time, there hasn't been any monitoring of the type which would surface them if they existed.

Mr. WEISS. Have you found in the course of your study instances where sensitive data was maintained by contractors and where misuse seemed possible or likely even if no specific evidence of its misuse was uncovered?

Mr. EIRICH. There were conditions which could lead to this logical conclusion. The fact, as I mentioned before, is that there are large systems of automated records out there. The data processing industry has not completely addressed the problem of control over automated data due to its volume and the cost for example, of encrypting access and transmission lines and changing computer software. The computer equipment and software that exists now was not generally designed to insure protection of personal data. It is something which is still being developed and may be applied to future generations of computer systems. There is a possibility of improper disclosure of this information.

Mr. WEISS. Were you able to gather any opinion as to how the Government contractors, themselves, feel about the requirements of the act? Do they think it imposes unnecessary restrictions or useless requirements, and do you feel if their obligations under the law were clearer, there would be the same degree of dissatisfaction, if there is dissatisfaction?

Mr. EIRICH. Contractors were not negative about the Privacy Act, but, again, they weren't doing anything different as a result of the act than before, so the basis for complaint didn't exist. If suddenly there were strict enforcement by agencies with audits, with inspections of the I.G. type, and so forth, to uncover weaknesses or violations, it may be that contractors would find it objectionable.

Mr. WEISS. Were you able to come to any conclusion as to whether the requirements of the act raised the cost of performing Government contracts, and do they think so? If you think that it does, do you think it is possible to change the legislation so, in fact, the same thing could be achieved with no more cost to the contractor?

Mr. EIRICH. Concerning the first part of the question, again because contractors are generally not doing anything different since the act than before, no additional cost that we know has been incurred.

However, we do know of one instance where HEW has published new privacy protection guidelines which would apply to their contractors as well as their own operations. Some of their contractors under the medicare program have indicated this would be considerably costly for them to implement, to put in the new controls required, and to monitor the controls.

They were unable to give any estimates of what the additional costs might be. They just indicated it would be more costly.

Mr. WEISS. Do contractors ever define routine use as to the type of disclosures made for systems of records they maintain, and have you found any overly broad or inappropriate uses in these routine use notices?

Mr. EIRICH. The routine use notices, to our knowledge, are inserted into the Federal record by the agencies. There may be some consultation with contractors, but we are not aware of any cases, are we, Bob, of contractors inserting any notices. This was all by agencies.

Mr. WEISS. Do agencies permit contractors to release information from the systems of records on a discretionary basis? In one instance, cited in the draft report of the subcommittee, an agency allowed the contractor to decide whether or not to make a disclosure that had been requested. In your opinion, is that legally proper? Who should define routine uses for contractors' systems?

Mr. EIRICH. We believe that the agency should define routine uses. It should be limited to an agency disclosure for themselves and their contractors, and I think this provides some measure of control by having the agency prepare the language and define the type of use that is permitted for those records.

Mr. WEISS. Is it your opinion, in fact, if the agency allows the contractor to make those decisions, that that is not meeting the requirements of the legislation?

Mr. EIRICH. I don't believe we have a legal position on that interpretation.

Maybe Mr. Gilroy can elaborate on that.

Mr. GILROY. Presumably it would be legal to make the disclosure, if proper disclosure accounting was put into effect. I would have to go back to what Mr. Eirich said, in most, if not all, of the systems of records we reviewed, the agency is identified as the systems manager; and if there were requests for access to the records, it would presumably come through the agency. We do think it is ultimately the agency responsibility to make decisions on disclosure.

Mr. WEISS. Did you find the agency use of the Privacy Act clause to regulate contractor disposition of the records after completion of the contracts, and, if so, how? If you haven't found it, should they, and does the Privacy Act regulate disposition of records by contractors?

Mr. EIRICH. We found no indication that the Privacy Act was being utilized to regulate disposition of the records. The question really is unclear as to disposition of such records. The Privacy Act, the Privacy Protection Study Commission, and the Commission on Federal Paperwork had recommendations regarding such records. But there has been no implementation, that we could find. We might say we think it would be well to clarify this particular question contractually. This could be done possibly on a contract-by-contract basis, as Mr. Fettig indicated, or possibly some general standard contract clause. That is, regular boilerplate language could be prepared for the Federal property management regulations by the GSA, or ASPR in the case of DOD, to provide a standard records disposition clause.

Possibly they could be subject also to the same records disposal limitations which the National Archives and Records Service prescribes for Federal records, the same schedule of disposition.

Mr. WEISS. Do you have any judgment as to who owns the material developed under a Federal contract which is subject to the Privacy Act? Are the agencies or the contractors aware or concerned about the issue?

Mr. GILROY. We didn't find any agencies or contractors expressing any concern about this problem. I would say there is probably a need for more specific policies in the area.

To go back to what Mr. Eirich said, the Privacy Act records that are handled by the Government contractors should probably come under the same records management program as Federal records; the program would be monitored by the National Archives and Records Service of GSA. I believe there is a recommendation in the Paperwork Commission report to that effect, that they would extend this type monitoring and advice to both State and local governments and to contractor records. This would seem to be a reasonable approach.

Mr. MCCLOSKEY. Let me see if I can restate the question, because I suppose what I am asking for, sir, is your recommendation as if you were sitting here as a Member of Congress, because you have been into this field more than we have. The question I am torn between is whether we carry out your recommendations to see that subsection 3(m) is both effective and enforced, which means, as I understand it, that OMB would issue guidelines to make sure that each Government agency procurement contract contains a privacy clause.

You are also suggesting training on the meaning of the privacy clause, both to the Government people who procure and the Government contractors who provide, and finally some sort of monitoring, to make sure those provisions are enforced.

Now all of that involves an expense. We have no way from your report here to quantify that expense as to what it would mean in additional cost to the Government for implementing these recommendations and to the taxpayer for the cost involved. More than that, we have no way to quantify the benefits to be attained to the Nation by enforcing these privacy rules with regard to Government contractors, because we have no idea what abuses have existed.

I guess the question in my mind is, do we repeal 3(m) or do we carry out these recommendations that you have properly submitted? I don't know how to make that decision. Do you have any judgment on it? Do you see any danger in repealing 3(m)? When we passed the Privacy Act we deliberately wanted it to apply to Government. We didn't want to apply it to the free enterprise system or the private sector. We didn't know anything about the private sector; we didn't know what the abuses were. We perceived abuses in Government.

Perhaps I could ask the staff if we have any testimony on abuses in the private sector that would justify continuing 3(m) in the law?

Mr. INGRAM. I think at this time the GAO interpretation is that the intent of 3(m) was to prevent an agency from taking a system of records which would otherwise be covered by the Privacy Act, and shifting that set of records into a contractor's domain. Section 3(m) would still carry over Privacy Act protection-

Mr. MCCLOSKEY. There is nothing in this testimony about that. Have we found any examples where an agency shifted its Privacy or Freedom of Information Act responsibility to a private contractor?

Mr. EIRICH. Where they shifted responsibility, yes. The medicare program of HEW is operated largely under contract, and the contractor has the records, executes the claims and so forth.

Mr. MCCLOSKEY. But, as a rule, the private sector, particularly in the medical field, has strongly resisted any invasion of privacy programs more than the Government?

Mr. EIRICH. They made this point to us; that is right.

Mr. MCCLOSKEY. Their whole frame of reference is that they don't want anything; it is the Government recordkeeping procedure they are worried about. Is that not correct?

Mr. EIRICH. I am not sure I understand your question. The medical profession that we contacted did emphasize the fact that they historically have recognized the propriety of personal records. It is traditional with them, and even without a privacy act they would accord them protection.

Mr. MCCLOSKEY. In trying to keep medicare costs down, how would you balance it? If this is the only example where an agency like HEW has said to whomever is handling Blue Cross/Blue Shield, medicare and medicaid, that, "We insist, in order to protect privacy, you follow this additional set of rules"? Is there a need to do that, or is the private sector already more slanted in favor of privacy, so there is no need to add this additional cost?

My understanding of counsel was that the intent of Congress was that we not permit an agency to get out from under the protection of privacy by shifting into a contract, but if the contractor is inherently of the nature to protect privacy even more than the Government, that risk doesn't exist. And the question I come back to is, do we repeal 3(m) or do we enforce it in the manner you recommend?

Mr. EIRICH. I don't think we could generalize whether privacy is more secure in the private sector or in the Government. It would be a very difficult question. If it could be done, there is the risk-assessment-type approach, which is the current approach for an automated system of records, to determine whether there is risk. It is a formalized approach that has been promulgated by the National Bureau of Standards; and it involves making a study to see what measures are necessary in physical protection-to the doors, the windows, that type of thing, and in other controls-technical and administrative.

Mr. MCCLOSKEY. Let me go back into the intent of Congress question. Counsel might correct me if I am wrong on this.

Mr. INGRAM. There is a split in interpretation about the intent of 3(m), whether it was simply limited to providing a stopgap measure which would insure that an agency could not get out from under the requirements of the Privacy Act by covering contractors who might take over those files, or whether it had a broader purpose that would indicate that, when an agency contracted for a specific task, all filing systems with industry identifiers would come within the act's requirements. I take it the question for Mr. Eirich is whether, as a policy matter, GAO would recommend continuation of those requirements. But I should point out, in fairness to GAO, that they were simply requested under the chairman's letter to examine whether or not there was compliance with that section.

Perhaps the question is whether or not GAO would be capable of doing a further audit, which would come up with an answer to your question regarding evidence of specific abuses.

Mr. MCCLOSKEY. I guess I can just try to outline my own recollection of the intent of Congress.

We seriously debated whether we should extend this to the private sector or just to the Government. It was not the same intent, as I recall we had in the civil rights law, where we knew there was discrimination based on race in the private sector. We brought contractors under it deliberately, because that was a large segment of the public we could protect against discrimination; I don't remember any testimony that would have demonstrated that the intent of Congress was to cover this broader area with the privacy statute.

Did you find any examples of that first situation, where a Government agency appeared to have shifted records to a private organization in order to get out from under the privacy requirements?

Mr. GILROY. No. Theoretically they couldn't get out. The 3(m) is there; so, shifting the records to the private sector would not relieve them of their obligations under the Privacy Act.

Mr. MCCLOSKEY. There have apparently been different interpretations of an "agency function." Surely it includes anything shifted to a private contractor which would clearly be an agency function.

Mr. GILROY. I think when we were doing this review, when we did some legislative research to try to determine the intent of the Congress in 3(m), we found it was quite sparse. We heard different stories from agencies. It was sometimes called the "foot in the door of the private sector." Others said the main reason for section 3(m) was to cancel out the opportunity for an agency to shift records from the Government to the private sector to avoid coverage of the records by the act.

I think what we found, basically, is that there just isn't much attention given by agencies or contractors.

It is our view that the extent of emphasis agencies should provide in enforcing provisions of the act will ultimately depend on positions taken by the Congress.

We have not uncovered instances of abuse, but I think we say on balance that our review was not directed toward determining if abuses exist. The potential is certainly there.

One of the computer magazines recently referred to a Minneapolis-Honeywell conference on data security. The conference participants brought out some outlandish cases of poor security practices. One consulting firm stated they had a hard time convincing a bank that they had any problems with security. They told the bank they would come in one day a week, or every day within a week, and steal $1 million every night and return it every morning, which they did, and each time they used a different approach to get the funds, and at the end of the week the bank realized they had rather a major problem when it came to security.

In our review we didn't go into determining through any investigation whether abuses existed-except to ask agencies if they were aware of any abuses. They weren't aware, but they weren't moni
