Washington, D.C. ? The Homeland Security Department admitted Friday it violated the Privacy Act two years ago by obtaining more commercial data about U.S. airline passengers than it had announced it would.

Seventeen months ago, the Government Accountability Office, Congress’ auditing arm, reached the same conclusion: The department’s Transportation Security Administration “did not fully disclose to the public its use of personal information in its fall 2004 privacy notices as required by the Privacy Act.”

Even so, in a report Friday on the testing of TSA’s Secure Flight domestic air passenger screening program, Homeland Security department’s privacy office acknowledged TSA didn’t comply with the law. But the privacy office still couldn’t bring itself to use the word “violate.”

Instead, the privacy office said, “TSA announced one testing program, but conducted an entirely different one.” In a 40-word, separate sentence, the report noted that federal programs that collect personal data that can identify Americans “are required to be announced in Privacy Act system notices and privacy impact assessments.”