Privacy Decision Making in Administrative Agencies

Privacy and Security

Article Snapshot


Kenneth A. Bamberger and Deirdre Mulligan


Chicago Law Review, Vol. 75, Winter 2008


This paper looks at how administrative agencies make decisions affecting privacy.

Policy Relevance

Using formal legal processes to protect privacy has limited effect, because agencies have considerable autonomy. Consultation with privacy experts is helpful.

Main Points

  • Administrative agencies such as the Department of Defense increasingly rely on technology and collect data with serious implications for individual privacy. 
  • The E-Government Act of 2002 requires administrative agencies to publish privacy impact assessments (PIAs) when using new technology systems that include personally identifiable information.
  • Described in Office of Management and Budget (OMB) guidelines, the PIA should assess threats to individual privacy, alternative systems, note measures taken to reduce risks, and justify final choices.
  • Comparing the Department of State’s process for adding data chips to passports with the Department of Homeland Security’s process and other cases shows that privacy assessments across agencies are inconsistent in quality. OMB oversight has been limited, and there has been no judicial oversight.
    • Independent personnel with contacts to the privacy community, and oversight by a privacy committee lead to more effective assessment at DHS.

Get The Article

Find the full article online

Search for Full Article