Over at choof.org, my friend Chris Hoofnagle (Director, Electronic Privacy Information Center West Coast Office) points out a rather unusual new government database consisting of lactating mothers participating in the “Workplace Lactation Program.” This database is regulated by the Privacy Act of 1974, which requires that the government provide notice in the Federal Register about its plans for the database and how the data will be used. According to the notice, the data will include the “[p]articipant’s name, employing office and office symbol, work and home telephone numbers, signed agreement forms, dates and times of lactation room use, and physician’s approval slips and forms (if applicable).”
One major problem in the Privacy Act area is that agencies use the “routine use” exception to allow information sharing. The idea is that the Privacy Act shouldn’t prohibit ordinary use of data in government database, which on its face is reasonable. But the agencies have abused the exception, and now assert a series of “routine uses” over every database.
In this case, DOD has applied its “Blanket Routine Uses” to the lactation database. This means that information from the lactation database can be transferred to others for the following reasons:
- Law enforcement.
- To other agencies when DOD requesting information in order to engage in hiring and firing decisions.
- To other agencies when requested for a variety of government decision making.
- To Congress in response to Member inquiries.
- To foreign law enforcement.
- To state and local taxing authorities.
- To the Office of Personnel Management for pay, leave, and benefits administration.
- To the Department of Justice for litigation.
- To military banking facilities.
- To the General Services Administration for records management inspections.
- To the National Archives and Records Administration.
- To the Merit Systems Protection Board.
- To almost any entity for national security purposes.
This example demonstrates just how ridiculous the use of data in government has become. Why the need to share this data in all these ways? Does the government really need to reserve so many potential uses of the milk data? This is an illustration of how the Privacy Act, designed to provide limits on how the government can collect, use, and share personal data, is not working very well. There must be better limits on how the government can use the data it milks and milk the data it has.
Another problem with the Privacy Act is that it has failed to limit the use of Social Security numbers. Restricting the increasing use of Social Security numbers was one of the primary reasons for the passage of the Privacy Act. The Act sure hasn’t worked. The reason is because although the Privacy Act originally would have restricted the private sector use of Social Security numbers, this part was cut from the final version. Now virtually every business and organization under the sun will squeeze people for their Social Security numbers, and companies can trade and sell them. Sometimes spilt milk is worth crying over.
In short, in many respects, the Privacy Act is quite close to a paper tiger . . . or perhaps, more aptly put, an empty milk carton.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.