Government Web Sites May Be Willingly or Unintentionally Sharing Data
"Together these reports paint a picture that shows that the Privacy Act of 1974 needs to be updated for the Internet age," said Ari Schwartz, policy analyst at the Center for Democracy and Technology, Washington.
Although federal agencies are required by the Office of Management and Budget to post privacy policies, the GAO found that 15 percent of federal Web sites lacked them.
Among the federal privacy policies posted and surveyed by the GAO, only 3 percent had in place the four fair information practice principles of notification, choice, access and security.
Also, 23 of 70 federal agencies included in a GAO report on Internet privacy were found to share information with third parties.
While most stated that the third parties were other government agencies, four said they share data with nongovernment entities, violating the Privacy Act of 1974, which prohibits government agencies from sharing taxpayer information.
Meanwhile, a separate GAO report on information security analyzed the Web sites of the 24 largest federal agencies and found that they "had significant information security weaknesses."
Of the 24 agencies, seven, including the departments of Labor and Health and Human Services, were given failing grades.
Congressional investigators were able to gain unauthorized access to government sites' data in almost every instance, the report said.
"I think there is more that needs to be done to protect privacy in the federal government, but I certainly don't think that lets the private sector off the hook," said Marc Rotenberg, executive director at the Electronic Privacy Information Center, Washington. "We welcome efforts to strengthen privacy protection across the federal government, but we also believe that more needs to be done in the private sector."
In May, the Federal Trade Commission issued a report based on its review of popular consumer Web sites. It found that only 20 percent of the sites had implemented fair information practices.
In the report, the FTC recommended legislation that would require commercial Web sites to implement principles such as notifying consumers about what information is collected and how it will be used; providing the option of choosing whether information can be shared with third parties; giving access to review collected data; and ensuring security of that information.