Government Databases

The government holds a massive amount of personal information from many sources. Usually, individuals provide information to the government for one reason, like boarding an airplane or getting a background check. However, agencies across the federal government, local law enforcement, and private contractors often end up with access to sensitive government databases. Government databases create threats to privacy by allowing excessive surveillance and exposing sensitive information to hackers.

EPIC works to determine how the government is collecting and compiling information into databases and how those databases are disseminated inside and between government agencies. EPIC aims to cabin information collection to the minimum necessary, limit access to databases of sensitive information, and promote greater transparency. EPIC also pushes the government to adopt strong cybersecurity practices to safeguard sensitive data.

Databases Contain a Lot of Sensitive Information

Almost all information collected by the government is stored in electronic databases. Many of these are law enforcement databases that pull together all sorts of information about individuals. Everyone in the US is included in some kind of government database. The types of information stored in government databases includes:

• Biographical information – names, addresses, birthdays, social security numbers;
• Biometric information – fingerprints, facial recognition images, DNA, iris scans;
• Immigration Information – travel records, detailed files submitted by immigrants;
• Law Enforcement Investigations – phone records, friendships and family relationships, forensic information, unsubstantiated accusations;
• Intelligence Information – information gained by covert operations.

Agencies like the Department of Homeland Security collect so much information, from so many different sources, that the way they put that information together has substantial impacts on privacy. When agencies link databases together and allow free flows of information the risk of privacy harms is magnified. Combining data points and different types of information, can reveal the details of a persons’ life that any one piece of information, or even one database, could not.

Often non-federal employees are given access to federal databases when they serve as government contractors. Giving access to contractors is particularly risky because they are subject to even less oversight then government agencies.

The Privacy Act Is Supposed to Protect Information in Government Databases

The Privacy Act of 1974 lays out a set of fair information practices that federal agencies are supposed to follow when putting personal information in electronic databases. Under the Privacy Act federal agencies must:

• Publish information on all systems that hold personal information in the Federal Register;
• Give an individual access to records the agency has about them;
• Have one of 12 identified conditions to disclose information about an individual;
• Minimize the amount of information collected to “relevant and necessary”
• Not keep records of individuals performing First Amendment activity without other authorization.

Similarly the E-Government Act of 2002 requires agencies to perform a Privacy Impact Assessment before any new collection of personal information

The Privacy Act and E-Government Act were meant to provide substantive protections to individuals by limiting when agencies can collect information and requiring careful consideration of the risks involved. However, agencies often rubberstamp dangerous privacy practices by performing rote impact assessments and exempting databases from many of the protections of the Privacy Act.

Government Databases are Regularly Breached

The federal government records hundreds of data breach incidents every year. Data breaches occur when information is exposed when it shouldn’t be. That includes hacks, accidentally posting information online, and accidentally providing the wrong people with access to a database. Any way it happens, a breach can lead to people’s sensitive personal information being posted on the internet or put up for sale on the dark web. Data breaches occur in every branch of government, and nearly every agency. Most data breaches are small, but an alarming number are large and cover sensitive personal information.

In recent years the most serious data breaches have revealed social security numbers, facial recognition templates, fingerprints, biographical information like names and addresses. The biggest data breaches reveal information from millions of people. A 2018 data breach at the Postal Service exposed 60 million people to potential identity theft or surveillance. Similarly in 2015, the Office of Personnel Management lost more than 22 million records on individuals including security clearance information, fingerprints, and personal data.

EPIC’s Work

EPIC regularly comments on System of Record Notices and other proposed rulemakings that would allow federal agencies to keep more records in databases. EPIC urges agencies to strictly comply with the Fair Information Practices, minimize the amount of information stored in databases, perform regular privacy audits, increase cybersecurity protections, and limit access by other federal agencies or government contractors. Certain types of information, like biometrics, should generally not be stored in databases where they may be subject to data breach.

EPIC also uses the Freedom of Information Act and other investigative tools to understand how personal data flows through the federal government, determining who has access.