Privacy:
Agencies Should Ensure That Designated Senior Officials Have Oversight of Key Functions
GAO-08-603, May 30, 2008
Government agencies have a long-standing obligation under the Privacy Act of 1974 to protect the privacy of individuals about whom they collect personal information. A number of additional laws have been enacted in recent years directing agency heads to designate senior officials as focal points with overall responsibility for privacy. GAO was asked to (1) describe laws and guidance that set requirements for senior privacy officials within federal agencies, and (2) describe the organizational structures used by agencies to address privacy requirements and assess whether senior officials have oversight over key functions. To achieve these objectives, GAO analyzed the laws and related guidance and analyzed policies and procedures relating to key privacy functions at 12 agencies.
Federal laws set varying roles and responsibilities for senior agency privacy officials. Despite much variation, all of these laws require covered agencies to assign overall responsibility for privacy protection and compliance to a senior agency official. In addition, Office of Management and Budget guidance directs agencies to designate a senior agency official for privacy with specific responsibilities. The specific privacy responsibilities defined in these laws and guidance can be grouped into six broad categories: (1) conducting privacy impact assessments (which are intended to ensure that privacy requirements are addressed when personal information is collected, stored, shared, and managed in a federal system), (2) complying with the Privacy Act, (3) reviewing and evaluating the privacy implications of agency policies, (4) producing reports on the status of privacy protections, (5) ensuring that redress procedures to handle privacy inquiries and complaints are in place, and (6) ensuring that employees and contractors receive appropriate training. The laws and guidance vary in how they frame requirements in these categories and which agencies must adhere to them. Agencies also have varying organizational structures to address privacy responsibilities. For example, of the 12 agencies we reviewed, 2 had statutorily designated chief privacy officers who also served as senior agency officials for privacy, 5 designated their agency chief information officers as their senior privacy officials, and the others designated a variety of other officials, such as the general counsel or assistant secretary for management. Further, not all of the agencies we reviewed had given their designated senior officials full oversight over all privacy-related functions. While 6 agencies had these officials overseeing all key privacy functions, 6 others relied on other organizational units not overseen by the designated senior official to perform certain key privacy functions. 
The fragmented way in which privacy functions were assigned to organizational units in these agencies is at least partly the result of evolving requirements in law and guidance. However, without oversight of all key privacy functions, designated senior officials may be unable to effectively serve as agency central focal points for information privacy.
Recommendations for Executive Action
Recommendation: In order to ensure that their senior agency officials for privacy (SAOP) function effectively as central focal points for privacy management, the Attorney General and the Secretaries of Commerce, Defense, Health and Human Services, Labor, and Treasury should take steps to ensure that their SAOPs have oversight over all key privacy functions.
Agency Affected: Department of Health and Human Services
Status: Closed - Implemented
Comments: In our report, we found that the senior agency official for privacy at the Department of Health and Human Services, the Chief Information Officer, has oversight over 3 of the 6 key privacy functions, but not policy consultation, Privacy Act compliance or redress. Officials, in response to our recommendations, have provided additional information and documentation that shows the Senior Agency Official for Privacy has oversight over all 3 (policy consultation and Privacy Act compliance) of these 3 remaining key privacy functions. The provided documentation has addressed the recommendations.
Recommendation: In order to ensure that their senior agency officials for privacy (SAOP) function effectively as central focal points for privacy management, the Attorney General and the Secretaries of Commerce, Defense, Health and Human Services, Labor, and Treasury should take steps to ensure that their SAOPs have oversight over all key privacy functions.
Agency Affected: Department of Justice
Status: Closed - Implemented
Comments: In our report, we found that the senior agency official for privacy at the Department of Justice, the Chief Privacy and Civil Liberties Officer, has oversight over all key privacy functions except for redress, which is handled by the individual component organizations. Since then, the agency has taken steps to ensure that the SAOP has oversight of the agency's redress activities. In their January 2010 Policy, the department states that the SAOP works with and oversees the component privacy officers. The policy goes on to outline the responsibilities of these component privacy officers, including the responsibility for providing redress.
Recommendation: In order to ensure that their senior agency officials for privacy (SAOP) function effectively as central focal points for privacy management, the Attorney General and the Secretaries of Commerce, Defense, Health and Human Services, Labor, and Treasury should take steps to ensure that their SAOPs have oversight over all key privacy functions.
Agency Affected: Department of Labor
Status: Closed - Not Implemented
Comments: In our report, we found that the senior agency official for privacy at the Department of Labor, the Chief Information Officer, has oversight over 3 of the 6 key privacy functions. The remaining three, Privacy Act compliance, policy consultation, and training, are handled by another component organization, the Office of the Solicitor. The Department maintains the position asserted in its official comments on our report: specifically, that the joint efforts between the SAOP and the Office of the Solicitor meet the key privacy function oversight responsibilities we described in our report. As such, the agency does not believe that the current oversight arrangement should be altered.
Recommendation: In order to ensure that their senior agency officials for privacy (SAOP) function effectively as central focal points for privacy management, the Attorney General and the Secretaries of Commerce, Defense, Health and Human Services, Labor, and Treasury should take steps to ensure that their SAOPs have oversight over all key privacy functions.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: In May 2008, we reported that the Department of Defense (DOD) Senior Agency Official for Privacy (SAOP) did not have oversight over two of the six key functions identified in our report that Senior Agency Officials for Privacy should oversee: privacy impact assessments and redress. We recommended that the Secretary of Defense take steps to ensure that the department's Senior Agency Official for Privacy has oversight over all of the key privacy functions. In August 2011, we verified that the DOD SAOP has oversight responsibilities over all key privacy functions, including privacy impact assessments and redress.
Recommendation: In order to ensure that their senior agency officials for privacy (SAOP) function effectively as central focal points for privacy management, the Attorney General and the Secretaries of Commerce, Defense, Health and Human Services, Labor, and Treasury should take steps to ensure that their SAOPs have oversight over all key privacy functions.
Agency Affected: Department of the Treasury
Status: Closed - Implemented
Comments: In August 2012, we verified that Treasury, in response to our recommendation, designated its Deputy Assistant Secretary for Privacy and Treasury Records (DASPTR) as the principal adviser to its SAOP. As adviser, the DASPTR is responsible for assisting the SAOP with monitoring department redress activities as well as ensuring departmental compliance with statutory redress requirements.
Recommendation: In order to ensure that their senior agency officials for privacy (SAOP) function effectively as central focal points for privacy management, the Attorney General and the Secretaries of Commerce, Defense, Health and Human Services, Labor, and Treasury should take steps to ensure that their SAOPs have oversight over all key privacy functions.
Agency Affected: Department of Commerce
Status: Closed - Implemented
Comments: In May 2008, we reported that the Department of Commerce (DOC) Senior Agency Official for Privacy (SAOP) did not have oversight over two of the six key functions identified in our report: Privacy Act compliance and redress. We recommended that the Secretary of Commerce take steps to ensure that the department's SAOP has oversight over all of the key privacy functions. In response to our recommendations, officials provided documentation in August 2012 confirming that the department's Chief Privacy Officer (the department's SAOP) has oversight responsibilities over all key privacy functions, including Privacy Act compliance and redress.