Privacy

Agencies Should Ensure That Designated Senior Officials Have Oversight of Key Functions
GAO ID: GAO-08-603, May 30, 2008

Government agencies have a long-standing obligation under the Privacy Act of 1974 to protect the privacy of individuals about whom they collect personal information. A number of additional laws have been enacted in recent years directing agency heads to designate senior officials as focal points with overall responsibility for privacy. GAO was asked to (1) describe laws and guidance that set requirements for senior privacy officials within federal agencies, and (2) describe the organizational structures used by agencies to address privacy requirements and assess whether senior officials have oversight over key functions. To achieve these objectives, GAO analyzed the laws and related guidance and analyzed policies and procedures relating to key privacy functions at 12 agencies.

Federal laws set varying roles and responsibilities for senior agency privacy officials. Despite much variation, all of these laws require covered agencies to assign overall responsibility for privacy protection and compliance to a senior agency official. In addition, Office of Management and Budget guidance directs agencies to designate a senior agency official for privacy with specific responsibilities. The specific privacy responsibilities defined in these laws and guidance can be grouped into six broad categories: (1) conducting privacy impact assessments (which are intended to ensure that privacy requirements are addressed when personal information is collected, stored, shared, and managed in a federal system), (2) complying with the Privacy Act, (3) reviewing and evaluating the privacy implications of agency policies, (4) producing reports on the status of privacy protections, (5) ensuring that redress procedures to handle privacy inquiries and complaints are in place, and (6) ensuring that employees and contractors receive appropriate training. The laws and guidance vary in how they frame requirements in these categories and which agencies must adhere to them. Agencies also have varying organizational structures to address privacy responsibilities. For example, of the 12 agencies we reviewed, 2 had statutorily designated chief privacy officers who also served as senior agency officials for privacy, 5 designated their agency chief information officers as their senior privacy officials, and the others designated a variety of other officials, such as the general counsel or assistant secretary for management. Further, not all of the agencies we reviewed had given their designated senior officials full oversight over all privacy-related functions. While 6 agencies had these officials overseeing all key privacy functions, 6 others relied on other organizational units not overseen by the designated senior official to perform certain key privacy functions. 
The fragmented way in which privacy functions were assigned to organizational units in these agencies is at least partly the result of evolving requirements in law and guidance. However, without oversight of all key privacy functions, designated senior officials may be unable to effectively serve as agency central focal points for information privacy.



GAO-08-603, Privacy: Agencies Should Ensure That Designated Senior Officials Have Oversight of Key Functions

This is the accessible text file for GAO report number GAO-08-603 entitled 'Privacy: Agencies Should Ensure That Designated Senior Officials Have Oversight of Key Functions' which was released on June 18, 2008.

United States Government Accountability Office:
GAO:
Report to the Chairman, Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia, Committee on Homeland Security and Governmental Affairs, U.S. Senate:
May 2008:

Privacy: Agencies Should Ensure That Designated Senior Officials Have Oversight of Key Functions:
GAO-08-603:

GAO Highlights:

Highlights of GAO-08-603, a report to the Chairman, Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia, Committee on Homeland Security and Governmental Affairs, U.S. Senate.

What GAO Recommends:

GAO is recommending that certain agencies it reviewed take steps to ensure that their senior agency officials for privacy have oversight of all key privacy functions. Seven of the 12 agencies had no comment or concurred with GAO's assessment. Commerce and Defense did not state whether they agreed, but said that their current structures were adequate. Justice, Labor, and Treasury disagreed with GAO's characterization of their senior privacy officials as not having oversight of all key privacy functions. However, these agencies' policies do not assign oversight of such functions to their senior privacy officials.

To view the full product, including the scope and methodology, click on [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-603]. For more information, contact Linda Koontz at (202) 512-6240 or koontzl@gao.gov.

[End of section]

Contents:

Letter:
Results in Brief:
Background:
Laws and Guidance Set Varying Requirements for Senior Privacy Officials:
Agencies Have Varying Privacy Management Structures, and Senior Agency Officials for Privacy Do Not Consistently Have Oversight of All Key Functions:
Conclusions:
Recommendation for Executive Action:
Agency Comments and Our Evaluation:

Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the Department of Commerce:
Appendix III: Comments From the Department of Defense:
Appendix IV: Comments From the Department of Justice:
Appendix V: Comments from the Department of Labor:
Appendix VI: Comments from the Department of the Treasury:
Appendix VII: Recent Laws Establishing Privacy Protection Responsibilities at Federal Agencies:
Appendix VIII: GAO Contact and Staff Acknowledgments:

Figures:
Figure 1: Laws with Provisions That Specifically Address Key Privacy Functions:
Figure 2: Responsibility for Key Privacy Functions at 12 Agencies:

Abbreviations:
CIO: chief information officer
CPO: chief privacy officer
CISO: chief information security officer
DHS: Department of Homeland Security
E-Gov Act: E-Government Act
FISMA: Federal Information Security Management Act
OMB: Office of Management and Budget
PIA: privacy impact assessment
SAOP: senior agency official for privacy

[End of section]

United States Government Accountability Office:
Washington, DC 20548:

May 30, 2008:

The Honorable Daniel K. Akaka:
Chairman:
Subcommittee on Oversight of Government Management, the Federal Workforce, and the District of Columbia:
Committee on Homeland Security and Governmental Affairs:
United States Senate:

Dear Senator Akaka:

As you know, government agencies have long-standing obligations to protect the privacy of individuals about whom they collect personal information. Based on concerns about privacy, a number of laws have been enacted in recent years directing agency heads to designate chief privacy officers (CPO) as focal points with overall responsibility for privacy. For example, the Homeland Security Act of 2002 created the first statutorily required senior privacy official at the Department of Homeland Security (DHS). Several other laws followed with similar direction to other agencies. Furthermore, the Office of Management and Budget (OMB) issued guidance in 2005 directing each agency to designate a senior agency official for privacy (SAOP).

Agency responsibilities for protecting privacy are based primarily on two laws, the Privacy Act of 1974 and the E-Government Act (E-Gov Act) of 2002. Under the Privacy Act, federal agencies must issue public notices that identify, among other things, the type of data collected, the types of individuals about whom information is collected, the intended "routine" uses of the data, and procedures that individuals can use to review and correct personal information.
The E-Gov Act requires agencies to conduct privacy impact assessments (PIA) of privacy risks associated with information technology used to process personal information.[Footnote 1] In addition, the Paperwork Reduction Act sets conditions for collecting information from individuals and designates agency chief information officers (CIO) as responsible for privacy protection. Recent laws and guidance have also designated specific agency officials with responsibilities for ensuring agency compliance with privacy protection requirements.

Our objectives were to (1) describe laws and guidance that set requirements for senior privacy officials within federal agencies, and (2) describe the organizational structures used by agencies to address privacy requirements and assess whether senior officials have oversight over key functions.

To address our first objective, we reviewed and analyzed laws and OMB guidance that assign agencywide privacy responsibilities to senior officials within federal agencies. To address our second objective, we analyzed policies and procedures at these agencies, and interviewed senior agency privacy officials to identify the privacy management structures used at each of these agencies and the roles and responsibilities of senior privacy officials. The agencies included in this review (Departments of Commerce, Defense, Health and Human Services, Homeland Security, Justice, Labor, State, Treasury, Transportation, and Veterans Affairs, as well as the Social Security Administration and the U.S. Agency for International Development) are major agencies with statutorily designated privacy officers, have a central mission for which the collection of personally identifiable information is a critical component, or have implemented a unique organizational privacy structure.

We examined and compared agency management structures for fulfilling privacy responsibilities and assessed the differences in roles and responsibilities of privacy officers based on the differences in agencies' organizational structures. We conducted this performance audit from September 2007 to May 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Results in Brief:

Laws and guidance set a variety of requirements for senior privacy officials at federal agencies. For example, agencies have had a long-standing requirement under the Paperwork Reduction Act to assign agency CIOs overall responsibility for privacy policy and compliance with the Privacy Act. In recent years, additional laws have also set roles and responsibilities for senior agency privacy officials. Despite much variation, all of these laws require agencies to assign overall responsibility for privacy protection and compliance to a senior official. In addition, OMB guidance directs agencies to designate an SAOP with specific responsibilities. These laws and guidance define specific privacy responsibilities that can be grouped into six broad categories: (1) conducting PIAs; (2) complying with the Privacy Act; (3) reviewing and evaluating the privacy implications of agency policies, regulations, and initiatives; (4) producing reports on the status of privacy protections; (5) ensuring that redress procedures are in place; and (6) ensuring that employees and contractors receive appropriate training. The laws and guidance vary in how they frame requirements in these categories and which agencies must adhere to them.

Agencies have varying organizational structures to address privacy responsibilities. For example, of the 12 agencies we reviewed, 2 had statutorily designated CPOs who also served as SAOPs, 5 designated their agency CIOs as their senior officials, and the others designated a variety of other officials, such as the general counsel or assistant secretary for management. Further, not all of the agencies we reviewed had given their designated senior officials full oversight over all privacy-related functions. While 6 agencies had these officials overseeing all key privacy functions, 6 others relied on other organizational units not overseen by the designated senior official to perform certain key privacy functions. The fragmented way in which privacy functions have been assigned to organizational units in these agencies is at least partly the result of evolving requirements in law and guidance. As requirements have evolved, organizational responsibilities have been established incrementally to meet them. However, without oversight and involvement in all key privacy functions, SAOPs may be unable to effectively serve as agency central focal points for information privacy.

We are recommending that the heads of certain agencies we reviewed take steps to ensure that their SAOPs have oversight over all key privacy functions.

We provided a draft of this report to OMB and to the Departments of Commerce, Defense, Health and Human Services, Homeland Security, Justice, Labor, State, Treasury, Transportation, and Veterans Affairs, as well as the Social Security Administration and the U.S. Agency for International Development, for review and comment. Five agencies provided no comments on this review.[Footnote 2] In comments provided via e-mail, the Veterans Affairs and the Social Security Administration concurred with our assessment and recommendations and provided technical comments, which we incorporated in the final report as appropriate. In oral comments, OMB also concurred with our assessment and recommendations and provided technical comments, which we incorporated in the final report as appropriate. Commerce and Defense provided written comments that did not state whether they agreed or disagreed with the content of the report; however, both agencies stated that their privacy management structures were adequate. In contrast, we believe that clearly establishing the role of the SAOP as a focal point for departmental privacy functions would help ensure that these agencies provide consistent privacy protections and would align with OMB direction. Justice, Labor, and Treasury provided written comments and disagreed with our characterization of their agency SAOPs as not having oversight of all key privacy functions. However, our review of agency policies and procedures relating to privacy management showed that SAOPs at these agencies had not been assigned oversight of all key functions.

Background:

In recent years, a number of factors have led to growing concern about the protection of privacy when personally identifiable information is collected and maintained by the federal government.[Footnote 3] Recent data breaches of personal information at government agencies, such as the data breach at the Department of Veterans Affairs, which exposed the personal information of 26.5 million veterans and active duty members of the military in May 2006, have raised concerns about identity theft.[Footnote 4] In addition, increasingly sophisticated analytical techniques employed by federal agencies, such as data mining, also raise concerns about how personally identifiable information is used and what controls are placed on its use. Concerns such as these have focused attention on the structures agencies have instituted to ensure privacy protections are in place.

The major requirements for privacy protection by federal agencies come from two laws, the Privacy Act of 1974 and the E-Gov Act of 2002.
The Privacy Act places limitations on agencies' collection, disclosure, and use of personal information maintained in systems of records. The act describes a "record" as any item, collection, or grouping of information about an individual that is maintained by an agency and contains his or her name or another personal identifier. It also defines "system of records" as a group of records under the control of any agency from which information is retrieved by the name of the individual or by an individual identifier. The Privacy Act requires that when agencies maintain a system of records, they must notify the public by a system-of-records notice: that is, a notice in the Federal Register identifying, among other things, the type of data collected, the types of individuals about whom information is collected, the intended "routine" use of the data, and procedures that individuals can use to review and correct personal information. The act also requires agencies to define and limit their use of covered personal information. In addition, the act requires that to the greatest extent practicable, personal information should be collected directly from the subject individual when it may affect an individual's rights or benefits under a federal program.

The E-Gov Act of 2002 also assigns agencies significant responsibilities relating to privacy. The E-Gov Act strives to enhance protection for personal information in government information systems or information collections by requiring that agencies conduct PIAs. A PIA is an analysis of how personal information is collected, stored, shared, and managed in a federal system. Furthermore, according to OMB guidance, a PIA is an analysis of how information is handled. Specifically, a PIA is to (1) ensure that handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (2) determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and (3) examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. Agencies must conduct PIAs (1) before developing or procuring information technology that collects, maintains, or disseminates information that is in a personally identifiable form or (2) before initiating any new data collections involving personal information that will be collected, maintained, or disseminated using information technology if the same questions are asked of 10 or more people. To the extent that PIAs are made publicly available, they provide explanations to the public about such things as the information that will be collected, why it is being collected, how it is to be used, and how the system and data will be maintained and protected.

OMB is tasked with providing guidance to agencies on how to implement the provisions of these two acts and has done so, beginning with guidance on the Privacy Act, issued in 1975. The guidance provides explanations for the various provisions of the law as well as detailed instructions on how to comply. OMB's guidance on implementing the privacy provisions of the E-Gov Act of 2002 identifies circumstances under which agencies must conduct PIAs and explains how to conduct them.

We have previously reported on the role of senior privacy officials in the federal government. In 2006, we testified that the elevation of privacy officers to senior positions reflected the growing demands that these individuals faced in addressing privacy challenges on a day-to-day basis.[Footnote 5] The challenges we identified included ensuring compliance with relevant privacy laws, such as the Privacy Act and the E-Gov Act, and controlling the collection and use of personal information obtained from commercial sources. Additionally, in 2007 we reported that the DHS Privacy Office had made significant progress in carrying out its statutory responsibilities under the Homeland Security Act and its related role in ensuring E-Gov Act compliance, but noted that more work remained to be accomplished.[Footnote 6] We recommended that DHS designate privacy officers at key DHS components, implement a departmentwide process for reviewing Privacy Act notices, establish a schedule for the timely issuance of privacy reports, and ensure that the Privacy Office's annual reports to Congress contain a specific discussion of complaints of privacy violations. In response, DHS included a discussion of privacy complaints in its most recent annual report; however, the other recommendations have not yet been implemented.

Laws and Guidance Set Varying Requirements for Senior Privacy Officials:

Laws and guidance set a variety of requirements for senior privacy officials at federal agencies. For example, agencies have had a long-standing requirement under the Paperwork Reduction Act to assign agency CIOs overall responsibility for privacy policy and compliance with the Privacy Act. In recent years, additional laws have been enacted that also address the roles and responsibilities of senior officials with regard to privacy. Despite much variation, all of these laws require agencies to assign overall responsibility for privacy protection and compliance to a senior agency official. In addition, OMB guidance has directed agencies to designate senior officials with overall responsibility for privacy. These laws and guidance set specific privacy responsibilities for these agency officials. These responsibilities can be grouped into six broad categories: (1) conducting PIAs; (2) Privacy Act compliance; (3) reviewing and evaluating the privacy implications of agency policies, regulations, and initiatives; (4) producing reports on the status of privacy protections; (5) ensuring that redress procedures are in place; and (6) ensuring that employees and contractors receive appropriate training. The laws and guidance vary in how they frame requirements in these categories and which agencies must adhere to them.

Laws and Guidance Address the Roles and Responsibilities of Privacy Officials:

Numerous laws assign privacy responsibility to senior agency officials. The earliest of these laws is the Paperwork Reduction Act of 1980, which, as amended, directs agency heads to assign a CIO with responsibility for carrying out the agency's information resources management activities to improve agency productivity, efficiency, and effectiveness.[Footnote 7] The act directs agency CIOs to undertake responsibility for implementing and enforcing applicable privacy policies, procedures, standards, and guidelines, and to assume responsibility and accountability for compliance with and coordinated management of the Privacy Act of 1974 and related information management laws.[Footnote 8] As concerns about privacy have increased in recent years, Congress has enacted additional laws that include provisions addressing the roles and responsibilities of senior officials with regard to privacy. Despite variations, a common thread among these laws, as well as relevant OMB guidance, is that they all require agencies to assign overall responsibility for privacy protection and compliance to a senior agency official.
Relevant laws include the following: * The Homeland Security Act of 2002 directed the secretary of DHS to designate a senior official with primary responsibility for privacy policy. * The Intelligence Reform and Terrorism Prevention Act of 2004 required the Director of National Intelligence to appoint a Civil Liberties Protection Officer and assigned this individual specific privacy responsibilities. * The Violence Against Women and Department of Justice Reauthorization Act of 2005 instructed the Attorney General to designate a senior official with primary responsibility for privacy policy. * The Transportation, Treasury, Independent Agencies and General Government Appropriations Act of 2005 directed each agency whose appropriations were provided by the act, including the Departments of Transportation and Treasury, to designate a CPO with primary responsibility for privacy and data protection policy.[Footnote 9] * The Implementing Recommendations of the 9/11 Commission Act of 2007 instructed the heads of Defense, DHS, Justice, Treasury, Health and Human Services, and State, as well as the Office of the Director of National Intelligence and the Central Intelligence Agency to designate no less than one senior officer to serve as a privacy and civil liberties officer.[Footnote 10] Specific privacy provisions of these laws are summarized in appendix II. A number of OMB memorandums have also addressed the roles and responsibilities of senior privacy officials. 
In 1999, OMB required agencies to designate a senior official to assume primary responsibility for privacy policy.[Footnote 11] OMB later reiterated this requirement in its guidance on compliance with the E-Gov Act, in which it directed agency heads to designate an appropriate senior official with responsibility for the coordination and implementation of OMB Web and privacy policy and to serve as the agency's principal contact for privacy policies.[Footnote 12] Most recently, in 2005, OMB directed agencies to designate an SAOP with agency wide responsibility for information privacy issues and with responsibility for specific privacy functions, including ensuring agency compliance with all federal privacy laws, playing a central policy-making role in the development of policy proposals that implicate privacy issues, and ensuring that contractors and employees are provided with adequate privacy training.[Footnote 13] Beginning in 2005, OMB has also issued guidance significantly enhancing longstanding requirements for agencies to report on their compliance with privacy laws.[Footnote 14] OMB's 2005 guidance directed agencies to add a new section addressing privacy to their annual reports under the Federal Information Security Management Act (FISMA).[Footnote 15] SAOPs were assigned responsibility for completion of this section, in which they were to report on such things as agency policies and procedures for the conduct of PIAs, agency policies for ensuring adequate privacy training, as well as their own involvement in agency regulatory and policy decisions. In 2006, OMB issued further guidance requiring agencies to include as part of their FISMA reports a section addressing measures for protecting personally identifiable information. 
This guidance also required that agencies provide OMB with quarterly privacy updates and report all incidents relating to the loss of or unauthorized access to personally identifiable information.[Footnote 16] Most recently, OMB directed agencies in 2007 to include in their FISMA reports additional items, such as their breach notification policies, plans to eliminate unnecessary use of Social Security numbers, and plans for reviewing and reducing their holdings of personally identifiable information.[Footnote 17]

These laws and guidance set a variety of requirements for senior officials to carry out specific privacy responsibilities. These responsibilities can be grouped into the following six key functions:

* Conduct of PIAs: A PIA is an analysis of how personal information is collected, stored, shared, and managed in a federal system, and is required before developing or procuring information technology that collects, maintains, or disseminates information that is in a personally identifiable form. Several laws assign privacy officials at covered agencies responsibilities that are met in part by performing PIAs on systems that collect, process, or store personally identifiable information. This includes the requirements for several agencies to ensure that "technologies sustain and do not erode privacy protections." Furthermore, OMB guidance requires agency SAOPs to ensure compliance with federal laws, regulations, and policies relating to information privacy, such as the E-Gov Act, which spells out agency PIA requirements.

* Privacy Act compliance: As previously discussed, the Privacy Act sets a variety of requirements for all federal agencies regarding privacy protection. For example, the act requires that when agencies establish or make changes to a system of records, they must notify the public by a notice in the Federal Register, identifying, among other things, the type of data collected, the types of individuals about whom information is collected, the intended "routine" use of the data, and procedures that individuals can use to review and correct personal information. Several other laws explicitly direct agency privacy officials to ensure that the personal information contained in their Privacy Act systems of records is handled in compliance with fair information practices as set out in the act. Further, OMB guidance assigns agency SAOPs responsibility for ensuring Privacy Act compliance.

* Policy consultation: Relevant laws direct senior privacy officials to actively participate in the development and evaluation of privacy-sensitive agency policy decisions. Several specifically task the SAOP with evaluating legislative and regulatory proposals or periodically reviewing agency actions affecting privacy. As agencies develop new policies, senior officials responsible for privacy issues play a key role in identifying and mitigating potential privacy risks prior to finalizing a particular policy decision. Moreover, OMB directed agency SAOPs to undertake a central role in the development of policy proposals that implicate privacy issues.

* Privacy reporting: Agency senior privacy officials are often required to prepare periodic reports to ensure transparency about their activities and compliance with the law. Many laws reviewed required agencies to produce periodic privacy reports to agency stakeholders and Congress. OMB also requires agency SAOPs to report on their privacy activities as part of their annual FISMA reports, including such measures as their total numbers of systems of records, the number of written privacy complaints they have received, and whether a senior official has responsibility for all privacy-related activities.

* Redress: With regard to federal agencies, the term "redress" generally refers to an agency's complaint resolution process, whereby individuals may seek resolution of their concerns about an agency action. Specifically, in the privacy context, redress refers to processes for handling privacy inquiries and complaints as well as for allowing citizens who believe that agencies are storing and using incorrect information about them to gain access to and correct that information. The Privacy Act requires that all agencies, with certain exceptions, allow individuals access to their records and the ability to have inaccurate information corrected. Several recent laws also direct senior privacy officials at specific agencies to provide redress by ensuring that they have adequate procedures for investigating and addressing privacy complaints by individuals. Several laws also provide for attention to privacy in a broader context of civil liberties protection.

* Privacy training: Privacy training is critical to ensuring that agency employees and contractor personnel follow appropriate procedures and take proper precautions when handling personally identifiable information. For example, the Transportation, Treasury, Independent Agencies and General Government Appropriations Act of 2005 requires senior privacy officials at covered agencies to ensure that employees have adequate privacy training. OMB also requires agency SAOPs to ensure that employees and contractors receive privacy training.
In addition to performing key privacy functions, requirements in laws include responsibilities to ensure adequate security safeguards to protect against unauthorized access, use, disclosure, and destruction of sensitive personal information. Generally, this is provided through agency information security programs established under FISMA, and overseen by agency CIOs and chief information security officers (CISO).[Footnote 18] Moreover, OMB has issued guidance instructing agency heads to establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records.

Figure 1 shows the extent to which laws have requirements that specifically address each privacy function and to which agencies these requirements apply.[Footnote 19]

Figure 1: Laws with Provisions That Specifically Address Key Privacy Functions:

This figure is a table depicting the following information ("Yes" = provision relating to key function; "No" = no provision):

Laws and guidance | Apply to | PIA | Privacy Act compliance | Policy consultation | Reporting | Redress | Training
Homeland Security Act of 2002 | DHS | Yes | Yes | Yes | Yes | No | No
Intelligence Reform and Terrorism Prevention Act of 2004 | Office of the Director of National Intelligence | Yes | Yes | Yes | No | Yes | No
Violence Against Women and Department of Justice Reauthorization Act of 2005 | Department of Justice | Yes | Yes | Yes | Yes | Yes | Yes
Transportation, Treasury, Independent Agencies and General Government Appropriations Act of 2005 | All entities whose appropriations are provided by this act (this includes Transportation, Treasury and many other entities) | Yes | Yes | Yes | Yes | No | Yes
Implementing Recommendations of the 9/11 Commission Act of 2007[A] | Department of Defense, DHS, Justice, Treasury, Health and Human Services, State, Office of the Director of National Intelligence, and the Central Intelligence Agency | No | No | Yes | Yes | Yes | No
OMB memo M-05-08: Designation of Senior Agency Officials for Privacy | All executive branch agencies | Yes | Yes | Yes | No | No | Yes
OMB memos M-06-20, M-07-19, M-08-09 | All executive branch agencies | No | No | No | Yes | No | No

Source: GAO analysis.

[A] This act also contains more specific requirements for DHS regarding PIAs, Privacy Act compliance, and training.

[End of figure]

Agencies Have Varying Privacy Management Structures, and Senior Agency Officials for Privacy Do Not Consistently Have Oversight of All Key Functions:

Agencies have varying organizational structures to address privacy responsibilities. For example, of the 12 agencies we reviewed, 2 had statutorily designated CPOs who also served as SAOPs, 5 designated their agency CIOs as their senior officials, and the others designated a variety of other officials, such as the general counsel or assistant secretary for management. Further, not all of the agencies we reviewed had given their designated senior officials full oversight over all privacy-related functions. While 6 agencies had these officials overseeing all key privacy functions, 6 others relied on other organizational units not overseen by the designated senior official to perform certain key privacy functions.
The fragmented way in which privacy functions have been assigned to organizational units in these agencies is at least partly the result of evolving requirements in law and guidance. As requirements have evolved, organizational responsibilities have been established incrementally to meet them. However, without oversight and involvement in all key privacy functions, SAOPs may be unable to effectively serve as agency central focal points for privacy.

Agencies Varied in Their Designation of Senior Privacy Officials and in Their Organizational Placement of Key Privacy Functions:

Agencies have taken varied approaches to designating senior agency officials with privacy responsibilities. Two of the 12 agencies we reviewed had separate CPOs that were also designated as the senior officials for privacy. Five agencies assigned their agency CIOs as SAOPs, and 1 agency assigned its CISO. Lastly, 4 agencies assigned another high-level official, such as a general counsel or assistant secretary for management, as the SAOP.

In addition to varying in how they designated senior officials for privacy, agencies also varied in the way they assigned privacy responsibilities to organizational units. Four of the 12 agencies we reviewed (Transportation, DHS, State, and U.S. Agency for International Development) had one organization primarily responsible for all of the six key privacy functions outlined in the previous section. The remaining 8 agencies (Social Security Administration, Veterans Affairs, Defense, Commerce, Labor, Justice, Treasury, and Health and Human Services) relied on more than one organizational unit to perform privacy functions. Figure 2 summarizes the organizational structures in place at agencies to address the six key privacy functions, including the specific organizational units responsible for carrying out each of the key privacy functions.
Figure 2: Responsibility for Key Privacy Functions at 12 Agencies:

This figure is a table depicting the following information:

Department of Transportation (SAOP: CIO):
  PIA: Office of the CIO/Office of the General Counsel[A]; Privacy Act compliance: Office of the CIO/Office of the General Counsel[A]; Policy consultation: Office of the CIO[A]; Reporting: Office of the CIO[A]; Redress: Office of the CIO[A]; Training: Office of the CIO[A].

DHS (SAOP: Chief Privacy Officer):
  PIA: Privacy Office[A]; Privacy Act compliance: Privacy Office[A]; Policy consultation: Privacy Office[A]; Reporting: Privacy Office[A]; Redress: Privacy Office[A]; Training: Privacy Office[A].

Social Security Administration (SAOP: General Counsel):
  PIA: Office of Public Disclosure[A]; Privacy Act compliance: Office of Public Disclosure[A]; Policy consultation: Office of Public Disclosure[A]; Reporting: Office of Public Disclosure[A]; Redress: Office of General Law/Office of Public Disclosure[A]; Training: Office of Public Disclosure[A].

State (SAOP: Assistant Secretary for Administration):
  PIA: Office of Information Programs and Services[A]; Privacy Act compliance: Office of Information Programs and Services[A]; Policy consultation: Office of Information Programs and Services[A]; Reporting: Office of Information Programs and Services[A]; Redress: Office of Information Programs and Services[A]; Training: Office of Information Programs and Services[A].

U.S. Agency for International Development (SAOP: Chief Privacy Officer):
  PIA: Privacy Office[A]; Privacy Act compliance: Privacy Office[A]; Policy consultation: Privacy Office[A]; Reporting: Privacy Office[A]; Redress: Privacy Office[A]; Training: Privacy Office[A].

Veterans Affairs (SAOP: CIO):
  PIA: Privacy Service[A]; Privacy Act compliance: [A]; Policy consultation: Privacy Service[A]; Reporting: Privacy Service[A]; Redress: Privacy Service/Components[A]; Training: Privacy Service[A].

Department of Justice (SAOP: Chief Privacy and Civil Liberties Officer):
  PIA: Privacy and Civil Liberties Office[A]; Privacy Act compliance: Privacy and Civil Liberties Office[A]; Policy consultation: Privacy and Civil Liberties Office[A]; Reporting: Privacy and Civil Liberties Office[A]; Redress: Components[B]; Training: Privacy and Civil Liberties Office[A].

Treasury (SAOP: Assistant Secretary for Management):
  PIA: Office of the CIO/Components[A]; Privacy Act compliance: Office of the Deputy Assistant Secretary for Headquarters Operations[A]; Policy consultation: Office of the Deputy Assistant Secretary for Headquarters Operations/Office of the CIO[A]; Reporting: Office of the Deputy Assistant Secretary for Headquarters Operations/Office of the CIO[A]; Redress: Components[B]; Training: Office of the Deputy Assistant Secretary for Headquarters Operations/Components[A].

Department of Commerce (SAOP: CIO):
  PIA: Office of the CIO[A]; Privacy Act compliance: Privacy Act Office[B]; Policy consultation: Office of the CIO/Office of the General Counsel[A]; Reporting: Office of the CIO/Privacy Act Office[A]; Redress: Privacy Act Office[B]; Training: Office of the CIO[A].

Department of Defense (SAOP: Director for Administration and Management):
  PIA: Office of the CIO[B]; Privacy Act compliance: Defense Privacy Office[A]; Policy consultation: Defense Privacy Office[A]; Reporting: Defense Privacy Office[A]; Redress: Components[B]; Training: Defense Privacy Office[A].

Department of Labor (SAOP: CIO):
  PIA: Office of the CIO[A]; Privacy Act compliance: Office of the Solicitor[B]; Policy consultation: Office of the CIO[A]; Reporting: Office of the CIO[A]; Redress: Office of the Solicitor[B]; Training: Office of the Solicitor[A].

Health and Human Services (SAOP: CIO):
  PIA: Office of the CIO[A]; Privacy Act compliance: Privacy Act Officer[B]; Policy consultation: Senior Advisor, Privacy Policy[B]; Reporting: Office of the CIO/Components[A]; Redress: Privacy Act Officer[B]; Training: Office of the CIO[A].

Source: GAO analysis of agency data.

[A] Overseen by the agency SAOP.
[B] Not overseen by agency SAOP.

[End of figure]

Six of the agencies (DHS, State, Social Security Administration, Transportation, U.S. Agency for International Development, and Veterans Affairs) established privacy structures in which the SAOP oversaw all key privacy functions.
For example, DHS's Privacy Office performed these functions under the direction of the CPO, who was also the department's SAOP. Similarly, U.S. Agency for International Development's CISO (also the SAOP) oversaw the agency's privacy office, which was responsible for all key functions. While more than one organizational unit carried out privacy functions in two cases (Veterans Affairs and the Social Security Administration), all such units were overseen by the senior agency official for privacy.

However, six other agencies (Commerce, Health and Human Services, Labor, Transportation, Defense, and Treasury) had privacy management structures in which the SAOP did not oversee all key privacy functions. For two agencies--Justice and Treasury--the SAOP had oversight over all key functions except for redress, which was handled by individual component organizations. For the other four agencies, key functions were divided among two or more organizations, and the senior privacy official did not have oversight of all of them. For example, key privacy functions at Labor were being performed not only by the office of the CIO (who is also the SAOP) but also by the Office of the Solicitor, who is independent of the CIO. Likewise, the senior official at Commerce was responsible for overseeing conduct of PIAs, policy consultation, and privacy training, while a separate Privacy Act Officer was responsible for Privacy Act compliance. Without full oversight of key privacy functions, SAOPs may be limited in their ability to ensure that privacy protections are administered consistently across the organization.

Evolving Requirements in Laws and Related Guidance Have Led to Fragmented Assignment of Privacy Functions:

The fragmented way in which privacy functions have been assigned to organizational units in several agencies is at least partly the result of evolving requirements in law and guidance.
As requirements have evolved, organizational responsibilities have been established incrementally to meet them. For example, although the Privacy Act does not specify organizational structures for carrying out its provisions, many agencies established Privacy Act officers to address the requirements of that act and have had such positions in place for many years. In some cases, agencies designated their general counsels to be in charge of ensuring that the Privacy Act's requirements were met. More recently, the responsibility to conduct PIAs under the E-Gov Act frequently has been given to another office, such as the Office of the CIO, because the E-Gov Act's requirements apply to information technology, which is generally the purview of the CIO. If an SAOP was designated in such agencies without reassigning these responsibilities, that official may not have oversight and involvement in all key privacy activities. Uneven implementation of the Paperwork Reduction Act also may have contributed to fragmentation of privacy functions. As previously discussed, the Paperwork Reduction Act requires agency CIOs to take responsibility for privacy policy and compliance with the Privacy Act, and thus agencies could ensure they are in compliance with the Paperwork Reduction Act by designating their CIOs as SAOPs.[Footnote 20] However, 7 out of the 12 agencies we reviewed did not designate their CIOs as SAOPs. Further, if CIOs were designated as agency SAOPs but did not have responsibility for compliance with the Privacy Act--as was the case at Commerce, Labor, and Health and Human Services--the SAOPs would be left without full oversight of key privacy functions. Agencies that have more than one internal organization carrying out privacy functions run the risk that those organizations may not always provide the same protections for personal information if they are not overseen by a central authority. 
Thus, unless steps are taken to ensure that key privacy functions are under the oversight of the SAOP, agencies may be limited in their ability to ensure that information privacy protections are implemented consistently across their organizations.

Conclusions:

While agencies have had the responsibility for many years to establish management structures to ensure coordinated implementation of privacy policy and compliance with the Privacy Act, recent laws and guidance have significantly changed requirements for privacy oversight and management. These laws and guidance vary in scope and specificity, but they all require the designation of a senior agency official with overall responsibility for privacy protection and compliance with statutory requirements. In adopting varied assignments for key privacy functions, not all agencies gave their SAOPs responsibility for all key privacy functions. As a result, agencies may not be implementing privacy protections consistently. While the particulars of privacy management may vary according to the size of the agency and the sensitivity of its mission, agencies generally would likely benefit from having SAOPs that serve as central focal points for privacy matters and have oversight of all key functions, as required by law and guidance. Such focal points can help ensure that agency activities provide consistent privacy protections.

Recommendation for Executive Action:

In order to ensure that their SAOPs function effectively as central focal points for privacy management, we recommend that the Attorney General and the Secretaries of Commerce, Defense, Health and Human Services, Labor, and Treasury take steps to ensure that their SAOPs have oversight over all key privacy functions.
Agency Comments and Our Evaluation:

We provided a draft of this report to OMB and to the departments and agencies we reviewed: the Departments of Commerce, Defense, Health and Human Services, Homeland Security, Justice, Labor, State, Treasury, Transportation, and Veterans Affairs, as well as the Social Security Administration and the U.S. Agency for International Development, for review and comment. Five agencies provided no comments on this draft.[Footnote 21] In comments provided via email, the Associate Deputy Assistant Secretary for Privacy and Records Management at Veterans Affairs and the Audit Management Liaison at the Social Security Administration concurred with our assessment and recommendations and provided technical comments, which we incorporated in the final report as appropriate. In oral comments, the Acting Branch Chief of the Information Policy and Technology Branch at OMB also concurred with our assessment and recommendations and provided technical comments, which we incorporated in the final report as appropriate. Commerce and Defense provided written comments that did not state whether they agreed or disagreed with our recommendations; however, both agencies stated that their privacy management structures were adequate. Their comments are reprinted in appendixes II and III respectively. Justice, Labor, and Treasury provided written comments and disagreed with our characterization of their agency SAOPs as not having oversight of all key privacy functions. Their comments are reprinted in appendixes IV, V, and VI respectively.

The Chief Information Officer of the Department of Commerce stated that the department agreed with our characterization of the fragmentation that has resulted from recent laws and guidance that have significantly changed requirements for privacy oversight and management.
However, she stated that applicable law does not require that the administration of the Privacy Act be consolidated with other privacy functions under the Office of the Chief Information Officer. Law and OMB guidance direct agencies to have a senior agency official, the CIO in the case of the Paperwork Reduction Act, serving as a focal point for privacy and ensuring compliance with the Privacy Act. Clearly establishing a senior official as a focal point for departmental privacy functions aligns with direction provided by law and OMB and would help ensure that the agency provides consistent privacy protections.

The Senior Agency Official for Privacy at the Department of Defense stated that, while privacy responsibilities are divided among the Defense Privacy Office, the CIO, and agency components, the current privacy management structure at Defense has proven to be successful over time. We did not assess the effectiveness of the privacy management structures we reviewed. However, establishing an agency official that serves as a central focal point for departmental privacy functions aligns with direction provided by law and OMB and would help ensure that the agency provides consistent privacy protections.

The Acting Chief Privacy and Civil Liberties Officer at Justice disagreed with our assessment that the department's SAOP did not have oversight of redress procedures. He stated that the Chief Privacy and Civil Liberties Officer has statutory authority under the Violence Against Women and Department of Justice Reauthorization Act to assume primary responsibility for privacy policy and to ensure appropriate notifications regarding the department's privacy policies and privacy-related inquiry and complaint procedures. We agree that the Chief Privacy and Civil Liberties Officer has the statutory authority and responsibility for the oversight of privacy functions at Justice, including redress.
However, our analysis of agency policies and procedures showed that the Chief Privacy and Civil Liberties Officer did not have an established role in oversight of redress procedures. Clearly defining the role of the Chief Privacy and Civil Liberties Officer in the departmental redress procedures would help ensure that the SAOP has oversight of this key privacy function. In its comments, the department noted that the Office of Privacy and Civil Liberties was undertaking a review of its orders and guidance to clarify and, as appropriate, strengthen existing authorities to ensure that the department implements thoroughly the Chief Privacy and Civil Liberties Officer authorities. The Chief Information Officer at Labor disagreed with our assessment that the SAOP did not have full oversight of all key privacy functions. He stated that Privacy Act compliance, redress, and training were addressed jointly by his office and the Office of the Solicitor. However, our review of Labor's policies and procedures relating to privacy management showed that a joint oversight management structure had not been established. Rather, we found that while the CIO was responsible for three key privacy functions, the Office of the Solicitor was responsible for the remaining three functions. Clearly defining the role of the SAOP in Privacy Act compliance, redress, and training would help ensure that the SAOP has oversight of all key privacy functions. The Assistant Secretary for Management at Treasury agreed that the SAOP should have overall responsibility for privacy protection and compliance with statutory requirements and that agencies generally would likely benefit from having SAOPs that serve as central focal points for privacy matters and have oversight of all key functions. The Assistant Secretary noted that as of March 2008, the department had implemented a new privacy management structure to emphasize the importance of protecting privacy at its highest levels. 
However, Treasury disagreed with a statement in our draft report that it had realigned its organization in order to ensure that the SAOP had oversight of privacy functions. We recognize that privacy functions, with the exception of redress, were under the oversight of the SAOP prior to the reorganization and accordingly have deleted this statement from the final report. Treasury also disagreed that its SAOP did not have full oversight of agency redress processes, stating that the department has longstanding regulations that provide departmentwide and bureau-specific policies and procedures relating to redress. While we agree that such redress policies are in place, they do not establish a role for the SAOP. Clearly defining the role of the SAOP in the departmental redress procedures would help ensure that the SAOP has oversight of this key privacy function. Lastly, Treasury stated it submits quarterly reports to Congress on privacy complaint and redress activities. We agree that reporting is an important privacy function; however, it is separate from redress and does not constitute oversight of Treasury redress activities.

We are sending copies of this report to the Attorney General; the Secretaries of Commerce, Defense, Health and Human Services, Homeland Security, State, Treasury, Labor, Transportation, and Veterans Affairs; the Commissioner of the Social Security Administration; and the Administrator of the U.S. Agency for International Development as well as other interested congressional committees. Copies will be made available at no charge on our Web site, http://www.gao.gov.

If you have any questions concerning this report, please call me at (202) 512-6240 or send e-mail to koontzl@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix III.

Sincerely,

Signed by:

Linda D. Koontz
Director, Information Management Issues

[End of section]

Appendix I: Objectives, Scope, and Methodology:

Our objectives were to (1) describe laws and guidance that set requirements for senior privacy officials within federal agencies, and (2) describe the organizational structures used by agencies to address privacy requirements and assess whether senior officials have oversight over key functions. We did not evaluate agency compliance with these laws and guidance.

To address our first objective, we reviewed and analyzed relevant laws and guidance to determine privacy responsibilities for privacy officials at agencies. We reviewed relevant laws, including the Implementing Recommendations of the 9/11 Commission Act of 2007, the Homeland Security Act of 2002, and others (see app. II for a full listing), which designate senior privacy officials and assign them privacy responsibilities. We also analyzed the Paperwork Reduction Act, which has long-standing privacy requirements assigned to agency chief information officers (CIO), and the Office of Management and Budget (OMB) guidance relating to the designation of senior agency officials with privacy responsibilities, such as Memorandum M-05-08. We also analyzed the specific privacy responsibilities identified in these laws and guidance and categorized the key privacy functions they represented.

To address our second objective, we identified 12 agencies (Departments of Commerce, Defense, Health and Human Services, Homeland Security, Justice, Labor, State, Treasury, Transportation, and Veterans Affairs; the Social Security Administration, and the U.S. Agency for International Development) that either have a statutorily designated privacy officer, have a central mission for which privacy protection is a critical component, or have implemented a unique organizational privacy structure.
We analyzed policies and procedures at these agencies, and interviewed senior agency privacy officials to identify the privacy management structures used at each of these agencies and the roles and responsibilities of senior privacy officials. We also compared the varying management structures at these agencies to identify the differences and similarities across agencies in their implementation of these structures. Further, we analyzed agency management structures to determine whether senior privacy officials at each of these agencies had full oversight over all key functions.

We conducted our work from September 2007 to May 2008, in Washington, D.C., in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[End of section]

Appendix II: Comments from the Department of Commerce:

United States Department Of Commerce:
Chief Information Officer:
Washington, D.C. 20230:

May 12, 2008:

Ms. Linda Koontz:
Director, Information Management Issues:
Government Accountability Office:
441 G. Street, N.W.
Washington, D.C. 20548:

Dear Ms. Koontz:

Thank you for the opportunity to review the draft of GAO 310794 - Agencies Should Ensure that Designated Senior Officials Have Oversight of Key Functions. The report is useful in illustrating the diverse ways agencies carry out their privacy responsibilities and the fragmentation that exists as a result of recent laws and guidance that have significantly changed requirements for privacy oversight and management.
The laws and guidance vary in scope and specificity, but as the report indicates, require the designation of a Senior Agency Official for Privacy with overall responsibility for privacy protection and compliance with statutory requirements. However, the report appears to indicate that existing laws and guidance require that agencies organize their internal privacy functions, including the administration of the Privacy Act, so that, for example, at the Department of Commerce they would be consolidated under the direct supervision of, and report to, the Commerce Chief Information Officer, who is the designated Senior Agency Official for Privacy and the Chief Privacy Officer. It is our view that applicable law does not require that administration of the Privacy Act be consolidated with other privacy functions under the Office of the Chief Information Officer. In fact, at Commerce, the Privacy Act is administered under the Chief Financial Officer and Assistant Secretary for Administration, who coordinates with the Office of the Chief Information Officer on Privacy Act issues. The Chief Privacy Officer provides oversight and guidance on privacy issues, but does not handle Privacy Act requests or appeals. Indeed, agencies are accorded some flexibility precisely to provide the opportunity to organize their privacy functions in the way that works best for each of them.

Since its enactment in 1974, administration of the Privacy Act has at Commerce been the responsibility of the Chief Financial Officer and Assistant Secretary for Administration. The Commerce Privacy Act program is well regarded, and cooperates fully with the Chief Privacy Officer with regard to all privacy functions within the Office of the Chief Information Officer. We see no reason to upset this well-coordinated, well-functioning institutional arrangement absent specific and explicit requirements to do so.
We would expect that other agencies would have similar interests in maintaining existing organizational arrangements that they have found effective in providing privacy oversight, coordination, and protection.

Sincerely,

Signed by:

Suzanne Hilding:
Chief Information Officer:

[End of section]

Appendix III: Comments From the Department of Defense:

Office Of The Secretary Of Defense:
Administration & Management:
1950 Defense Pentagon:
Washington, DC 20301-1950:

May 13, 2008:

Memorandum For United States Government Accountability Office:

Subject: Conclusions and recommendations from Draft GAO Report titled: Privacy: Agencies Should Ensure that Designated Senior Officials Have Oversight of Key Functions (GAO-08-603):

The DoD appreciates the opportunity to comment on the subject report. The report concluded that "not all agencies gave their Senior Agency Official for Privacy (SAOP) responsibility for all key privacy functions." The single recommendation made was "In order to ensure that their SAOPs function effectively as central focal points for privacy management, we recommend that the Attorney General and the Secretaries of Commerce, Defense, Health and Human Services, Labor, and Treasury take steps to ensure that their SAOPs have oversight over all key privacy functions."

The Director, Administration and Management for the DoD is assigned as the SAOP. In this role, he has direct oversight of the core privacy functions and executes these through the Defense Privacy Office. This office administers the Privacy Act of 1974 and the other privacy functions required by various laws. The area of redress of complaints and inquiries has been further delegated to the DoD Components who are the liaison organizations between DoD and the various systems owners located within the components. The process to address these issues has been found to be most effective when resolved at this level in the organization.
The DoD CIO serves as the DoD principal point of contact for Information Technology (IT) matters, oversees the PIAs and the protection of information in IT. The Office of the DoD CIO works closely with the Defense Privacy Office on all matters involving IT privacy policy and implementation. Per our DoD PIA guidance, the DoD SAOP serves as the DoD principal point of contact for the privacy policies and provides assistance on privacy matters impacting PIAs. The review of completed PIAs and annual reporting of the completion of these assessments is conducted with the Defense Privacy Office and other DoD Components as required. This arrangement has proven to be successful over time. The DoD CIO concurs in this response.

Questions regarding this response should be directed to Samuel Jenkins, Director, Defense Privacy Office at (703) 607-2943 or via email at DPO.Correspondence@osd.mil.

Signed by:

Michael B. Donley:
Senior Agency Official for Privacy:

[End of section]

Appendix IV: Comments From the Department of Justice:

U.S. Department of Justice:
Office of the Deputy Attorney General:
Chief Privacy and Civil Liberties Officer:
Washington, D.C. 20530:

May 12, 2008:

Linda D. Koontz:
Director:
Information Management:
Government Accountability Office:
441 G. Street, NW:
Washington, DC 20548:

Dear Ms. Koontz:

Thank you for the opportunity to review and comment on the Government Accountability Office's (GAO) draft report entitled, "Privacy: Agencies Should Ensure that Designated Senior Officials Have Oversight of Key Functions" (GAO-08-603). The Department of Justice is pleased that this report acknowledges that the Department of Justice has taken important and significant steps in ensuring the effectiveness of its privacy official and embedding the protection of privacy and civil liberties into the fabric of the Department.
We would like to address GAO's statement that the Department of Justice's Chief Privacy and Civil Liberties Officer (CPCLO), the Department's Senior Agency Official for Privacy (SAOP), does not have oversight concerning the redress mechanisms associated with the Department's handling of personally identifiable information (PII). We disagree that this oversight function does not already lie with the CPCLO.

At the core of the statutorily mandated activities of the CPCLO is section 1174 of the Violence Against Women and Department of Justice Reauthorization Act of 2005, Pub. L. No. 109-162, January 5, 2006. Specifically, subsection (a) provides that "the Attorney General shall designate a senior official in the Department of Justice to assume primary responsibility for privacy policy." Subsequently, on March 10, 2006, Deputy Attorney General Paul McNulty issued a memorandum, which designated this senior official, stating that "as the CPCLO, the official will oversee and administer the Department's privacy functions, in accordance with [section 1174]." As such, the CPCLO does already have full responsibility for the oversight and management of all the privacy functions associated with the Department and its constituent components. Although it is true that the various components deal with day-to-day aspects of the operations concerning privacy functions, the CPCLO administers such functions through the promulgation of appropriate policies, the leadership of Departmental privacy officers, and the provision of specific guidance as required.

Further, section 1174(b) notes specific responsibilities of the CPCLO, including under subsection (5), "appropriate notifications regarding the Department's privacy policies and privacy-related inquiry and complaint procedures," which deal with the redress processes at the Department. In addition, section 1162 of the Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L. 108-458, December 17, 2005, was amended by section 805 of the Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. 110-53, August 3, 2007, to provide, in part, that agency privacy officials "ensure that such department, agency, or element has adequate procedures to receive, investigate, respond to, and redress complaints from individuals who allege such department, agency, or element has violated their privacy or civil liberties." [Emphasis added] As such, even if the general requirement for the CPCLO to oversee all the privacy functions of the Department were not enough authority to exercise leadership over the Department's redress processes, these additional two statutory authorities create a specific mandate for the CPCLO to fulfill.

Nonetheless, the Department, through its Office of Privacy and Civil Liberties, is undertaking a review of the existing orders and guidance issued by the Department to clarify and, as appropriate, strengthen these existing authorities. The goal of this endeavor is to ensure that the Department implements thoroughly the CPCLO's authorities and to increase awareness of these authorities by all parts of the Department.

Again, we appreciate the opportunity to comment on GAO's draft report, and we look forward to additional collaboration to ensure full application of privacy protective authorities government-wide. If you have any questions regarding our comments, please contact Richard P. Theis, Department of Justice Audit Liaison, Audit Liaison Group at (202) 514-0469.

Respectfully submitted,

Signed by:

Kenneth P. Mortensen:
Acting Chief Privacy and Civil Liberties Officer:

[End of section]

Appendix V: Comments from the Department of Labor:

U.S. Department of Labor:
Office of the Assistant Secretary for Administration and Management:
Washington, D.C. 20210:

May 12, 2008:

Linda D. Koontz:
Director, Information Management Issues:
Government Accountability Office:
441 G Street, N.W.
Washington, DC 20548:

Dear Ms. Koontz:

This letter responds to draft report GAO 08-603, Agencies Should Ensure that Designated Senior Officials Have Oversight of Key Functions, dated May 2008. We take seriously our responsibility to ensure the protection of our computer systems, web-based resources and collection points for Personally Identifiable Information (PII) and appreciate the opportunity to comment on the draft report.

Overall, the draft report provides a fair depiction of the Department of Labor's (DOL) management and operating environment for the protection of PII. However, I ask that the representation of how responsibilities for the key privacy functions are overseen at DOL be revised. As the Chief Information Officer (CIO) and Senior Agency Official for Privacy (SAOP), I have responsibility for all key privacy functions. In addition, three of the key privacy functions, namely Privacy Act compliance, Redress, and Training, are jointly addressed by my office and the Department's Office of the Solicitor. This process has worked well for the Department in meeting our privacy protection related responsibilities. With this in mind, to accurately reflect DOL's management structure for meeting its privacy protection responsibilities, the draft report should be revised in two areas:

* On page 20, Figure 2 should show for the Department of Labor that the SAOP is the CIO who has primary responsibility for all key privacy functions, including joint responsibility with the Office of the Solicitor for the three privacy functions of Privacy Act compliance, Redress, and Training. This management structure appears very similar to that portrayed in Figure 2 for the Department of Transportation.

* Correspondingly, the draft report Recommendation on page 24 should be amended to remove reference to the Department of Labor in addition to other conforming revisions throughout the draft report.

Thank you again for the opportunity to comment on the draft report.
If there are questions, or if further discussion about our comments is needed, please have your staff contact Ms. Tonya Manning, Chief Information Security Officer, at Manning.Tonya@dol.gov or 202-693-4431.

Sincerely,

Signed by:

Patrick Pizzella:
Assistant Secretary for Administration and Management:
Chief Information Officer:

[End of section]

Appendix VI: Comments from the Department of the Treasury:

Department Of The Treasury:
Assistant Secretary:
Washington, DC:

May 15, 2008:

Mr. Idris Adjerid:
Analyst-in-Charge:
Government Accountability Office:
441 G Street, NW:
Washington, D.C. 20548:

Dear Mr. Adjerid:

Thank you for the opportunity to review and comment on your draft report entitled "Privacy: Agencies Should Ensure that Designated Senior Officials Have Oversight of Key Functions", GAO-08-603. The Treasury Department concurs with your conclusions that the Senior Agency Official for Privacy (SAOP) should have overall responsibility for privacy protection and compliance with statutory requirements and that agencies generally would likely benefit from having SAOPs that serve as central focal points for privacy matters and have oversight of all key functions, because such focal points can help ensure that agency activities provide consistent privacy protections.

The policy of the Department of the Treasury is to protect the privacy of individuals by ensuring that due consideration and regard for information privacy is addressed in the execution of Departmental programs and policies. To emphasize the importance of protecting privacy at the highest levels of the Department, and to assign accountability, the Department has designated the Assistant Secretary for Management and Chief Financial Officer (ASM/CFO) as the SAOP pursuant to Office of Management and Budget Memorandum OMB M-05-08.
The ASM/CFO has also been designated as the Chief Privacy Officer, pursuant to Section 522 of Division H of the Consolidated Appropriations Act of 2005, and the Chief Privacy and Civil Liberties Officer, pursuant to Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007. The ASM/CFO has historically had overall responsibility for key privacy functions. Nonetheless, in order to strengthen oversight of this important area, the Department realigned components of the Office of the ASM/CFO on March 24, 2008, to create a new Office of the Deputy Assistant Secretary for Privacy and Treasury Records. The realignment combined the Privacy Act and E-Government Act privacy functions and programs into one office and elevated the importance of the privacy office by creating a new Deputy Assistant Secretary for Privacy and Treasury Records, who is a direct report to the ASM/CFO. The Department continues to review a wide variety of activities and procedures within the Department to find opportunities to enhance protections of the privacy of individuals.

In that light, we respectfully request that your statement on page 22, that Treasury was reorganizing in order to ensure that the SAOP had overall responsibility for key privacy functions, be amended to reflect that the Treasury SAOP has historically had overall responsibility for key privacy functions, and has also now realigned its privacy functions from two offices into one office and has elevated the position of that office within the organization. In conjunction, we also request that your statement on page 23, that Treasury is currently considering consolidating privacy functions under a central office reporting directly to the SAOP, be amended to reflect that Treasury has, as of March 2008, consolidated its privacy functions from two Management divisions into one Management office reporting directly to the SAOP.
On page 15, the draft report defines redress in the privacy context as an agency's complaint-resolution process that allows individuals access to their records and the ability to correct inaccurate information, pursuant to the Privacy Act of 1974. On pages 6 and 15, the draft report presents federal agency redress responsibilities as ensuring that redress procedures are in place; that is, ensuring adequate procedures for investigating and addressing privacy complaints by individuals.

Regarding the chart on page 20 and your statement on page 21, that the SAOP does not have oversight over the Treasury privacy redress function, we point out that Treasury has long-standing regulations at 31 C.F.R. §§ 1.26 and 1.27, that provide Treasury-wide procedures for redress in the privacy context. In addition, each Treasury bureau has specific, additional procedures published in Appendix A to Subpart C of 31 C.F.R. Part 1, tailored to the mission and functions of the particular bureau. These bureau-specific procedures have been fully approved and authorized by the Department. Moreover, Treasury has developed and implemented binding Department-wide policy and procedures in Treasury Directive 25-04 and The Privacy Handbook, TD Publication 25-04. In fact, Treasury Directive 25-04 stipulates that the ASM/CFO is responsible for ensuring Treasury's compliance with the Privacy Act of 1974. Finally, the SAOP submits to Congress quarterly reports of Department-wide privacy complaint and redress activities, pursuant to Section 803 of the Implementing Recommendations of the 9/11 Commission Act of 2007. In addition to these procedures for providing redress, we continue to look for improvements that can be made to the Treasury redress process.
In light of existing redress procedures as spelled out above, we respectfully request that the chart on page 20 and the statement on page 21 of the draft report be amended to reflect that the Treasury SAOP does have oversight responsibilities over Treasury redress functions in the privacy context.

Again, we appreciate the opportunity to comment on GAO's draft report. If you have any questions regarding our comments, please contact me, or Elizabeth Cuffe of my staff, at 202-622-1682 or by email at Elizabeth.Cuffe@do.treas.gov.

Sincerely,

Signed by:

Peter B. McCarthy:
Assistant Secretary for Management and Chief Financial Officer:

[End of section]

Appendix VII: Recent Laws Establishing Privacy Protection Responsibilities at Federal Agencies:

The following are recent laws and their major provisions regarding privacy protection responsibilities at federal agencies.

Homeland Security Act of 2002:

Section 222 of the Homeland Security Act of 2002, [Footnote 22] as amended, instructed the secretary of DHS to appoint a senior official with primary responsibility for privacy policy, including the following:

* ensuring that technologies sustain, and do not erode, privacy protections;

* ensuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as set out in the act;

* evaluating legislative and regulatory proposals and conducting privacy impact assessments of proposed rules;

* coordinating functions with the Officer for Civil Rights and Civil Liberties;

* preparing an annual report to Congress (without prior comment or amendment by agency heads or OMB); and

* having authority to investigate and having access to privacy-related records, including through subpoena in certain circumstances.
Intelligence Reform and Terrorism Prevention Act of 2004:

Section 1011 of this act required the Director of National Intelligence to appoint a Civil Liberties Protection Officer and gave this officer the following functions:[Footnote 23]

* ensuring that the protection of civil liberties and privacy is appropriately incorporated into the policies and procedures of the Office of the Director of National Intelligence and the elements of the intelligence community within the National Intelligence Program;

* overseeing compliance by the Office of the Director of National Intelligence with all laws, regulations, and guidelines relating to civil liberties and privacy;

* reviewing complaints about abuses of civil liberties and privacy in Office of the Director of National Intelligence programs and operations;

* ensuring that technologies sustain, and do not erode, privacy protections;

* ensuring that personal information contained in a system of records subject to the Privacy Act is handled in full compliance with fair information practices as set out in that act;

* conducting privacy impact assessments when appropriate or as required by law; and

* performing such other duties as may be prescribed by the Director of National Intelligence or specified by law.
Violence Against Women and Department of Justice Reauthorization Act of 2005:

Section 1174 of the Violence Against Women and Department of Justice Reauthorization Act of 2005[Footnote 24] instructed the Attorney General to designate a senior official to assume primary responsibility for privacy policy, which included responsibility for advising the Attorney General in the following areas:

* appropriate privacy protections for the department's existing or proposed information technology and systems;

* privacy implications of legislative and regulatory proposals;

* implementation of policies and procedures, including training and auditing, to ensure compliance with privacy-related laws and policies;

* that adequate resources and staff are devoted to meeting the department's privacy-related functions and obligations;

* appropriate notifications regarding privacy policies and inquiry and complaint procedures; and

* privacy-related reports from the department to Congress and the President, including an annual report to Congress on activities affecting privacy.
Transportation, Treasury, Independent Agencies and General Government Appropriations Act of 2005:

Section 522 of this act[Footnote 25] directed each agency with appropriations provided by the act to designate a chief privacy officer with primary responsibility for privacy and data protection policy, including:

* ensuring that technology sustains, and does not erode, privacy and that technology used to collect or process personal information allows for continuous auditing of compliance with stated privacy policies and practices;

* ensuring that personal information contained in Privacy Act systems of records is handled in full compliance with fair information practices as defined in the Privacy Act;

* evaluating legislative and regulatory proposals and conducting privacy impact assessments of proposed rules;

* preparing an annual report to Congress on activities affecting privacy;

* ensuring the protection of personal information and information systems from unauthorized access, use, disclosure, or destruction;

* providing employees with privacy training; and

* ensuring compliance with privacy and data protection policies.

Implementing Recommendations of the 9/11 Commission Act of 2007:

This law[Footnote 26] amended the National Intelligence Reform Act of 2004 to require the heads of covered agencies to designate no less than one senior officer to serve as a privacy and civil liberties officer. This act applies to the Departments of Defense, Homeland Security, Justice, Treasury, Health and Human Services, and State, as well as the Office of the Director of National Intelligence, and the Central Intelligence Agency.
The act requires the senior privacy official to perform the following functions:

* assisting the agency head in considering privacy and civil liberties issues with regard to anti-terrorism efforts;

* investigating and reviewing agency actions to ensure adequate consideration of privacy and civil liberties;

* ensuring that the agency has adequate redress procedures;

* considering privacy and civil liberties when deciding to retain or enhance a governmental power;

* coordinating activities, when relevant, with the agency Inspector General; and

* preparing periodic reports, not less than quarterly, to the agency head, Congress, and the Privacy and Civil Liberties Oversight Board. [Footnote 27]

Agencies covered under this act are also required to establish a direct reporting relationship between the senior privacy official and the agency head.

[End of section]

Appendix VIII: GAO Contact and Staff Acknowledgments:

GAO Contact:

Linda D. Koontz, (202) 512-6240, koontzl@gao.gov:

Staff Acknowledgments:

Major contributors to this report were John de Ferrari, Assistant Director; Idris Adjerid; Shaun Byrnes; Matt Grote; David Plocher; Jamie Pressman; and Amos Tevelow.

[End of section]

Footnotes:

[1] A PIA is an analysis of how personal information is collected, stored, shared, and managed in a federal system to ensure that privacy requirements are addressed.

[2] These agencies are Health and Human Services, Homeland Security, State, Transportation, and the U.S. Agency for International Development.
[3] For purposes of this report, the terms personal information and personally identifiable information are used interchangeably to refer to any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records, and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

[4] For analysis of issues associated with the Veterans Affairs data breach, see GAO, Privacy: Preventing and Responding to Improper Disclosures of Personal Information, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-833T] (Washington, D.C.: June 8, 2006) and Veterans Affairs: Leadership Needed to Address Information Security Weaknesses and Privacy Issues, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-866T] (Washington, D.C.: June 14, 2006).

[5] GAO, Privacy: Key Challenges Facing Federal Agencies, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-777T] (Washington, D.C.: May 17, 2006).

[6] GAO, DHS Privacy Office: Progress Made but Challenges Remain in Notifying and Reporting to the Public, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-522] (Washington, D.C.: Apr 27, 2007).

[7] While the Privacy Act of 1974 established privacy responsibilities for agencies, it did not specify a senior agency official to be responsible for meeting these requirements.

[8] OMB issued guidance for agencies on the implementation of the Paperwork Reduction Act, including the responsibility of CIOs for privacy. See OMB Circular A-130, Management of Federal Information Resources (Washington D.C.: November 28, 2000).
For an analysis of CIO roles and responsibilities, see GAO, Federal Chief Information Officers: Responsibilities, Reporting Relationships, Tenure, and Challenges, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-823] (Washington, D.C.: July 21, 2004).

[9] The Transportation, Treasury, Independent Agencies and General Government Appropriations Act of 2005 applies to the Department of Transportation, Department of Treasury, Executive Office of the President, Architectural and Transportation Barriers Compliance Board, Election Assistance Commission, Federal Election Commission, Federal Labor Relations Authority, Federal Maritime Commission, General Services Administration, Merit Systems Protection Board, Morris K. Udall Scholarship and Excellence in National Environmental Policy Foundation, National Archives and Records Administration, National Historical Publications and Records Commission, National Transportation Safety Board, Office of Government Ethics, Office of Personnel Management, Office of Special Counsel, U.S. Postal Service, and U.S. Tax Court.

[10] This law grants the Privacy and Civil Liberties Oversight Board authority to require any other agency or element of the executive branch to establish a privacy and civil liberties officer. Further, this law specifies that if covered agencies have another statutorily designated privacy officer, this officer must also undertake the responsibilities described in the act.

[11] Office of Management and Budget, OMB Instructions on complying with President's Memorandum of May 14, 1998, "Privacy and Personal Information in Federal Records", M-99-05 (Washington, D.C.: Jan. 7, 1999).

[12] Office of Management and Budget, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, M-03-22 (Washington, D.C.: Sept. 26, 2003).

[13] Office of Management and Budget, Designation of Senior Agency Officials for Privacy, M-05-08 (Feb. 11, 2005).
[14] Office of Management and Budget, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, M-05-15 (Washington, D.C.: June 13, 2005).

[15] FISMA, Title III, E-Government Act of 2002, Pub. L. No. 107-347 (Dec. 17, 2002).

[16] Office of Management and Budget, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, M-06-20 (Washington, D.C.: July 17, 2006).

[17] Office of Management and Budget, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, M-07-19 (Washington, D.C.: July 25, 2007).

[18] For purposes of this report, we did not address information security assurance as a privacy function. Prior GAO reports have examined information security at federal agencies. For example, in March 2008, we testified that agencies continue to experience significant information security control deficiencies and that most agencies did not implement controls to sufficiently prevent, limit, or detect access to computer networks, systems, or information. As a result, federal systems and information were at increased risk of unauthorized access to and disclosure, modification, or destruction of sensitive information. See GAO, Information Security: Progress Reported, but Weaknesses at Federal Agencies Persist, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-571T] (Washington, D.C.: Mar. 12, 2008).

[19] These laws may make designated agency officials responsible for additional privacy functions that are not specifically mentioned. For example, by designating agency officials as responsible for Privacy Act compliance, these laws would implicitly make such officials responsible for meeting all requirements specified in the Privacy Act, including such things as providing a means to access and correct information, which is a component of the redress function.
[20] In 2004, GAO reported that 17 of 27 CIOs were responsible for privacy. See [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-823]. OMB guidance also acknowledged the Paperwork Reduction Act's CIO requirement, but stated that the CIO "may perform" the privacy role, and that "if the CIO, for some reason, is not designated, the agency may have designated another senior official (at the Assistant Secretary or equivalent level) with agency-wide responsibility for information privacy issues. In any case, the senior agency official should have authority within the agency to consider information privacy policy issues at a national and agency-wide level." M-05-08 (Feb. 11, 2005).

[21] These agencies are Health and Human Services, Homeland Security, State, Transportation, and the U.S. Agency for International Development.

[22] Pub. L. No. 107-296, November 25, 2002, as amended by the Intelligence Reform and Terrorism Prevention Act of 2004, Sec. 8305, and the Implementing Recommendations of the 9/11 Commission Act of 2007, Sec. 802.

[23] Pub. L. No. 108-458, December 17, 2004.

[24] Pub. L. No. 109-162, January 5, 2005.

[25] Div H, Pub. L. No. 108-447, December 8, 2004.

[26] Pub. L. No. 110-53, August 3, 2007.

[27] This board was created by the Intelligence Reform and Terrorism Prevention Act of 2004 to review executive branch anti-terrorism activities and to ensure that privacy and civil liberties are adequately protected.

[End of section]