Wilshusen's testimony also mentioned two headline-grabbing healthcare industry breaches—the Utah health department's breach involving 780,000 records and a breach involving Blue Cross and Blue Shield of Tennessee affecting more than one million.
"Incidents such as these illustrate that sensitive personally identifiable information remains at risk and that improved protections are needed," Wilshusen said.
As a potential remedy, Wilshusen proposed that Congress consider amending the Privacy Act of 1974 and the E-Government Act of 2002, which limit the use of personally identifiable information to a stated purpose, and revising the scope of the laws "to cover all personally identifiable information collected, used and maintained by the federal government."
The Privacy Act protections are based on the Fair Information Practices principles developed by HHS' precursor in 1972 that also underlie the privacy laws and policies in the European Union, Australia and New Zealand, Wilshusen said. They include a limitation that individually identifiable information collected for one purpose should not be used for another without the individual's consent.
The Privacy Act defines a record as an item maintained by a government agency and a "system of records" as a group of records under the control of an agency that can be retrieved by a person's name or identifier.
The act affords individuals certain rights. First, they must be notified via the Federal Register that a record-keeping system is being created and of the intended routine uses of the information being collected. The law generally allows an individual to review their records, make copies of them and make corrections to them.
The E-Government Act requires the government to conduct privacy impact assessments, or PIAs, of how individuals' information is being collected, stored and used.
A subsection of the E-Government Act, the Federal Information Security Management Act of 2002, requires agencies to provide information-security protections commensurate with the risk and potential harm that would be created by unauthorized access to information.
But while these protections apply to government-run databases, the government also uses many newer commercial Web-based technologies, such as wikis, blogs, video-sharing sites and social media, that are not directly under government control.
These technological developments since the Privacy Act and E-Commerce Act were adopted "have radically changed the way information is organized and shared," rendering portions of the two privacy laws "inadequate to fully protect all personally identifiable information collected, used and maintained by the federal government," the GAO official said.
"For example," Wilshusen said, "if agencies do not retrieve personal information by identifier, as may occur in data-mining systems, the act's protections do not apply."
Five federal agencies—unnamed by the GAO—have not provided evidence that they have updated their privacy policies, and four have not documented that they performed the required privacy impact assessments, according to Wilshusen's testimony.