Work with federal information systems? Responsible for risk management, continuous monitoring, or FISMA compliance? Check out my book: FISMA and the Risk Management Framework.

Wednesday, August 4, 2010

Airline use of personal data on passengers likely not constrained by Privacy Act

A recent article on potentially troubling privacy practices by U.S. airlines posted on The Washington Post online highlights (unfortunately somewhat erroneously) some of the key differences in rules about personal data collection and use that apply to federal agencies versus those that cover commercial organizations like air carriers.  To comply with the information gathering requirements of the Transportation Security Administration's Secure Flight program, the airlines last fall began collecting the date of birth and gender of passengers, in addition to requiring that passenger name information on tickets exactly match the way names are represented on whatever official means of identification the passengers present for airport security screening.  In the Post article, the author speculated after receiving a birthday card from an airline on which he travels frequently that the airline was reusing the data it collected for Secure Flight on behalf of the government for marketing purposes.  In this case, it turns out that the airline had separately requested date of birth information from travelers through its frequent flier program, but the experience still prompted the question of just how the additional personal information being collected by the airlines could, or could not, be used for other purposes.

From a legal standpoint, the key issue is who collected the data from the passenger and for what purpose (and under whose authority) the data was originally collected.  Generally speaking, federal agencies that collect personal information from U.S. citizens or legally resident aliens are required under the terms of the Privacy Act of 1974 to publicize the type of data to be collected and its intended purpose for use, and not to use the data for any other purpose beyond what was stated at the time of collection, unless they first obtain consent from the individuals whose information they hold.  Commercial entities are not subject to the terms of the Privacy Act, unless the data collection they perform is done on behalf of the government.  This means that in the case of Secure Flight, if the airlines only collect the information the TSA requires in order to give it to the government, the data collection falls under the Privacy Act and the airlines could not re-purpose the data for some other use, arguably even for customer service.  However, if (as in the case of Southwest Airlines mentioned in the article) the airline already has the relevant information from passengers, the Privacy Act would not apply and the company would be held accountable only for complying with the terms of its own privacy practices, as regulated by the Federal Trade Commission under the unfair and deceptive practices section of the FTC Act.  For instance, several years ago, when it came to light that several airlines had provided actual passenger data to the government in association with a program developing an anti-terrorist passenger screening system, the actions by contractors working for the TSA, NASA, and other participating agencies were investigated as possible violations of the Privacy Act, but legal complaints (ultimately dismissed) lodged against the airlines who provided the data charged only that they had acted contrary to their own published privacy practices.

The Post online article cites a security industry executive who suggests that irrespective of TSA's information gathering requirements for Secure Flight, the airlines are bound by FISMA, the Privacy Act, and other federal laws. This simply isn't true, as these laws apply only to federal government agencies, and "agency" in these laws is defined to mean only those that are part of executive branch (e.g., Congress is not covered by FISMA).  The actual accountability here depends very much on whether the airline is collecting data for its own purposes or whether it does so on behalf of the TSA or some other government agency.  If the former situation applies, then once the airlines have the data on hand, they are legally permitted to use it in just about any way they wish (including selling it to third parties), although any anticipated possible uses of personal data on passengers should be included in their privacy policies.

No comments:

Post a Comment