There are a number of more specific regulations, often attached to more extensive laws, that play a role in privacy protection in the U.S. Government. The Federal Agency Data Mining Reporting Act of 2007, the Federal Advisory Committee Act and the Government in the Sunshine Act all protect privacy by promoting public access to records dealing with Government activities.
After the 9/11 terrorist attacks a commission report was created to evaluate security risks and other potential threats and create recommendations for increasing security. The Implementing Recommendations of the 9/11 Commission Act was passed in 2007 in order to turn many of the recommendations into law. Section 804 of the act deals with the use of Data Mining by the U.S. Government and is called the Federal Agency Data Mining Reporting Act.
Data Mining uses pattern-based queries to search through electronic databases in order to uncover possible terrorist or criminal activity. The searches do not specifically target individuals or groups to monitor their activities; rather, the program searches widely through disparate records of data to uncover any patterns of transactions, activities, communications, and other elements which are deemed suspicious. Since Data Mining is a form of government surveillance, the Federal Agency Data Mining Reporting Act set up certain reporting requirements to monitor its use and prevent potential abuse by government agencies.
The head of every department or agency that practices data mining is required to submit a report of their activities to Congress and make the information available to the public. Reports must be published at least annually to comply with the act.
Each report must contain:
- A description of the data mining activities, the goals of the program and the target dates of use
- A description of the technology used as well as the basis used to determine whether a pattern or anomaly indicates illegal activity
- A description of the data sources from which information is collected
- An assessment of the likely efficacy of the program
- An assessment of the impact of the program, especially with regard to privacy and civil liberties. It must also detail the steps taken to prevent potential violations
- A list and analysis of the applicable laws and regulations that affect data collection for the data mining activities
- A discussion of the policies and procedures in place to protect privacy and due process rights, as well as those used to ensure information is complete, accurate, timely and secure.
Any information that cannot be released to the public (i.e., classified information, sensitive law enforcement information, business information, trade secrets) must be published in an annex to the report which is then submitted to Congress.
The Federal Advisory Committee Act created regulations for the creation, use and monitoring of federal advisory committees. Federal Advisory Committees are used to gain recommendations and advice from the private sector, when it may have more knowledge of a particular issue. Over 1,000 committees are currently in existence. The FACA makes the following requirements regarding privacy:
- An advisory committee meeting must be open to the public unless the President determines it to be a matter of national security
- While an advisory committee exists, all reports, transcripts, working papers, studies, agendas and other relevant documents must be available for public inspection and copying in the advisory committee or agency office.
- All advisory committee meetings must be recorded in the official minutes including the attendees, a complete summary of the issues discussed, and copies of all reports received. The minutes must be authenticated by the chairman of the Advisory Committee
- If a meeting or portion of a meeting of an Advisory Committee is determined to be closed to the public by the President or the head of the agency to which the Advisory Committee reports, the determination must be made in writing and include the reasons behind it, in compliance with section 552(b) of Title 5 of the United States Code
- No meeting of an advisory committee may be conducted in secret. Each Committee must have a designated Government official to attend all meetings and who has the authority to adjourn a meeting in the interest of the general public.
- All meetings and agendas of an Advisory Committee must be approved by the designated Government official.
The Government in the Sunshine Act was passed in 1976 and requires that “every portion of every meeting of an agency shall be open to public observation.” The Act includes several exceptions to the rule. Disclosure of a meeting or part of a meeting is not required if the information:
- is related to matters that are authorized by executive order to be kept secret in the interest of national security and foreign policy and is properly classified pursuant to an executive order
- relates only to the inner workings of an agency
- discloses information exempted from disclosure by other regulations
- discloses trade secrets, commercial information, financial information considered to be confidential
- discloses information which accuses a person of a crime
- discloses personal information that would be considered a violation of privacy
- discloses records used by law enforcement officials if the information will: interfere with enforcement proceedings; deprive an individual of their right to a fair trial; release personal information; disclose investigative techniques; endanger the life of law enforcement personnel
- relates to the examination, operation or condition reports used by an agency to regulate and supervise financial institutions
- discloses information whose premature disclosure could endanger the stability of financial institutions or cause significant financial speculation in currencies, securities or commodities
- discloses information whose premature disclosure could create larger problems in the implementation of a proposed action
- concerns the issuance of a subpoena or participation in a court proceeding.
The act also requires notice of all meetings to be given to the public at least one week prior to the meeting, including the time, date, location, subject matter, whether it is open or closed to the public, and the contact information for the agency official that handles requests for information. Any changes must be announced to the public as soon as possible. All public announcements must also be submitted to the Federal Register for publication.
Enforcement of the Sunshine Act is accomplished through annual reports to Congress regarding the number of meetings open and closed to the public, and the reasons for the closed meetings.
Laws such as the three mentioned above are not broad privacy regulations, but are still important parts of privacy regulation in the U.S. Government because they apply privacy principles to narrow, specific practices within the Government. Open Government promotes privacy by allowing citizens to access and monitor government activities including how their information is being used.
CIPP/G Candidate Preparation
In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:
- Federal Open Meeting Laws including FACA and the Sunshine Act (I.C.g.i-ii)
- The Federal Agency Data Mining Reporting Act of 2007