Privacy: OPM Should Better Monitor Implementation of Privacy-Related Policies and Procedures for Background Investigations
Highlights
Approximately 90 percent of all federal background investigations are provided by the Office of Personnel Management's (OPM) Federal Investigative Services (FIS) division. In fiscal year 2009, FIS conducted over 2 million investigations of varying types, making the organization a major steward of personal information on U.S. citizens. GAO was asked to (1) describe how OPM uses personally identifiable information (PII) in conducting background investigations and (2) assess the extent to which OPM's privacy policies and procedures for protecting PII related to investigations meet statutory requirements and align with widely accepted privacy practices. To address these objectives, GAO compared OPM and FIS policies and procedures with key privacy laws and widely accepted practices.
FIS, a component of OPM, conducts background investigations using extensive amounts of PII. Specifically, FIS collects PII from the individual being investigated, government agencies holding relevant data on the subject, and contacts familiar with the subject of the investigation. It uses this information during the four phases of the investigation process: (1) Questionnaire Submission, when requesting agencies submit a questionnaire completed by the individual who will be investigated; (2) Scheduling and Initiation, during which goals and milestones are set, automated information requests occur, and an investigator is assigned; (3) Investigation, during which an investigator gathers information from the automated requests and from interviews and prepares a report; and (4) Review, during which a reviewer determines if a report is complete before allowing it to be sent to the requesting agency. FIS has taken steps to incorporate key privacy laws and widely accepted privacy practices into policies and procedures for conducting background investigations. For example, field investigators are directed to limit collection of PII to only information relevant to an investigation, and several procedures are in place to ensure that such information is recorded as accurately as possible in OPM's systems. However, the agency has conducted limited oversight of FIS's development of privacy impact assessments (PIA), investigators' implementation of privacy protection guidance, and customer agencies' adherence to privacy agreements. A PIA is an analysis of how personal information is collected, stored, shared, and managed in a federal system. It is required by the E-Government Act of 2002. Related Office of Management and Budget guidance emphasizes the need to identify and assess privacy risks in concert with developing a PIA. However, OPM's guidance for PIAs does not require that privacy risks be analyzed or mitigation strategies be identified for those risks. Consequently, OPM cannot be sure that potential risks associated with the use of PII in its information systems have been adequately assessed and mitigated. Additionally, widely accepted privacy practices call for accountability to ensure privacy-protection policies are implemented to safeguard personal information from potential risks. Such accountability includes monitoring to ensure proper implementation of privacy protection measures. However, although FIS tracks PII that is provided to and received from field investigators, it had not monitored investigators' adherence to its policies and procedures for protecting PII while investigations are underway. Further, while FIS has developed agreements with customer agencies related to the protection of PII contained in investigation case files, it does not monitor customer agencies' implementation of these policies, even though its agreements state it is responsible for doing so. Without oversight processes for monitoring investigators' and customer agencies' adherence to its PII protection policies, OPM lacks assurance that its privacy protection measures are being properly implemented. GAO is recommending that the Director of OPM (1) develop guidance for analyzing and mitigating privacy risks in privacy impact assessments, and (2) develop and implement oversight mechanisms for ensuring that investigators properly protect PII and that customer agencies adhere to agreed-upon privacy protection measures. OPM agreed with our recommendations.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Office of Personnel Management | To ensure that appropriate privacy protections are in place during all stages of a background investigation, the Director of the OPM should develop guidance for privacy impact assessments that directs agency officials to perform an analysis of privacy risks and identify mitigating techniques for all FIS systems that access, use, or maintain PII. |
Closed – Implemented
In August 2011, we verified that OPM, in response to our recommendation, updated its PIA guidance to direct agency officials conducting PIAs for all OPM systems (including FIS systems) to perform an analysis of privacy risks and identify mitigation techniques.
|
| Office of Personnel Management | To ensure that appropriate privacy protections are in place during all stages of a background investigation, the Director of the OPM should ensure that all existing PIAs are revised to adhere to this guidance. |
Closed – Implemented
We verified that OPM's revised privacy impact assessment (PIA) guidance requires agencies to conduct privacy risk assessments and mitigation strategies in developing system PIAs. We also verified that OPM updated its FIS background investigation systems' PIAs--including PIAs for the Electronic Questionnaires for Investigations Processing (e-QIP) and the Personnel Investigations Processing System (PIPS). These assessments included identification of potential risks and strategies to mitigate them.
|
| Office of Personnel Management | To ensure that appropriate privacy protections are in place during all stages of a background investigation, the Director of the OPM should perform periodic, structured evaluations to ensure that field investigators handle and protect PII according to agency policies and procedures while conducting their investigations. |
Closed – Implemented
In August 2011, we verified that OPM, in response to our recommendation, implemented an audit policy where periodically auditors verify, through structured evaluations, that personnel in field offices adhere to security and retention policies regarding case files and PII.
|
| Office of Personnel Management | To ensure that appropriate privacy protections are in place during all stages of a background investigation, the Director of the OPM should develop and implement procedures for monitoring customer agencies' adherence to the privacy provisions agreed to within memoranda of understanding. |
Closed – Implemented
In May 2012, we verified that OPM has established procedures to assess agency's compliance with safeguarding PII. Specifically, OPM's Agency Training and Oversight program established procedures to conduct assessments of agency compliance through on-site reviews of the location and storage of investigation files to ensure they are properly controlled and that access is limited to those requiring access to perform their assigned duties. Additionally, procedures for evaluating agency protection of PII include, among other things, assessing compliance with MOUs, Fair Credit Reporting Act, and Systems of Records.
|