Improper disclosures by the Consumer Product Safety Commission of personal information on members of the public resulted from a lack of training for employees on privacy requirements, compounded by the complexities of the agency’s databases, according to a Senate report.
The report focused on disclosures made over more than a year ending early this year involving several databases of information related to reported injuries and deaths associated with consumer products. The report said that 29 requests for the information—mainly from a consumer magazine and a university researcher—had been fulfilled without redacting manufacturer information on nearly 11,000 companies as well as personal information including addresses, ages, and genders of some 30,000 consumers.
The Commerce, Science and Transportation Committee found that the employees involved stated that they “had little to no knowledge” of the legal requirements for protecting consumers’ personal information and that they “did not know that the disclosures were improper.”
Also contributing to the disclosures were “convoluted and ineffective” systems for frontline employees to access data the agency maintains, with data spread across three separate systems, the report said. One of them dates to 1997 and “was supposed to have been phased out years ago”; a second, designed to replace that one, “is of limited effectiveness”; and the third was custom-designed by a now-retired employee and many current employees “don’t have any training for, or knowledge of,” how to use it.