Privacy: Agencies Should Ensure That Designated Senior Officials Have Oversight of Key Functions

GAO-08-603 May 30, 2008
Highlights Page (PDF) | Full Report (PDF, 42 pages) | Accessible Text | Recommendations (HTML)

Summary

Government agencies have a long-standing obligation under the Privacy Act of 1974 to protect the privacy of individuals about whom they collect personal information. A number of additional laws have been enacted in recent years directing agency heads to designate senior officials as focal points with overall responsibility for privacy. GAO was asked to (1) describe laws and guidance that set requirements for senior privacy officials within federal agencies, and (2) describe the organizational structures used by agencies to address privacy requirements and assess whether senior officials have oversight over key functions. To achieve these objectives, GAO analyzed the laws and related guidance and analyzed policies and procedures relating to key privacy functions at 12 agencies.

Federal laws set varying roles and responsibilities for senior agency privacy officials. Despite much variation, all of these laws require covered agencies to assign overall responsibility for privacy protection and compliance to a senior agency official. In addition, Office of Management and Budget guidance directs agencies to designate a senior agency official for privacy with specific responsibilities. The specific privacy responsibilities defined in these laws and guidance can be grouped into six broad categories: (1) conducting privacy impact assessments (which are intended to ensure that privacy requirements are addressed when personal information is collected, stored, shared, and managed in a federal system), (2) complying with the Privacy Act, (3) reviewing and evaluating the privacy implications of agency policies, (4) producing reports on the status of privacy protections, (5) ensuring that redress procedures to handle privacy inquiries and complaints are in place, and (6) ensuring that employees and contractors receive appropriate training. The laws and guidance vary in how they frame requirements in these categories and which agencies must adhere to them. Agencies also have varying organizational structures to address privacy responsibilities. For example, of the 12 agencies we reviewed, 2 had statutorily designated chief privacy officers who also served as senior agency officials for privacy, 5 designated their agency chief information officers as their senior privacy officials, and the others designated a variety of other officials, such as the general counsel or assistant secretary for management. Further, not all of the agencies we reviewed had given their designated senior officials full oversight over all privacy-related functions. While 6 agencies had these officials overseeing all key privacy functions, 6 others relied on other organizational units not overseen by the designated senior official to perform certain key privacy functions. 
The fragmented way in which privacy functions were assigned to organizational units in these agencies is at least partly the result of evolving requirements in law and guidance. However, without oversight of all key privacy functions, designated senior officials may be unable to effectively serve as agency central focal points for information privacy.



Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Gregory C. Wilshusen
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6240


Recommendations for Executive Action


Recommendation: In order to ensure that their senior agency officials for privacy (SAOP) function effectively as central focal points for privacy management, the Attorney General and the Secretaries of Commerce, Defense, Health and Human Services, Labor, and Treasury should take steps to ensure that their SAOPs have oversight over all key privacy functions.

Agency Affected: Department of Commerce

Status: Open

Comments: In our report, we found that the senior agency official for privacy at the Department of Commerce, the Chief Information Officer, has oversight over all key privacy functions except for Privacy Act compliance and redress. In an email response sent September 1, 2009, the Department of Commerce maintained the position stated in its official comments on the report: specifically, that applicable law does not require that the administration of the Privacy Act be consolidated with other privacy functions under the Office of the Chief Information Officer. The Department stated that without direct requirements instructing the agency to do so, it does not believe that the current oversight arrangement should be altered.

Agency Affected: Department of Defense

Status: Open

Comments: In its August 1, 2008, letter, DOD stated that the apparent success of the Department's current solution supports taking no further action based on the recommendations in our report.

Agency Affected: Department of Health and Human Services

Status: Open

Comments: In our report, we found that the senior agency official for privacy at the Department of Health and Human Services, the Chief Information Officer, has oversight over 3 of the 6 key privacy functions. The remaining three, Privacy Act compliance, policy consultation, and redress, are divided between two component organizations. The Department stated that, based on its review, the SAOP is adequately involved in 5 of the 6 functions. With regard to the remaining function, redress, the Department is currently reviewing how to further involve the agency's SAOP in the agency's redress activities. We were informed by an agency official that documentation supporting these assertions would be available in mid-October 2009.

Agency Affected: Department of Justice

Status: Open

Comments: In our report, we found that the senior agency official for privacy at the Department of Justice, the Chief Privacy and Civil Liberties Officer, has oversight over all key privacy functions except for redress, which is handled by the individual component organizations. Since then, the agency has taken steps to ensure that the SAOP has oversight of the agency's redress activities. For example, the department has amended its regulations to reflect that the SAOP has authority over all of the agency's Privacy Act amendment appeals. In addition, to ensure that the SAOP does in fact have oversight over these appeals, the agency has agreed that the SAOP will review all appeals involving the application of exemptions. We are currently awaiting documentation to support these assertions.

Agency Affected: Department of Labor

Status: Open

Comments: In our report, we found that the senior agency official for privacy at the Department of Labor, the Chief Information Officer, has oversight over 3 of the 6 key privacy functions. The remaining three, Privacy Act compliance, policy consultation, and training, are handled by another component organization, the Office of the Solicitor. The Department maintains the position asserted in its official comments on our report: specifically, that the joint efforts between the SAOP and the Office of the Solicitor meet the key privacy function oversight responsibilities we described in our report. As such, the agency does not believe that the current oversight arrangement should be altered.

Agency Affected: Department of the Treasury

Status: Open

Comments: As of September 24, 2009, the Department of the Treasury has yet to respond to our inquiry or provide an update on the status of this recommendation.
