DHS Privacy Office:

Progress Made but Challenges Remain in Notifying and Reporting to the Public

GAO-07-522: Published: Apr 27, 2007. Publicly Released: May 29, 2007.

Additional Materials:

Contact:

Gregory C. Wilshusen
(202) 512-6240
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Department of Homeland Security (DHS) Privacy Office was established with the appointment of the first Chief Privacy Officer in April 2003, as required by the Homeland Security Act of 2002. The Privacy Office's major responsibilities include: (1) reviewing and approving privacy impact assessments (PIA)--analyses of how personal information is managed in a federal system, (2) integrating privacy considerations into DHS decision making, (3) ensuring compliance with the Privacy Act of 1974, and (4) preparing and issuing annual reports and reports on key privacy concerns. GAO's objective was to examine progress made by the Privacy Office in carrying out its statutory responsibilities. GAO did this by comparing statutory requirements with Privacy Office processes, documents, and activities.

The DHS Privacy Office has made significant progress in carrying out its statutory responsibilities under the Homeland Security Act and its related role in ensuring compliance with the Privacy Act of 1974 and E-Government Act of 2002, but more work remains to be accomplished. Specifically, the Privacy Office has made significant progress by establishing a compliance framework for conducting PIAs, which are required by the E-Gov Act. The framework includes formal written guidance, training sessions, and a process for identifying affected systems. The framework has contributed to an increase in the quality and number of PIAs issued as well as the identification of many more affected systems. The resultant workload is likely to prove difficult to process in a timely manner. Designating privacy officers in certain DHS components could help speed processing of PIAs, but DHS has not yet taken action to make these designations. The Privacy Office has also taken actions to integrate privacy considerations into the DHS decision-making process by establishing an advisory committee, holding public workshops, and participating in policy development. However, limited progress has been made in updating public notices required by the Privacy Act for systems of records that were in existence prior to the creation of DHS. These notices should identify, among other things, the type of data collected, the types of individuals about whom information is collected, and the intended uses of the data. Until the notices are brought up-to-date, the department cannot assure the public that the notices reflect current uses and protections of personal information. Further, the Privacy Office has generally not been timely in issuing public reports. For example, a report on the Multi-state Anti-Terrorism Information Exchange program--a pilot project for law enforcement sharing of public records data--was not issued until long after the program had been terminated. Late issuance of reports has a number of negative consequences, including a potential reduction in the reports' value and erosion of the office's credibility.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: GAO has verified as of September 2010 that, in response to GAO's recommendation, DHS has continuously published privacy reports on an annual schedule to Congress from 2007 through 2010. By consistently issuing annual reports on a regular schedule, DHS's privacy office has improved it process for issuing its public reports on a timely basis as required by law.

    Recommendation: The Secretary of Homeland Security should establish a schedule for the timely issuance of Privacy Office reports (including annual reports), which appropriately consider all aspects of report development, including departmental clearance.

    Agency Affected: Department of Homeland Security

  2. Status: Closed - Implemented

    Comments: GAO verified as of September 2010 that, in response to GAO's recommendation, DHS has implemented a department-wide process for the biennial review of system of records notices (SORN). According to DHS's June 2010 response, DHS has reissued majority of its SORNs as part of its biennial review process; which includes a checklist for component privacy officers to identify specific issues which may trigger the need to update program SORNs. Further, DHS officials stated that the Privacy Office's compliance tracking system is used in addition to the biennial review process to track SORNs that are due for the review process.

    Recommendation: The Secretary of Homeland Security should implement a department-wide process for the biennial review of system-of-records notices, as required by the Office of Management and Budget.

    Agency Affected: Department of Homeland Security

  3. Status: Closed - Implemented

    Comments: The following components have designated full-time privacy officers: Customs and Borders Protection (CBP), Federal Emergency Management Agency (FEMA), Intelligence and Analysis (I&A), Immigrations and Customs Enforcement (ICE), National Protection and Programs Directorate (NPPD),Science and Technology Directorate (S&T), Transportation Security Administration (TSA), US Coast Guard (USCG), US Citizenship and Immigration Services (USCIS), US Secret Service (USSS), and US Visitor and Immigrant Status Indicator Technology (US-VISIT). This satisfies the recommendation

    Recommendation: The Secretary of Homeland Security should designate full-time privacy officers at key DHS components, such as Customs and Border Protection, the U.S. Coast Guard, Immigration and Customs Enforcement, and the Federal Emergency Management Agency.

    Agency Affected: Department of Homeland Security

  4. Status: Closed - Implemented

    Comments: In April 2007, we reported on the progress of the DHS Privacy Office in carrying out its statutory responsibilities under the Homeland Security Act and its related role in ensuring E-Gov Act compliance. We noted that while they made significant progress, more work remains to be done. More specifically, we recommended that the Secretary of DHS ensure that the Privacy Office's annual reports to Congress contain a specific discussion of complaints of privacy violations. In response to our recommendation, DHS has included a discussion of privacy complaints in its 2006-2007 annual report. Furthermore, according to a DHS official, all future annual reports will include a similar section. The addition of the privacy complaints section will ensure that the DHS Privacy Office is fully meeting legal requirements, and will also increase office transparency to the public and special interest groups as it relates to privacy complaint handling and response.

    Recommendation: The Secretary of Homeland Security should ensure that the Privacy Office's annual reports to Congress contain a specific discussion of complaints of privacy violations, as required by law.

    Agency Affected: Department of Homeland Security

 

Explore the full database of GAO's Open Recommendations »

Nov 6, 2014

Oct 14, 2014

Sep 30, 2014

Sep 24, 2014

Sep 18, 2014

Sep 17, 2014

Sep 10, 2014

Sep 9, 2014

Looking for more? Browse all our products here