PRESS RELEASE

For Immediate Release

Wednesday, July 30, 2003

5:45 p.m. CDT

======================================

Citizens’ Council on Health Care

1954 University Ave. W., Suite 8

St. Paul, MN  55104

http://www.cchconline.org

======================================

CONTACT:Twila Brase, R.N., President

PHONE:  651-646-8935

======================================

GAO ISSUES STINGING REPORT ON PRIVACY ACT COMPLIANCE: Says federal

government cannot assure citizens that privacy rights are protected.

(St. Paul, Minnesota) - Personal data may not be adequately protected

from collection, use and disclosure, according to a stinging report

released today by the General Accounting Office. In a survey of 25

federal agencies, and through a GAO forum for federal privacy

officers, the GAO found a significant lack of compliance with the

federal Privacy Act of 1974.

OMB GETS ANGRY

The report includes a blistering retort from the Office of Management

and Budget, the agency responsible for enforcing the Privacy Act. In

its 10-page letter, it writes that the report’s statements “border on

the reckless and irresponsible.” A blunt and detailed rebuttal by the

GAO is included in the report, along with a conclusion that “the

government cannot adequately assure the public that all legislated

individual privacy rights are being protected.”

Citizens’ Council on Health Care (CCHC) agrees: “Federal agencies are

not following the law and, as a result, the personal data of citizens

may be improperly collected and poorly protected,” asserts Twila

Brase, president of CCHC.

“This report should give Congress a good reason to reconsider

building yet another database of citizen information,” says Brase,

referring to the proposed National Patient Safety Database now under

consideration in Congress.

“One system of records holds data on 290 million people. If that

system happens to be one of the system that’s out of compliance, the

privacy rights of every citizen have already been violated, perhaps

many times,” Brase adds.

MULTIPLE FAILURES TO FOLLOW LAW:

The survey responses of the agencies reflect 2,400 systems of records

in the federal government, of which 70 percent contain electronic

records. Although the 82-page report did not include details about

specific agency failures, the GAO announced the following aggregate

results on federal agency failure to comply with the Privacy Act:

* 11 percent (264) of the systems of records have not been disclosed

to the public, essentially keeping them secret.

* In 18 percent (432) of the systems of records, individuals have not

been provided with full disclosure of the potential uses of their

personal information before they provided it.

* In 18 percent (432) of the 2,400 systems of records, there was no

review of disclosures to ascertain whether data is being used outside

the original purposes of the data collection.

* For 29 percent (696) of the systems of records released to

non-federal organizations, agencies do not assure that personal data

on individuals is accurate, relevant, timely and complete.

* For 18 percent (432) of the systems of records, agencies did not

assess security safeguards for the data.

* 21 percent (504) of the systems of records do not have the means to

detect when persons, without authorization were reading, altering,

disclosing, or destroying information.

* 14 percent (336) of the systems of records could not account for

disclosures of personal information.

* one-third (8) of the agencies have not issued the Act’s required

rules of conduct for employees as related to duties under the Privacy

Act.

REASONS FOR FAILURE:

Federal Privacy Act officers who attended the GAO forum reported

several problems with compliance, in the following rank of importance:

* Lack of OMB leadership, oversight and guidance.

* Compliance has a low priority within agencies, and therefore poor funding.

* insufficient training, including how the Privacy Act relates to

electronic databases.

The GAO also notes that despite two previous reports on privacy

weaknesses in other areas of federal agencies, and agency requests

for updated guidance on the Privacy Act pertaining particularly to

new technologies, the OMB has yet to act.

Furthermore, 83 systems of records contain personal information not

protected by the Privacy Act because it can be retrieved without

using a name or personal identifier (ie. electronic records can be

found using search codes). The GAO suggested that a more complete

examination of this topic would require additional study.

“There appears to be a rather flippant attitude in government toward

following the law,” says Brase.

“The sheer existence of 2,400 federal databases on citizens is mind

boggling. Information is power. Electronic government databases

combined with failure to follow federal law places the liberty of all

citizens in jeopardy,” says Brase.

FMI ON PROPOSED NATIONAL PATIENT SAFETY DATABASE/NATIONAL ELECTRONIC

HEALTH DATA SYSTEM, GO TO: http://www.cchconline.org/pr/pr072403.php

- 30 -

CCHC is an independent, non-profit, free-market health care policy

organization located in St. Paul, Minnesota.

**************************************************************

A free-market resource for designing the future of health care

**************************************************************

Citizens’ Council on Health Care

1954 University Ave.W., Suite 8

St. Paul, MN  55104

651-646-8935 phone

651-646-0100 fax

http://www.cchconline.org

**************************