Reports & Testimonies

  • GAO’s recommendations database contains report recommendations that still need to be addressed.

    GAO’s recommendations help congressional and agency leaders prepare for appropriations and oversight activities, as well as help improve government operations. Recommendations remain open until they are designated as Closed-implemented or Closed-not implemented. You can explore open recommendations by searching or browsing.

    GAO's priority recommendations are those that we believe warrant priority attention. We sent letters to the heads of key departments and agencies, urging them to continue focusing on these issues. These recommendations are labeled as such. You can find priority recommendations by searching or browsing our open recommendations below, or through our mobile app.


  • Have a Question about a Recommendation?

    • For questions about a specific recommendation, contact the person or office listed with the recommendation.
    • For general information about recommendations, contact GAO's Audit Policy and Quality Assurance office at (202) 512-6100 or apqa@gao.gov.

    Results:

    Subject Term: "Right of privacy"

    5 publications with a total of 30 open recommendations including 6 priority recommendations
    Director: Dave Wise
    Phone: (202) 512-2834

    1 open recommendation
    Recommendation: The Secretary of Transportation should direct NHTSA to define, document, and externally communicate the agency's roles and responsibilities in relation to connected vehicle data privacy.

    Agency: Department of Transportation
    Status: Open

    Comments: As described in the 60-day letter from October 17, 2017, NHTSA plans to create a vehicle data privacy page to be added to their website that will include information on the types of personal data collected by motor vehicles and provide links to additional resources, including the Federal Trade Commission (FTC) and industry groups. On this web page, NHTSA also plans to outline its roles and responsibilities related to vehicle data privacy. In addition, NHTSA will consult with FTC as it develops the web page content and allow for industry and public comments. We will continue to monitor NHTSA's actions related to these efforts.
    Director: Diana Maurer
    Phone: (202) 512-9627

    6 open recommendations
    including 6 priority recommendations
    Recommendation: To improve transparency and better ensure that face recognition capabilities are being used in accordance with privacy protection laws and policy requirements, the Attorney General should assess the PIA development process to determine why PIAs were not published prior to using or updating face recognition capabilities, and implement corrective actions to ensure the timely development, updating, and publishing of PIAs before using or making changes to a system.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: DOJ officials did not concur with this recommendation, and stated that the FBI has established practices that protect privacy and civil liberties beyond the requirements of the law. DOJ officials stated that it will internally evaluate the PIA process as part of the Department's overall commitment to improving its processes, not in response to our recommendation. In March 2017, we followed up with DOJ to obtain its current position on our recommendation. DOJ continues to believe that its approach in designing the NGI system was sufficient to meet legal privacy requirements and that our recommendation represents a "checkbox approach" to privacy. We disagree with DOJ's characterization of our recommendation. We continue to believe that the timely development and publishing of future PIAs would increase transparency of the department's systems. We recognize the steps the agency took to consider privacy protection during the development of the NGI system. We also stand by our position that notifying the public of these actions is important and provides the public with greater assurance that DOJ components are evaluating risks to privacy when implementing systems. As a result, the recommendation remains open and unimplemented.
    Recommendation: To improve transparency and better ensure that face recognition capabilities are being used in accordance with privacy protection laws and policy requirements, the Attorney General should assess the SORN development process to determine why a SORN was not published that addressed the collection and maintenance of photos accessed and used through NGI for the FBI's face recognition capabilities prior to using NGI-IPS, and implement corrective actions to ensure SORNs are published before systems become operational.

    Agency: Department of Justice
    Status: Open
    Priority recommendation

    Comments: DOJ agreed, in part, with our recommendation and submitted the SORN for publication to the Federal Register on April 21, 2016, and it was published on May 5, 2016. DOJ did not agree that the publication of a SORN is required by law. We disagree with DOJ's interpretation regarding the legal requirements of a SORN. The Privacy Act of 1974 requires that when agencies establish or make changes to a system of records, they must notify the public through a SORN published in the Federal Register. DOJ's comments on our draft report acknowledge that the automated nature of face recognition technology and the sheer number of photos now available for searching raise important privacy and civil liberties considerations. DOJ officials also stated that the FBI's face recognition capabilities do not represent new collection, use, or sharing of personal information. We disagree. We believe that the ability to perform automated searches of millions of photos is fundamentally different in nature and scope than manual review of individual photos, and the potential impact on privacy is equally fundamentally different. By assessing the SORN development process and taking corrective actions to ensure timely development of future SORNs, the public would have a better understanding of how personal information is being used and protected by DOJ components. As a result, the recommendation remains open and unimplemented.
    Recommendation: To better ensure that face recognition capabilities are being used in accordance with privacy protection laws and policy requirements, the Director of the Federal Bureau of Investigation should conduct audits to determine the extent to which users of NGI-IPS and biometric images specialists in FACE Services are conducting face image searches in accordance with Criminal Justice Information Services Division policy requirements.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In March 2017, DOJ provided us with the audit plan the CJIS Audit Unit developed in June 2016 for NGI-IPS users. In addition, DOJ reported that the CJIS Audit Unit began assessing NGI-IPS requirements at participating states in conjunction with its triennial National Identity Services audit and that, as of February 2017, the unit had conducted NGI-IPS audits of four states. Further, DOJ officials said CJIS developed an audit plan of the FACE Services Unit to coincide with the existing triennial FBI internal audit for 2018. However, DOJ did not provide the audit plan for the FACE Services Unit. DOJ officials said the methodology would be the same as the audit plan for NGI-IPS, but that methodology does not describe oversight on use of information obtained from external systems accessed by FACE Services employees. Therefore, we believe DOJ is making progress towards meeting the recommendation, but has not fully implemented our recommendation.
    Recommendation: To better ensure that face recognition systems are sufficiently accurate, the Director of the Federal Bureau of Investigation should conduct tests of NGI-IPS to verify that the system is sufficiently accurate for all allowable candidate list sizes, and ensure that the detection and false positive rate used in the tests are identified.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In comments on our draft report in 2016, and reiterated during recommendation follow-up, as of March 2017, DOJ did not concur with this recommendation. DOJ officials stated that the FBI has performed accuracy testing to validate that the system meets the requirements for the detection rate, which fully satisfies requirements for the investigative lead service provided by NGI-IPS. We disagree with DOJ. A key focus of our recommendation is the need to ensure that NGI-IPS is sufficiently accurate for all allowable candidate list sizes. Although the FBI has tested the detection rate for a candidate list of 50 photos, NGI-IPS users are able to request smaller candidate lists (between 2 and 50 photos). FBI officials stated that they do not know, and have not tested, the detection rate for other candidate list sizes. According to these officials, a smaller candidate list would likely lower the detection rate because a smaller candidate list may not contain a likely match that would be present in a larger candidate list. However, according to the FBI Information Technology Life Cycle Management Directive, testing needs to confirm the system meets all user requirements. Because the accuracy of NGI-IPS's face recognition searches when returning fewer than 50 photos in a candidate list is unknown, the FBI is limited in understanding whether the results are accurate enough to meet NGI-IPS users' needs. DOJ officials also stated that searches of NGI-IPS produce a gallery of likely candidates to be used as investigative leads, not for positive identification. As a result, according to DOJ officials, NGI-IPS cannot produce false positives and there is no false positive rate for the system. We disagree with DOJ. The detection rate and the false positive rate are both necessary to assess the accuracy of a face recognition system. Generally, face recognition systems can be configured to allow for a greater or lesser number of matches. A greater number of matches would generally increase the detection rate, but would also increase the false positive rate. Similarly, a lesser number of matches would decrease the false positive rate, but would also decrease the detection rate. Reporting a detection rate of 86 percent without reporting the accompanying false positive rate presents an incomplete view of the system's accuracy. As a result, the recommendation remains open and unimplemented.
    Recommendation: To better ensure that face recognition systems are sufficiently accurate, the Director of the Federal Bureau of Investigation should conduct an operational review of NGI-IPS at least annually that includes an assessment of the accuracy of face recognition searches to determine if it is meeting federal, state, and local law enforcement needs and take actions, as necessary, to improve the system.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: As of March 2017, FBI officials stated they implemented the recommendation by submitting a paper to solicit feedback from users through the Fall 2016 Advisory Policy Board Process. Specifically, officials said the paper requested feedback on whether the face recognition searches of the NGI-IPS are meeting their needs, and input regarding search accuracy. According to FBI officials, no users expressed concern with any aspect of the NGI-IPS meeting their needs, including accuracy. Although FBI's action of providing working groups with a paper presenting GAO's recommendation is a step, the FBI's actions do not fully meet the recommendation. The FBI's paper was presented as informational, and did not result in any formal responses from users. We disagree with the FBI's conclusion that receiving no responses on the informational paper fulfills the operational review recommendation, which includes determining that NGI-IPS is meeting users' needs. As such, we continue to recommend the FBI conduct an operational review of NGI-IPS at least annually.
    Recommendation: To better ensure that face recognition systems are sufficiently accurate, the Director of the Federal Bureau of Investigation should take steps to determine whether each external face recognition system used by FACE Services is sufficiently accurate for the FBI's use and whether results from those systems should be used to support FBI investigations.

    Agency: Department of Justice: Federal Bureau of Investigation
    Status: Open
    Priority recommendation

    Comments: In comments on our draft report in 2016, and reiterated during recommendation follow-up in 2017, DOJ officials did not concur with this recommendation and had no plans to implement it. DOJ officials stated that the FBI has no authority to set or enforce accuracy standards of face recognition technology operated by external agencies. In addition, DOJ officials stated that the FBI has implemented multiple layers of manual review that mitigate risks associated with the use of automated face recognition technology. Further, DOJ officials stated there is value in searching all available external databases, regardless of their level of accuracy. We disagree with the DOJ position. We continue to believe that the FBI should assess the quality of the data it is using from state and federal partners. We acknowledge that the FBI cannot and should not set accuracy standards for the face recognition systems used by external partners. We also do not dispute that the use of external face recognition systems by the FACE Services Unit could add value to FBI investigations. However, we disagree with FBI's assertion that no assessment of the quality of the data from state and federal partners is necessary. We also disagree with the DOJ assertion that manual review of automated search results is sufficient. Even with a manual review process, the FBI could miss investigative leads if a partner does not have a sufficiently accurate system. By relying on its external partners' face recognition systems, the FBI is using these systems as a component of its routine operations and is therefore responsible for ensuring the systems will help meet FBI's mission, goals and objectives. The recommendation remains open and unimplemented.
    Director: Wilshusen, Gregory C
    Phone: (202) 512-6244

    17 open recommendations
    Recommendation: To make government-wide computer matching program planning efforts more consistent, the Director of OMB should revise guidance on computer matching to clarify whether front-end verification queries are covered by the Computer Matching Act.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To make government-wide computer matching program planning efforts more consistent, the Director of OMB should direct agencies to address all key elements when preparing cost-benefit analyses.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To make government-wide computer matching program planning efforts more consistent, the Director of OMB should ensure that agencies receive assistance in implementing computer matching programs as envisioned by the act.

    Agency: Executive Office of the President: Office of Management and Budget
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Agriculture should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Agriculture
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Agriculture should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Agriculture
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Agriculture should ensure the DIB performs annual reviews and submits annual reports on the agency's computer matching activities, as required by the act.

    Agency: Department of Agriculture
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Education should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Education
    Status: Open

    Comments: The Department of Education stated that it has already developed policies and procedures for preparing cost-benefit analyses related to computer matching agreements (CMA). The agency believes these analyses already incorporate the appropriate key elements, although it continues to reexamine them in the interest of continuous improvement. ED also noted that not all key elements apply to every computer matching program. For example, the agency did not think it appropriate to address the recovery of improper payments and debts for matching programs to establish eligibility. However, we believe all key elements should be addressed in cost-benefit analyses, even if only to note that certain types of benefits have been considered and determined not to be applicable in the specific circumstances of a given computer matching program. Without a thorough assessment, the Data Integrity Board may not have sufficient information to determine whether a thorough cost analysis has been conducted. In 2017, the agency provided three cost-benefit analyses from recent CMAs that include personnel and computer costs.
    Recommendation: To improve the implementation of the act, the Secretary of Health and Human Services should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Health and Human Services should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: We have not yet received information needed to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Homeland Security should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Department of Homeland Security
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Labor should develop and implement policies and procedures for cost-benefit analyses related to computer matching agreements to include key elements such as personnel and computer costs, as well as avoidance of future improper payments and recovery of improper payments and debts.

    Agency: Department of Labor
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Labor should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Labor
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Labor should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Department of Labor
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Secretary of Veterans Affairs should ensure the DIB reviews cost-benefit analyses to make certain cost savings information for the computer matching program is included before approving CMAs.

    Agency: Department of Veterans Affairs
    Status: Open

    Comments: We have not yet received information to validate the agency's actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Recommendation: To improve the implementation of the act, the Administrator of Social Security should ensure the DIB performs annual reviews and submits annual reports on agency computer matching activities, as required by the act.

    Agency: Social Security Administration
    Status: Open

    Comments: We have not yet received information to validate agency actions on this recommendation. Subsequent to the agency stating that it has taken action, we plan to verify whether implementation has occurred.
    Director: Kohn, Linda T
    Phone: (202) 512-7114

    5 open recommendations
    Recommendation: To help ensure that qualified CDRs promote improved quality and efficiency of physician care for Medicare beneficiaries, the Secretary of Health and Human Services should direct Centers for Medicare & Medicaid Services (CMS) to establish key requirements for qualified CDRs that focus on improving quality and efficiency. These requirements could include, for example, having CDRs (1) identify key areas of opportunity to improve quality and efficiency for their target populations and collect additional measures designed to address them, (2) collect a core set of measures established by CMS, and (3) demonstrate that their processes for auditing the accuracy and completeness of the data they collect are systematic and rigorous.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: As it has since initiation of the qualified CDR program, CMS continues to allow qualified CDRs to choose what quality measures they will track within very broad parameters. While it has developed a PQRS cross-cutting measure set requirement for physicians using other reporting mechanisms, this requirement does not apply to qualified CDRs. CMS officials report that they have addressed data accuracy and completeness by sharing with qualified CDRs issues and discrepancies that have been found in the data submitted so far.
    Recommendation: To help ensure that qualified CDRs promote improved quality and efficiency of physician care for Medicare beneficiaries, the Secretary of Health and Human Services should direct CMS to establish a requirement for qualified CDRs to demonstrate improvement on key measures of quality and efficiency for their target populations.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: CMS officials report that they are working to implement this recommendation, but they have not yet put forward any specific proposals to address it.
    Recommendation: To help ensure that qualified CDRs promote improved quality and efficiency of physician care for Medicare beneficiaries, the Secretary of Health and Human Services should direct CMS to establish a process for monitoring compliance with requirements for qualified CDRs that draws on relevant expert judgment. This process should assess CDR performance on each requirement in a way that takes into account the varying circumstances of CDRs and their available opportunities to promote quality and efficiency improvement for their target populations.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The limited changes for qualified clinical data registries that CMS outlined in its CY2016 proposed rule in July 2015 do not address this recommendation. CMS officials report that they are working to implement this recommendation, but the approach they describe focuses on assessing changes in the data submitted by qualified CDRs over several years.
    Recommendation: To help ensure that qualified CDRs promote improved quality and efficiency of physician care for Medicare beneficiaries, the Secretary of Health and Human Services should determine and implement actions to reduce barriers to the development of qualified CDRs, such as (1) developing guidance that clarifies Health Insurance Portability and Accountability Act requirements to promote participation in qualified CDRs; (2) working with private sector entities to make relevant multipayer cost data available to qualified CDRs; (3) testing one or more models of shared savings between Medicare and qualified CDRs that achieve reduced Medicare expenditures with improved quality of care, and (4) providing technical assistance to qualified CDRs.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The limited changes for qualified clinical data registries that CMS outlined in its CY2016 proposed rule in July 2015 do not address the specific barriers to the development of qualified CDRs that we identified in our report. However, CMS officials report that they have provided technical assistance to qualified CDRs through monthly support calls and an annual kick-off meeting held in spring 2015.
    Recommendation: To help ensure that qualified CDRs promote improved quality and efficiency of physician care for Medicare beneficiaries, the Secretary of Health and Human Services should determine key data elements needed by qualified CDRs--such as those relevant for a required core set of measures--and direct Office of the National Coordinator for Health Information Technology and CMS to include these data elements, if feasible, in the requirements for certification of EHRs under the EHR incentive programs.

    Agency: Department of Health and Human Services
    Status: Open

    Comments: The limited changes for qualified clinical data registries that CMS outlined in its CY2016 proposed rule in July 2015 do not address this recommendation.
    Director: Cackley, Alicia P
    Phone: (202) 512-8678

    1 open recommendation
    Recommendation: Congress should consider strengthening the current consumer privacy framework to reflect the effects of changes in technology and the marketplace--particularly in relation to consumer data used for marketing purposes--while also ensuring that any limitations on data collection and sharing do not unduly inhibit the economic and other benefits to industry and consumers that data sharing can accord. Among the issues that should be considered are: (1) the adequacy of consumers' ability to access, correct, and control their personal information in circumstances beyond those currently accorded under FCRA; (2) whether there should be additional controls on the types of personal or sensitive information that may or may not be collected and shared; (3) changes needed, if any, in the permitted sources and methods for data collection; and (4) privacy controls related to new technologies, such as web tracking and mobile devices.

    Agency: Congress
    Status: Open

    Comments: As of April 2017, Congress has not taken action on this matter.