Federal investigators say the government isn't doing all it should to notify citizens that information about them is being collected by systems employing data-mining techniques.
The Government Accountability Office, the investigative arm of Congress, reviewed five data-mining efforts employed by the Small Business Administration, Agriculture's Risk Management Agency, the Internal Revenue Service, the State Department, and the FBI.
In an 82-page report requested by Sen. Daniel Akaka, D-Hawaii, the ranking minority member of the Homeland Security and Government Affairs Subcommittee on Oversight of Government Management, the GAO said the five agencies didn't comply with all related laws and guidance to protect personal information, though they did take some key stops to offer those safeguards.
Most agencies notified the public that they collected and used personal information and provided chances for individuals to review personal information when required by the Privacy Act. But government law and rules require agencies to furnish notice to individual respondents explaining why the information is being collected.
The GAO said only two agencies provided this notice, one did not provide it, and two claimed an allowable exemption from this requirement because the systems were used for law enforcement. The GAO also contends agency compliance with key security requirements was inconsistent. And, it says, three of the five agencies completed privacy impact assessments -- important for analyzing the privacy implications of a system or data collection -- but none of the assessments fully complied with Office of Management and Budget guidance.
"Until agencies fully comply with these requirements," writes Linda Koontz, GAO director of information-management issues, "they lack assurance that individual privacy rights are being appropriately protected."