The March 13 episode of NPR’s Consider This podcast with Ailsa Chang talks about the risks of DOGE gaining access to sensitive data across the federal government, and how various lawsuits are using the Privacy Act of 1974 as grounds for suing the government to prevent DOGE’s continued access to the data.
The intro to the episode talks about the risks of DOGE having access to this data. Elizabeth Lair, of the Equity and Civic Technology Project at the Center For Democracy and Technology, and me, late of the Department of Veterans Affairs, appear at the start of the episode to discuss the risks, then the rest of the episode segues into University of Virginia law professor Danielle Citron discussing what the Privacy Act is and how it is being used to oppose DOGE’s access.
The NPR web site does not provide a transcript of the episode, so I’ve provided one below, for those of you who prefer reading over listening.
[Ailsa Chang]
Date of birth, home address, Social Security Number. I mean, these are just a few examples of some of the personal information that the US government collects on most of us and stores in databases across federal agencies. Well, the Department of Government Efficiency, or DOGE, created by President Trump, has been causing alarm by making massive cuts to Federal staff. But it has also been seeking access to the troves of personal information that the government has on Americans. Information that can go way beyond a Social Security Number.
[Elizabeth Lair]
The level of sensitivity of the information that we’re talking about is really unprecedented, and it is the most sensitive information that people provide about themselves.
[Ailsa Chang]
Elizabeth Lair directs the Equity and Civic Technology Project at the Center For Democracy and Technology. She spoke with NPR’s Laurel Wamsley.
[Elizabeth Lair]
It will include demographics about you, so your race, your sex, even if you have a disability, and then I think the thing that a lot of folks don’t think about, because a number of the reports of the systems that they’ve attempted to access or have actually accessed are financial in nature. But they also include really personal information about you. So, just to take your tax records, you know, it will include any major life events that you’ve had. So, whether you were pregnant and gave birth to a child, or you adopted a child, or you got married or divorced, whether you went bankrupt, you know, things that maybe your closest friends and family don’t even know are included in these Systems.
[Ailsa Chang]
And then there’s the kind of information that’s stored by agencies like Medicare, Medicaid, and the VA.
[Jonathan Kamens]
If you are a veteran that’s getting medical care from VA, your medical data is stored in VA databases. What conditions you’re being treated for, what treatments you’re receiving, if you have a VA therapist or you go to group therapy at VA, then, you know, therapy notes are being stored in VA databases. If you, I don’t know, have an opioid addiction because of an injury that you received while you were in service that information is going to be potentially stored in the VA databases.
[Ailsa Chang]
Jonathan Kamens has worked as a software engineer and cybersecurity professional for more than 30 years. His job was overseeing cybersecurity for the Department of Veterans Affairs main website, or va.gov. He was fired from the U.S. Digital Service on February 14th, along with about 40 other people. Kamens says he doesn’t know what Elon Musk and his team have access to at the VA, but he is worried about the kind of sensitive data that they could access from what’s stored there.
[Jonathan Kamens]
There’s all sorts of financial information because, you know, in order to apply for benefits, sometimes you have to disclose details about your financial circumstances. So DOGE claims that what it is trying to do is to find fraud and inefficiency and waste in the federal government so that it can be eliminated, and the single biggest budget line item at the VA is the benefits that are paid out to Veterans. So, if you’re really looking for fraud and waste and inefficiency, you’re not going to be able to do that at VA without looking at the veteran benefit databases, which are the ones that have the personal information in them.
[Ailsa Chang]
DOGE’s efforts to access these government databases have a lot of people wondering. Is there anything that can protect the personal information that we have to hand over to the federal government. Consider this: a little-known law exists to do just that, protect our sensitive data from government overreach, and more than a dozen lawsuits now invoke this 50-year-old law to stop DOGE’s access to this information.
[Ailsa Chang]
From NPR, I’m Elsa Chang.
[commercial break]
[Ailsa Chang]
It’s Consider This from NPR.
Across federal agencies, the government stores a lot of data, and often the data we entrust to federal agencies is very sensitive and very personal. Elon Musk’s Department of Government Efficiency, or DOGE, has access to many of the databases storing that personal data, and that’s raising alarm. At least a dozen lawsuits are attempting to stop DOGE from tapping into all this personal information. And these lawsuits have focused on one particular legal avenue, a 50-year-old law called the Privacy Act of 1974.
With us to talk about that law. Is Danielle Citron, she’s a law professor at the University of Virginia. Welcome.
[Danielle Citron]
Thank you for having me.
[Ailsa Chang]
So, before we talk about these lawsuits, can you just take us back to the mid-1970s? How did the Privacy Act of 1974 even come about? Like, what was it designed originally to do?
[Danielle Citron]
So it was amidst a time in the late 60s, where Congress sort of got wind of the fact that agencies had about 7,000 systems of records, of databases, and they got really interested in it because the National Crime Information Center, so the FBI, now, we think of as the database that shares criminal information between the states, locals, and the feds, had an incredible amount of sensitive information, including arrests that never went anywhere. And that information was being freely shared with employers, with colleges. So people were losing life opportunities. And you know, all of this is happening in the backdrop of Watergate in the backdrop of Hoover’s blacklist, which contained files on every single senator and congressman. There were gathering personal data on each and every one of us that were being shared across agencies without any safeguards. And there was heated agreement across the aisle that we worried that it gave government a lot of power, excessive power that could control us.
[Ailsa Chang]
And I’m sure there are a lot of people out there today who never even knew the Privacy Act of 1974 existed. How relevant has this law been over the last 50 years? Like, how much has it been invoked when there are concerns with how the federal government is handling people’s private information?
[Danielle Citron]
The Privacy Act was once a quite sleepy law in my privacy classes. It’s got an increasing prominence in part because there’s been so much compliance with the Privacy Act. Every agency now has to put out, you know, notices about having new collections of information and databases, and there’s Chief Privacy Officers at every agency. You have to pay attention to it and adhere to its commitments, which are to ensure that you don’t collect information you shouldn’t be collecting for a proper purpose. And that you’re not sharing it unless you meet the conditions of the Privacy Act.
[Ailsa Chang]
Okay, well, then, let’s talk about these dozen or so lawsuits now that concern access DOGE has had to personal data. Who exactly is filing these lawsuits, like, what’s the argument that the plaintiffs are making here.
[Danielle Citron]
Privacy groups and attorneys are representing employees of the government and individuals whose data is collected in these systems of records that are protected by the Privacy Act. And they’re arguing that there’s real harm here. They’re losing their jobs, they’re being fired. Presumably, we need to figure out in discovery if the loss of those jobs have to do with being in the databases, but we’re pretty sure that’s probably true. You need to figure out who your employees are so you can fire them and and asserting that the Privacy Act is sacred and that we honor when you turn over your data and you directly gave it to an agency that it would only be accessed and used and disclosed pursuant to that reason you gave it to them, and you trusted the government with that information.
[Ailsa Chang]
Okay, but what is the argument that the Trump administration is making for why they are allowed, members of DOGE are allowed to access this information?
[Danielle Citron]
The Trump administration is arguing that the DOGE employees, let’s say they’re working at the Department of Education, that they have every right to go into these systems of records to check for fraud, waste, and abuse.
[Ailsa Chang]
simply because they are now employees of the Department of Education?
[Danielle Citron]
That’s right, and it’s a fundamental misunderstanding of the Privacy Act, that if they worked at the Department of Education, they couldn’t get into records that include, you know, personal data, unless it was part of their job, right. And part of the Privacy Act is really specific about conditions and when for law enforcement purposes you can disclose information that’s protected by the Privacy Act. And it’s only when the head of a law enforcement agency makes a written request that’s really particular as about what records it wants.
[Ailsa Chang]
Even if a judge does rule that federal agencies should not be sharing this sensitive data with DOGE, isn’t there still the possibility that the Trump administration won’t be deterred and will continue to give DOGE access anyway? I’m sorry even to be asking this question right now, but who’s to say the Trump administration will care what a judge rules, right?
[Danielle Citron]
I mean, that’s a fundamental question on the minds of every law professor, lawyer, and law student. That even if you know, courts so orders that DOGE employees shouldn’t have access to these records and that they should destroy any data that they collected in violation of the Privacy Act that they may just say, sorry, I’m not going to comply with court order, and I think at that moment, when that happens, you know, it’s really testing our confidence in democracy and the rule of law.
[Ailsa Chang]
Danielle Citron is a law professor at the University of Virginia. Thank you very much for speaking with us.
[Danielle Citron]
Thank you so much.
[Ailsa Chang]
This episode was produced by Kathryn Fink. NPR correspondent Laurel Wamsley contributed to the episode. It was edited by Jeanette Woods and Nadia Lancy. Our executive producer is Sami Yenigun.
It’s Consider This.
