The U.S. government needs to rewrite the rules it has been using for 35 years to govern its use of personal data by focusing on new technologies for storing and retrieving data, a government advisory board recommended.
It's time for the U.S. Congress to overhaul the Privacy Act of 1974 by revamping arcane privacy notices called systems of records notices (SORNs), by requiring chief privacy officers at 24 major U.S. agencies and by creating a privacy.gov site where privacy notices from all agencies are available, members of the Information Security and Privacy Advisory Board (ISPAB) said Thursday.
Only 10 major agencies currently have chief privacy officers, and SORNs can be difficult to understand even for privacy experts, said Ari Schwartz, a member of ISPAB and vice president at the Center for Democracy and Technology (CDT), an advocacy group focused on privacy and online civil liberties.
The law is "stupid and way too narrow," said Peter Swire, former chief privacy counselor in President Bill Clinton's administration. "It's really out of touch with the way modern computers work."
The safeguards covered in the Privacy Act largely focus on government's use of paper records, but the government's ability to access personal data now far exceeds the limits of paper, said Dan Chenok, ISPAB chairman and senior vice president and general manager at IT solutions provider Pragmatics.
"We're no longer in the area of flat files," Chenok said.
In the past 35 years, the government has gained access to commercial databases, conducted data mining, used location and tracking technologies and begun to experiment with social networking, Chenok said.
The continued use of SORNs represents a major problem, Schwartz said. A SORN is a group of any records from which information is retrieved by the name of a person or by some other identifier assigned to a person. But many government searches, including data mining, don't start with searches for one person, he said.
The Privacy Act needs to cover database searches and data mining, he said. "The idea of a terabyte of data didn't exist in 1974."
The ISPAB also recommended that the White House Office of Management and Budget appoint a chief privacy officer to oversee all federal privacy issues, and that it rewrite the government's near ban on Web cookies, instead allowing cookies when Internet users opt in.
The Privacy Act established a set of fair information practices governing the collection, use and sharing of personal data held by federal agencies. The legislation requires that agencies give public notice of their data collection and sharing activities, and it prohibits the disclosure of information from a system of records without written consent from the people affected, with 12 exceptions.
Mary Ellen Callahan, chief privacy officer at the U.S. Department of Homeland Security, praised the ISPAB report, saying a dialog on government privacy policies is needed. Lawmakers are looking to rewrite the Privacy Act soon, added Evan Cash, a staff member of the U.S. Senate Committee on Homeland Security and Governmental Affairs.
CDT took the first step toward a new privacy law by writing a proposed law, which was scheduled to be posted on a wiki at the new eprivacyact.org site Wednesday. The wiki will allow site visitors to make their own recommendations for a privacy law.
Swire also praised ISPAB's work, but suggested that lawmakers would ask a lot of questions about the need for a new law.
By including new technologies in SORNs, the federal government may have to issue "one million systems of records notices over the next five years," Swire said, anticipating critics' questions. "Is that a good use of government resources?"
Still, public notices on the use of personal data need to be rewritten, said Swire, now a law professor at Ohio State University.