The report Data Brokers and the Federal Government: A New Front in the Battle for Privacy Opens, Part III in a series was published October 30, 2013 by the World Privacy Forum.
Report authors: Bob Gellman and Pam Dixon
You are at my personal copy of the report. The Background and Executive Summary is in the text below. A link to the full report at the World Privacy Forum is available below and here.
Background of Report
This report focuses on government use of commercial data brokers, the implications for that usage, and what needs to be done to address privacy problems. The government must bring itself fully to heel in the area of privacy. If it is going to outsource its data needs to commercial data brokers, it needs to attach the privacy standards it would have been held to if it had collected the data itself. Outsourcing is not an excuse for evading privacy obligations.
This report discusses new Office of Management and Budget (OMB) guidance for an initiative (Do Not Pay Initiative) that on one hand provides for expanded use of commercial data brokers by federal agencies and on the other it establishes new privacy standards for the databases used in the Initiative. Although incomplete, its extension of privacy standards to commercial databases purchased by the federal government is groundbreaking. As such, this report recommends that OMB should expand its new guidance to cover allgovernment data purchases, bartering, and exchanges from commercial data brokers and databases containing personal information. The problems created by unregulated government use of commercial data sources need to be seen clearly and addressed directly.
If all federal government uses of commercial data brokers are not required to satisfy the new OMB guidelines at a minimum, then the very databases that are supposed to be used for society’s benefit will be less accurate, timely, relevant, and complete, and can therefore cause unnecessary and avoidable harms such as garbled identities, blocking individuals from government benefits, and potential misclassification or even law enforcement actions against people due to errors in data. On a broader level, a lack of trust in the government’s ability to properly protect fair information rights in a new digital era can be the expensive societal result.
This report is Part III in a three-part series of reports concerning data brokers. Parts I and II are forthcoming. This report is available at www.worldprivacyforum.org, which is also where updates and further parts of the series will be published.
About the Authors
Robert Gellman is a privacy and information policy consultant in Washington DC. (www.bobgellman.com.) Pam Dixon is the Founder and Executive Director of the World Privacy Forum. Gellman and Dixon are the authors of Online Privacy A Reference Handbook (ABC CLIO, 2011) as well as co-authors and authors of numerous and well-regarded privacy-focused research, articles, and policy analysis.
About the World Privacy Forum
The World Privacy Forum is a non-profit public interest research and consumer education group focused on the research and analysis of privacy-related issues. The Forum was founded in 2003 and has published significant privacy research and policy studies in the area of health, online and technical, privacy, self-regulation, financial, and identity among other areas. www.worldprivacyforum.org
The US federal government is one of the largest and most frequent customers of commercial data brokers. Instead of creating its own databases subject to privacy laws applicable to federal agencies, the federal government often outsources the collection of significant amounts of information to external companies where privacy laws do not apply. It is well-established that commercial data brokers have been and are widely used in this manner for government law enforcement activities. However, that is not their only use by government.
In April 2012, the US Treasury launched a Do Not Pay portal designed to verify and check on the eligibility of individuals to receive government benefits and payments, such as those receiving food stamps, housing assistance, and survivor benefits. The scope of the people and vendors affected by the information in the portal is quite broad. The portal includes government-operated databases with information about individuals, databases that are usually subject to the Privacy Act of 1974. However, the Do Not Pay portal also includes information from a commercial database called The Work Number. The Work Number, owned by Equifax, is not a government-held database and is not subject to the Privacy Act.
This is important because The Work Number collects salary and other information on more than 190 million Americans. However, unlike most of the government-maintained databases in the portal, The Work Number is not subject to the privacy rules that apply standards of accuracy, relevance, timeliness, and completeness to federally-operated databases. This matters because eligible people whose Work Number files contain errors may fail to pass verification to receive government benefits or payments for services provided to the government.
Few people know that their salary information is available commercially in this way, and few know that their salary information may be used to verify government benefits. If an individual is the victim of an identity thief who created fictitious or erroneous pay records, or if the Work Number data contains inadvertent or even intentional errors from participating employers, individuals will be harmed when the federal government relies on that information. In the case of the Do Not Pay portal, people may not receive government benefits for which they qualify. If the digital era has taught one lesson it has taught that errors in files and databases do not discriminate – errors, including identity errors — can happen to any file in any data base, and they can impact the most vulnerable people who need government assistance the most. Those with data errors may need to work through a long correction process before they can receive their benefits. However, finding and correcting errors is difficult, especially when no law grants access and correction rights for most private sector databases.
By using The Work Number, the Do Not Pay portal employs the increasingly popular model of government outsourcing its data needs to commercial data brokers that do not have to abide by the same privacy standards applicable to the government, a model which has been criticized for its privacy shortcomings. This is because commercial databases do not have to satisfy the same privacy standards as databases held by the government. If the federal government obtains personal information from commercial data brokers but keeps the information outsourced and does not maintain that information in a government system of records, then a key law – the Privacy Act of 1974 – imposes few or no privacy constraints on federal agencies, and no constraints at all on the commercial data brokers supplying the information.
Being denied important government benefits is no small matter, and meaningful privacy protections must be in place to prevent harms from data errors and other problems. Recognizing the potential for harm and the shortcomings of using private databases, the Office of Management and Budget took the novel and long-requested step of issuing new guidance that establishes privacy standards for commercial data brokers used in the Do Not Pay Portal, such as The Work Number. The new standards extend some of the privacy requirements applicable to the federal government to commercial databases that the government uses.
Albeit only within the Do Not Pay Initiative, this is the first time the government’s commercial data outsourcing model has been meaningfully altered to apply important privacy safeguards.
The positive news is that because of the new OMB requirements, information in commercial databases used in the Do Not Pay Initiative– including The Work Number — must be sufficiently accurate, up-to-date, relevant, and complete to ensure fairness to the individuals who are the subject of those records. The other good news is that the OMB standard rejects using a commercial database that includes records about the exercise of rights protected by the First Amendment. Commercial data brokers that cannot meet these standards will not be able to sell their information for the Do Not Pay Initiative.
The guidance is new, and it is welcome, but it is just one step. There are still significant loopholes remaining in the OMB guidance. As discussed, the “data outsourcing” model that allows the government to evade Privacy Act protections can still exist almost everywhere else in government other than the Do Not Pay Initiative. OMB should act to provide guidance to establish privacy standards that are at least a good as those in the Do Not Pay Initiative covering all government purchases of commercial databases containing personal information, not just those in the Do Not Pay Initiative. This action would serve the rest of the government well – and citizens for that matter — by rejecting personal data from commercial sources that does not meet the same standards that the law imposes on that collected by federal agencies. Everyone benefits when better quality databases are used for decision-making about individuals. Programs will be more efficiently and more individuals will receive fair and appropriate treatment.
If this does not happen, and these standards are not created and applied to cover all government purchases of information from commercial databases, the model of government outsourcing its data needs while circumventing privacy protections will become a deeply entrenched norm across all levels of government. If the practice continues unabated, sloppy databases without the protection of federal standards can and will cause further harm to the millions of people who have been victims of identity theft and other forms of fraud, and the millions of people who unknowingly have erroneous, incomplete, or out of date information in their records.
When OMB wrote its new guidance, it only chose to use four of the much more complete set of Privacy Act standards to apply to the commercial databases in the Do Not Pay Initiative. (The four standards OMB used were that records must be accurate, up-to-date, relevant, and complete). OMB should not have cherry-picked some privacy standards while leaving others behind. At the earliest opportunity, OMB needs to expand the privacy standards for the Do Not Pay Initiative to require that participating commercial databases comply fully with all Fair Information Practices, including collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, access and correction rights, and accountability. It is especially important that data subjects have meaningful, timely, and effective access and correction rights to any commercial databases used by federal agencies. OMB should take steps to expand the privacy standards at the earliest possible opportunity following a reasonable test of the new Do Not Pay procedures.
If the additional standards are not applied, then it could lead to a significant long-term weakening of privacy standards in government databases. A substantial reduction in privacy protections could be substituted as a new norm, which would be a negative consequence of truncating these protections in the long term.
Another issue in the OMB guidance is the allowance of a 6-month pilot period where the new rules do not apply. Currently, The Work Number is being used within this pilot program. Therefore, the information of the millions of people in this database is being tested and is available for viewing, although it is not supposed to be used for adverse actions during this period. The first substantive test of the new OMB guidance will be how the US Treasury and other participants in the Do Not Pay Initiative apply the guidance to The Work Number as it moves out of the pilot phase.
Before permanent use of The Work Number database can happen, the OMB requirements call for public notice and comment. This is another novel feature of the OMB privacy standards for the Do Not Pay Initiative. OMB should provide ample and prominent public notice and comment opportunity. The public notice should include full documentation about the accuracy, timeliness, relevance, and completeness of The Work Number. An independent audit of The Work Number’s compliance with these data standards would be especially useful. In addition, all of the data fields maintained by The Work Number must be published to allow the public to evaluate whether any of the data reflects on the exercise of First Amendment rights.
If the privacy protections OMB established are effective, it will be an important step forward. At least in the Do Not Pay Initiative, people would have more ability to challenge the information coming from databases such as The Work Number and get redress from problems when they occur. If the OMB guidance was then taken up widely across the federal government and by state governments, the result could be better quality commercial databases for use by governments and by others. There would be fewer errors, less fraud, less government waste, more redress for individuals, and a higher overall standard of modern fair information practices would be set. Data could be used in a fair way that helps, not hurts, people.