
Computers and Privacy: How the Government Obtains, Verifies, Uses, and Protects Personal Data

Published by the Government Accountability Office on 1990-08-03.


August 1990

COMPUTERS AND PRIVACY

How the Government Obtains, Verifies, Uses, and Protects Personal Data

RESTRICTED -- Not to be released outside the General Accounting Office unless specifically approved by the Office of Congressional Relations.

GAO/IMTEC-90-70BR




Information Management and Technology Division

B-239819

August 3, 1990

The Honorable Edward J. Markey
Chairman, Subcommittee on Telecommunications and Finance
Committee on Energy and Commerce
House of Representatives

Dear Mr. Chairman:

Your June 23, 1989, letter requested information on how federal agencies obtain, verify, use, and protect personal data; how individuals are made aware of information collected about them; what telecommunications and network facilities agencies’ systems use to transmit data; and what effect new technologies have on the sharing of personal data. On May 11, 1990, we briefed your staff on the results of our review. This report expands on the information provided at that briefing.

To respond to your request, we sent a comprehensive questionnaire to 189 federal agencies to collect data on their information management practices and use of computer technology. We received responses from 178 agencies, for a 94-percent response rate. We did not independently validate the agencies’ responses; however, we reviewed and edited all questionnaires and contacted agency personnel when additional information or clarification was necessary. By providing a quantitative summary of government activities in this area, this report should facilitate discussions on how to most appropriately provide both individual privacy protection and effective government operations.

A more detailed discussion of our objectives, scope, and methodology appears in section 1. Appendix I summarizes general laws relating to privacy and computer security, appendix II shows the number of federal systems reported to contain personal information, and appendix III contains our questionnaire with agencies’ responses.



Overview

Almost every federal agency collects and uses personal information in carrying out its responsibilities. The 178 agencies reported that, as of early 1989, they maintained about 2,000 predominantly computerized systems containing personal information. Almost 83 percent of these systems are covered by the Privacy Act, which governs federal agencies’ handling of personal information. In recent years, advances in computers and communications technology have had a major impact on information activities by making it easier for agencies to maintain, manipulate, and share personal information on large numbers of individuals. These applications have been promoted as a means of increasing agencies’ efficiency and effectiveness; however, privacy experts have raised concerns about their impact on personal privacy.


Agencies Have Hundreds of Computer Systems Containing Extensive Personal Information

Agencies gave us detailed information on their 910 largest computerized systems containing personal information. These systems, which include payroll, personnel, and program systems, contain extensive data, ranging from names and social security numbers to financial and health information, on many aspects of individuals’ lives. Agencies use this information for such purposes as determining initial eligibility for federal programs, investigations, and statistical studies. The Privacy Act requires agencies to publish in the Federal Register a notice about their systems of records containing personal information. However, agencies reported that they did not comply with this requirement for 292 of these systems.

Computers and advanced technologies, such as computer networking, are widespread throughout the federal government. Some 78 percent of the 910 large computerized systems are networked through telecommunications facilities, and many of these systems can be accessed by a variety of federal, state, and local agencies, as well as by private organizations. These organizations use the accessed information for such purposes as initial eligibility/certification determinations and investigations. Section 2 of this report presents information on how agencies obtain, validate, use, and protect personal information; how they make individuals aware of systems containing personal information; and what network and telecommunications facilities the systems use.




New Computer Applications Have Had a Major Impact on How Agencies Use Personal Information

Computers and communications technologies have enabled agencies to use personal information in new applications designed to detect and prevent fraud, waste, and abuse. Such applications include computer matching, used to compare two or more automated sets of records to identify similarities or differences in data; front-end verification, used to verify personal information on government application forms; and computer profiling, used to determine types of individuals more likely to exhibit behaviors of interest to an agency. Section 3 details the extent of computer matching, front-end verification, and computer profiling within the federal government, and describes how the information resulting from these applications is used.


As agreed with your office, we did not obtain written comments from the agencies on a draft of this report. Unless you publicly announce the contents of this report earlier, we plan no further distribution of it until 30 days after the date of this letter. We will then send copies to the agencies, and make copies available to others upon request.

This information was compiled under the direction of Jack L. Brock, Jr., Director, Government Information and Financial Management, who can be reached at (202) 275-3195 should you require further information or have any questions about this report. Other major contributors are listed in appendix IV.

Sincerely yours,

Ralph V. Carlone
Assistant Comptroller General




Contents

Letter

Section 1
Introduction: Privacy in a Computerized Society
    Objectives, Scope, and Methodology

Section 2
Government Maintains Vast Amounts of Personal Information
    Agencies Use Computers to Collect and Store Personal Information
    Security Issues Relating to Systems Containing Personal Information

Section 3
Applications of New Information Technology Are Widespread Throughout the Government
    Computer Matching Is Used Extensively for Many Purposes
    Agencies Use Front-End Verification to Determine Eligibility
    Agencies Conduct Computer Profiling to Identify Behaviors of Interest

Appendixes
    Appendix I: Summary of General Legislation Relating to Privacy and Computer Security
    Appendix II: Number of Federal Systems Containing Personal Information, as Reported by Federal Agencies
    Appendix III: U.S. General Accounting Office Survey of Computers, Networks, and Privacy
    Appendix IV: Major Contributors to This Report

Tables
    Table 2.1: Controls in Place in Agencies’ 910 Largest Systems
    Table 3.1: Numbers and Purposes of Agencies’ Computer Matching Activities
    Table 3.2: Federal Agencies That Participated in Computer Matching With State Agencies
    Table 3.3: Federal Agencies That Participated in Computer Matching With Local Agencies
    Table 3.4: Federal Agencies That Participated in Computer Matching With Private Organizations
    Table 3.5: Organizations With Which Agencies Participated in Computer Matching Activities

Figures
    Figure 2.1: A Federal Register Notice of an Air Force System of Records
    Figure 2.2: Percentage of Systems Containing Data Covered by the Privacy Act About Which Information Was Published in the Federal Register
    Figure 2.3: Agencies’ Methods of Notifying Individuals
    Figure 2.4: Sources From Which Agencies Obtain Data
    Figure 2.5: Procedures Agencies Use to Ensure Complete and Accurate Information
    Figure 2.6: Purposes for Which Organizations Access Systems
    Figure 2.7: Procedures Used to Verify Third-Party Information Collected Electronically
    Figure 2.8: Organizations That Have Access to Systems
    Figure 2.9: Number of Systems Accessed for Unknown Purposes
    Figure 2.10: Types of Networks Through Which Systems Are Accessed
    Figure 3.1: Percentage of Agencies That Used Their Employees as Computer Matching Subjects
    Figure 3.2: Types of Information Developed by Agencies That Conduct Computer Profiling
    Figure 3.3: Agencies’ Use of Computer Profiles



Abbreviations

FOIA       Freedom of Information Act
GAO        General Accounting Office
IMTEC      Information Management and Technology Division
OMB        Office of Management and Budget
Section 1

Introduction: Privacy in a Computerized Society

Many of the existing legal protections for and safeguards on the use of personal information maintained by federal agencies date back to 1974. At that time the Congress passed the Privacy Act of 1974 (P.L. 93-579), which established governmentwide standards for the protection of privacy. For some time, privacy issues had been a focus of public attention, in part as a result of congressional inquiries in the 1960s and early 1970s into wiretapping, mail openings, and burglaries by government employees, harassment of individuals for political purposes, and the questionable use of individuals’ personal records.

In 1973 a committee appointed by the Secretary of Health, Education, and Welfare to study the impact of computers on record keeping recommended giving individuals more control over personal information concerning them maintained by government agencies and private organizations. The committee recommended the enactment of a federal “Code of Fair Information Practice,” which would apply to both computerized and manual systems. The code, which incorporated principles designed to protect the privacy of individuals, served as the intellectual framework for the Privacy Act of 1974.

In enacting the Privacy Act, the Congress codified information principles requiring federal agencies to take certain actions:

• Collect, maintain, and use only relevant and accurate information.
• Permit individuals to gain access to information about themselves and to correct or amend such information.
• Permit individuals to determine what records concerning themselves are collected, maintained, used, and disseminated. In this regard, agencies are required to publish in the Federal Register a notice of the existence and nature of all systems of records containing personal information.¹
• Generally permit individuals to prevent records about themselves obtained by an agency for one purpose from being used for another purpose without their consent.
• Provide adequate safeguards to ensure information security and confidentiality.

¹ A system of records is any group of records under an agency’s control in which information is retrieved by an individual’s name or by an identifying number, symbol, or other identifying particular assigned to an individual. How the information is retrieved (by a personal identifier) and not the substantive content determines whether the information is covered by the act.
Personal information is not covered by the act if the system in which it is contained does not meet the definition of a “system of records” or is specifically exempted.²

Additionally, the act provided for criminal penalties for officers of agencies that violate it, and civil remedies for citizens when agencies do not comply with it. For example, individuals can seek judicial relief to force access to or correction of records that agencies maintain on them and recover damages after an unlawful disclosure or violation of their rights under the act that results in an adverse determination. The Office of Management and Budget (OMB) was assigned responsibility for overseeing agencies’ implementation of the act.

When the Privacy Act was passed, most federal record systems were manual; computers were used to store and retrieve information, rather than to manipulate and share it. However, in the ensuing years, advances in computer and communications technology have had a major impact on agencies’ information practices. These technologies have enabled agencies to share and manipulate information in ways largely unforeseen in 1974. High-speed, high-capacity computers enable agencies to search large numbers of record systems and instantaneously retrieve information. Similarly, the linkage of records through computer networks allows a vast increase in the exchange of information as well as the number of people having access to it.

These technologies have facilitated new ways to use, correlate, and manipulate information collected. For example, computer matching, a major application facilitated by computer technology, compares information from two or more automated lists or files and can involve thousands of records. Front-end verification and computer profiling are other applications facilitated by computer technology. These new applications have made it easier for agencies to access, share, and process information and to carry out their missions effectively and efficiently. However, they have also increased opportunities for inappropriate or unauthorized use of personal information and have made it more difficult to oversee agencies’ information management practices and to safeguard individuals’ rights.

² Seven specific Privacy Act exemptions exist, covering information such as law enforcement activities, investigatory material and statistical records.
Objectives, Scope, and Methodology

This report was requested by the Chairman, Subcommittee on Telecommunications and Finance, House Committee on Energy and Commerce, who asked that we provide information on

• federal agencies’ largest computer and network systems containing information on U.S. citizens and how agencies obtain, verify, and protect this information;
• the telecommunications facilities and networks used to transmit the personal information in these systems and how the networked information is used;
• the effect of new technologies on the sharing of information across these networks and the extent to which personal information is matched with that contained in other systems; and
• the extent to which individuals are made aware of records concerning them and the recourse they have if they find incorrect information or if there has been unauthorized disclosure of information.

To obtain this information, we developed and sent a comprehensive questionnaire to 189 federal cabinet and subcabinet-level and independent agencies. To develop our questionnaire and identify privacy concerns, we analyzed privacy and security laws, OMB’s guidance on agencies’ responsibilities in maintaining and sharing personal information, and earlier reports prepared by us and by the President’s Council on Integrity and Efficiency, the Office of Technology Assessment, and the Privacy Protection Study Commission. In addition, we spoke with computer security and information technology experts, privacy interest groups, and scholars at the Massachusetts Institute of Technology, Harvard University, Northeastern University, and The George Washington University in Washington, D.C., and Boston, Massachusetts.

We pretested our questionnaire with officials from the Department of the Air Force, Department of Energy, Department of Education, Department of Labor, Department of Housing and Urban Development, the Food and Nutrition Service of the Department of Agriculture, the Social Security Administration of the Department of Health and Human Services, and the Selective Service System. We used pretest results to refine our questionnaire.

We used a contractor for mailing the questionnaires, designing a data base, and entering agency responses into the data base. We verified the contractor’s data entry on a random-sample basis. We queried the data base and analyzed results. We did not validate questionnaire responses; however, we reviewed and edited all questionnaires and followed up with agency officials when additional information was needed. Since the data-collection methods involve self-reporting by the respondents, we expected adverse findings to be somewhat underreported.

We received responses from 178 agencies, a 94-percent response rate. Appendix II lists the agencies that responded to our questionnaire, as well as those that did not, and shows for each agency that responded the number of systems containing personal information. Appendix III reproduces our questionnaire and agency responses to each question. In some cases, questions were preceded by a filter question, which instructed respondents to skip a number of subsequent questions if they responded to the filter question in a certain way. The reader is cautioned to account for these questions when comparing responses to specific questions with statistics cited in the report. In addition, because certain questions allowed the respondents to choose more than one alternative, the sum of the numbers of responses for each alternative may not equal the total number of respondents for that question.
Section 2

Government Maintains Vast Amounts of Personal Information

Federal agencies are making significant use of computer technology to store, process, and share personal information. Much of this information is subject to the Privacy Act of 1974. This information is maintained in about 2,000 program management, payroll, personnel, financial, and other types of systems and is used by agencies for purposes such as making payments and determining program eligibility. Although agencies collect much of the information directly from individuals, personal information is also collected, sometimes electronically, from third-party sources. Agencies use various methods to inform individuals about the information they maintain; however, individuals are not always informed about such information. Many agencies share the personal information they maintain with other federal, state, and local agencies, as well as with the private sector.


Agencies Use Computers to Collect and Store Personal Information

Agencies reported that, as of January 1989, they collected and stored personal information on individuals in approximately 2,000 predominantly computerized systems. Agencies identified 910 systems as their largest computerized systems containing personal information. Data maintained in these systems include social security numbers; names and addresses; and financial, health, education, demographic (e.g., race, sex), and occupational/regulatory information. Data in about 91 percent of these systems are covered by the Privacy Act.


How Individuals Are Made Aware of Information Collected About Them

Under the Privacy Act, agencies are required to publish information about their systems of records in the Federal Register. The purpose of this is to prevent agencies from maintaining secret files on individuals by giving the public notice of agency record-keeping practices. However, concerns have been raised that the Federal Register is not the best means of notification since it is not easily accessible to most people. Information published in the Federal Register is to include a description of the categories of records maintained, types of sources for the information, and purposes of the records. An example of a Federal Register entry is illustrated in figure 2.1.




Figure 2.1: A Federal
                  .. -- --- Ree
                             .._          Notice of an Air Force System of Records
  _.__..^.
      - _.-..-_ --._~-...

                                        FM0 AF A
    Syttta Mmt:                                                                          safeguudr:
    010 AF A Automated Orders Data System.

    System location:
    Any location where temporary duty travel orders are published at all levels down to and including Air Force squadrons. Official mailing addresses are in the Department of Defense directory in the appendix to the Air Force’s systems notices.

    Categories of individuals covered by the system:
    All Air Force civilian employees and military members who perform temporary duty travel.

    Categories of records in the system:
    All temporary duty travel orders published by the organization maintaining the system also contains identification data on individuals who perform travel.

    Authority for maintenance of the system:
    10 USC 8012, Secretary of the Air Force: Powers and duties; delegation by.

    Purpose(s):
    Used to prepare temporary duty travel orders and to determine status of individual orders.

    Routine uses of records maintained in the system, including categories of users and the purposes of such uses:
    Records from this system of records may be disclosed for any of the blanket routine uses published by the Air Force.

    Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system:

    Storage:
    Maintained on computer.

    Retrievability:
    Filed by name, Social Security Number, or Air Force Service Number.

    Records are accessed by person(s) responsible for servicing the records in performance of their official duties who are properly screened for need-to-know. Records are protected by computer system software.

    Retention and disposal:
    Orders are maintained for one year after the year in which they are published. Identification data is maintained until the individual is reassigned.

    System manager(s) and address:
    Director of Administration, Headquarters United States Air Force Washington, DC. Local System Manager, base director or chief of administration.

    Notification procedure:
    Requests from individuals should be addressed to the local system manager.

    Record access procedures:
    Individuals can obtain assistance in gaining access from the Local System Manager.

    Contesting record procedures:
    The Air Force’s rules for access to records and for contesting and appealing initial determinations by the individual concerned may be obtained from the System Manager and are published in Air Force Regulation 12-35.

    Record source categories:
    Information is obtained from personnel records and travel order requests prepared by clerical staff serving the individual traveler.

    Exemptions claimed for the system:
    None.

    Source: Federal Register, Privacy Act Issuances, 1987 Compilation, Vol. III, pp. 204-205








                                         Agencies reported that they use the Federal Register to publish informa-
                                         tion about most of their Privacy Act record systems. Although 827 (91
                                         percent) of agencies’ 910 largest systems were reported to contain infor-
                                         mation covered by the act, information on only 535 (65 percent) was
                                         published in the Federal Register. (See fig. 2.2.)



Containing Data Covered by the Privacy Act About Which Information Was Published in the Federal Register
[Pie chart. Number of systems (N = 827): information published in Federal Register, 535 systems; information not published in Federal Register, 292 systems.]








                                   Written notification on the form (e.g., benefits application) was the
                                   second most used notification method (used for 445, or 54 percent, of
                                   the systems). Other notification methods used included (1) verbal notifi-
                                   cation at the time the information is collected (176, or 21 percent) and
                                   (2) other methods, such as leave and earnings statements (63, or 8 per-
                                   cent). There were 97 systems covered by the Privacy Act for which no
                                   notification was provided. (See fig. 2.3.) These questionnaire results
                                   indicate that agencies do not always comply with the Privacy Act’s
                                   notification provisions.


Figure 2.3: Agencies’ Methods of Notifying Individuals
[Bar chart. Vertical axis: Number of systems (N = 827). Horizontal axis: Methods of notification (more than one method may be used).]








How Agencies Collect, Validate, and Use Personal Information

                                     Agencies reported that they obtained personal information from various
                                     sources, sometimes more than one. Sources include federal, state, and
                                     local agencies, and the subject individuals themselves. Agencies reported
                                     that for over 70 percent of their largest 910 systems, personal information
                                     was obtained from the individuals themselves and/or within their
                                     own agency. (See fig. 2.4.)

Figure 2.4: Sources From Which Agencies Obtain Data
[Bar chart. Vertical axis: Number of systems (N = 910). Horizontal axis: Sources (data may be obtained from more than one source).]








                                          Agencies reported that the information maintained in 71 percent of their
                                          910 largest systems was validated by checking with the individual. This
                                          practice allows individuals to correct inaccurate information, as well as
                                          to control information about themselves. Additional methods of valida-
                                          tion included (1) comparison with other federal agencies’ records, (2)
                                          checking with institutions, such as banks and schools, and (3) checking
                                          with state and local agencies. (See fig. 2.5.)

Figure 2.5: Procedures Agencies Use to Ensure Complete and Accurate Information
[Bar chart. Vertical axis: Number of systems (N = 910). Horizontal axis: Procedures (more than one procedure may be used).]








                                                                  Federal agencies and other organizations use the information they
                                                                  obtain primarily for (1) payment (340, or 37 percent, of the systems),
                                                                  (2) initial eligibility/certification determinations (338, or 37 percent),
                                                                  and (3) investigations (334, or 37 percent). (See fig. 2.6.)


Figure 2.6: Purposes for Which Organizations Access Systems
[Bar chart. Vertical axis: Number of systems (N = 910). Horizontal axis: Purpose of access (organizations may access systems for more than one purpose).]








Agencies Collect Third-Party Information Electronically

                                          Agencies also obtain and verify information from third-party sources.
                                          Of the 178 agencies responding to our questionnaire, 36 (20 percent)
                                          reported that they collected personal information electronically from
                                          third-party sources, such as state divisions of motor vehicles, credit
                                          bureaus, and insurance companies. Agencies use third-party information
                                          for debt collection (e.g., repayment of education loans), enforcement,
                                          and prescreening (e.g., to determine whether an individual meets
                                          specified qualifications).

                                         Agencies use various methods, sometimes more than one, to ensure the
                                         accuracy of third-party information. Of the 36 agencies, 25 validate
                                         information with subject individuals and 15 compare information with
                                         original source documents. Other means used to ensure the accuracy of
                                         third-party information included (1) comparing information with other
                                         federal agencies’ records (13 agencies) and (2) validating information
                                         with sources other than federal agencies (12 agencies). (See fig. 2.7.)


Figure 2.7: Procedures Used to Verify Third-Party Information Collected Electronically
[Bar chart. Vertical axis: Number of agencies (N = 36). Horizontal axis: Procedures (more than one procedure may be used).]








Many Systems Are Accessed by a Variety of Organizations

                                      Information in 509 (56 percent) of the agencies’ 910 largest systems can
                                      be accessed by a variety of organizations, such as other agency components
                                      within cabinet-level departments; other federal agencies; state and
                                      local agencies; and private organizations, such as health care providers,
                                      marketing companies, and insurance companies. (See fig. 2.8.)

Figure 2.8: Organizations That Have Access to Systems
[Bar chart. Vertical axis: Number of systems (N = 910). Horizontal axis: Organizations.]


                                      Seventy-nine systems (9 percent) can be accessed by all of these entities,
                                      as well as the agencies responsible for them. One system, the Federal
                                      Election Commission’s mail list system containing individuals’
                                      addresses, is accessed solely by the private sector.








                                Some of the purposes for which these organizations use the accessed
                                information are initial eligibility/certification determinations, payment,
                                investigation, and employment purposes. However, for 75 (8 percent) of
                                the 910 systems, agencies responsible for the systems reported that they
                                did not know the purposes for which the personal information was
                                being accessed by other organizations. For example, agency respondents
                                reported that they did not know how accessed information was being
                                used by (1) their own agency for 9 systems (1 percent), (2) educational
                                institutions for 49 systems (5 percent), (3) local organizations for 46 sys-
                                tems (5 percent), and (4) private organizations for 42 systems (5 per-
                                cent). (See fig. 2.9.)


Figure 2.9: Number of Systems Accessed for Unknown Purposes
[Bar chart. Vertical axis: Number of systems accessed (N = 910). Horizontal axis: Organizations accessing systems.]








Most Agencies’ Largest Systems Are Accessed Through Networks

                                         Federal, state, local, and private organizations have access to personal
                                         information maintained in many federal agencies’ computerized systems
                                         through various types of networks. Some 707 of the agencies’ 910
                                         largest systems (78 percent) are accessed through one or more
                                         communications networks. Of the 910 systems, 413 (45 percent) are accessed
                                         through a public-switched network, such as AT&T and MCI, or through
                                         a commercial network, such as Tymnet and Telenet; 379 (42 percent)
                                         are accessed through a local area network; 363 (40 percent) are accessed
                                         through a private network using private-leased lines; and 251 (28 percent)
                                         are accessed through a private network using government-owned
                                         facilities. (See fig. 2.10.)


Figure 2.10: Types of Networks Through Which Systems Are Accessed
[Bar chart. Vertical axis: Number of systems (N = 910). Horizontal axis: Networks (system may be accessed through more than one type of network).]








Security Issues Relating to Systems Containing Personal Information

                           Security controls are needed to protect the personal information stored
                           and processed in computer systems from unauthorized disclosure and
                           modification. We asked agencies to provide us with information on (1)
                           the types of security controls they have implemented in their 910
                           largest systems, (2) computer security weaknesses identified under the
                           Federal Managers’ Financial Integrity Act, and (3) security breaches in
                           their systems. This information is not intended to provide an assessment
                           of the security of these systems, but to provide examples of the types of
                           security controls used, security problems encountered, and agency
                           efforts to address these problems.


Computer Security Controls Agencies Use to Safeguard Their Systems

                           The Congress passed the Computer Security Act of 1987 in response to
                           concerns that the federal government was not adequately addressing the
                           security and privacy of its sensitive information. The act required,
                           among other things, that agencies develop a security and privacy plan
                           for each system containing sensitive information.1 Guidance developed
                           by OMB for federal agencies to follow in preparing their computer
                           security plans segregated computer security measures into six basic
                           control categories: management, development, operational, technical,
                           support system security measures, and security awareness and training for
                           employees.

                           Most of these categories consist of several security controls that address
                           an underlying security objective. For instance, “assigning security
                           responsibilities,” “conducting risk assessments,” and “screening personnel”
                           are examples of specific security controls that address the
                           broader security category of management controls. Depending on the
                           functions and importance of a particular system, as well as acceptable
                           levels of risks, one or more controls may be necessary within each cate-
                           gory to provide an adequate level of security.

                           We asked agencies to identify the controls they have implemented for
                           each security category outlined in OMB’s guidance. Table 2.1 lists the
                           controls within each security category that agencies reported as being in
                           place for their 910 largest systems.




                           1 The act defines sensitive information as any unclassified information that in the event of loss,
                           misuse, or unauthorized access or modification could adversely affect the national interest, conduct
                           of a federal program, or the privacy to which individuals are entitled under the Privacy Act of 1974.








Table 2.1: Controls in Place in Agencies’ 910 Largest Systems

    Security controls                              Percentage of systems with
                                                   security controls in place
    ---------------------------------------------------------------------------
    Management controls
      Assignment of security responsibility                                 95
      Documented risk assessment                                            53
      Undocumented risk assessment                                          24
      Personnel screening                                                   66
    Development controls
      Security specifications                                               83
      Design, review, and testing                                           80
      Certification                                                         46
    Operational controls
      Production, input/output controls                                     90
      Contingency planning                                                  63
      Audit detection                                                       60
      Software maintenance control                                          77
      Documentation                                                         74
    Security awareness and training controls
      Security awareness and training measures                              91
    Technical controls
      User authentication                                                   89
      Access controls                                                       94
      Data integrity controls                                               77
      Audit trails                                                          65
    Support system security measures
      Activity monitoring                                                   78
      Security measures for support systems                                 76


Security Weaknesses Identified Under the Financial Integrity Act

                                            Under the Federal Managers’ Financial Integrity Act, federal agencies
                                            are required, on an ongoing basis, to evaluate the ability of their internal
                                            control systems to protect federal programs against fraud, waste, abuse,
                                            and mismanagement. For fiscal year 1988, 13 agencies reported that
                                            they had identified material weaknesses in the security of their
                                            computerized systems containing personal information. For fiscal year 1989, 10
                                            agencies responded that they had identified such material weaknesses.
                                            For example, the Department of the Treasury reported, for fiscal year
                                            1988, that programmers had access to both data files and production
                                            programs for the departmental salaries and expenses system. This
                                            control weakness allowed employees access to more information than was






                       needed to perform their jobs and, as a result, increased the risk of fraud-
                       ulent behavior. To correct this problem, Treasury implemented a pass-
                       word security system to prevent programmers from accessing data files
                       of systems for which they also write programs.


Agencies Reported 34 Security Breaches

                       Agencies reported 34 instances of security breaches in their
                       computerized systems containing personal information in fiscal years 1988 and
                       1989. Two agencies reported 13 incidents of unauthorized access in
                       fiscal year 1988; 5 agencies reported 21 incidents in fiscal year 1989.
                       Thirty of the 34 incidents involved unauthorized access to personal
                       information by personnel otherwise authorized to use the system. For
                       example, in one case, an employee modified his own personal information
                       to benefit himself financially. In two other cases, unauthorized
                       users gained access to agencies’ systems by using passwords others had
                       disclosed to them. In another case, an agency’s contractor was allowing
                       third-party access to a system that the agency intended to be
                       confidential.




Section 3

Applications of New Information Technology
Are Widespread Throughout the Government

                       Computer matching, front-end verification, and profiling are applica-
                       tions of information technology facilitated by technological advances,
                       such as computer networks. Computer matching, the electronic compar-
                       ison of two or more sets of records, is used by federal agencies for such
                       purposes as uncovering unreported income, erroneously reported tax
                       information, and duplicate benefits. Some 46 agencies reported that they
                       participated in computer matching. Front-end verification, used when
                       an individual applies for government benefits, employment, or services
                       to determine whether the individual is a qualified applicant, was used
                       by 28 agencies. Computer profiling, which involves searching a record
                       system to determine characteristics of individuals most likely to engage
                       in behaviors of interest (e.g., tax evasion), was used by 37 agencies.
                       These three applications have been supported by organizations such as
                       OMB and the inspectors general as effective means of detecting fraud,
                       waste, and abuse; however, their use has raised privacy and constitu-
                       tional concerns.


Computer Matching Is Used Extensively for Many Purposes

Computer matching, as discussed in OMB's June 19, 1989, final guidance
interpreting the provisions of the Computer Matching and Privacy Act
of 1988, is the electronic comparison of records from (1) two or more
automated federal systems of records or (2) federal systems of records
with nonfederal records to identify similarities or dissimilarities in the
data. To facilitate computer matching, a number of data bases have been
created. Often, the data bases contain information on beneficiaries
under different government programs.

                       Organizations support computer matching as a means of improving gov-
                       ernment efficiency and strengthening program management. The Presi-
                       dent’s Council on Integrity and Efficiency and OMB have attributed
                       substantial savings and recoveries of overpayments in federal benefits
                       programs to the use of computer matching. Savings can be realized from
                       matching records of recipients in federal benefit programs with the files
                       of other agencies or programs to verify the eligibility of individuals
                       receiving benefits. For example, the Social Security Administration
                       matches its supplemental security income benefit file with the Internal
                       Revenue Service’s tax data to identify potential overpayments and
                       investigates and resolves identified cases. As a result of this computer
                       matching effort, the Social Security Administration estimated savings of
                       $184.1 million for fiscal years 1986 through 1988.

                       However, privacy advocates have raised a number of concerns
                       regarding the effect of computer matching on individuals’ privacy






rights. Some of these concerns are that (1) computer matching makes it
more difficult for individuals to control information about themselves
and (2) Fourth Amendment protections against unreasonable searches
and seizures may be violated because of the lack of probable cause
linking a crime and an individual.

In response to these concerns, the Congress enacted the Computer
Matching and Privacy Protection Act of 1988, a major amendment to the
Privacy Act, that became effective July 19, 1989. The act covers
matches (1) involving federal benefits programs and (2) using records
from federal personnel or payroll systems of records. The legislation
created an important procedural framework providing for independent
verification of matching results before further action can be taken; ade-
quate notice to individuals; the right to a hearing before benefits are
reduced, suspended, or terminated; and mandatory requirements for
agency reporting to the Congress and OMB. Each federal agency must
establish an internal data integrity board to oversee and coordinate its
matching activity. Before participating in a matching program, agencies
must enter into written agreements specifying the purpose of the pro-
gram and the records to be matched and, where appropriate, perform a
cost-benefit analysis. In cases where individuals are wrongfully affected
as a result of a match subject to the act, the Privacy Act’s civil remedy
provisions may be applicable.

Of the 178 agencies responding to our questionnaire, 46 (26 percent)
reported that they participated in computer matching as either a
matching agency (the agency performing the match) or a source agency
(the agency disclosing records to the matching agency for use in a
match).[1] In each of fiscal years 1988 and 1989, 31 respondents partici-
pated as a matching agency and 35 as a source agency. The Drug
Enforcement Administration and the Farmers Home Administration
accounted for about 97 percent of the matches.[2] Most of these computer
matches were for law enforcement (78 percent) and tax (18 percent)
purposes. Agencies reported the numbers and purposes of their matches
as shown in table 3.1.

[1] Questionnaire respondents were asked to provide information on matching activities for fiscal years
1988 and 1989. Most of this period was before the act’s effective date.

[2] Most of the matches reported by these two agencies involved comparing information on a single
individual with various agency data bases.




Table 3.1: Numbers and Purposes of Agencies’ Computer Matching Activities

                                                         Matches in which agencies
                                                             participated as a
Purpose of match                                         Matching agency   Source agency
Establishing or verifying federal program eligibility                681             442
Recouping payments or delinquent debts                            10,208          10,183
Law enforcement                                             4,320,932[a]           1,148
Tax purposes                                                      16,245    1,000,024[a]
Audit purposes                                                        72           2,044
Statutory mandate                                                 10,037          10,004
Aggregate statistical purposes[b]                                 16,099          20,055
Research/statistical purposes[c]                                  16,073             570
Other                                                              3,471         112,373

[a] The majority of matches in these categories involved matching information on a single individual with
on-line law enforcement and tax-related data bases.
[b] Data produced do not include information that identifies an individual.
[c] Data may be produced that identify an individual.


                                         Over half (27) of the 46 agencies engaging in computer matching activi-
                                         ties reported that they included their employees as matching subjects.
                                         Of these 27 agencies, 15 involved their employees as subjects in 1 to 80
                                         percent of their matches, 11 involved their employees as subjects in 100
                                         percent of their matches, and 1 did not know how many of its matches
                                         involved its employees. (See fig. 3.1.)








Figure 3.1: Percentage of Agencies That Used Their Employees as Computer Matching Subjects

[Figure not reproduced. Number of agencies (N = 46):
  Agencies’ employees are always match subjects (11 agencies)
  Agencies’ employees are subjects in 1% to 80% of matches (15 agencies)
  Don’t know (1 agency)
  Agencies’ employees are never match subjects (19 agencies)]



Many Matches Are Not Covered by Computer Matching and Privacy Protection Act

Many matches conducted by the federal government are exempt from
the Computer Matching and Privacy Protection Act. Types of matching
activities specifically exempted include matches that (1) produce aggre-
gate statistical data without personal identifiers; (2) support any
research or statistical project in which the results may include personal
identifiers, but which are not used to affect an individual’s rights, bene-
fits, or privileges; (3) are conducted for law-enforcement purposes, i.e.,
matches performed by agencies or components whose principal function
is criminal law enforcement; (4) use federal employees’ personnel or
payroll records for routine administrative purposes;[2] (5) are conducted
for background investigation and foreign counterintelligence matters;
(6) involve various types of tax return information; and (7) are con-
ducted within an agency using records only from the agency’s systems
of records.

[2] According to OMB's guidance, the percentage of records in the system relating to federal employees
must be greater than any other category.




                          Our questionnaire results indicated that a significant portion of govern-
                          mentwide matching activity is excluded from the act. For example, in
                          fiscal years 1988 and 1989, 11 source agencies reported that they partic-
                          ipated in over 1 million matches for tax purposes, while 4 matching
                          agencies reported 16,245 matches conducted for this purpose in fiscal
                          years 1988 and 1989. Such matches are excluded from the act’s cov-
                          erage. In addition, 18 agencies reported that in fiscal years 1988 and
                          1989, they conducted about 2 million matches using only their own
                          records.


Federal Agencies Participate in Computer Matching With Many Organizations

During fiscal years 1988 and 1989, respondents reported that they par-
ticipated in computer matching not only with other federal agencies, but
also with state and local agencies and private organizations. As shown
in tables 3.2, 3.3, and 3.4, 21 agencies participated in computer matching
with state agencies, 9 with local agencies, and 16 with private
organizations.








Table 3.2: Federal Agencies That Participated in Computer Matching With State Agencies

(X = reported; - = not reported)
                                                                      Sent information     Received information
                                                                      to a state agency    from a state agency
Bureau of Labor Statistics                                                   -                      X
Centers for Disease Control                                                  X                      -
Defense Logistics Agency                                                     X                      X
Department of Housing and Urban Development                                  -                      X
Department of Veterans Affairs                                               -                      X
Drug Enforcement Administration                                              X                      -
Employment and Standards Administration                                      X                      -
Environmental Protection Agency                                              X                      -
Federal Crop Insurance Corporation                                           X                      X
Food and Nutrition Service                                                   X                      X
Health Care Financing Administration                                         X                      -
Immigration and Naturalization Service                                       X                      X
Indian Health Service                                                        -                      X
Internal Revenue Service                                                     X                      X
National Highway Traffic Safety Administration                               X                      -
Office of Information Resources Management, Department of Education          X                      X
Office of Personnel Management                                               X                      -
Railroad Retirement Board                                                    X                      X
Selective Service System                                                     X                      X
Social Security Administration                                               X                      X
Tennessee Valley Authority                                                   -                      X




Table 3.3: Federal Agencies That Participated in Computer Matching With Local Agencies

(X = reported; - = not reported)
                                                                      Sent information     Received information
                                                                      to a local agency    from a local agency
Department of Housing and Urban Development                                  X                      X
Drug Enforcement Administration                                              X                      -
Environmental Protection Agency                                              X                      -
Immigration and Naturalization Service                                       -                      X
Internal Revenue Service                                                     -                      X
Office of Personnel Management                                               X                      -
Selective Service System                                                     -                      X
Social Security Administration                                               X                      X
Tennessee Valley Authority                                                   -                      X








Table 3.4: Federal Agencies That Participated in Computer Matching With Private Organizations

(X = reported; - = not reported)
                                                                      Sent information       Received information
                                                                      to a private agency    from a private agency
ACTION                                                                       X                      -
Centers for Disease Control                                                  X                      -
Defense Logistics Agency                                                     X                      X
Department of the Army                                                       X                      -
Department of Commerce                                                       X                      -
Department of Labor                                                          X                      -
Department of Veterans Affairs                                               X                      -
Employment and Standards Administration                                      X                      -
Farmers Home Administration                                                  X                      X
Internal Revenue Service                                                     -                      X
Office of Information Resources Management, Department of Education          X                      X
Office of Personnel Management                                               -                      X
Railroad Retirement Board                                                    -                      X
Social Security Administration                                               X                      -
U.S. Coast Guard                                                             X                      -
U.S. Customs Service                                                         X                      -


                                               Private organizations that received information from and provide infor-
                                               mation to federal agencies include credit bureaus, banks, schools and
                                               universities, unions, insurance companies, real estate brokers,
                                               employers, health care providers and insurers, and railroads. While only
                                               5 federal agencies reported that they received information from private
                                               organizations, 14 sent information to such organizations. (See table 3.5.)

Table 3.5: Organizations With Which Agencies Participated in Computer Matching Activities

                                               Number of agencies that
                                                      Sent            Received
Organization                                information to    information from
Another office/component within agency                  18                  15
Another federal agency                                  35                  33
State agency                                            16                  14
Local agency                                             5                   6
Private organization                                    14                   5
Congress[a]                                              1                   1

[a] The Department of Education participated in computer matching with the House and Senate.








Number of Individuals Affected by Computer Matches

Individuals identified through a computer match and found ineligible to
receive a specified federal benefit may have their benefits reduced, sus-
pended, or terminated. Under the Computer Matching and Privacy Pro-
tection Act, however, agencies may take further action against
individuals only after investigation and verification. Individuals must
also be given advance notification and an opportunity to challenge the
results before final actions are taken. Agencies reported that the
number of individuals against whom further action was taken (e.g., ben-
efits denied, reduced, or suspended) as a result of computer matching
was about 3.6 million in each of fiscal years 1988 and 1989. In each of
these two years, the Internal Revenue Service took further action
against 3 million individuals because they had filed erroneous tax infor-
mation. The Social Security Administration reported that further action
had been taken against 600,000 individuals in each of the two years for
various reasons, such as overpayments due to unreported increased
income.


Agencies Use Front-End Verification to Determine Eligibility

Front-end verification involves certifying the accuracy and authenticity
of information supplied by an applicant by comparing it with similar
information held in a computerized data base, generally obtained from a
third party. For instance, an applicant’s eligibility for a benefit, such as
food stamps, is validated both before the applicant receives the benefit
and later to determine continued eligibility. Front-end verification is
similar to computer matching in that it involves an electronic search to
ensure the accuracy and completeness of the personal information. Such
searches through personal records have raised privacy experts’ con-
cerns about the protection of individuals’ privacy. However, front-end
verification differs from computer matching in that it is used to

- verify information on an individual, at the time of the initial transac-
  tion, before the individual receives government benefits, employment, or
  services; and
- prevent, rather than detect, fraudulent activities.

                        Some privacy experts believe that because this procedure involves a
                        search through a particular citizen’s file rather than a general search
                        through all files, it may constitute less of an intrusion into citizens’ pri-
                        vacy than computer matching.

                        Twenty-eight agencies responded that they used front-end verification
                        during fiscal years 1988 and 1989.







Agencies Conduct Computer Profiling to Identify Behaviors of Interest

Computer profiling involves using inductive logic to determine the char-
acteristics of individuals most likely to engage in behaviors of interest,
for example, illegal activities. In computer profiling, a record system is
electronically searched for a specified combination of data elements to
construct a profile. For example, a profile may describe the characteris-
tics of persons more likely to misrepresent information in order to
receive federal aid or benefits. The profile can then be used to make
judgments about individuals based on the past behavior of others who
appear statistically similar. Computer profiling raises privacy and con-
stitutional concerns because individuals may be singled out for scrutiny
or different treatment before they take any action warranting such
treatment. Whereas computer matching and front-end verification com-
pare factual information, profiling compares characteristics or events
that may not be indicative of the action to be prevented. Advocates of
profiling, however, believe it increases agencies’ efficiency and effec-
tiveness by permitting resources to be applied more judiciously.

                        Thirty-seven agencies reported that they conducted computer profiling.
                        Agencies obtain data for profiles from their own agency, other federal
                        agencies, state and local governments, organizations, and associations.
                        In developing profiles, agencies use social security, health, educational,
                        financial, tax, law enforcement, property, and housing and public assis-
                        tance information. (See fig. 3.2.)








Figure 3.2: Types of Information Developed by Agencies That Conduct Computer Profiling
[Bar chart not reproduced. Vertical axis: Number of agencies (N = 37). Horizontal axis: Information developed.]




                                          Agencies use profiles for many purposes, including program analyses,
                                          planning, investigation, screening, scientific research, and surveillance.
                                          (See fig. 3.3.) Two examples of agencies’ computer profiling descriptions
                                          are the Social Security Administration’s profiles on people most likely to
                                          have unreported changes in income, resources, and/or living arrange-
                                          ments; and the U.S. Secret Service’s profiles of individuals most likely to
                                          commit aggressive action against a public figure.








Figure 3.3: Agencies’ Use of Computer Profiles
[Bar chart not reproduced. Vertical axis: Number of agencies (N = 37).]




Appendix I

Summary of General Legislation Relating to
Privacy and Computer Security

Privacy Act of 1974, as Amended (5 U.S.C. 552a)

                           The Privacy Act is the primary legislation regulating the federal
                           government’s maintenance of personal information. The act
                           establishes (1) requirements and prohibitions federal agencies must
                           observe regarding record-keeping and disclosure practices and (2)
                           safeguards for individuals (U.S. citizens and aliens lawfully
                           admitted for permanent residence) against invasion of their personal
                           privacy. Personal information is not covered by the act if the
                           system in which it is contained does not meet the definition of a
                           “system of records” or is specifically exempted. A system of records
                           is any group of records under an agency’s control in which
                           information is retrieved by an individual’s name or by an
                           identifying number, symbol, or other identifying particular assigned
                           to the individual. How the information is retrieved (by a personal
                           identifier) and not the substantive content determines whether the
                           information is covered by the act.

                           The Privacy Act, along with the Freedom of Information Act (5 U.S.C.
                           552), permits disclosure of most personal files to the individual who is
                           the subject of the files. The two laws, however, restrict disclosure of
                           personal information to others when disclosure would violate privacy
                           interests. Agencies cannot disclose records pertaining to individuals
                           without their consent, except under prescribed circumstances. Federal
                           agencies must also account for disclosures made of such records.

                           In enacting the Privacy Act, the Congress codified information princi-
                           ples requiring specific actions of federal agencies:

                       • Publish a notice of their Privacy Act record systems in the Federal
                         Register. (This provision was intended to prevent agencies from
                         maintaining secret records.)
                       • Grant individuals access to records concerning them and an opportunity
                         to correct inaccurate information.
                       • Maintain only information that is relevant and necessary to accomplish
                         a legal purpose.
                       • Collect information, to the greatest extent practicable, directly from
                         individuals when the use of the information may result in an adverse
                         determination about individuals’ rights, benefits, and privileges under
                         federal programs.
                       • Maintain accurate, complete, and timely records to assure that
                         individuals are treated fairly.
                       • Establish safeguards to ensure information security and confidentiality.








                                 The Privacy Act provides civil remedies for individuals whose rights
                                 under the act have been violated, as well as criminal penalties for
                                 violation of the act. The act also contains provisions for the
                                 treatment of archival records, mailing lists, and the use of social
                                 security numbers. Government contractors are also subject to the act
                                 under certain circumstances. OMB has oversight responsibility for the
                                 Privacy Act.


Freedom of Information Act, as Amended (5 U.S.C. 552)

                                 The Freedom of Information Act (FOIA) establishes a presumption that
                                 records in the possession of Executive Branch agencies and departments
                                 are accessible to the public. FOIA sets standards for determining which
                                 records must be made available for public inspection or released to a
                                 party that requests access and which records may be withheld. The law
                                 also provides administrative and judicial remedies for those persons
                                 denied access to records. Above all, the statute requires federal agencies
                                 to provide the fullest possible disclosure of information to the public.
                                 Agencies must justify why records are not accessible to the public.

                                 Like the Privacy Act, FOIA recognizes the legitimate need to restrict
                                 disclosure of some information. For example, agencies may withhold
                                 information classified in the interest of national defense or foreign
                                 policy, trade secrets, and criminal investigatory files. Other
                                 specifically defined categories of confidential information may also
                                 be withheld.

                                 An essential feature of both laws is that they make federal agencies
                                 accountable for information disclosure policies and practices. While
                                 neither law grants an absolute right to examine government documents,
                                 both laws provide a right to request records and to receive a response to
                                 the request. If a requested record cannot be released, the requester is
                                 entitled to know why. The requester has a right to appeal the denial
                                 and, if necessary, challenge it in court.


Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. 552a Note)

  The Computer Matching and Privacy Protection Act, which became
  effective July 19, 1989, establishes procedural safeguards affecting
  agencies’ use of Privacy Act records in performing certain types of
  computerized matching programs. The act requires that agencies enter into
  written agreements specifying the terms under which matches are to be
  performed. It also provides due process rights for record subjects to
  prevent agencies from taking adverse actions unless they have
  independently verified the results of a match and given the subject 30
  days’ advance notice. Oversight is accomplished by having agencies publish
  agreements, report matching programs to the Congress and OMB, and
  establish internal data integrity boards to oversee and coordinate their
  matching activity.

  The act covers only matches having one or more of the following
  purposes:

• establishing or verifying initial or continuing eligibility for federal
  benefits programs,
• verifying compliance with the requirements (either statutory or
  regulatory) of such programs, or
• recouping payments or delinquent debts under such federal benefits
  programs.

  In addition, to be covered, a match must also involve (1) the computer-
  ized comparison in an automated form; (2) individuals initially applying
  for benefits, individual program participants who are currently
  receiving or formerly received benefits, or individuals who are not the
  primary beneficiaries of federal benefits programs, but may derive
  income from them, such as health care providers; and (3) a federal bene-
  fits program. For example, if the Department of Education matched a
  student loan recipient data base with the Department of Veterans
  Affairs education benefit recipient data base for the purpose of ensuring
  that both agencies were maintaining current and accurate home address
  information, the match would not be covered since the matching pur-
  pose is not one of those listed above. If, however, the purpose of the
  match were to identify recipients receiving excess benefits, the match
  would be covered.

  The Computer Matching and Privacy Protection Act brings state and
  local agencies within the scope of the Privacy Act when they engage in
  matching activities with a federal agency subject to the Privacy Act and
  when a federal system of records is used. The act does not cover
  matches between nonfederal agencies or matches involving private
  entities. In 1989 the Congress amended the act to extend the compliance
  date for agencies reporting some of their matching programs. For those
  programs in operation before June 1, 1989, agencies were given until
  January 1, 1990, to report their matching programs to the Congress and
  OMB.








Right to Financial Privacy Act of 1978 (12 U.S.C. 3401)

                        The Right to Financial Privacy Act prescribes the procedures and
                        safeguards that federal agencies must follow in obtaining access to
                        customer financial records maintained by financial institutions.
                        Generally, this law requires that the access be in conjunction with a
                        legitimate law-enforcement inquiry. The act requires notification to
                        customers about the access or subsequent transfer of their records to
                        another agency and gives customers the right to challenge such
                        disclosure or transfer. However, the notice and opportunity to
                        challenge may be delayed with an appropriate judicial order. The act
                        does not apply to customer financial records being disclosed for
                        criminal, civil, or administrative litigation in which the government
                        and customers are both parties. Neither does this act supersede other
                        statutes, such as the Internal Revenue Code, in regard to accessing
                        financial records.


Electronic Communications Privacy Act of 1986 (18 U.S.C. 2510)

                        The Electronic Communications Privacy Act provides protection for
                        electronic communications, including computer data transmissions,
                        electronic mailboxes, cellular phones, and fiber-optic transmissions.
                        The basic premise behind this legislation was to protect the content
                        of private communications, regardless of how they are transmitted.

Computer Security Act of 1987 (Public Law 100-235)

                        The Computer Security Act provides for improving the security and
                        privacy of sensitive information in federal computer systems. The act
                        defines sensitive information as any unclassified information which, if
                        lost, misused, or accessed or modified without authorization, could
                        affect the privacy to which individuals are entitled under the Privacy
                        Act.

                        In general, the Computer Security Act requires that all federal agencies
                        identify their computer systems, whether operational or under
                        development, that contain sensitive information, establish training
                        programs to increase security awareness and knowledge of security
                        practices, and establish a security plan for each computer system with
                        sensitive information. However, some federal entities are exempt from
                        complying with the act either because they are not federal agencies as
                        defined in the act or their computer systems are excluded from the
                        act’s application. Agencies not exempted are required to develop
                        security plans, in accordance with the guidance issued in OMB Bulletin
                        88-16, showing the implementation status of 18 control measures.








Federal Managers’ Financial Integrity Act of 1982 (31 U.S.C. 3512)

                          The Federal Managers’ Financial Integrity Act requires ongoing
                          evaluations of the internal control and accounting systems that
                          protect federal programs against fraud, waste, abuse, and
                          mismanagement. It further requires that the heads of federal agencies
                          report annually to the President and the Congress on the condition of
                          these systems and on their actions to correct the material weaknesses
                          identified. For example, material weaknesses are weaknesses that
                          could significantly impair the fulfillment of an agency mission or
                          significantly weaken safeguards against the loss or waste of funds,
                          property, or other assets.




Appendix II

Number of Federal Systems Containing
Personal Information, as Reported by
Federal Agencies

                                                      Computerized systems containing personal information
                                                      Total number     Systems covered by       Largest
                                                      of systems(a)    the Privacy Act(a)       systems(b)
Cabinet departments
Department of Agriculture                                     109                    87               90
Department of Commerce                                         49                    47               39
Department of Defense                                         363                   360              102
Department of Education                                        20                    20               10
Department of Energy                                           43                    43               10
Department of Health and Human Services                       274                   210               78
Department of Housing and Urban Development                    20                    20               10
Department of the Interior                                     70                    70               64
Department of Justice                                         201                   169               53
Department of Labor                                            96                    30               44
Department of Transportation                                   59                    54               57
Department of the Treasury                                     78                    70               65
Department of Veterans Affairs                                 35                    35               10
   Subtotal                                                 1,417                 1,223              632

Independent agencies
ACTION                                                          3                     2                3
Administrative Conference of the United States                  1                     1                1
Agency for International Development                            9                     8                9
Appalachian Regional Commission                                 1                     1                1
Arms Control and Disarmament Agency                             0                     0                0
Commission on Civil Rights                                      5                     5                5
Commodity Futures Trading Commission                           17                    17               10
Consumer Product Safety Commission                              2                     2                2
Environmental Protection Agency                                98                    20               10
Equal Employment Opportunity Commission                         5                     5                5
Farm Credit Administration                                      6                     6                6
Federal Communications Commission                              66                    66               10
Federal Deposit Insurance Corporation                          17                    17               10
Federal Election Commission                                     8                     8                8
Federal Emergency Management Agency                            39                    25               10
Federal Energy Regulatory Commission                           20                    20               10
Federal Labor Relations Authority                               2                     2                2
Federal Maritime Commission                                     1                     1                1
Federal Mediation and Conciliation Service                      0                     0                0
Board of Governors of the Federal Reserve System               40                    22               10
Federal Retirement Thrift Investment Board                      1                     1                1
Federal Trade Commission                                       15                    14               10
General Services Administration:
   Federal Supply Service                                       0                     0                0
   Information Resources Management Service                     0                     0                0
   Public Buildings Service                                     1                     0                1
Interstate Commerce Commission                                 15                     5               10
Merit Systems Protection Board                                  6                     6                6
National Aeronautics and Space Administration                  33                    19               10
National Archives and Records Administration                    2                     2                2
National Credit Union Administration                            3                     3                3
National Labor Relations Board                                  7                     6                7
National Mediation Board                                        1                     0                1
National Science Foundation                                    15                    15               10
Nuclear Regulatory Commission                                  29                    29               10
Occupational Safety and Health Review Commission                2                     2                2
Office of Management and Budget                                 2                     2                2
Office of Personnel Management                                 12                    11               10
Office of the Special Counsel                                   3                     3                3
Office of Thrift Supervision                                    7                     5                7
Overseas Private Investment Corporation                         1                     1                1
Peace Corps                                                    11                    11               10
Pension Benefit Guaranty Corporation                            5                     5                5
Railroad Retirement Board                                       7                     7                7
Securities and Exchange Commission                             16                     5               10
Selective Service System                                        4                     4                4
Small Business Administration                                   9                     9                9
Tennessee Valley Authority                                     23                    23               10
United States International Trade Commission                    4                     2                4
United States Postal Service                                   15                    15               10
   Subtotal                                                   589                   433              278
Total                                                                                                     2,008                                    1,666                                            910
a Includes predominantly computerized systems maintained by agencies at the end of calendar year 1988.
b Agencies identified up to 10 of their largest computerized systems containing personal information.
c Formerly the Veterans Administration.

Note: One hundred twenty-seven cabinet and subcabinet-level agencies responded to our questionnaire. The Agency for International Development consolidated its responses with the United States Trade and Development Program. Cabinet, subcabinet, and independent agencies that did not respond include: the Office of Human Development Services (Department of Health and Human Services), the Bureau of International Labor Affairs (Department of Labor), the Pension and Welfare Administration (Department of Labor), the Department of State, the General Services Administration, the Federal Property Resources Service (General Services Administration), the National Transportation Safety Board, and the Office of Information Regulatory Affairs (Office of Management and Budget). We received the following agencies' questionnaire responses too late to be included in our analyses: the Agricultural Stabilization and Conservation Service (Department of Agriculture) and the Export-Import Bank of the United States. The Central Intelligence Agency reported that it could not respond to the questionnaire without exposing sensitive intelligence methodology.




Appendix III

U.S. General Accounting Office Survey of Computers, Networks, and Privacy




The U.S. General Accounting Office has been requested by the Chairman of the Subcommittee on Telecommunications and Finance, Committee on Energy and Commerce, [illegible] computers and networks [illegible] personal information. Therefore, [illegible] this questionnaire to obtain information from federal agencies on computerized systems containing personal information which may or may not be subject to the Privacy Act.

To assist you in completing this questionnaire, we are providing an attachment with [illegible] definitions. Please read the attachment before responding to the questionnaire. We occasionally ask for information where estimates may be provided. However, unless otherwise instructed, specific information is [illegible].

Please return the completed questionnaire in the enclosed self-addressed envelope no later than December 22, 1989, to:

          Araceli Contreras
          U.S. General Accounting Office
          Room 6905, 441 G Street, N.W.
          Washington, D.C. 20548.

Please respond to the following questions as they relate to your agency as listed on the above label. As noted in the [illegible] letter, we are asking each department component to complete a separate questionnaire. If you have any questions, please call Mary [illegible] at (202) 275-0471 or Araceli Contreras at (202) 275-3178. Thank you for your help.

Please provide the name of the one person whom we may contact to clarify information, if necessary.

Name:
Title:
Department:
[illegible]:
Telephone No:

[illegible] (GENERAL)

1. Please estimate the number of predominantly computerized systems containing personal information maintained by your agency at the end of calendar year 1988. (ENTER NUMBER.)

     2.906

2. Please estimate the number of the above (Question 1) systems which are covered by the Privacy Act. (ENTER NUMBER.)

     [illegible] systems








MANAGEMENT OF COMPUTERIZED SYSTEMS CONTAINING PERSONAL INFORMATION (SPECIFIC)

Please provide the following information for your [illegible] of transactions) computerized systems [illegible] whether or not they are covered by the Privacy Act. Please provide the following [illegible]

We have used the instruction "(ENTER ALL CODES THAT APPLY.)" throughout the questionnaire. For each question requiring this response, enter in the space provided, the number (code) [illegible] the response that is most characteristic of the system. In addition, keep the systems in the same order throughout the questionnaire. When responding "other", please specify no more than 5 items under this category.

SYSTEM 1   SYSTEM 2   SYSTEM 3   SYSTEM 4   SYSTEM 5   SYSTEM 6   SYSTEM 7   SYSTEM 8   SYSTEM 9   SYSTEM 10

3. Full name and other identifier of system.

4. Is the information in this system covered by the Privacy Act? (ENTER ONE CODE.)

     1. Yes (GO TO QUESTION 6.)
     2. No (GO TO QUESTION 5.)

5. If the information in this system is not covered by the Privacy Act, please indicate the reasons. (ENTER CODE.)

     1. Exempted
     2. Not retrieved by a personal identifier
     3. Other (SPECIFY.)








6. What agencies or parties operate the system on your behalf? Operator of a federal computer system is a federal agency, contractor of a federal agency, or other organization that processes information using a computer system on behalf of the federal government to accomplish a federal function. (ENTER ALL CODES THAT APPLY.)

     1. Your own agency
     2. Your cabinet-level department
     3. Another federal agency
     4. Contractor (not state or local government)
     5. Grantee (not state or local government)
     6. State or local government
     7. Other (SPECIFY.)

7. What types of information are collected and maintained in this system? (ENTER ALL CODES THAT APPLY.)

     [Codes 1 through 6 illegible.]
     7. Social Security number
     8. Retirement
     9. Financial
    10. Credit
    11. Military history
    12. Residence (address)
    13. Demographic (e.g., age, sex, race, etc.)
    14. Selective Service registration
    15. Property (e.g., real estate, personal, etc.)
    16. Occupational/regulatory (e.g., personnel pay, pilot certification, etc.)
    17. Law enforcement
    18. Other (SPECIFY.)








8. From whom does your agency obtain the data entered into this system? (ENTER ALL CODES THAT APPLY.)

     1. Your own agency
     2. The subject individual
     3. Another federal government agency
     4. State or local agency
     5. Other (SPECIFY.)

9. How does your agency obtain the data entered into this system? (ENTER ALL CODES THAT APPLY.)

     1. Hard copy
     2. Electronic (e.g., floppy disk, tape, etc.)
     3. Other (SPECIFY.)

10. How are individuals and/or groups made aware of records your agency maintains on them in this system? (ENTER ALL CODES THAT APPLY.)

     1. Federal Register
     2. Written notification on form
     3. Verbal notification at interview
     4. Other personal notification (SPECIFY.)
     5. Other (SPECIFY.)
     6. Do not notify

11. Which of the following procedures does your agency perform to ensure that personal information maintained in this system is complete and accurate? (ENTER ALL THAT APPLY.)

     1. Comparison with other federal agencies' records
     2. Validation checks with subject individuals
     3. Validation checks with state and local agencies
     4. Validation checks with institutions (e.g., banks, etc.)
     5. Other (SPECIFY.)








12. What personal identifiers are used to access the records in this system? (ENTER ALL CODES THAT APPLY.)

     1. Name                                                      1) 706
     2. Social Security number                                    2) 571
     3. Date of birth                                             3) 151
     4. Account number (e.g., bank, Medicare, etc.)               4) 221
     5. Military I.D.                                             5)
     6. Relative's name (e.g., parent)/responsible
        individual (e.g., guardian information)                   6)
     7. Other (SPECIFY.)                                          7) 104

13. Which of the following organizations (see parts A-C below) have access (automated or manual) to information in this system? (ENTER ALL CODES THAT APPLY.)

     A. Your own agency:

        For what purpose? (ENTER ALL CODES THAT APPLY.)

         1. To determine initial eligibility/certify               1) 316
         2. Recertification                                        2) 151
         3. Investigation                                          3) 276
         4. Surveillance                                           4)
         5. Employment                                             5)
         6. Credit                                                 6) 51
         7. Training                                               7) 150
         8. Payment                                                8) 323
         9. Induction                                              9) 15
        10. Other (SPECIFY.)                                      10) 274
        11. Do not know                                           11) 9








(QUESTION 13 CONTINUED)

13. Which of the following organizations have access (automated or manual) to information in this system? (ENTER ALL CODES THAT APPLY.)

     B. Other offices/agencies within cabinet-level department (e.g., IRS within the Department of the Treasury):

        For what purpose? (ENTER ALL CODES THAT APPLY.)

         1. To determine initial eligibility/certify
         2. Recertification
         3. Investigation
         4. Surveillance
         5. Employment
         6. Credit
         7. Training
         8. Payment
         9. Induction
        10. Other (SPECIFY.)
        11. Do not know

     C. Other federal agencies:

        For what purpose? (ENTER ALL CODES THAT APPLY.)

         1. To determine initial eligibility/certify
         2. Recertification
         3. Investigation
         4. Surveillance
         5. Employment
         6. Credit
         7. Training
         8. Payment
         9. Induction
        10. Other (SPECIFY.)
        11. Do not know








                                                                      SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM
         (QUESTION 13 CONTINUED)                                         1        2        3        4        5        6        7        8        9       10

         13.   Which of the following organizations                    1)      6;
               have access (automated or manual) to                    2)      25
               information in this system?  (ENTER                     3)      71
               ALL CODES THAT APPLY.)                                  4)      l!
                                                                       5)      44
                                                                       6)      11
                                                                       7)       I
                   for what purpose?  (ENTER                           8)      si
                   ALL THAT APPLY.)                                    9)
                                                                      10)      6:
                   1. To determine initial                            11)      31
                      eligibility/certify
                   2. Recertification
                   3. Investigation
                   4. Surveillance
                   5. Employment
                   6. Credit
                   7. Training
                   8. Payment
                   9. Induction
                  10. Other (SPECIFY.)
                  11. Do not know

                   for what purpose?  (ENTER                          :;       ::
                   ALL CODES THAT APPLY.)                             3)       57
                                                                      6)       13
                   1. To determine initial                            5)       43
                      eligibility/certify                             6)       13
                   2. Recertification
                   3. Investigation                                   i:       3:
                   4. Surveillance                                    0)        0
                   5. Employment                                     10)       69
                   6. Credit                                         11)       46
                   7. Training
                   8. Payment
                   9. Induction
                  10. Other (SPECIFY.)
                  11. Do not know


                                                                      SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM
     (QUESTION 13 CONTINUED)                                             1        2        3        4        5        6        7        8        9       10

     13.   Which of the following organizations                                 21
           have access (automated or manual) to                       :;         3
           information in this system?  (ENTER                        3)         t
           ALL CODES THAT APPLY.)
                                                                      5";       2:
           f.    Educational institutions (private                    6)         6
                 and public):
                                                                      x;        1':
                 for what purpose?  (ENTER                            9)         0
                 ALL CODES THAT APPLY.)                               10)       49
                                                                      10        49
                 1.    To determine initial
                       eligibility/certify
                 2.    Recertification
                 3.    Investigation
                 4.    Surveillance
                 5.    Employment
                 6.    Credit
                 7.    Training
                 8.    Payment
                 9.    Induction
                10.    Other (SPECIFY.)
                11.    Do not know

           g.    Private sector (e.g., banks,
                 physicians, employers, credit                              66
                 bureaus, etc.)  (SPECIFY.)                           ::    12
                                                                      3)    14
                 for what purpose?  (ENTER ALL
                 CODES THAT APPLY.)

                 1.    To determine initial
                       eligibility/certify
                 2.    Recertification                                9)     0
                 3.    Investigation                                  10)   69
                 4.    Surveillance                                   11)   42
                 5.    Employment
                 6.    Credit
                 7.    Training
                 8.    Payment
                 9.    Induction
                10.    Other (SPECIFY.)
                11.    Do not know
                                                                      SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM
                                                                         1        2        3        4        5        6        7        8        9       10

14.   In what form, if at all, is the
      information from this database                                 700
      released?  (ENTER ALL CODES THAT                   :;          411
      APPLY.)                                            3)           JE
                                                         4)          164
      1.   Hard copy
      2.   Electronic (e.g., floppy disk,
           tape, etc.)
      3.   Other (SPECIFY.)
      4.   Cannot be released

15.   How does your agency accept requests               1)          365
      for the release of information from                            750
      this system?  (ENTER ALL CODES THAT                ::          230
      APPLY.)                                                        110
                                                         :;           19
      1.   In person
      2.   Written request
      3.   Telephone
      4.   Electronic (e.g., floppy disk,
           tape, etc.)
      5.   Other (SPECIFY.)

16.   Through which of the following kind                A1)         254
      of network (i.e., parts A-E below) is              A2)         637
      this system accessed?  (ENTER ALL
      CODES THAT APPLY.)

      A.   Public-switch network (i.e., AT&T,
           Sprint, and MCI):  (ENTER CODE.)

           1.      yes
           2.      no

      B.   Other commercial network (e.g.,
           Tymnet, Telenet, etc.):  (ENTER
           CODE.)

           1.      yes
           2.      no                                    B1)         258
                                                         B2)         627




                                                                      SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM
(QUESTION 16 CONTINUED)                                                  1        2        3        4        5        6        7        8        9       10

16.   Through which of the following kind
      of network is this system accessed?                      C          47
      (ENTER ALL CODES THAT APPLY.)                            C ::       36
                                                               C,3)         1
      C.    Local area network:                                C 4)        2
                                                               C
            Agencies or parties operating                         2
            network  (ENTER ALL CODES                          I ,I)        1
            THAT APPLY.)

            1.   System is not accessed via
                 local area networks  (GO TO
                 QUESTION 16D.)
            2.   Own agency
            3.   Another federal agency
            4.   Contractor (not state or local
                 government)
            5.   Grantee (not state or local
                 government)
            6.   State or local government
            7.   Other (SPECIFY.)

                                                               II 1)       45
                                                                           29
            Agencies or parties operating                      i :;         3
            network.  (ENTER ALL CODES                           4)         9
            THAT APPLY.)                                       : 5)
                                                               D 6)
            1.   System is not accessed via                    D 7)         1
                 private network using leased
                 lines  (GO TO QUESTION 16E.)
            2.   Own agency
            3.   Another federal agency
            4.   Contractor (not state or local
                 government)


            6.   State or local government
            7.   Other (SPECIFY.)
                                                                      SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM
(QUESTION 16 CONTINUED)                                                  1        2        3        4        5        6        7        8        9       10

16.   Through which of the following kind
      of network is this system accessed?                            ;;       ;
      (ENTER ALL CODES THAT APPLY.)                                  3)

      E.    Private network using government-                        ::
            owned facilities:                                        6)
                                                                     7)
            Agencies or parties operating
            network.  (ENTER ALL CODES
            THAT APPLY.)

            1.   System is not accessed via
                 private network using
                 government-owned facilities  (GO
                 TO QUESTION 17.)

            3.   Another federal agency
            4.   Contractor (not state or local
                 government)
            5.   Grantee (not state or local
                 government)
            6.   State or local government
            7.   Other (SPECIFY.)

17.   For which of the following is there
      authorized access via dial-up?                                 1        3
      (ENTER ALL CODES THAT APPLY.)                                  15
                                                                     1
      1.   Systems programs (i.e., software                                   :
           used in the operating system)                             ;
      2.   Applications
      3.   Diagnostics (e.g., diagnostics to
           identify a system problem)
      4.   Routine or general maintenance
      5.   Other (SPECIFY.)

                                                                      SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM
                                                                         1        2        3        4        5        6        7        8        9       10

18.   What restrictions are imposed on                                420
      individuals with authorized dial-up                    :;        327
      access to the system?  (ENTER ALL                      3)        325
      CODES THAT APPLY.)                                     4)        316
                                                             5)
      1.   Ability to read personal data                     6)        3::
      2.   Modify personal data
      3.   Add personal data
      4.   Delete personal data
      5.   Other (SPECIFY.)
      6.   Not applicable

19.   What controls are in place to protect                  A1)            060
      the information maintained in your                     A2)            406
      computerized systems against                           A3)            219
      alteration and unauthorized access?                    A4)            601
      (See OMB's guidance for preparing and                  A5)               5
      submitting agency security plans, OMB
      Bulletin No. 88-16, July 6, 1988.)
      (ENTER ALL CODES THAT APPLY.)

      A.   MANAGEMENT CONTROLS:

           1.   Assignment of security
                responsibility
           2.   Documented risk assessment
           3.   Undocumented risk assessment
           4.   Personnel screening
           5.   None of the above management
                controls are in place

      B.   DEVELOPMENT CONTROLS:

           1.   Security specifications
           2.   Design review and testing
           3.   Certification
           4.   None of the above development
                controls are in place


                                                                               SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM
    (QUESTION 19 CONTINUED)                                                       2        3        4        5        6        7        8

    19.   What controls are in place to protect
          the information maintained in your
          computerized systems against
          alteration and unauthorized access?
          (See OMB's guidance for preparing and
          submitting agency security plans, OMB
          Bulletin No. 88-16, July 6, 1988.)
          (ENTER ALL CODES THAT APPLY.)

          C.     OPERATIONAL CONTROLS:

                 1.    Production, input/output
                       controls
                 2.    Contingency planning
                 3.    Audit and variance detection
                 4.    Software maintenance control
                 5.    Documentation
                 6.    None of the above operational
                       controls are in place

          D.     SECURITY AWARENESS AND TRAINING:


                 2.    Security awareness and training
                       measures not in place

          E.     TECHNICAL CONTROLS:

                 1.    User authentication
                 2.    Access controls
                 3.    Data integrity controls
                 4.    Audit trails
                 5.    None of the above technical
                       controls are in place

          F.     SUPPORT SYSTEM SECURITY MEASURES
                 (i.e., physical or facilities
                 security control)

                 1.    Activity monitoring
                 2.    Security measures for support
                       systems




                                                                      SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM   SYSTEM
                                                                         1        2        3        4        5        6        7

20.   For those controls that are not in                   0                  j
      place, please indicate which of the                               ii’
      following, if any, are reasons they                  :;              3(
      are not in place.  (ENTER ALL CODES                  6)
      THAT APPLY.)                                         5)            ti
                                                           6)           52:
      1.   Budget constraints
      2.   Risk assessment indicated controls
           were not necessary
      3.   Difficulty in hiring qualified
           employees
      4.   Lack of adequate guidance
      5.   Other (SPECIFY.)
      6.   Not applicable



 Please respond to the following questions for all of your agency's systems containing
 personal information.
 21. Did your agency participate in computer matching activities with another agency as a (A)
     matching agency (the agency performing the match) or (B) source agency (the agency
     disclosing records to the matching agency for use in the match) at any time during
     fiscal years (FYs) 1988 and 1989? Computer matching is defined as the computerized
     comparison of two or more automated lists or files to identify inconsistencies or
     irregularities among the lists or files. (CHECK YES OR NO FOR EACH YEAR.)

                                 (A)                     (B)
                           AS A MATCHING             AS A SOURCE
                              AGENCY?                  AGENCY?
                            YES     NO               YES     NO
                  FY 1988   [31]   [117]             [35]   [112]
                  FY 1989   [31]   [116]             [35]   [I=1
                                   (IF NO TO (A) AND (B), GO TO QUESTION 32.)


 22. For each purpose listed below, please estimate to the extent available the
     number of j + saera raqggy (including federal, state, and local agencies)
     computer matches in which your agency participated during FY 1988 and
     FY 1989. We recognize that intra-agency (within your agency component)
     matches are not covered by the Computer Matching and Privacy Protection
     Act of 1988. However, if possible, please include the number for
     intra-agency matches in your calculations. (ENTER '0' IF NONE.)

                                                            MATCHING        SOURCE
     1. Establishing or verifying eligibility
        for a federal program                                    681           442
     2. Recouping payments or delinquent debts                10,208        10,183
     3. Law enforcement                                    4,320,932         1,148
     4. Tax purposes                                          16,245     1,000,024
     5. Audit purposes                                            72         2,044
     6. Statutory mandate                                     10,037        10,004
     7. Aggregate statistical purposes (data
        produced does not include information
        that could be used to identify an
        individual)                                           16,099        20,055
     8. Research/statistical purposes (data
        may be produced and retained that could
        be used to identify an individual)                    16,073           570
     9. Other (SPECIFY.)                                       3,471       112,373

        GRAND TOTAL                                        4,393,818     1,156,843


    23. Of the computer matches by your agency in FY 1988 and FY 1989, what
        percent of the matches involved your

               0% - 19 agencies
        1% to 80% - 15 agencies
             100% - 11 agencies

        1 agency did not know the percentage

    24. How many computer matches did your agency conduct during FY 1988 and
        FY 1989 when all the information used had been auedgi by your
        agency? (~ m-1

        (1)     575.219 Matches in FY 1988
        (2)   1,185.209 Matches in FY 1989
        (3) locQmtma.inbmktrtainrecprds on intra-mmatchee

                                                                   25. When participating in computer
                                                                       matches during FY 1988 and FY 1989,
                                                                       w~-~yauEtgancy~
                                                                       information and (2) from what sources
                                                                       did your agency receive/access
                                                                       information? (CHECK ALL THAT APPLY.)

                                                                                                         Your Agency
                                                                                                         Received/
                                                                                                         Information
                                                                       Organization                      From
                                                                                                            (2)

                                                                       1. Another
                                                                          office/          18               15
                                                                            wx
                                                                            w

                                                                       2. Another
                                                                          federal          35               33
                                                                          agency
                                                                       3. State            16               14

                                                                       4. Local            5                 6
                                                                          agency
                                                                    5. Private
                                                                         oqaniza-       14                5
                                                                         tion
                                                                          u-m
                                                                         upw
                                                                         five
                                                                    as-ET2
                                                                    2*
                                                                    3.
                                                                    5.
                                                                                    1             I
                                                                    6. ullm
                                                                       (SPFXXFY)         1                1








26. In addition to your notice of computer matches in the Federal Register,
    how often, if ever, does your agency provide separate written
    notification to subject individuals that they are involved in a
    computer match? (CHECK ONE.)

    1. [13] Always or almost always
    2. [ 2] Most of the time
    3. [ 1] About half the time
    4. [ 1] Sometimes
    5. [28] Never or almost never (GO TO QUESTION 28.)

27. When individuals are advised that their [illegible] following
    information is provided to the subject individual? (CHECK ALL THAT
    APPLY.)

    1. [14] The purpose of the match
    2. [ 2] When and how often the matches will [illegible]
    3. [ 8] What information will be matched
    4. [ 9] How the matched information will be used
    5. [ 4] Other (SPECIFY.)

28. Does your agency verify data produced from a 'hit'? (CHECK ONE.)

    1. [31] Yes (GO TO QUESTION 29.)
    2. [14] No (GO TO QUESTION 30.)

29. What are your agency's steps and procedures for verifying data produced
    from a 'hit'? (CHECK ALL THAT APPLY.)

    1. [21] Asking the subject individual
    2. [19] Tracing the computer output to the original document
    3. [20] [illegible] independent investigation and confirmation
    4. [ 4] Other (SPECIFY.)

30. How many individuals have been adversely affected (e.g., denied
    benefits, indicted, etc.) as a result of a computer match initiated by
    your agency [illegible] FY 1988 and FY 1989?

    (1) 3,611,67L individuals in FY 1988
    (2) j.624.984 individuals in FY 1989

31. Has your agency developed an appeals process for individuals/
    institutions who have been adversely affected as the result of a 'hit'?
    (CHECK ONE.)

    1. [20] Yes
    2. [23] No

32. Has your agency used computerized front-end verification during fiscal
    years 1988 and 1989 when individuals applied for federal programs,
    benefits, employment or services? Front-end verification is the
    certification of the accuracy and authenticity of information supplied
    by an applicant that is checked against similar information held in a
    computerized database, generally of a third party. (CHECK ONE.)

    1. [ 28] Yes
    2. [117] No








THIRD PARTY INFORMATION AND [illegible]

33. Does your agency collect in electronic form (all electronic or optical
    media and on-line access) from third party [illegible] (e.g., credit
    bureaus, death records, Division of Motor Vehicles) any information
    from which you can identify individuals? (CHECK ONE.)

    1. [ 36] Yes (GO TO QUESTION 34.)
    2. [113] No (GO TO QUESTION 37.)

34. From what sources does your agency collect this information? (CHECK ALL
    THAT APPLY.)

    1. [11] Credit bureaus
    2. [U]  Division of Motor Vehicles
    3. [ 5] Educational institutions
    4. [10] Law enforcement agencies
    5. [ 6] Court reviews
    6. [ 2] Insurance bureaus
    7. [ 5] Bureau of Vital Statistics
    8. [23] Other (SPECIFY.)

35. For what purpose was this information collected? (CHECK ALL THAT APPLY.)

    1. [12] Enforcement
    2. [13] Debt collection
    3. [10] Pre[illegible]g
    4. [ 9] Denial of benefits
    5. [22] Other (SPECIFY.)

36. What are your agency's procedures for assuring the accuracy of this
    information? (CHECK ALL THAT APPLY.)

    1. [13] Comparison with other federal agencies' records
    2. [12] Validation checks with sources other than federal agencies
    3. [25] Validation checks with subject individuals
    4. [15] Comparison with source
    5. [ 5] Other (SPECIFY.)

37. Does your agency use computer p[illegible] to develop generic profiles
    of types of individuals or categories of individuals? [illegible]
    profiling is the searching of a record system for a specified
    combination of data elements, i.e., the profile. For example, a profile
    could describe the characteristics of persons more likely to
    misrepresent information in order to receive federal aid or benefits.
    (CHECK ONE.)

    1. [ 37] Yes (GO TO QUESTION 38.)
    2. [113] No (GO TO QUESTION 42.)








38. What types of information are developed in the profile? (CHECK ALL THAT
    APPLY.)

     1. [13] Health/medical
     2. [10] Investigative
     3. [18] Education
     4. [ 1] Housing assistance
     5. [ 1] Public [illegible]
     6. [ 7] Tax information
     7. [ 9] Social security
     8. [14] [illegible]
     9. [ 9] Financial
    10. [ 8] Military history
    11. [15] Residence (address)
    12. [30] Demographic (e.g., age, sex, [illegible], etc.)
    13. [ 4] Property (e.g., real estate, personal, etc.)
    14. [16] Occupational/regulatory (e.g., personnel pay, pilot
             certification, etc.)
    15. [ 6] Law enforcement
    16. [ 6] Other (SPECIFY.)

39. If your agency develops generic profiles, please describe below the
    types of profiling your agency performs (e.g., categories of taxpayers
    more likely to be under[illegible] taxable income or types of people
    more likely to be engaging in illegal drug activity).

    30 agencies commented.
     7 agencies did not comment.

40. What are the sources of input data for your agency's generic profiles?
    (CHECK ALL THAT APPLY.)

    1. [35] [illegible] agency
    2. [ 8] Federal agencies
    3. [ 7] State or local government
    4. [ 2] Organization or association
    5. [ 5] Other (SPECIFY.)

41. For what uses does your agency develop profiles? (CHECK ALL THAT APPLY.)

    1. [23] Program management analyses
    2. [11] Scientific research
    3. [18] Planning
    4. [ 2] Surveillance
    5. [10] Screening
    6. [12] Investigation
    7. [14] Other (SPECIFY.)








(Questions 42 thru 50, below, refer to the systems listed in question 3.)

42. During FY 1988 and FY 1989, did your [illegible] computer systems
    containing personal data (i.e., systems identified in question 3) based
    on the evaluation under the Federal Managers' Financial Integrity Act
    (FMFIA) of 1982? (CHECK ONE.)

43. Please provide copies of reports on security weaknesses in the systems
    identified in question 3 that your agency prepared under the FMFIA as
    well as those prepared by the President's Council on Integrity and
    Efficiency (PCIE), any agency report, and any consultant report for
    FY 1988 and FY 1989.

    [ 29] agencies provided reports
    [121] agencies did not

44. During FY 1988 and FY 1989, were there any incidents of unauthorized
    access or exceeding authorized access to personal [illegible]

    Exceeding authorized access is to access a computer with authorization
    and to use such access to read, obtain, or alter [illegible]
    information in the computer that the accessor is not entitled to access.

    1. [  6] Yes (GO TO QUESTION 45.)
    2. [135] No (GO TO QUESTION 48.)
    3. [  8] Do not know (GO TO QUESTION 48.)

    [illegible] in FY 1988 and FY 1989 in these systems? (ENTER [illegible])

    2. [ 4] [illegible]
       [ 4] Conf[illegible]
    3. [ 2] Destruction of computer file
    4. [ 1] Denial of services
    5. [ 1] Other (SPECIFY.)

47. Please describe [illegible] examples of the incidents that have
    [illegible] in these systems since October 1987.

    5 agencies commented.
    1 agency did not comment.








                                                            Moderate         Great          Very Great
                                     (2)          (3)             (4)           (5)           (6)
1                                    48           75          39             27                   8
2
                                     33           42          33                18                3

                                     77           39          38                 6                4


                                    170           91          39                11                1




6
                                    181
                                     73       1 117
                                                 83     j     ::        /    ::           1       :

                                     88          200          97             65               10


                                     26            3              0              0                0

                                     47            8              3                  0            0








49. Consider the problems, if any, that were indicated above. In your
    opinion, what are the three most significant problems in your agency?
    (ENTER CODE FROM QUESTION 48; FOR EXAMPLE, '[illegible] OF DATA' IS
    CODE '1'.)

    1.   7   Most significant problem (Insufficient staff/resources)

    2.   4   Second most significant problem (Quality of data supplied by
             the subject individual or third party)

    3.   5   Third most significant problem (Software and [illegible])

    4.  52   had no significant problems

50. Please elaborate on the problems that you ranked [illegible]. (Use
    additional paper, if necessary.)

    81 agencies commented.
    69 agencies did not comment.

51. If you have any comments that you would like to make about the
    questionnaire or computer security in general, please provide them
    below.

     42 agencies commented.
    108 agencies did not comment.

52. [illegible] PLEASE [illegible] COPIES OF FMFIA, PCIE, AGENCY AND
    CONSULTANT REPORTS FOR FISCAL YEARS 1988 AND 1989 (QUESTION 43.)








[illegible] - the computerized comparison of two or more automated lists or
files of [illegible] information to identify inconsistencies or
irregularities among the lists or files.

[illegible] - searching a record system (or record systems) for a specified
combination of data elements, i.e., the profile (e.g., types of people more
likely to be engaging in illegal drug activity).

Computer [illegible] - any [illegible] system or subsystems of equipment
that is used in the automatic acquisition, storage, manipulation,
management, movement, control, display, switching, interchange,
transmission, or reception, of data or information. This includes
computers; ancillary equipment; software, firmware, and similar procedures;
services, including support services; and related resources.

Exceeding authorized access - to access a computer with authorization and
to use such access to read, obtain, or alter [illegible] information in the
computer that the accessor is not entitled to access.

Hit - one or more data elements in two or more automated files that appear
to be identical or similar when compared (e.g., name, social security
number, address, date of birth, and the like).

Network - the composition of a communications medium and all attached
components for transferring information. Such components may include, but
are not limited to, hosts, communication circuits, packet switches,
telecommunications controllers, key distribution centers, access control
centers, technical control devices, and other components used by the
network.

[illegible] system - a federal agency, contractor of a federal agency, or
other organization that processes information using a computer system on
behalf of the federal government to accomplish a federal function.

[illegible] - any type of information on an individual.

[illegible] identifier - the name of an individual, or some identifying
number (e.g., social security number), symbol, or other identifying
particular assigned to the individual.




Appendix IV
Major Contributors to This Report

Information Management and Technology Division, Washington, D.C.
    Linda D. Koontz, Assistant Director
    Jerilynn B. Hoy, Assignment Manager
    Mary T. Brewer, Evaluator-in-Charge
    Araceli Contreras, Evaluator

Boston Regional Office
    James S. Jorritsma, Regional Assignment Manager
    C. Jeff Appel, Senior Evaluator
    Elizabeth Q. iacar, Evaluator
    Susan Wong, Evaluator

Human Resources Division, Washington, D.C.
    Luann M. Moy, Social Scientist








Telephone 202-275-8241

There is a 25% discount on orders for 100 or more copies mailed to a
single address.