A new GAO report released today finds that the existing laws and regulations are not adequately reflecting privacy needs in the changing technology landscape. The report highlights specifically that agencies using Web 2.0 and data mining tools need to find ways to protect private information. The key findings are:
- Applying privacy protections consistently to all federal collection and use of personal information. The Privacy Act’s protections only apply to personal information when it is considered part of a “system of records” as defined by the act. However, agencies routinely access such information in ways that may not fall under this definition.
- Ensuring that use of personally identifiable information is limited to a stated purpose. Current law and guidance impose only modest requirements for describing the purposes for collecting personal information and how it will be used. This could allow for unnecessarily broad ranges of uses of the information.
- Establishing effective mechanisms for informing the public about privacy protections. Agencies are required to provide notices in the Federal Register of information collected, categories of individuals about whom information is collected, and the intended use of the information, among other things. However, concerns have been raised whether this is an effective mechanism for informing the public.
- assessing the privacy implications of a planned information system or data collection prior to implementation;
- ensuring the implementation of a robust information security program; and
- limiting the collection of personal information, the time it is retained, and who has access to it, as well as implementing encryption.
The report points out many important issues and I agree that it is immensely important that government agencies have information security and privacy protection systems in place that prevent data breaches and leakages of user information to third parties.
Nevertheless, the implications of the report’s requests for the use of Web 2.0 applications and especially innovative data mining tools are reaching beyond privacy protection issues and might have unintended consequences. Many of the social media directors I talked to in the past two years have reported an important challenge in their use of social media tools: Measuring and analyzing the impact of their social media interactions.
While I am very much in favor of protecting personal information, such as health data or personal browser histories outside of government websites, I see a lot of value in developing appropriate measures and routines to capture digital interactions. Government needs to be able to understand online social interactions beyond the pure quantitative numbers of followers on Twitter or likes on Facebook – which are most of the time publicly observable. Instead, I believe agencies should have routines in place to understand how issues related to their mission are publicly discussed, or how information is snowballing through online social networks. Agencies need to be able to draw conclusions from data they are collecting to understand their online impact.
Again, the report has important implications for agencies for reviewing their privacy policies and implementation of these policies. However, I hope that it won’t restrict innovation in social media analytics, won’t prevent agencies from understanding how well they are doing online and to what extent their digital interactions are fulfilling the agency’s mission.