Privacy
OPM Should Better Monitor Implementation of Privacy-Related Policies and Procedures for Background Investigations
GAO ID: GAO-10-849 September 7, 2010
GAO-10-849, Privacy: OPM Should Better Monitor Implementation of Privacy-Related Policies and Procedures for Background Investigations
This is the accessible text file for GAO report number GAO-10-849
entitled 'Privacy: OPM Should Better Monitor Implementation of Privacy-
Related Policies and Procedures for Background Investigations' which
was released on October 7, 2010.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Subcommittee on Oversight of Government Management, the
Federal Workforce, and the District of Columbia, Committee on Homeland
Security and Governmental Affairs, U.S. Senate:
United States Government Accountability Office:
GAO:
September 2010:
Privacy:
OPM Should Better Monitor Implementation of Privacy-Related Policies
and Procedures for Background Investigations:
GAO-10-849:
GAO Highlights:
Highlights of GAO-10-849, a report to the Subcommittee on Oversight of
Government Management, the Federal Workforce, and the District of
Columbia, Committee on Homeland Security and Governmental Affairs,
U.S. Senate.
Why GAO Did This Study:
Approximately 90 percent of all federal background investigations are
provided by the Office of Personnel Management's (OPM) Federal
Investigative Services (FIS) division. In fiscal year 2009, FIS
conducted over 2 million investigations of varying types, making the
organization a major steward of personal information on U.S. citizens.
GAO was asked to (1) describe how OPM uses personally identifiable
information (PII) in conducting background investigations and (2)
assess the extent to which OPM's privacy policies and procedures for
protecting PII related to investigations meet statutory requirements
and align with widely accepted privacy practices. To address these
objectives, GAO compared OPM and FIS policies and procedures with key
privacy laws and widely accepted practices.
What GAO Found:
FIS, a component of OPM, conducts background investigations using
extensive amounts of PII. Specifically, FIS collects PII from the
individual being investigated, government agencies holding relevant
data on the subject, and contacts familiar with the subject of the
investigation. It uses this information during the four phases of the
investigation process: (1) Questionnaire Submission, when requesting
agencies submit a questionnaire completed by the individual who will
be investigated; (2) Scheduling and Initiation, during which goals and
milestones are set, automated information requests occur, and an
investigator is assigned; (3) Investigation, during which an
investigator gathers information from the automated requests and from
interviews and prepares a report; and (4) Review, during which a
reviewer determines if a report is complete before allowing it to be
sent to the requesting agency.
FIS has taken steps to incorporate key privacy laws and widely
accepted privacy practices into policies and procedures for conducting
background investigations. For example, field investigators are
directed to limit collection of PII to only information relevant to an
investigation, and several procedures are in place to ensure that such
information is recorded as accurately as possible in OPM's systems.
However, the agency has conducted limited oversight of FIS's
development of privacy impact assessments (PIA), investigators'
implementation of privacy protection guidance, and customer agencies'
adherence to privacy agreements. A PIA is an analysis of how personal
information is collected, stored, shared, and managed in a federal
system. It is required by the E-Government Act of 2002. Related Office
of Management and Budget guidance emphasizes the need to identify and
assess privacy risks in concert with developing a PIA. However, OPM's
guidance for PIAs does not require that privacy risks be analyzed or
mitigation strategies be identified for those risks. Consequently, OPM
cannot be sure that potential risks associated with the use of PII in
its information systems have been adequately assessed and mitigated.
Additionally, widely accepted privacy practices call for
accountability to ensure privacy-protection policies are implemented
to safeguard personal information from potential risks. Such
accountability includes monitoring to ensure proper implementation of
privacy protection measures. However, although FIS tracks PII that is
provided to and received from field investigators, it had not
monitored investigators' adherence to its policies and procedures for
protecting PII while investigations are underway. Further, while FIS
has developed agreements with customer agencies related to the
protection of PII contained in investigation case files, it does not
monitor customer agencies' implementation of these policies, even
though its agreements state it is responsible for doing so. Without
oversight processes for monitoring investigators' and customer agencies'
adherence to its PII protection policies, OPM lacks assurance that its
privacy protection measures are being properly implemented.
What GAO Recommends:
GAO is recommending that the Director of OPM (1) develop guidance for
analyzing and mitigating privacy risks in privacy impact assessments,
and (2) develop and implement oversight mechanisms for ensuring that
investigators properly protect PII and that customer agencies adhere
to agreed-upon privacy protection measures. OPM agreed with our
recommendations.
View [hyperlink, http://www.gao.gov/products/GAO-10-849] or key
components. For more information, contact Gregory C. Wilshusen at
(202) 512-6244 or wilshuseng@gao.gov.
[End of section]
Contents:
Letter:
Background:
OPM's Background Investigation Process Involves Extensive Collection
and Use of PII:
FIS Has Taken Steps to Ensure Privacy Policies and Procedures Meet
Statutory Requirements and Align with Fair Information Practices, but
Oversight of Implementation is Limited:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: GAO Contact and Staff Acknowledgments:
Table:
Table 1: Fair Information Practices:
Figures:
Figure 1: Key Steps in FIS's Background Investigation Process:
Figure 2: Questionnaire Submission Phase Detailed Steps:
Figure 3: Scheduling and Initiation Phase Detailed Steps:
Figure 4: Investigation Phase Detailed Steps:
Figure 5: Review Phase Detailed Steps:
Figure 6: Reported Incidents of Lost or Stolen Paper Files Associated
with Background Investigations:
Abbreviations:
CIO: Chief Information Officer:
DOD: Department of Defense:
e-QIP: Electronic Questionnaires for Investigations Processing:
FBI: Federal Bureau of Investigation:
FIPC: Federal Investigations Processing Center:
FIPS: Federal Information Processing Standard:
FIS: Federal Investigative Services:
MOU: memorandum of understanding:
NAC: National Agency Check:
NIST: National Institute of Standards and Technology:
OECD: Organization for Economic Cooperation and Development:
OIG: Office of the Inspector General:
OMB: Office of Management and Budget:
OPM: Office of Personnel Management:
PIA: privacy impact assessment:
PII: personally identifiable information:
PIPS: Personnel Investigations Processing System:
PIPS-R: Personnel Investigations Processing System - Reporting:
SORN: System of Records Notice:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
September 7, 2010:
The Honorable Daniel K. Akaka:
Chairman:
The Honorable George V. Voinovich:
Ranking Member:
Subcommittee on Oversight of Government Management, the Federal
Workforce, and the District of Columbia:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
The Federal Investigative Services (FIS) division of the Office of
Personnel Management (OPM) is responsible for conducting approximately
90 percent of all federal background investigations. To conduct its
work, FIS relies heavily on personally identifiable information (PII)
provided by the individuals who are being considered for security
clearances. Such information can be extensive and can include
financial and medical information, as well as PII on family members
and close contacts. In fiscal year 2009, FIS conducted over 2 million
investigations of varying types, making the organization a major
steward of personal information on U.S. citizens.
Government agencies have a long-standing obligation under the Privacy
Act of 1974 and the E-Government Act of 2002 to protect the privacy of
individuals about whom they collect personal information. These laws
prescribe specific activities that agencies must perform to protect
privacy, such as ensuring that personal information is used only for
an authorized purpose and that assessments are conducted of the
privacy risks associated with the information technology used to
process the personal information.
You asked us to review the implementation of privacy protection
provisions for information collected and maintained by FIS as it
relates to the background investigation process. Specifically, as
agreed with your office, our objectives were to: (1) describe how OPM
uses PII in conducting background investigations and (2) determine the
extent to which OPM's privacy policies and procedures for protecting
PII related to investigations meet statutory requirements and align
with widely accepted privacy practices.
To address our first objective, we analyzed agency policies,
procedures, and guidance to identify FIS's background investigation
process. We interviewed FIS officials at their headquarters in Boyers,
Pennsylvania, and at OPM headquarters in Washington, D.C., and
conducted site visits of FIS headquarters to identify the current
process for conducting background security clearance investigations.
We analyzed this information to identify the overall process for
conducting investigations and how PII is utilized throughout the
process.
To address our second objective, we reviewed pertinent information
security and privacy policies, procedures, guidance, and practices in
place at OPM. Additionally, we analyzed key privacy laws, standards,
and widely accepted privacy practices and compared them with key
elements of the FIS investigation processes. We interviewed officials
at FIS headquarters and within the OPM Privacy Office to discuss
recent efforts to oversee the implementation of privacy policies and
procedures.
We conducted this performance audit from October 2009 to September
2010 in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives. Our
objectives, scope, and methodology are discussed in more detail in
appendix I.
Background:
OPM is the central human resources agency for the federal government,
tasked with ensuring the government has an effective civilian
workforce. To carry out this mission, OPM delivers human resources
products and services, including personnel background investigations,
to agencies on a reimbursable basis. These investigations are the
responsibility of OPM's FIS division.
Federal Investigative Services Conducts Background Investigations for
the Federal Government:
FIS conducts approximately 90 percent of all personnel background
investigations for the federal government. FIS provides the results of
the investigations to agencies for use in determining individuals'
suitability or fitness for federal civilian, military, or federal
contract employment as well as eligibility for access to classified
national security information. FIS also has responsibility for
developing and implementing uniform policies and procedures to ensure
the proper completion of investigations. For example, FIS issued
internal agency guidance, called the Investigator's Handbook, to
direct its federal and contract investigators as they conduct
investigations. In fiscal year 2009, FIS conducted over 2 million
investigations of varying types.
In addition to background investigations, FIS conducts other types of
investigations and checks, including--among others--credit searches of
all three major credit bureaus regarding financial responsibility and
periodic reinvestigations (generally for moderate or high-risk
positions).[Footnote 1] Many of these may be limited to contacting
other federal agencies or private institutions for information and may
not require an investigator to conduct traditional investigation
activities such as interviewing individuals familiar with the subject.
FIS's investigations staff consists of approximately 2,300 federal
employees and 6,000 contractor staff.
To conduct these investigations, FIS officials use information
technology systems located at FIS headquarters, known as the Federal
Investigations Processing Center (FIPC), to coordinate investigative
activities and store all of the information generated by such
investigations. At FIPC, officials store and maintain electronic,
microfilm, and paper records of OPM-conducted background
investigations. Officials at FIPC make security clearance information
available to federal personnel offices through a Web portal. FIPC
receives requests for investigations from federal agencies, processes
the requests through an automated system, and fields questions about
its process and ongoing investigations.
Security Clearances and Background Investigations Vary in Breadth and
Methods Used to Collect Information:
Security clearances are required for access to national security
information, which may be classified at one of three levels:
confidential, secret, and top secret. The level of classification
denotes the degree of protection required for information and the
amount of damage that unauthorized disclosure could reasonably be
expected to cause to national security. Unauthorized disclosure could
reasonably be expected to cause (1) "damage," in the case of
confidential information; (2) "serious damage," in the case of secret
information; and (3) "exceptionally grave damage," in the case of top
secret information.[Footnote 2]
Background investigations allow federal agencies to make decisions
both about suitability for employment, as well as access to national
security information. The scope of information gathered in an
investigation depends on the purpose of the investigation, such as
whether it is being conducted for an employment suitability
determination, an initial clearance, or a clearance renewal. For
example, investigators collect information from agencies such as the
Federal Bureau of Investigation (FBI) for all initial and renewal
clearances. However, for initial top secret clearances investigators
need, among other things, to also corroborate the subject's education
and interview educational sources, as appropriate.
For an investigation for a confidential or secret clearance,
investigators gather much of the information electronically. For an
investigation for a top secret clearance, investigators gather
additional information through more time-consuming efforts such as
conducting in-person interviews to corroborate information about a
subject's employment and education. In 2009, OPM estimated that
approximately 6-10 labor hours were needed for each investigation for
a secret or confidential clearance, and 50-60 labor hours were needed
for the investigation for an initial top secret clearance.
Key Laws and Privacy Practices Govern the Protection of Personal
Information:
The primary laws that provide privacy protections for personal
information accessed or held by the federal government are the Privacy
Act of 1974 and E-Government Act of 2002. These laws describe, among
other things, agency responsibilities with regard to protecting PII.
[Footnote 3] The Privacy Act places limitations on agencies'
collection, disclosure, and use of personal information maintained in
systems of records. A system of records is a collection of information
about individuals under control of an agency from which information is
retrieved by the name of an individual or other identifier. The E-
Government Act of 2002 requires agencies to assess the impact of
federal information systems on individuals' privacy. Specifically, the
E-Government Act strives to enhance the protection of personal
information in government information systems and information
collections by requiring agencies to conduct privacy impact
assessments (PIA).
A PIA is an analysis of how personal information is collected, stored,
shared, and managed in a federal system. Specifically, according to
Office of Management and Budget (OMB) guidance,[Footnote 4] the
purpose of a PIA is (1) to ensure handling conforms to applicable
legal, regulatory, and policy requirements regarding privacy; (2) to
determine the risks and effects of collecting, maintaining, and
disseminating information in identifiable form in an electronic
information system; and (3) to examine and evaluate protections and
alternative processes for handling information to mitigate potential
privacy risks.
The Privacy Act of 1974 is largely based on a set of internationally
recognized principles for protecting the privacy and security of
personal information known as the Fair Information Practices. A U.S.
government advisory committee first proposed the practices in 1973 to
address what it termed a poor level of protection afforded to privacy
under contemporary law.[Footnote 5] The Organization for Economic
Cooperation and Development (OECD)[Footnote 6] developed a revised
version of the Fair Information Practices in 1980 that has, with some
variation, formed the basis of privacy laws and related policies of
many countries--including the United States, Australia, and New
Zealand--and the European Union.
These practices are now widely accepted as a standard benchmark for
evaluating the adequacy of privacy protections. The eight principles
of the Fair Information Practices are shown in table 1.
Table 1: Fair Information Practices:
Principle: 1. Collection limitation;
Description: The collection of personal information should be limited,
should be obtained by lawful and fair means, and, where appropriate,
with the knowledge or consent of the individual.
Principle: 2. Data quality;
Description: Personal information should be relevant to the purpose
for which it is collected, and should be accurate, complete, and
current as needed for that purpose.
Principle: 3. Purpose specification;
Description: The purposes for the collection of personal information
should be disclosed before collection and upon any change to that
purpose, and its use should be limited to those purposes and
compatible purposes.
Principle: 4. Use limitation;
Description: Personal information should not be disclosed or otherwise
used for other than a specified purpose without consent of the
individual or legal authority.
Principle: 5. Security safeguards;
Description: Personal information should be protected with reasonable
security safeguards against risks such as loss or unauthorized access,
destruction, use, modification, or disclosure.
Principle: 6. Openness;
Description: The public should be informed about privacy policies and
practices, and individuals should have ready means of learning about
the use of personal information.
Principle: 7. Individual participation;
Description: Individuals should have the following rights: to know
about the collection of personal information, to access that
information, to request correction, and to challenge the denial of
those rights.
Principle: 8. Accountability;
Description: Individuals controlling the collection or use of personal
information should be accountable for taking steps to ensure the
implementation of these principles.
Source: OECD.
[End of table]
The Fair Information Practices are not precise legal requirements.
Rather, they provide a framework of principles for balancing the need
for privacy with other public policy interests, such as national
security, law enforcement, and administrative efficiency. Ways to
strike that balance vary among countries and according to the type of
information under consideration.
OPM and FIS Have Implemented Privacy Protection Structures and
Policies:
The OPM Privacy Office is tasked with ensuring that the agency is in
compliance with privacy laws by providing guidance on how to implement
privacy provisions needed to protect personal information. To oversee
its implementation of privacy protections, OPM has designated its
Chief Information Officer (CIO) as its senior agency official for
privacy.[Footnote 7] The CIO, in turn, uses the Privacy Program
Manager to assist in providing oversight to ensure the agency is
complying with privacy policies and guidance. Among other things, the
Privacy Program Manager is responsible for developing policies and
procedures for the development of PIAs as well as reviewing and
recommending their approval.
Within each OPM division, information system owners are responsible
for implementing OPM's privacy policies and guidance. To assist
division-level officials in assessing potential privacy risks and
protecting personal information, OPM's Privacy Office established
guidance for conducting PIAs. The guidance includes a template
consisting of two parts: (1) an initial screening assessment tool to
determine whether system owners are required to complete a PIA and (2)
the PIA itself, which requires system owners to answer seven basic
questions about the nature of their systems in addition to their
intended uses and purposes for collecting personal information. Upon
completion of the PIA template, system owners are required to submit
PIAs to the Privacy Program Manager for evaluation and recommendation
for approval to the CIO. According to OPM guidance, the CIO is
responsible for reviewing and signing all OPM PIAs, which signify that
a PIA is complete and can be posted to OPM's Web site for public
viewing.
Additionally, OPM has developed and issued an agency-wide information
security and privacy policy for both its federal and contractor
employees to follow in protecting information resources from loss,
theft, misuse, and unauthorized access.
To supplement guidance provided by the OPM Privacy Office, FIS also
has developed a Policy on the Protection of Personally Identifiable
Information (PII) to provide employees, including contractors, with a
description of their responsibilities in protecting PII and reporting
PII breaches. FIS also requires its investigators to adhere to its
Investigator's Handbook for procedures and policies related to
conducting personnel background investigations for the federal
government. These two documents guide federal and contract
investigators in the protection of PII during the course of their
work.[Footnote 8] These documents specify procedures that align with
the Fair Information Practices. For example, the documents direct
investigators to protect PII they possess at their duty stations using
a "two-barrier" approach, such as storing it within a locked desk that
is located inside of a locked house, which aligns with the security
safeguards principle.
In addition to its policies and guidance, FIS promotes awareness of
privacy protection requirements through PII training and agency
newsletters. For example, to support the agency's initiative to reduce
privacy breaches, employees participated in a "no breach" week
initiative to help ensure that FIS policies and guidance were being
followed.
Previous Inspector General Review Recommended Improvements for the
Protection of PII:
In April 2009, the OPM Office of the Inspector General (OIG) completed
an audit of the security of PII within the FIS division and made nine
recommendations to improve the protection of these data.[Footnote 9]
The OPM OIG reviewed FIS controls for the storage, security, and
transmission of PII. The OIG's report identified, among other things,
that (1) required security awareness and PII training had not been
completed by all FIS employees and contractor staff; and (2) FIS did
not have adequate controls for ensuring that PII incidents were
reported by FIS employees and contractors in a timely manner. In
response to the OIG's recommendations, FIS recently established a
security and PII training program and required all employees and
contractors to complete PII awareness training. Furthermore, to better
ensure PII incidents are properly reported, FIS updated its incident
response procedures to require supervisors to ensure that employees
and contractors report incidents to the OPM Situation Room--the
agency's central repository for PII incidents--within 30 minutes of
identifying a breach or loss.
OPM's Background Investigation Process Involves Extensive Collection
and Use of PII:
FIS conducts background investigations using extensive amounts of PII
collected from a variety of sources. FIS uses a combination of
automated and manual steps during the course of a background
investigation. These steps can be categorized into four distinct
phases: (1) Questionnaire Submission, (2) Scheduling and Initiation,
(3) Investigation, and (4) Review. Figure 1 provides an overview of
the background investigation process delineating these four phases.
Figure 1: Key Steps in FIS's Background Investigation Process:
[Refer to PDF for image: flow chart]
1. Questionnaire Submission:
Electronic Questionnaires for Investigations Processing (e-QIP) system:
Questionnaire submitted by agency[A];
Personnel Investigations Processing System (PIPS):
Questionnaire reviewed[A]:
Complete[A]?
Yes: continue to #2;
No: Return to agency.
2. Scheduling and Initiation:
Investigation initiated[B];
National Agency Check (NAC)[B]:
FBI[A];
DOD[A];
Other agency[A].
Automated inquiries[B].
Case assigned to investigator[B].
3. Investigation:
PIPS-Reporting (PIPS-R):
Case investigated:
Federal investigator[A] or Contractor investigator[A].
4. Review:
Reviewed for completeness[A]:
Complete[A]?
Yes: Agency makes employment/clearance determination (adjudication);
No: Return case to investigation.
Source: GAO analysis of OPM data.
[A] Human interaction.
[B] Automated process.
[End of figure]
The following sections outline detailed steps and how PII is used
within each of the phases of FIS's background investigation process
and the measures taken within each phase to protect PII.
Phase 1: Questionnaire Submission:
In order to initiate an investigation, a questionnaire must be
submitted with the required information and accepted by FIS. Figure 2
shows detailed steps in the questionnaire submission phase.
Figure 2: Questionnaire Submission Phase Detailed Steps:
[Refer to PDF for image: flow chart]
1. Questionnaire Submission:
Electronic Questionnaires for Investigations Processing (e-QIP) system:
Security officer[A];
Applicant[A];
Questionnaire submitted by agency[A].
Personnel Investigations Processing System (PIPS):
Case file created[A];
Physical case file created[A];
Questionnaire reviewed by contractor[A];
Complete[A]?
Yes: Investigation initiated[B];
No: Able to correct[A]?
Yes: Questionnaire reviewed by contractor[A];
No: Questionnaire returned to agency[A].
Source: GAO analysis of OPM data.
[A] Human interaction.
[B] Automated process.
[End of figure]
1. A security officer at the requesting agency forwards to the
subject--the individual who will be investigated--an investigative
questionnaire, which seeks information on the subject's personal
history and includes identifying information such as the subject's
first and last name, Social Security number, and place and date of
birth. In addition, subjects are asked to provide personal information
on family members, friends, and other contacts. The questionnaire can
be completed either electronically using OPM's Electronic
Questionnaires for Investigations Processing (e-QIP) system or in
paper form. Most questionnaires are currently completed electronically.
2. The completed questionnaire is reviewed by the originating agency's
security office and then sent with supporting documentation, such as
fingerprints, to FIS. If a questionnaire is submitted electronically
using e-QIP, it is automatically uploaded into the Personnel
Investigations Processing System (PIPS), a FIS system containing over
15 million background investigation records of federal employees,
military personnel, and contractors used for the automated entry,
scheduling, case control, and closing of background investigations.
Should FIS receive a paper questionnaire, the information is manually
entered into PIPS.
3. Once a questionnaire is received at FIPC, a physical case file is
created that contains the questionnaire, a summary sheet,[Footnote 10]
and any documentation provided as a supplement to the questionnaire.
4. Before the investigation is initiated, the questionnaire must pass
a review by a FIS contractor for completeness and identification of
any obvious errors. If there is missing or erroneous information, or
required attachments that are missing, such as fingerprints, FIS
contractors first attempt to correct this with the agency. If this is
unsuccessful, the investigation request is returned to the agency. If
the questionnaire is deemed complete, the contractor completes the
online screening or data entry process in PIPS to initiate the
investigation.
Phase 2: Scheduling and Initiation:
After a questionnaire is accepted by FIS, the associated investigation
is scheduled and initiated. Figure 3 represents detailed steps in this
phase.
Figure 3: Scheduling and Initiation Phase Detailed Steps:
[Refer to PDF for image: flow chart]
2. Scheduling and Initiation:
Personnel Investigations Processing System (PIPS):
Investigation initiated/Goals and milestones established:
National Agency Check (NAC)[B]:
FBI[A];
DOD[A];
Other agency[A].
Automated inquiries[B].
Case assigned to investigator[B].
Source: GAO analysis of OPM data.
[A] Human interaction.
[B] Automated process.
[End of figure]
Once online screening or data entry is completed, PIPS initiates a
four-step scheduling process:
1. Goals and milestones are established for the initial security
clearance investigation to comply with statutory requirements.
Investigation timelines are based on provisions of the Intelligence
Reform and Terrorism Prevention Act of 2004, which required
adjudicative agencies to develop plans to ensure that, to the extent
practical, determinations could be made on at least 90 percent of all
applications for a security clearance within 60 days, with no longer
than 40 days allotted for the investigation and 20 days allotted for
the adjudication.[Footnote 11]
2. PIPS requests information through a National Agency Check (NAC): a
set of queries sent to national record repositories, such as OPM, the
FBI, and Department of Defense (DOD) investigation databases; and a
fingerprint-based criminal history check through the FBI.[Footnote 12]
Once the agencies have manually or electronically checked their
databases for the information, the results are returned to FIS
headquarters and stored in PIPS or in the physical case file after
being scanned into PIPS. The results returned to FIS can include FBI
fingerprint and investigation records, DOD investigations records, and
the subject's credit history.
3. PIPS automatically readies inquiries in the form of scannable
inquiries that are mailed to a variety of entities--including
universities and local law enforcement--and individuals listed as
contacts by the subject. The inquiries include questions concerning
the subject's character and what association an entity or individual
had with the subject. Once a recipient returns the completed scannable
inquiries, FIS uses high-speed scanners to upload these data into PIPS.
4. PIPS automatically assigns the investigation to a field office
based on the zip code for the activities to be covered. A supervisory
agent in charge at the office assigns the items to be completed to a
specific investigator. Often, work is assigned to multiple
investigators who are responsible for conducting the investigation.
Processes exist to reassign a case if there is a better located
investigator. The investigators assigned to conduct the field work for
the investigation may be contractors or federal employees. When the
investigator receives the assignment, he or she is provided the case
papers in hard copy or electronic form. The investigator may also
receive a summary of the NAC items once they have been completed.
Phase 3: Investigation:
Once assigned to the case, an investigator receives the case
information and conducts the investigation of the subject. The
detailed steps for the Investigation phase are displayed in Figure 4.
Figure 4: Investigation Phase Detailed Steps:
[Refer to PDF for image: flow chart]
3. Investigation:
PIPS-Reporting (PIPS-R):
Case investigated: Interviews[A] with:
Federal investigator[A] or Contractor investigator[A].
Investigation report sent for review[A].
Source: GAO analysis of OPM data.
[A] Human interaction.
[B] Automated process.
[End of figure]
1. When an investigator has been assigned a case in PIPS, he or she
can access the case information maintained in the system. The
investigator can input the results of the interviews and record checks
into templates in PIPS-Reporting (PIPS-R)--a computer application
housed on the investigator's laptop computer, which is used to
electronically document the investigation and transmit the
investigation report electronically to FIPC. PIPS-R temporarily stores
the report of investigation, while the physical case file is
maintained at FIPC.
2. Investigators gather information on the subject including data
about the subject received during interviews with the contacts listed
in the questionnaire. Investigators share limited personal information
on a subject with identified contacts during an interview. Information
obtained from these interviews includes character descriptions and
details of any criminal activities. The information is used to
determine the accuracy of subject-provided information and generate
further leads to complete an investigation. This part of the process
may take several weeks, as investigators attempt to contact and
interview multiple contacts. PIPS-R requires the investigators to
enter information into templates that allow PIPS-R to compile the
information into a report.
3. Upon completion of the investigation, the investigator closes the
case in PIPS-R and electronically transfers the data into PIPS. The
investigator then delivers the case notes to an assigned regional
investigations office, where the notes are shredded 30 days after the
case is closed. The report in PIPS-R is manually deleted by the
investigator 30 days after the case is closed.
Phase 4: Review:
Upon the completion of the field work by the investigators, a case
review is initiated to ensure the investigative report is complete.
Figure 5 outlines detailed steps in the Review phase.
Figure 5: Review Phase Detailed Steps:
[Refer to PDF for image: flow chart]
4. Review:
Personnel Investigations Processing System (PIPS):
Case reviewer determines completeness[A]:
Complete[A]? No:
Case investigated[A];
Investigation report[A];
Returned to Case reviewer[A].
Complete[A]? Yes:
Sent to Agency[A]:
Complete[A]? Yes: Agency makes employment/clearance determination
(adjudication);
Complete[A]? No:
Returned to Case reviewer[A].
Source: GAO analysis of OPM data.
[A] Human interaction.
[B] Automated process.
[End of figure]
1. A case reviewer at FIPC determines the completeness of the
investigation and identifies any inconsistencies, errors, and
omissions in the investigator's report. For example, if the
investigator did not corroborate the subject's education, the
investigator may need to interview educational sources.
2. Should the reviewer identify any discrepancies or omissions, the
case is returned to the investigator for correction, sometimes through
additional field work.
3. If the reviewer determines that the case is completed, FIS closes
the case and provides a summary report to the agency that requested
the investigation for adjudication. Currently this is done by mailing
a hard copy of the report to the agency or using electronic delivery
with agencies that have signed up for electronic dissemination.
4. The agency may return an investigation to FIS for further work if
it does not provide the information necessary to make an adjudication
decision.
5. The investigation information is kept by FIS for varying time
periods. The main case file within FIPC is scanned and saved as an
electronic image within 30 days of a case closing. After 30 days, the
physical case file, along with the investigator's notes, and PIPS-R
records are destroyed. The scanned file is maintained either
electronically or on microfilm, according to OPM's retention
guidelines, for 16 or 25 years if potentially actionable issues exist
or unless the record becomes part of a new investigation.
FIS Has Taken Steps to Ensure Privacy Policies and Procedures Meet
Statutory Requirements and Align with Fair Information Practices, but
Oversight of Implementation is Limited:
FIS has taken steps to incorporate key privacy principles into
policies and procedures that guide and direct agency officials in
performing background investigations. Specifically, FIS has complied
with requirements of the Privacy Act and E-Government Act by
publishing information on its use of PII and by conducting privacy
impact assessments of its major information systems. However, it has
not assessed the risks associated with the use of PII, an important
element of conducting a privacy impact assessment. In addition, while
FIS policies and practices for conducting investigations generally
align with the Fair Information Practices, the agency has exercised
only limited oversight of the use of PII by its field investigators
and customer agencies.
OPM Privacy Policies Meet Statutory Requirements, but the Agency does
not Assess Privacy Risks of Handling PII:
The major requirements for the protection of personal privacy by
federal agencies come from two laws, the Privacy Act of 1974 and the
privacy provisions of the E-Government Act of 2002. Under the Privacy
Act, federal agencies must issue public notices, known as System of
Records Notices (SORN), in the Federal Register identifying, among
other things, the type of data collected, the types of individuals
about whom information is collected, and procedures that individuals
can use to review and correct personal information. To address Privacy
Act requirements, OPM published two SORNs that apply to FIS's
information systems, known as the Central 9 and Internal 16 notices.
These notices include--among other things--a description of FIS's
purpose for collecting and using personal information and how
individuals can access and correct information maintained about them.
For example, both SORNs state that individuals can request access to
records by writing to FIPC.
In addition to notice requirements established by the Privacy Act,
federal agencies are tasked by the E-Government Act to conduct privacy
impact assessments (PIA) to ensure the protection of PII. As described
earlier, a PIA is an analysis of how personal information is
collected, stored, shared, and managed in a federal system. In
response to these requirements, OMB has developed guidance for
agencies on conducting PIAs.
Assessing privacy risks is an important element of a PIA intended to
help program managers and system owners determine appropriate privacy
protection policies and techniques to implement those policies. A
privacy risk analysis should be performed to determine the nature of
privacy risks and the resulting impact if corrective actions are not
in place to mitigate those risks. For example, in ensuring that
personal information is used only for specified purposes--the use
limitation principle--system owners should identify potential ways in
which unauthorized use could occur and implement privacy controls to
prevent disclosure of personal data for such uses.
OPM has developed assessments for a number of systems throughout the
agency. For example, assessments for key FIS systems such as PIPS and
e-QIP have been developed and approved by OPM's Chief Privacy Officer.
These assessments were last revised in August 2007.
Although OPM developed PIAs for each of the key FIS background
investigation systems, it did not assess the risks associated with the
handling of PII within the systems or identify mitigating controls to
address risks. For example, the assessment prepared for PIPS provided
general descriptions of system functions--such as that sources of
information will be "directly from the person to whom the information
pertains, from other people, other sources, such as databases, Web
sites, etc."--but did not include analysis of privacy risks associated
with this broad collection of personal information. Without analyzing
privacy risks, agency officials may be forgoing opportunities to
identify measures that could be taken to mitigate them and enhance
privacy protections.
Current OPM guidance on PIAs does not instruct divisions to conduct
privacy risk analysis. Instead it directs officials to answer general
questions for each system to aid OPM's Privacy Office in assessing
potential privacy risks. While OPM guidance emphasizes the need for
system owners to provide detailed information in response to
questions, the guidance does not instruct system owners to assess
privacy risks. Until the current guidance is revised to require risk
analysis and new and existing PIAs are updated to include risk
analyses, OPM will continue to have limited assurance that PII
contained in its systems is being properly protected from potential
privacy threats.
FIS Has Taken Steps to Institute Protections that Align with the Fair
Information Practices:
FIS has taken steps to include privacy protections in its procedures
for conducting background investigations. Privacy protections can be
categorized in relation to the Fair Information Practices, which, as
discussed earlier, form the basis for privacy laws such as the Privacy
Act. In a number of cases, the protections instituted by FIS can be
aligned with the Fair Information Practices. For example, the agency's
publication of privacy notices addresses the openness and individual
participation principles. The principles can be applied in varying
degrees to all FIS activities that involve PII. The following are
selected FIS procedures that illustrate specific ways in which the
Fair Information Practices have been addressed.
* Collection limitation. FIS investigators are directed to limit the
PII they collect and include in their investigation reports to
information directly relevant to the assigned investigation.
Investigators do not report PII in the investigation reports unless
they develop information that varies from the subject-provided
information. If an investigator collects information that is not
vital, he or she is to destroy the information at the end of the
investigation. This information is included with the investigator's
notes and returned to the supervisor's office when the investigator
has completed his or her portion of the case. The information is then
destroyed 30 days after the case is closed. This aligns with the
principle that the collection of PII should be limited.
* Data quality. When FIS receives a hard copy questionnaire, two
personnel input the same PII data into PIPS. The system then confirms
that both inputs match exactly before uploading the questionnaire data
into PIPS, thus helping to ensure that the information provided in the
hard copy questionnaire is correctly transferred to the electronic
system. Additionally, FIS officials review the final investigation
report prior to its delivery to the customer agency in order to ensure
that the investigator took all of the steps necessary to conduct the
investigation and that there are no errors or omissions in the report.
Finally, in an effort to ensure completeness of an investigation, a
customer agency can request additional investigative work be conducted
by FIS if it identifies inaccuracies in the final investigation report
or areas that require additional information prior to making an
adjudication decision. This aligns with the principle that the
collected information should be accurate and complete.
* Purpose specification. Questionnaire forms used by FIS--such as the
Standard Form 86--include disclaimer language that informs the subject
that the information he or she provides will only be used for the
purpose of the specific background investigation and lists the reasons
the information may be disclosed. Further, automated inquiry forms
sent out during the Scheduling and Initiation phase contain disclaimer
language that specifies that information provided on the forms will be
used solely for the related investigation. This aligns with the
principle that the purposes of an information collection should be
disclosed before collection.
* Use limitation. FIS agreements with customer agencies limit how
background investigation reports may be used by stating that
information provided by FIS should be used only for the purpose of
adjudication. Additionally, all attempts to access case files within
PIPS (e.g., viewing or editing) are recorded in an automated log file.
These logs are reviewed daily by FIS personnel to identify
unauthorized access attempts that violate agency restrictions on use.
This aligns with the principle that the information should not be
disclosed or used for anything other than the specified purpose.
* Security safeguards. FIS uses a collection of security safeguards to
protect and control access to PII located physically at FIPC. Physical
security controls and processes include (1) screening individuals with
metal detectors and x-ray machines prior to entry to the facility; (2)
using electronically coded cards and badges to grant access to the
room containing hard copies of active case files; (3) checking
manifests of case files mailed to other facilities to ensure that the
contents of the files have not changed; and (4) ensuring the proper
destruction of investigative materials with locked disposal bins and
supervised shredding by a FIS official. FIS officials also reported
that a number of information security measures are used to protect
personal information maintained in FIS systems.[Footnote 13] For
example, FIS policy requires that access to PIPS is to be limited to
officials who are authorized by their respective agencies' security
offices and have appropriate background investigations.[Footnote 14]
The system is also to restrict agency user access to information from
cases they have been specifically authorized to review. Furthermore,
officials stated that annual security assessments are conducted on all
FIS systems to ensure that they are compliant with governmentwide
information security control standards, including National Institute
of Standards and Technology (NIST) Special Publication 800-53[Footnote
15] and Federal Information Processing Standard (FIPS) 140-2.[Footnote
16] This aligns with the principle that information should be
protected with security safeguards against risks such as unauthorized
access, use, or modification.
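The PIPS access logging and case-level authorization restriction described above, as an added Python example that is not OPM's or FIS's code: it reads a constructed access log, compares each access on the review day against a constructed per-user case authorization table, and reports both denied attempts and allowed accesses for which no authorization is on record. The log format, field names, user names and case identifiers are all assumptions; the report does not describe PIPS's actual log format.

```python
"""Daily review of a case-file access log against per-user case authorizations.

Added example, not OPM's or FIS's code. The log format, the field names and
the sample records below are constructed for illustration.
"""
from __future__ import annotations

import csv
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from io import StringIO

# Constructed sample: which users are authorized to view which case ids.
# The report says agency security offices grant such authorizations; the
# table format here is an assumption.
AUTHORIZATIONS: dict[str, set[str]] = {
    "agencyA.smith": {"C-1001", "C-1002"},
    "agencyB.jones": {"C-2001"},
    "fis.reviewer1": {"C-1001", "C-1002", "C-2001", "C-3001"},
}

# Constructed sample access log (hypothetical format): one record per attempt.
SAMPLE_LOG = """\
timestamp,user,case_id,action,outcome
2010-05-21T08:02:11,agencyA.smith,C-1001,view,allowed
2010-05-21T08:05:40,agencyA.smith,C-2001,view,denied
2010-05-21T09:15:03,agencyB.jones,C-2001,edit,allowed
2010-05-21T10:30:27,agencyB.jones,C-1002,view,allowed
2010-05-21T11:00:00,unknown.user,C-3001,view,denied
2010-05-21T13:45:19,fis.reviewer1,C-3001,edit,allowed
2010-05-20T23:59:59,agencyA.smith,C-9999,view,denied
"""


@dataclass(frozen=True)
class Finding:
    timestamp: datetime
    user: str
    case_id: str
    action: str
    outcome: str
    reason: str


def parse_log(text: str) -> list[dict[str, str]]:
    """Parse the CSV access log into one dict per record."""
    return list(csv.DictReader(StringIO(text)))


def review_access_log(text: str, authorizations: dict[str, set[str]],
                      review_day: date) -> list[Finding]:
    """Return every access on review_day that conflicts with the authorization table.

    Two kinds of findings are produced:
      * a denied attempt (the system refused the access), and
      * an allowed access to a case the user has no recorded authorization for,
        which matters most because the system let it through.
    """
    findings: list[Finding] = []
    for rec in parse_log(text):
        ts = datetime.fromisoformat(rec["timestamp"])
        if ts.date() != review_day:
            continue  # only the day under review
        user, case_id = rec["user"], rec["case_id"]
        allowed_cases = authorizations.get(user, set())
        if rec["outcome"] == "denied":
            reason = "denied attempt"
        elif case_id not in allowed_cases:
            reason = "allowed access without recorded authorization"
        else:
            continue  # authorized and allowed: nothing to report
        findings.append(Finding(ts, user, case_id, rec["action"],
                                rec["outcome"], reason))
    return findings


def summarize_by_user(findings: list[Finding]) -> dict[str, int]:
    """Count findings per user so the reviewer sees repeat offenders first."""
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f.user] += 1
    return dict(counts)


if __name__ == "__main__":
    day = date(2010, 5, 21)
    for f in review_access_log(SAMPLE_LOG, AUTHORIZATIONS, day):
        print(f"{f.timestamp.isoformat()} {f.user:<16} {f.case_id} "
              f"{f.action:<5} {f.outcome:<8} {f.reason}")
    print(summarize_by_user(review_access_log(SAMPLE_LOG, AUTHORIZATIONS, day)))
```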
FIS Oversight of the Implementation of Privacy Protections is Limited:
Although FIS has established a number of privacy protection measures
for its investigations program that reflect the Fair Information
Practices, it has taken limited steps to oversee its field
investigators and customer agencies to ensure they are implementing
the measures appropriately. Such oversight would align with the
accountability principle, which states that individuals controlling
the collection or use of PII should be accountable for ensuring the
implementation of the Fair Information Practices. Without such
oversight, it is unclear whether the agency's protection measures are
being properly implemented.
FIS Has Not Ensured that Investigators are Following PII Protection
Policies and Procedures:
In recent years, field investigators have been involved in over 80
percent of reported incidents of lost or stolen paper files in the FIS
division (see figure 6). As previously discussed, the more than 7,000
field investigators who conduct background investigations for OPM
collect and are responsible for safeguarding extensive amounts of PII.
As a result, these field investigators are key to ensuring that PII is
properly protected, especially when it is in paper form.
Figure 6: Reported Incidents of Lost or Stolen Paper Files Associated
with Background Investigations:
[Refer to PDF for image: stacked vertical bar graph]
Number of reported incidents:
Fiscal year: 2008;
Involving field investigators: 76;
Not involving field investigators: 10;
Total: 86.
Fiscal year: 2009;
Involving field investigators: 53;
Not involving field investigators: 6;
Total: 59.
Fiscal year: 2010 (as of 5-21-10);
Involving field investigators: 14;
Not involving field investigators: 3;
Total: 17.
Sources: Federal Investigative Services division, OPM.
[End of figure]
Recently, FIS has taken steps to promote better accountability for the
protection of personal information provided to and received from
investigators. This includes providing training to all employees and
holding a "No PII Loss Week," during which all staff were encouraged
to focus on proper handling and storing of PII in their possession.
Oversight of these investigators and FIS employees can ensure that
appropriate protections are being implemented for the PII contained in
investigative files. Recent recommendations by the OPM OIG highlight
the importance of such oversight.[Footnote 17] In response to
recommendations by the OIG to conduct oversight, FIS officials began
conducting periodic checks of documents received from investigators
once an investigation is closed to encourage a full and proper
accounting of PII.
However, FIS officials had not monitored whether investigators are
following agency policies described in the Investigator's Handbook and
the Policy On The Protection Of Personally Identifiable Information
(PII) for handling PII while investigative activity is underway.
Officials from the agency's oversight groups responsible for federal
and contract investigators said they used other methods for
determining investigators' adherence to PII protection requirements.
For example, officials stated the investigators are required to report
to their supervisors daily on the case information or other PII they
have with them during the course of their work. This is to account for
the information they have on hand if there is a loss or the
investigator becomes incapacitated due to an accident or medical
emergency. The tallies provided by the investigators are intended to
allow their supervisors to account for all such information. In
addition, officials from FIS oversight units recently began conducting
physical audits of regional field offices to determine compliance with
PII requirements.
Although these recent efforts may increase assurance that
investigators are adequately accounting for the investigative files in
their possession, no process currently exists to monitor
investigators' compliance with FIS privacy protection policies as they
perform their field work. For example, FIS does not have procedures
for examining how investigators protect information while traveling to
conduct interviews or how they ensure that only appropriate
information is being gathered. Without an oversight mechanism to
ensure investigators' adherence to PII protection policies during
investigations--such as through periodic, structured evaluations by
supervisors--the agency lacks assurance that sensitive information is
being handled appropriately during this critical phase of the
background investigation process.
FIS Has Not Monitored Customer Agencies' Implementation of Privacy
Protections:
We previously reported on the federal legal framework for privacy
protection, including issues and challenges associated with ensuring
compliance with privacy protections when PII is transferred among
agencies.[Footnote 18] We highlighted the need for an effective
oversight structure to monitor how PII is protected. For example,
requiring agencies to establish agreements with external government
entities before sharing PII is a practical method that enables an
agency's privacy controls to be forwarded to its recipients, thus
offering assurance that personal information is adequately protected
from privacy risks following the data transfer. Designating entities
within those agreements who are responsible for ensuring the proper
implementation of privacy requirements is also consistent with the
Fair Information Practice of accountability, which calls for those who
control the collection or use of personal information to be held
accountable for taking steps to ensure it is protected.
FIS relies on memoranda of understanding (MOU) with its customer
agencies to establish procedures and policies for protecting PII
related to background investigation case files, and these agreements
specifically designate OPM as being responsible for ensuring that
customer agencies comply with the requirements of the Privacy Act when
handling PII received from OPM. Within these agreements, FIS outlines,
among other things, system security controls, appropriate uses of
investigative information, and other provisions for adherence to the
Privacy Act. For example, the agency's e-Delivery system--an
information system used to electronically assemble and deliver closed
case files from FIS to requesting agencies--includes a description of
security and privacy expectations and responsibilities necessary for
agencies to utilize the system.
However, OPM has not taken any steps to carry out its responsibility
for ensuring that personal information is protected at customer
agencies. Specifically, it does not monitor customer agencies'
adherence to the requirements agreed upon through the MOUs. FIS
officials stated that they visit customer agencies on a recurring
basis to review other aspects of the agreements but that reviews of
customer agencies' privacy protection measures take place only if a
potential compromise of PII has been identified. Although these
frequent visits to customer agencies provide opportunities for OPM to
ensure that customer agencies are protecting PII properly, without
focusing on privacy protections outlined within the MOUs as a key
element of its established process, OPM may not be meeting its
responsibility to ensure that agencies comply with the requirements of
the MOU. As a result, OPM may not have reasonable assurance that the
personal information contained within background investigation files
is being appropriately used and adequately protected by customer
agencies.
Conclusions:
OPM and FIS have incorporated key privacy principles into their
processes and documentation that guide agency officials in the
performance of background investigations. Key agency activities
include measures addressing the Fair Information Practices, and steps
have been taken to meet requirements of the Privacy Act and the
E-Government Act.
However, limited oversight of the implementation of key processes
reduces assurances that PII is properly protected. Current OPM
guidance does not require assessments of the privacy impact of FIS
systems to be accompanied by privacy risk analyses. Until the guidance
requires privacy risk analyses with PIAs and existing PIAs are revised
to include privacy risk analyses, OPM will continue to have limited
assurance that PII contained in its systems is being properly
protected.
While FIS has policies and procedures to protect PII used by its field
investigators, there is no process to assess the level of protection
of PII provided by these investigators while investigative activity is
underway. Without an oversight mechanism that directly assesses
investigators' adherence to OPM PII protection policies, the agency
lacks assurance that PII is being properly protected.
Finally, OPM does not actively monitor customer agency adherence to
requirements for protecting PII as established in MOUs it has with its
customers. As a result, FIS may not have reasonable assurance that the
personal information contained within background investigation files
is being appropriately used and adequately protected by customer
agencies.
Recommendations for Executive Action:
To ensure that appropriate privacy protections are in place during all
stages of a background investigation, we recommend that the Director
of the OPM take the following four actions:
* develop guidance for privacy impact assessments that directs agency
officials to perform an analysis of privacy risks and identify
mitigating techniques for all FIS systems that access, use, or
maintain PII;
* ensure that all existing PIAs are revised to adhere to this guidance;
* perform periodic, structured evaluations to ensure that field
investigators handle and protect PII according to agency policies and
procedures while conducting their investigations; and
* develop and implement procedures for monitoring customer agencies'
adherence to the privacy provisions agreed to within memoranda of
understanding.
Agency Comments and Our Evaluation:
In written comments on a draft of this report transmitted via e-mail
by the GAO audit liaison, OPM agreed with our recommendations.
However, OPM disagreed with the report's finding regarding protection
of PII by field investigators, stating that it was written in a way
that suggested that there is no oversight or monitoring. OPM noted
that it recently implemented procedures for checking compliance by
both federal and contract investigators to agency PII protection
requirements. OPM requested that language in the report be modified to
recognize these recent efforts.
We adjusted language within our report to clarify the nature of OPM's
oversight activities at the time of our review. In addition, the draft
report highlighted such recent efforts by FIS to monitor investigator
compliance, including daily checks by supervisors of investigator
inventories of case information and the division's recently developed
program for conducting physical audits of regional field offices to
determine compliance with PII requirements. Nevertheless, these recent
efforts by FIS have yet to demonstrate that investigators are
monitored for compliance while conducting investigations. For example,
FIS had yet to develop procedures for examining how investigators
protect information while traveling to conduct interviews or how they
ensure that only appropriate information is being gathered.
In addition, OPM provided technical comments that were addressed as
appropriate.
As agreed with your office, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days
from the report date. We will then send copies of this report to
interested congressional committees and the Director of the Office of
Personnel Management. The report also is available at no charge on the
GAO Web site at [hyperlink, http://www.gao.gov].
If you or your staff have any questions regarding this report, please
contact me at (202) 512-6244 or at wilshuseng@gao.gov. Contact points
for our Offices of Congressional Relations and Public Affairs may be
found on the last page of this report. Key contributors to this report
are listed in appendix II.
Signed by:
Gregory C. Wilshusen:
Director, Information Security Issues:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
Our objectives were to determine:
* how the Office of Personnel Management (OPM) uses personally
identifiable information (PII)[Footnote 19] in conducting background
investigations, and
* the extent to which OPM's privacy policies and procedures for
protecting PII related to investigations meet statutory requirements
and align with widely accepted privacy practices.
To address our first objective, we identified key steps in the
agency's background investigation process by analyzing OPM and Federal
Investigative Services (FIS) division policies, procedures, and
guidance; conducting site visits of FIS headquarters at the Federal
Investigations Processing Center (FIPC) in Boyers, Pennsylvania; and
interviewing FIS officials involved in overseeing and conducting key
steps in the process located at FIPC and at OPM headquarters. We
compiled a four-phase description of the investigation process and
confirmed the accuracy of its contents with FIS officials in an
iterative fashion.
To address our second objective, we reviewed OPM and FIS privacy
policies and procedures and analyzed agency actions to (1) comply with
the Privacy Act of 1974 and the E-Government Act of 2002 and (2) align
with the Fair Information Practices, a set of widely accepted privacy
principles. We interviewed OPM's Chief Information Officer in order to
obtain information on OPM policies and procedures on the protection of
PII and how OPM monitors compliance with its privacy policies and
procedures. We also interviewed key FIS officials, including those
from the agency's Field Management Oversight Group, Contract
Development and Oversight Group, and the Memorandum of
Understanding/Liaisons Group, to discuss their practices and
procedures for protecting personal information when performing their
oversight responsibilities. Additionally, we reviewed previous GAO and
OPM Office of the Inspector General reports pertinent to engagement
objectives.
We conducted this performance audit from October 2009 to September
2010 in the Washington, D.C., and Boyers, Pennsylvania, areas, in
accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objectives.
[End of section]
Appendix II: GAO Contact and Staff Acknowledgments:
GAO Contact:
Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov:
Staff Acknowledgments:
In addition to the contact above, John de Ferrari, Assistant Director;
Sher'rie Bacon; Neil Doherty; Matthew Grote; Nicholas Marinos; Lee
McCracken; David Plocher; and Jeffrey Woodward made key contributions
to this report.
[End of section]
Footnotes:
[1] Moderate and high-risk positions refer to the potential for
moderate or exceptionally serious impact to the integrity and
efficiency of the service.
[2] The White House, Exec. Order No. 12958, Classified National
Security Information, § 1.3 (Apr. 17, 1995) (as amended), 5 C.F.R.
§1312.4 (2008).
[3] For purposes of this report, the terms personal information and
personally identifiable information are used interchangeably to refer
to any information about an individual maintained by an agency,
including (1) any information that can be used to distinguish or trace
an individual's identity, such as name, Social Security number, date
and place of birth, mother's maiden name, or biometric records, and
(2) any other information that is linked or linkable to an individual,
such as medical, educational, financial, and employment information.
[4] OMB, Guidance for Implementing the Privacy Provisions of the
E-Government Act of 2002, Memorandum M-03-22 (Washington, D.C., Sept.
26, 2003).
[5] U.S. Department of Health, Education, and Welfare, Records,
Computers and the Rights of Citizens: Report of the Secretary's
Advisory Committee on Automated Personal Data Systems (Washington,
D.C., July 1973).
[6] OECD, Guidelines on the Protection of Privacy and Transborder Flow
of Personal Data (Sept. 23, 1980). OECD plays a prominent role in
fostering good governance in the public service and in corporate
activity among its 30 member countries. It produces internationally
agreed-upon instruments, decisions, and recommendations to promote
rules in areas where multilateral agreement is necessary for
individual countries to make progress in the global economy.
[7] As directed by OMB Memorandum M-05-08, the senior agency official
for privacy is responsible for, among other things, ensuring agency
compliance with all federal privacy laws and has responsibility for
playing a central policy-making role in the development of policy
proposals that implicate privacy issues.
[8] OPM, Investigator's Handbook (July 2007); OPM, Policy on the
Protection of Personally Identifiable Information (PII) (Nov. 15,
2009).
[9] OPM OIG, Audit of the Security of Personally Identifiable
Information in the Federal Investigative Service Division of the U.S.
Office of Personnel Management, Report No. 4A-IS-00-08-014 (Apr. 21,
2009).
[10] The summary sheet allows FIS contractors to quickly see the case
number, the name of the subject, and if there are any attachments with
the questionnaire.
[11] Pub. L. No. 108-458, § 3001(g) (2004). Executive Order 13467
defines adjudication as the evaluation of pertinent data in a
background investigation, as well as any other available information
that is relevant and reliable, to determine whether an individual is
(1) suitable for government employment; (2) eligible for logical and
physical access; (3) eligible for access to classified information;
(4) eligible to hold a sensitive position; or (5) fit to perform work
for or on behalf of the government as a contractor employee.
[12] Other sources can include military personnel records, official
personnel folders and information obtained from Citizenship and
Immigration Services, investigative agencies, federal agency security
offices, and the Central Intelligence Agency.
[13] Due to the scope of our review, we did not test the effectiveness
of physical and information security controls.
[14] An approved user located at FIPC can directly access the system
using his or her assigned unique username and password. If accessing
the system remotely, users are required to log into a FIS Web portal
prior to logging onto PIPS.
[15] National Institute of Standards and Technology, Information
Security: Recommended Security Controls for Federal Information
Systems, NIST Special Publication 800-53 (Gaithersburg, Md., August
2009).
[16] National Institute of Standards and Technology, Security
Requirements for Cryptographic Modules, FIPS PUB 140-2 (Gaithersburg,
Md., May 25, 2001).
[17] OPM OIG, Audit of the Security of Personally Identifiable
Information in the Federal Investigative Service Division of the U.S.
Office of Personnel Management, Report No. 4A-IS-00-08-014 (Apr. 21,
2009).
[18] GAO, Privacy: Alternatives Exist for Enhancing Protection of
Personally Identifiable Information, [hyperlink,
http://www.gao.gov/products/GAO-08-536] (Washington, D.C.: May 19,
2008).
[19] For purposes of this report, the terms personal information and
personally identifiable information are used interchangeably to refer
to any information about an individual maintained by an agency,
including (1) any information that can be used to distinguish or trace
an individual's identity, such as name, Social Security number, date
and place of birth, mother's maiden name, or biometric records, and
(2) any other information that is linked or linkable to an individual,
such as medical, educational, financial, and employment information.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO's actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO's Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: