Response to OMB Request for Information: Executive Branch Agency Handling of Commercially Available Information Containing Personally Identifiable Information
December 16, 2024
Richard L. Revesz
Administrator
Office of Information and Regulatory Affairs
Office of Management and Budget
725 17th Street, NW
Washington, DC 20503
Submitted electronically via www.regulations.gov
RE: Response to OMB Request for Information: Executive Branch Agency Handling of Commercially Available Information Containing Personally Identifiable Information
Dear Administrator Revesz,
On behalf of The Leadership Conference on Civil and Human Rights (The Leadership Conference)[i] and its Center for Civil Rights and Technology, we write in response to the Office of Management and Budget’s (OMB’s) “Request for Information (RFI) on Agency Handling of Commercially Available Information Containing Personally Identifiable Information.”[ii] These comments focus on the use of data by agencies in AI systems and our concerns about potential biased results. We anticipate that other organizations will submit filings addressing broader privacy concerns related to the use of commercial data, including the need for data minimization.
We commend OMB for recognizing the impact that federal agency collection, processing, maintenance, use, sharing, dissemination, and disposition of commercially available information containing personally identifiable information can have on people. The work of our federal agencies affects the lives of people every day. Because AI, by its very nature, is dependent on data, agency data practices are critical to ensuring that emerging technology tools are consistent with our democratic values centered on civil rights and liberties and the protection of privacy. These concerns also exist when data are procured from data brokers.
Concerns about the use of data, and discussion of needed protections, are not new.
A decade ago, The Leadership Conference and its coalition partners published Civil Rights Principles for the Era of Big Data. Those principles remain relevant today:
Stop High-Tech Profiling: New surveillance tools and data gathering techniques that can assemble detailed information about any person or group create a heightened risk of profiling and discrimination. Clear limitations and robust audit mechanisms are necessary to ensure that if these tools are used, they are used in a responsible and equitable way.
Ensure Fairness in Automated Decisions: Computerized decisionmaking in areas such as employment, health, education, and lending must be judged by its impact on real people, must operate fairly for all communities, and in particular must protect the interests of those who are disadvantaged or who have historically been the subject of discrimination. Systems that are blind to the preexisting disparities faced by such communities can easily reach decisions that reinforce existing inequities. Independent review and other remedies may be necessary to assure that a system works fairly.
Preserve Constitutional Principles: Search warrants and other independent oversight of law enforcement are particularly important for communities of color and for religious and ethnic minorities, who often face disproportionate scrutiny. Government databases must not be allowed to undermine core legal protections, including those of privacy and freedom of association.
Enhance Individual Control of Personal Information: Personal information that is known to a corporation – such as the moment-to-moment record of a person’s movements or communications – can easily be used by companies and the government against vulnerable populations, including women, the formerly incarcerated, immigrants, religious minorities, the LGBTQI+ community, and young people. Individuals should have meaningful, flexible control over how a corporation gathers data from them, and how it uses and shares that data. Non-public information should not be disclosed to the government without judicial process.
Protect People from Inaccurate Data: Government and corporate databases must allow everyone – including the urban and rural poor, people with disabilities, seniors, and people who lack access to the Internet – to appropriately ensure the accuracy of personal information that is used to make important decisions about them. This requires disclosure of the underlying data, and the right to correct it when inaccurate.
More recently, advocates and labor leaders highlighted the critical guardrails needed when data are used to drive AI and related products, systems, and tools:
Need for safeguards: Civil rights must be protected in the face of harm caused by AI across sectors. This is a critical step in any design, development, and deployment process, not a hurdle to overcome.
Engagement with those who are impacted: Community engagement is needed. Those who are closest to the problems are also closest to the solutions.
Protect privacy: A strong comprehensive federal privacy law that includes civil rights safeguards is critical; privacy rights are civil rights.
Recognition of potential benefits: Positive use cases of AI can only occur if developers and deployers are intentional in ensuring AI is rights-preserving.
Taken together, these protections provide an important foundation for needed baseline protections and should be included in any federal privacy regime for agencies.
Biased, inaccurate, or inappropriate data used for AI can result in discriminatory outcomes.
People who face discrimination based on race, ethnicity, national origin, religion, sex, sexual orientation, gender identity, income, immigration status, or disability are more likely to be harmed by automated systems and often lack the resources to respond to harms when they occur. These harms are well documented and span numerous sectors, including housing, employment, financial services and credit, insurance, public health and health care, education, public accommodations, government benefits and services, and policing. The risk of these harms underscores the importance of strong protections.
In our comments to OMB on Privacy Impact Assessments earlier this year, we urged OMB to implement privacy safeguards for the information systems used by agencies and explained why such protections are imperative[iii]:
Black communities, Latino communities, and other communities who have been historically disadvantaged have a particularly strong interest in making sure that privacy impact assessments are done correctly, because they are disproportionately impacted by these harms. AI systems often rely on data sets that contain personally identifiable information, and the outputs can be tainted by historical bias, racial bias, or other social biases. The targets of AI systems, particularly surveillance-related systems, are often disproportionately from communities of color and other traditionally marginalized communities. The failure to meaningfully consider the impact of privacy-invasive systems and databases used by the government has eroded our civil liberties and civil rights. These consequences are compounded by the scale at which the federal government implements these systems and the fact that people often do not have a choice about the inclusion of their personal information or if the system is directed at them. To better address the privacy risks and the related civil liberties and civil rights risks with the information systems used by government agencies, agencies should implement the following recommendations.
Agencies can take measures to help ensure that data collection and use do not contribute to or cause bias in decisionmaking, and that government use of commercial data respects civil rights.
Data source evaluation: Agencies must thoroughly evaluate their sources of commercial data to ensure they are trustworthy, free from inherent biases, and fit for purpose. To do this, agencies should establish criteria for assessing data sources, including their collection methods, demographic representation, and historical accuracy. Agencies should take steps to ensure diversity in their datasets. The desired outcome of these actions is to reduce the risk of incorporating biased data into government systems from the beginning.
Bias detection and mitigation: Agencies must implement mechanisms for detecting and mitigating bias in commercial data to interrogate the veracity of the data sets used to create or train AI models. This can be done through statistical and other analytical techniques to identify and correct problems in datasets before they are used. In some instances, it may be effective to use algorithms to identify and correct biases. These measures can help ensure that data-driven decisions are fair and equitable.
Transparency and accountability: Agencies must be transparent about how they obtain and use commercial data and be accountable for the impact of using that data. One way an agency can provide transparency is by publishing reports on data usage, decision-making processes, and outcomes. Data practices should be audited regularly. These actions will help build public awareness and trust and hold agencies, and the companies providing data to them, accountable.
Protecting privacy: Agencies must safeguard the privacy of people’s data, including data in commercial datasets. This includes minimizing the data they obtain and use; adhering to existing policies, standards, and regulations; anonymizing data; and limiting access to sensitive information.
Ongoing monitoring and improvement: Agencies must continuously monitor their acquisition and use of commercial data for issues, including bias, and be responsive to feedback and new developments. To do this, agencies should consider implementing feedback mechanisms, conduct regular reviews, and update policies and practices as warranted. These measures will help ensure that data practices not only remain responsive to current developments but are also effective in preventing bias and discrimination. Agencies should provide training for staff responsible for data collection and use.
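As one illustration of the kind of statistical check described in the bias detection and mitigation measure above, the sketch below compares favorable-outcome rates across demographic groups in a dataset before it is used. The column names, the sample records, and the 0.8 ("four-fifths") threshold drawn from employment-discrimination practice are illustrative assumptions, not prescriptions for any particular agency system.

```python
# Minimal sketch of a statistical bias check: compare favorable-outcome
# rates across demographic groups in a dataset before it is used to train
# or drive an automated system. Field names are hypothetical.

def selection_rates(records, group_key, outcome_key):
    """Favorable-outcome rate for each demographic group in the records."""
    totals, favorable = {}, {}
    for r in records:
        g = r[group_key]
        totals[g] = totals.get(g, 0) + 1
        favorable[g] = favorable.get(g, 0) + (1 if r[outcome_key] else 0)
    return {g: favorable[g] / totals[g] for g in totals}

def disparate_impact_ratio(rates):
    """Ratio of the lowest group rate to the highest. Values below 0.8
    (the conventional four-fifths rule) are a red flag for review."""
    return min(rates.values()) / max(rates.values())

# Illustrative sample data only.
sample = [
    {"group": "A", "approved": True},
    {"group": "A", "approved": True},
    {"group": "A", "approved": False},
    {"group": "B", "approved": True},
    {"group": "B", "approved": False},
    {"group": "B", "approved": False},
]
rates = selection_rates(sample, "group", "approved")
ratio = disparate_impact_ratio(rates)
flagged = ratio < 0.8  # dataset warrants further bias review
```

A check like this identifies only one narrow form of disparity; agencies would pair such statistics with the broader evaluation, auditing, and community-engagement measures described above.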
Conclusion
Agencies must be intentional about their use of commercially available data, especially given the proliferation of AI and its use in agency decisionmaking. It is vital that the systems agencies use are not biased or discriminatory. We encourage agencies to adopt the measures described above to achieve fairer and more unbiased decisionmaking processes. Thank you for considering our views.
Sincerely,
Alejandra Montoya-Boyer
Senior Director, Center for Civil Rights and Technology
The Leadership Conference on Civil and Human Rights
[i] The Leadership Conference is a coalition charged by its diverse membership of more than 240 national organizations to promote and protect the civil and human rights of all persons in the United States. Through its membership and its Media/Telecommunications Task Force, The Leadership Conference works to ensure that civil and human rights, equal opportunity, and democratic participation are at the center of communication, public education, and technology policy debates. The Leadership Conference, as a coalition and through the Center on Civil Rights and Technology, is actively engaged in policy development to ensure civil rights remain at the center of the development and use of innovative technologies, especially where those technologies are rights- and safety-impacting.
[ii] Request for Information: Executive Branch Agency Handling of Commercially Available Information Containing Personally Identifiable Information, 89 FR 8351, October 16, 2024.
[iii] Coalition Comment to OMB on Privacy Impact Assessments, The Leadership Conference on Civil and Human Rights, April 1, 2024.