Legislation to regulate data resellers raises concerns

Conducting privacy impact assessments on data brokers' proprietary databases could discourage companies from offering their services to assist federal agencies, an OMB official says.

Federal agencies increasingly rely on information from commercial data brokers to detect and investigate fraud, verify people's identities and determine eligibility for benefits. However, agencies often do not exercise the same privacy precautions with that data as they do with information they collect themselves, and some lawmakers and privacy advocates are concerned about the consequences of that trend.

Several witnesses at a congressional hearing March 11 on agencies' use of commercial data said the Office of Management and Budget has provided ambiguous privacy guidance on the matter. Others said additional legislation is necessary to address technological advances in data collection that were not anticipated when current privacy laws were enacted. Another witness endorsed the idea of forming a commission to make comprehensive recommendations for updating the Privacy Act of 1974.

Linda Koontz, director of information management issues at the Government Accountability Office, testified that OMB should clarify its guidance on federal agencies' use of commercial data as GAO recommended in 2006. OMB's guidance on implementing the privacy provisions of the E-Government Act of 2002 tells agencies when they must conduct privacy impact assessments. Agencies use those assessments to analyze how personal information collected for government purposes -- such as a person's name, date of birth and primary residence -- will be handled and safeguarded. However, ambiguity in the guidance has led to inconsistent practices and inadequate safeguards among agencies handling data from information resellers, Koontz said.

OMB's guidance limits the circumstances in which agencies must conduct privacy impact assessments on personal information obtained from commercial data brokers, Koontz said. OMB requires an assessment only when agencies systematically incorporate personal information into existing federal databases, according to the guidance. If agencies query a commercial database on an ad hoc basis, they are not required to conduct a privacy impact assessment on that database.

Some agencies do more than OMB's guidance requires. Hugo Teufel, the Homeland Security Department chief privacy officer, testified that DHS' Privacy Office errs on the side of caution by conducting privacy impact assessments "whenever there is a substantial risk of harm flowing from the use of commercial data."

DHS, the Justice and State departments, and the Social Security Administration are among the largest federal agency users of personal information acquired from data resellers such as LexisNexis, ChoicePoint and Equifax.

A subcommittee of the House Oversight and Government Reform Committee is working on legislation that would add further privacy protections for personal information that federal agencies acquire from commercial data brokers. That legislation, the Federal Agency Data Protection Act, would regulate agencies' use of commercial data brokers and would require agencies to conduct a privacy impact assessment whenever they purchase personal information from a data broker.

Some provisions of the legislation duplicate OMB's guidance on handling commercial data, said Karen Evans, administrator for e-government and information technology at OMB. However, OMB's greater concern is that conducting privacy impact assessments on data brokers' proprietary databases "is legally problematic and could seriously discourage data brokers from offering their services to assist federal agencies," Evans said.

Another panelist, Stuart Pratt, president of the Consumer Data Industry Association, testified that the information privacy practices of companies that resell personal data from public and commercial sources are sufficiently regulated under the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act.

Other witnesses at the hearing said they favored the data protection legislation. Its sponsor, Rep. William Lacy Clay (D-Mo.), is chairman of the committee's Information Policy, Census and National Archives Subcommittee.

Ari Schwartz, deputy director at the Center for Democracy and Technology, recommended that the Clay legislation include a provision requiring OMB to develop "best practices" guidelines for conducting privacy impact assessments. Schwartz also recommended that the committee appoint a commission to study whether the Privacy Act of 1974 is adequate today for addressing how federal agencies use personal information.

Florence Olsen writes for Federal Computer Week, an 1105 Government Information Group publication.