Federal law forbids the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) from maintaining a consolidated database of firearms transactions in order to keep government from effecting a de facto central registry. Instead, gun sellers are required to keep those records themselves and make them available to the ATF when necessary. Gun owners have always suspected that the ATF might be retaining those records themselves.

Is it true? A June report from the Government Accountability Office, discovered by the Daily Caller, offers some justification for those fears:

A government report discovered the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) illegally stockpiles gun owners’ personal information.

The U.S. Government Accountability Office (GAO), the go-to federal oversight agency, conducted an audit of ATF and found it does not remove certain identifiable information, despite the law explicitly mandating it do so. GAO conducted reviews for four data systems, and concluded at least two of ATF’s systems violated official protocols.

Here, however, we get to the Clintonian parsing of the present tense form of the verb to be. The DC’s headline says The ATF Is Illegally Hoarding American Gun Owners’ Personal Information, emphasis mine. The report says that the ATF was consolidating the data, but had stopped years earlier. In one of the four systems, the deletion policy is still not properly being followed, but the number of records involved is relatively small:

Of the 4 data systems, 2 fully comply and 2 did not always comply with the appropriations act restriction prohibiting consolidation or centralization of FFL records. ATF addressed these compliance issues during the course of GAO’s review. ATF also does not consistently adhere to its policies. Specifically:

• OBRIS complies with the restriction and adheres to policy.

• A2K for in-business FFL records complies with the restriction. A2K for out-of-business FFL records did not comply with the restriction because ATF maintained these data on a single server at ATF. Thus, ATF deleted the records in March 2016. In addition, ATF policy does not specify how, if at all, FFLs may use A2K records to meet out-of-business record submission requirements. Such guidance would help ensure they submit such records.

• FRNP generally complies with the restriction. However, a 2007 through 2009 program using FRNP did not comply. ATF cancelled this program in 2009 and deleted the related data in March 2016. Also, a technical defect allows ATF agents to access FRNP data—including purchaser data—beyond what ATF policy permits. Aligning system capability with ATF policy would ensure that firearms purchaser data are only provided to those with a need to know.

• MS complies with the restriction, but ATF inconsistently adheres to its policy when deleting MS records. Specifically, until May 2016, MS contained over 10,000 names that were not consistently deleted within the required 2 years. Aligning the MS deletion policy with the timing of deletions could help ATF  maintain only useful MS purchaser data and safeguard privacy.

One potential hole in the system occurs when federal firearm licensees (FFLs — gun sellers) go out of business. What happens to those records? FFLs keep them for a reason; those records can help investigators establish a chain of custody for a firearm determined to have been used in a crime. As long as they remain in business, those records are private property, but by law an FFL who goes out of business has to transfer those records to the ATF.

The OBRIS system is designed to maintain those records electronically without crossing the line into becoming a central registry. And in fact, GAO found that OBRIS consistently complies with those restrictions. The biggest problem found by the GAO was that those out-of-business FFL records ended up in the A2K system where they didn’t belong. A2K gives the ATF capability to electronically access records of operating FFLs, but leaves those records in the hands of the FFLs, and shouldn’t be used to store records from FFLs who close their doors. After getting gigged on this major violation, ATF transferred those records to OBRIS, where they belong and which was designed to store them, in March 2016. Problem solved.

The other major violation took place years ago in a regional office of the Firearm Recovery Notification Program (FRNP), which handles alerts for weapons suspected of being used in crimes. Only one regional office was found to be non-compliant, and then only for a two-year period — but the records had not been deleted until this March, too.

The last violation in the MS system has to do with flushing multiple-sales data after two years. The ATF keeps records of multiple firearms sales within a five-day period for quick access, but if none of the weapons have been subject to a trace, the ATF is required to dump the data after two years. Given the number of firearms sales that take place every month, 10,000 non-compliant records indicates sloppiness rather than malice. In James Comey’s terms, this doesn’t even qualify for “extremely careless.”

So the GAO report doesn’t say that the ATF is hoarding gun owners’ personal information; it says that the ATF was retaining some records improperly. It also reports that ATF had already corrected most of the issues during the audit, and is working on cleaning up its MS system churn rate. What the report makes clear is that GAO didn’t find any evidence of intent to hoard that data, nor that ATF broadly violated the restrictions on retaining FFL sales records.

It’s always worth watching the ATF closely. GAO proved that by getting the bureau to correct some problems simply by conducting the audit. But it’s also important not to overreact to what gets seen.