Internet Privacy

Agencies' Efforts to Implement OMB's Privacy Policy

GAO ID: GGD-00-191, September 5, 2000

By issuing its 1999 guidance, the Office of Management and Budget (OMB) took an important step in bringing the federal government's protection of an individual's privacy in line with current technological advancements by providing guidance to agencies for addressing the collection of on-line personal information through the on-line posting of privacy policies. Sixty-seven of the 70 executive agencies GAO reviewed in 2000 had privacy policies on their web sites that were clearly labeled and easily accessed. Sixty-three of 70 agencies explained that they automatically collected information when individuals visited their web sites through the use of logs (date/time of access, pages visited, etc.).

GAO noted that: (1) of the 70 agencies' principal Web sites that GAO reviewed on April 14, 2000, 69 had privacy policies posted on their principal Web sites, and 1 did not; (2) in addition, of the 69 agency Web sites, 2 had privacy policies that GAO determined were not clearly labelled and easily accessed; (3) thus, 67 of the 70 agency principal Web sites GAO reviewed had privacy policies that were clearly labelled and easily accessed; (4) this appears to be considerable progress from a 1999 survey of selected federal home pages by a public interest group; (5) of the 70 agencies' principal Web sites GAO reviewed, 63 had privacy policies that addressed the automatic collection of information, and 46 of those agencies generally followed all 3 elements of the OMB memorandum's requirement for the agencies to disclose in their privacy policies what information they were automatically collecting, why they were collecting it, and how they planned to use it; (6) although OMB requires agencies to post privacy policies at major entry points to their Web sites, the privacy policy guidance does not define major entry point; (7) however, using a sample of six agencies that had a large number of Web sites or frequent contact with the public, GAO found that these agencies generally used similar criteria to determine the major entry points to their Web sites; (8) the OMB memorandum requires agencies to post privacy policies on pages where they collect substantial personal information, but the guidance does not define substantial personal information; (9) therefore, to assess OMB's requirement, GAO developed its own criteria defining personal information and reviewed the Web sites of 31 high-impact agencies for Web pages that collected any personal information; (10) GAO defined personal information to include an individual's name, e-mail address, postal address, telephone number, Social Security number, or credit card number; (11) most high-impact agencies did not post privacy policies on all pages that GAO identified as collecting personal information; and (12) in comparing the OMB memorandum and guidance to the Privacy Act and fair information principles, the OMB memorandum is narrower in scope than the Privacy Act and the fair information principles, and the act and principles also differ in some respects.


The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.