The GAO reviewed data mining work at the Small Business Administration, the Department of Agriculture's Risk Management Agency (RMA), the Department of Treasury's Internal Revenue Service, the Department of State, and the Department of Justice's Federal Bureau of Investigation.
The agencies perform data mining for various purposes. For example, the IRS's Reveal system is used to detect evidence of financial crimes, fraud, and terrorist activity. The FBI Foreign Terrorist Tracking Task Force is designed to help law enforcement find foreign terrorists and their supporters in the U.S. The RMA effort is used to detect fraud and abuse in the Federal Crop Insurance Program.
"While the agencies responsible for these five efforts took many of the key steps required by federal law and executive branch guidance for the protection of personal information, none followed all key procedures," GAO analysts said in their report to Congress.
Most agencies notified the general public that they were collecting an dusing personal information, but not all provided the required notice to individual respondents explaining why information is being collected.
Three of the five agencies had prepared a privacy impact assessments of their data mining work, but none of the assessments fully complied with Office of Management and Budget guidance, according to the GAO.
The agencies under review had mixed responses to the report. While the USDA said it planned to address the concerns raised by the GAO, the General Services Administration generally disagreed, claiming the Privacy Act does not apply to its system and that it had taken appropriate steps to ensure data security. The Justice Department had no comment.