Summary: To obtain government services, members of the public must often provide agencies with personal information, which includes both identifying information (such as name or Social Security number, which can be used to locate to identify someone) and nonidentifying information (such as age or gender). GAO was asked to review agencies' handling of the personal information they collect and whether this handling conforms with federal law, regulation, and agency guidance.
GAO reviewed the processes used in handling personal information collected from the public forms at four different agencies--Agriculture, Education, Labor, State. These four agencies were chosen because their forms represent a range of characteristics, including the time needed to fill them out (the total paperwork burden hours) and the purpose of the information they collect. In reviewing these forms, GAO concentrated on four areas (information collection, privacy, security, and records management). Handling of personal information varied among the agencies studied. Overall, agencies collected a substantial amount of personal information of a wide variety of types, including personal identifying information (names and Social Security numbers) and demographic, financial, and legal data. Agency procedures for handling personal information collected were complex, involving numerous processes and a wide range of personnel with access to the information. The personal information collected was shared extensively with other federal agencies, other government entities (state, local, tribal and foreign), and private individuals and organizations through authorized procedures. The agencies generally complied with the key requirements and guidance pertaining to information collection, privacy, security, and records management. However, GAO identified isolated instances of forms that were not accurate or current; other forms did not contain the proper privacy notices.