All government contracts that outsource a service with private data to a third party should have an absolute requirement that the data itself is not to be shared without approval and that it had to be necessary for the service's functionality to do that sharing and that the data access logs must be under the direct control and review of a government auditor.

I know why this isn't how it's done: because those third party contractors are selling your data and that's how they get the low bid for those contacts.