Government Databases

The government holds a massive amount of personal information from many sources. Usually, individuals provide information to the government for one reason, like boarding an airplane or getting a background check. However, agencies across the federal government, local law enforcement, and private contractors often end up with access to sensitive government databases. Government databases create threats to privacy by allowing excessive surveillance and exposing sensitive information to hackers.

EPIC works to determine how the government is collecting and compiling information into databases and how those databases are disseminated inside and between government agencies. EPIC aims to cabin information collection to the minimum necessary, limit access to databases of sensitive information, and promote greater transparency. EPIC also pushes the government to adopt strong cybersecurity practices to safeguard sensitive data.

Databases Contain a Lot of Sensitive Information

Almost all information collected by the government is stored in electronic databases. Many of these are law enforcement databases that pull together all sorts of information about individuals. Everyone in the US is included in some kind of government database. The types of information stored in government databases includes:

• Biographical information – names, addresses, birthdays, social security numbers;
• Biometric information – fingerprints, facial recognition images, DNA, iris scans;
• Immigration Information – travel records, detailed files submitted by immigrants;
• Law Enforcement Investigations – phone records, friendships and family relationships, forensic information, unsubstantiated accusations;
• Intelligence Information – information gained by covert operations.

Agencies like the Department of Homeland Security collect so much information, from so many different sources, that the way they put that information together has substantial impacts on privacy. When agencies link databases together and allow free flows of information the risk of privacy harms is magnified. Combining data points and different types of information, can reveal the details of a persons’ life that any one piece of information, or even one database, could not.

Often non-federal employees are given access to federal databases when they serve as government contractors. Giving access to contractors is particularly risky because they are subject to even less oversight then government agencies.

The Privacy Act Is Supposed to Protect Information in Government Databases

The Privacy Act of 1974 lays out a set of fair information practices that federal agencies are supposed to follow when putting personal information in electronic databases. Under the Privacy Act federal agencies must:

• Publish information on all systems that hold personal information in the Federal Register;
• Give an individual access to records the agency has about them;
• Have one of 12 identified conditions to disclose information about an individual;
• Minimize the amount of information collected to “relevant and necessary”
• Not keep records of individuals performing First Amendment activity without other authorization.

Similarly the E-Government Act of 2002 requires agencies to perform a Privacy Impact Assessment before any new collection of personal information

The Privacy Act and E-Government Act were meant to provide substantive protections to individuals by limiting when agencies can collect information and requiring careful consideration of the risks involved. However, agencies often rubberstamp dangerous privacy practices by performing rote impact assessments and exempting databases from many of the protections of the Privacy Act.

Government Databases are Regularly Breached

The federal government records hundreds of data breach incidents every year. Data breaches occur when information is exposed when it shouldn’t be. That includes hacks, accidentally posting information online, and accidentally providing the wrong people with access to a database. Any way it happens, a breach can lead to people’s sensitive personal information being posted on the internet or put up for sale on the dark web. Data breaches occur in every branch of government, and nearly every agency. Most data breaches are small, but an alarming number are large and cover sensitive personal information.

In recent years the most serious data breaches have revealed social security numbers, facial recognition templates, fingerprints, biographical information like names and addresses. The biggest data breaches reveal information from millions of people. A 2018 data breach at the Postal Service exposed 60 million people to potential identity theft or surveillance. Similarly in 2015, the Office of Personnel Management lost more than 22 million records on individuals including security clearance information, fingerprints, and personal data.

EPIC’s Work

EPIC regularly comments on System of Record Notices and other proposed rulemakings that would allow federal agencies to keep more records in databases. EPIC urges agencies to strictly comply with the Fair Information Practices, minimize the amount of information stored in databases, perform regular privacy audits, increase cybersecurity protections, and limit access by other federal agencies or government contractors. Certain types of information, like biometrics, should generally not be stored in databases where they may be subject to data breach.

EPIC also uses the Freedom of Information Act and other investigative tools to understand how personal data flows through the federal government, determining who has access.

FIGHTING RECENT ABUSES OF FEDERAL DATABASES

In January 2025, on the day of his second inauguration, President Donald Trump signed an Executive Order standing up the Department of Government Efficiency (DOGE). On the Administration’s telling, the Elon Musk-led DOGE was created to address (broadly unsubstantiated) claims of fraud, waste, and abuse of government resources. But following its inception, DOGE and other Administration personnel unlawfully forced their way into sensitive databases across the federal government, including at agencies that provide critical services and handle vast stores of sensitive data. This includes the Treasury Department, the Internal Revenue Service, the Office of Personnel Management, the Department of Education, the Social Security Administration, the Department of Health and Human Services, the Department of Housing and Urban Development, the Center for Medicare and Medicaid Services, and many others.

Through these unprecedented database incursions, the DOGE and its agency allies have consolidated access to staggering volumes of sensitive personal data from tens of millions of people—precisely the kind of Big Brother surveillance weapon that federal law prohibits. The more a government entity knows about us, the more it can exert control over us: by building detailed profiles, revoking benefits, targeting us for investigation and enforcement, tracking and harassing us, and cultivating a climate of fear and suspicion. That’s why Congress has imposed strict limits on the government’s collection and aggregation of personal data through the Privacy Act, the E-Government Act of 2002, the Internal Revenue Code, and other privacy laws.

EPIC is using these and other tools to fight back against the Administration’s sweeping privacy abuses. Working with allies in civil society, EPIC has brought litigation challenging illegal database incursions at the Treasury Department and the Office of Personnel Management (OPM); the unlawful withholding by OPM of key records about those incursions; the Department of Agriculture’s unlawful demand to states for the personal data of millions of people receiving benefits under the Supplemental Nutrition Assistant Program (SNAP); and the Administration’s unlawful expansion and evisceration of privacy safeguards on the Systematic Alien Verification for Entitlements (SAVE) system—changes which have inflicted widespread privacy harms and caused untold numbers of naturalized and derived citizens to be illegally removed from the voter rolls. EPIC has also weighed in on related litigation over government databases with amicus support and filed comments calling for sweeping amendments to strengthen the Privacy Act, and we continue to identify opportunities to provide expertise and shine a light on this ongoing federal assault on our privacy.