditing standards.
On August 19, 2002, we provided a detailed briefing[Footnote 3] to your
office on the results of our work. The briefing slides are included as
appendix I, and a detailed discussion of objectives, scope, and
methodology is included as appendix II. The purpose of this report is
to provide the published briefing slides and appendixes to you and to
officially transmit our recommendations to the Secretaries of Labor and
Agriculture.
In brief, we reported that these four agencies' handling of personal
information varied greatly--including the types and amount collected--
and a wide range of personnel had access to the information. Further,
these agencies generally followed the applicable laws and regulations
in the collections we reviewed, and the agency officials recognized the
need to protect this information. We did, however, note isolated
instances of forms that were not accurate or current, and other forms
that did not contain the proper privacy notices.
Recommendations:
In order to meet the requirements of the Privacy Act and other relevant
laws and guidance protecting personally identifiable information, we
recommend that the Secretary of Labor ensure that the appropriate
agency officials review their data collection forms to ensure that the
electronic forms (1) include the Paperwork Reduction Act and Privacy
Act statements and all notices, as appropriate; and (2) are valid and
up to date. We also recommend that the Secretary of Agriculture ensure
that Agriculture officials periodically determine that notices of how
they share personal information from their data collections are still
valid (updating their forms as appropriate).
Agency Comments:
In providing oral comments on a draft of this report, officials at
Labor, State, Agriculture, and Education--including the Assistant
Secretary for Employment Standards at Labor, the Director of
Information Management and Liaison at State, and representatives from
the offices of the Chief Information Officers at Agriculture and
Education--generally agreed with our results. Officials also provided
technical comments that we incorporated as appropriate. In addition,
Labor noted that, as we recommended, they have now posted a valid,
up-to-date electronic employee compensation form on their Web site, which
includes the required Paperwork Reduction Act and Privacy Act
statements.
As agreed with your office, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
from the date of this letter. At that time, we will send copies to the
Secretaries of the Departments of Agriculture, Education, Labor, and
State; the Director of the Office of Management and Budget; and other
interested congressional committees. Copies will also be available at
no charge on our Web site at www.gao.gov.
Should you have any questions on matters contained in this report,
please contact me at (202) 512-6240, or by E-mail at koontzl@gao.gov.
Other key contributors to this report included Elizabeth Bernard, Tonia
Brown, Barbara Collier, Patricia Fletcher, Michael Jarvis, Colleen
Phillips, David Plocher, and Warren Smith.
Sincerely yours,
Linda D. Koontz
Director, Information Management Issues:
Signed by Linda D. Koontz:
[End of section]
Appendixes:
Appendix I: Selected Agencies' Handling of Personal Information:
[See PDF for Image]
[End of figure]
[End of section]
Appendix II: Objectives, Scope, and Methodology:
Our objectives were to:
* determine how agencies are handling personal information collected on
selected information collection forms; and:
* evaluate the adequacy of agencies' handling of personal information
against federal law, regulation, and agency guidance.
We chose one form per information collection from a system of records
in each of four agencies: Department of Agriculture, Department of
Education, Department of Labor, and Department of State. We chose these
four agencies to reflect a broad range in the level of the paperwork
burden that their information collection imposed on the public; the
total paperwork burden ranged from a low of about 16.56 million hours
to a high of about 186.11 million hours annually.
From these agencies, we selected four information collections that
offered a range of the following variables:
* the type of information collected, e.g., demographic, financial,
medical, or criminal activity;
* the collection and submission media, e.g., paper, facsimile, and/or
electronic transactions;
* the type of collection, e.g., application for a direct or guaranteed
loan, grant or subsidy, medical benefits and/or workplace compensation,
or receipt of a service;
* the scope of the system, including computer matching agreements;
* the size of the collection burden in hours; and:
* the population groups or audience using the collection, e.g.,
farmers, students, federal workers, and the general public.
Table 1 shows the forms that we analyzed and their owners.
Table 1: Forms Analyzed:
Department; Component; Form.
Agriculture; Farm Service Agency; "Request for Direct Loan Assistance," form FSA-410-1; OMB No.: 0560-0167.
Education; Office of Federal Student Aid; "Free Application for Federal Student Aid," form FAFSA; OMB No.: 1845-0001.
Labor; Office of Workers' Compensation Programs, Division of Federal Employees' Compensation; "Claim for Compensation," form CA-7; OMB No.: 1215-0103.
State; Bureau of Consular Affairs; "Application for U.S. Passport or Registration," form DS-11; OMB No.: 1405-0004.
Source: Agency data.
[End of table]
To document the flow and practices associated with the handling of
personal information, we developed detailed data flows of each of these
forms[Footnote 4] in cooperation with agency personnel involved in the
direct use of the data. First, we conducted structured interviews with
top agency officials, including Chief Information Officers and staff,
to understand the policy framework in place at the agency level.
Second, we analyzed agency documentation on policies and procedures for
using, protecting, and making available this information and mapped the
procedures to the data flows. Third, we interviewed program managers
responsible for the collection and use of the data collected on the
forms to better understand the chosen information collection. Fourth,
using data modeling software, we held in-depth data flow modeling
meetings with agency staff who received, processed, maintained, and
disposed of the data, as well as with the program managers responsible
for the systems. Fifth, we submitted the model of the flow of personal
information to the system users for their feedback to ensure the
model's validity. Finally, we reviewed past GAO reports for relevant
information on information collection, privacy, security, and records
management.
In order to evaluate the information flows and practices against agency
and federal guidance, we reviewed applicable laws and regulations and
met with and obtained documentation from appropriate agency officials.
We identified the key requirements of the laws and then compared these
with agency practices. Our review of laws covered the Privacy Act of
1974, the Computer Matching and Privacy Protection Act of 1988, the
Paperwork Reduction Act of 1995, the Government Paperwork Elimination
Act of 1998, the Computer Security Act of 1987, the Government
Information Security Reform Act of 2000, the Federal Records Act, and
the Code of Federal Regulations. We also reviewed pertinent OMB
guidance.
We conducted our review from March 2001 to July 2002, in accordance
with generally accepted government auditing standards.
[End of section]
Selected Bibliography:
General:
Internal Revenue Service Technical Manual, Office of Privacy Advocate.
Privacy Impact Assessment. Version 1.3. Washington, D.C.: December 17,
1996.
Office of Management and Budget. FY 2001 Report to Congress on Federal
Government Information Security Reform. Washington, D.C.: February 13,
2002.
Office of Management and Budget, OIRA. Managing Information Collection
and Dissemination: Fiscal Year 2002. Washington, D.C.: n.d.
Privacy Working Group, Information Policy Committee, Information
Infrastructure Task Force. Privacy and the National Information
Infrastructure: Principles for Providing and Using Personal
Information. Washington, D.C.: June 6, 1995.
SRA International, Inc. Report on Current Recordkeeping Practices
within the Federal Government. Prepared for the National Archives and
Records Administration. Arlington, VA: December 10, 2001.
Agriculture:
Department of Agriculture, Office of Inspector General, Great Plains
Region. Farm Service Agency/Commodity Credit Corporation: Security Over
Information Technology Resources. 03099-47-KC. Washington, D.C.:
October 31, 2001.
Education:
Department of Education, Office of Inspector General, Final Audit
Report on Audit of the Department's Records Management Program. ED-OIG/
A11-A0011. Washington, D.C.: September 2001.
[End of section]
Related GAO Products:
General:
Paperwork Reduction Act: Changes Needed to Annual Report. GAO-02-651R.
Washington, D.C.: April 29, 2002.
Social Security Numbers: SSNs Are Widely Used by Government and Could
Be Better Protected. GAO-02-691T. Washington, D.C.: April 29, 2002.
Paperwork Reduction Act: Burden Increases and Violations Persist.
GAO-02-598T. Washington, D.C.: April 11, 2002.
Information Resources Management: Comprehensive Strategic Plan Needed
to Address Mounting Challenges. GAO-02-292. Washington, D.C.: February
22, 2002.
U.S. Postal Service: Update on E-Commerce Activities and Privacy
Protections. GAO-02-79. Washington, D.C.: December 21, 2001.
Computer Security: Improvements Needed to Reduce Risk to Critical
Federal Operations and Assets. GAO-02-231T. Washington, D.C.: November
9, 2001.
Electronic Government: Challenges Must Be Addressed With Effective
Leadership and Management. GAO-01-959T. Washington, D.C.: July 11,
2001.
Record Linkage and Privacy: Issues in Creating New Federal Research and
Statistical Information. GAO-01-126SP. Washington, D.C.: April 1, 2001.
Information Management: Progress in Implementing the 1996 Electronic
Freedom of Information Act Amendments. GAO-01-378. Washington, D.C.:
March 16, 2001.
Information Security: Advances and Remaining Challenges to Adoption of
Public Key Infrastructure Technology. GAO-01-277. Washington, D.C.:
February 26, 2001.
High-Risk Series: An Update. GAO-01-263. Washington, D.C.: January 1,
2001.
Electronic Government: Government Paperwork Elimination Act Presents
Challenges for Agencies. GAO/AIMD-00-282. Washington, D.C.: September
15, 2000.
Internet Privacy: Comparison of Federal Agency Practices with FTC's
Fair Information Principles. GAO/AIMD-00-296R. Washington, D.C.:
September 11, 2000.
Internet Privacy: Agencies' Efforts to Implement OMB's Privacy Policy.
GAO/GGD-00-191. Washington, D.C.: September 5, 2000.
Electronic Government: Federal Initiatives Are Evolving Rapidly But
They Face Significant Challenges. GAO/T-AIMD/GGD-00-179. Washington,
D.C.: May 22, 2000.
Information Technology: Comments on Proposed OMB Guidance for
Implementing the Government Paperwork Elimination Act.
GAO/AIMD-99-228R. Washington, D.C.: July 2, 1999.
Corps of Engineers Electronic Signature System. GAO/AIMD-97-18R.
Washington, D.C.: November 19, 1996.
Agriculture:
Farm Loan Programs: Improvements in the Loan Portfolio but Continued
Monitoring Needed. GAO-01-732T. Washington, D.C.: May 16, 2001.
USDA Electronic Filing: Progress Made, But Central Leadership and
Comprehensive Implementation Plan Needed. GAO-01-324. Washington,
D.C.: February 28, 2001.
Information Security: USDA Needs to Implement Its Departmentwide
Information Security Plan. GAO/AIMD-00-217. Washington, D.C.: August
10, 2000.
Information Security: Software Change Controls at the Department of
Agriculture. GAO/AIMD-00-186R. Washington, D.C.: June 30, 2000.
USDA Information Security: Weaknesses at National Finance Center
Increase Risk of Fraud, Misuse, and Improper Disclosure.
GAO/AIMD-99-227. Washington, D.C.: July 30, 1999.
Education:
Student Financial Aid: Use of Middleware for Systems Integration Holds
Promise. GAO-02-7. Washington, D.C.: November 30, 2001.
Education Information Security: Improvements Made But Control
Weaknesses Remain. GAO-01-1067. Washington, D.C.: September 12, 2001.
Financial Management: Internal Control Weaknesses Leave Department of
Education Vulnerable to Improper Payments. GAO-01-585T. Washington,
D.C.: April 3, 2001.
Major Management Challenges and Program Risks: Department of Education.
GAO-01-245. Washington, D.C.: January 1, 2001.
Student Loans: Improvements in the Direct Loan Consolidation Process.
GAO/HEHS-99-19R. Washington, D.C.: November 10, 1998.
Labor:
Office of Workers' Compensation Programs: Further Actions Are Needed to
Improve Claims Review. GAO-02-637. Washington, D.C.: May 9, 2002.
Office of Workers' Compensation Programs: Further Actions Are Needed to
Improve Claims Review. GAO-02-725T. Washington, D.C.: May 9, 2002.
Department of Labor: Status of Achieving Key Outcomes and Addressing
Major Management Challenges. GAO-01-779. Washington, D.C.: June 15,
2001.
Workers' Compensation: Action Needed to Reduce Payment Errors in SSA
Disability and Other Programs. GAO-01-367. Washington, D.C.: May 4,
2001.
Office of Workers‘ Compensation Programs: Goals and Monitoring Are
Needed to Further Improve Customer Communications. GAO-01-72T.
Washington, D.C.: October 3, 2000.
Information Security: Software Change Controls at the Department of
Labor. GAO/AIMD-00-192R. Washington, D.C.: June 30, 2000.
Major Management Challenges and Program Risks: Department of Labor.
GAO/OCG-99-11. Washington, D.C.: January 1, 1999.
Federal Employees' Compensation Act: Percentages of Take-Home Pay
Replaced by Compensation Benefits. GAO/GGD-98-174. Washington, D.C.:
August 17, 1998.
State:
Electronic Signature: Sanction of the Department of State's System.
GAO/AIMD-00-227R. Washington, D.C.: July 10, 2000.
Information Security: Software Change Controls at the Department of
State. GAO/AIMD-00-199R. Washington, D.C.: June 30, 2000.
FOOTNOTES
[1] Personal information is defined as all information associated with
an individual and includes both identifying information (e.g., name,
Social Security number, E-mail address, and agency-assigned case
number) and nonidentifying information (e.g., age, finances, and
gender).
[2] Collections of information include (1) requests for information for
transmission to the government, such as application forms and written
report forms; (2) record keeping requirements; and (3) third party or
public disclosure requirements.
[3] We have amended the briefing as of September 12, 2002, to include
technical corrections and suggestions provided by the agencies.
[4] We used a data flow modeling tool called Workflow Analyzer from
Meta Software to map the flow of personal information on each form.