Title: The Federal Government Collects Large Amounts of Personal Data. But How Is It Protected?

Description: Privacy has become a more significant issue in recent years as new technologies collect and share more and more personal data. The federal government is among those collecting large amounts of personal data, including taxpayer information. How do federal agencies protect your data and what challenges do they face in their efforts? We find out from GAO's Jennifer Franks and Marisol Cruz Cain.

Related GAO Work: GAO-22-105065, Privacy: Dedicated Leadership Can Improve Programs and Address Challenges

Released: September 2022

[Music]

[Jennifer Franks:] With the vast amounts of data that are being collected, protecting our personal information is increasingly important and challenging.

[Holly Hobbs:] Hi and welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. I'm your host, Holly Hobbs. Privacy has become an increasingly significant issue in recent years as new technologies collect and share more and more personal data. The federal government is among those collecting large amounts of personal data, including taxpayer information. Today, we'll find out how federal agencies protect your data and what challenges they've reported in this effort. Joining us are Jennifer Franks, an expert on federal data systems, and Marisol Cruz Cain, an expert on privacy and data protection. Thanks for joining us.

[Jennifer Franks:] Thanks for having me, Holly.

[Marisol Cruz Cain:] Thank you, Holly.

[Holly Hobbs:] So, Jennifer, we've done a lot of work on the federal government's use of individuals' personal data and cybersecurity. How is this report different and what's new?

[Jennifer Franks:] So this is the first report we've done that looks at privacy programs across the executive branch.
And in particular, we looked at the 24 major departments and agencies and whether they have the leadership and the programs, policies and even procedures in place to make sure privacy protections are consistently implemented. And our results provide a broader picture of the state of privacy programs across the federal government.

[Holly Hobbs:] So specifically, we looked at how some federal agencies protect personal data. What themes did we find?

[Jennifer Franks:] So all of the agencies we looked at have privacy programs in place. And each of these programs had already assigned roles and responsibilities for protecting personal data. And over half of these agencies have responsibilities in place. But they had assigned those responsibilities to individuals in their IT offices. And then others had assigned responsibilities to their offices of administration or even their general counsel offices. But generally speaking, the agencies had responsibility aligned with privacy requirements and even managing privacy risk. And what's key about this is that privacy risks include things such as personal information being collected by agencies, so that inappropriate information access would have the appropriate safeguards in place.

[Holly Hobbs:] So, Marisol, when we looked at these roles and policies what did we find?

[Marisol Cruz Cain:] We found that some agencies weren't always making sure that their privacy programs were in coordination with other important agency functions, such as IT budgeting and workforce planning. We also found that agencies' approach to incorporating the privacy considerations into protecting IT systems weren't consistent. And many of these IT systems have large amounts of personal information that's important to protect.

[Holly Hobbs:] And our report also talked about some of the challenges federal agencies face in trying to protect this data. What did the agencies tell us?

[Marisol Cruz Cain:] Well, the agencies identified several challenges.
Most often they were related to not having enough resources, enough qualified privacy staff, and understanding how privacy requirements should be applied to new technologies such as AI and facial recognition. The agencies also told us that they struggle with holding staff that are not in their privacy program accountable for implementing privacy requirements, or even making sure that they're aware that privacy requirements exist.

[Holly Hobbs:] So are agencies doing anything like assessing privacy risks?

[Marisol Cruz Cain:] Agencies are conducting privacy impact assessments to make sure that they protect the public's privacy. These assessments are intended to identify the type of information they're collecting and what the privacy risks are. They also promote transparency with the public, since the agencies are required to publish the results on their websites. But we did find that agencies aren't always conducting the analysis in a timely fashion and their privacy programs don't always know of all of the technology that the agency is using to collect personal information. So while the assessments are really important, they aren't always done in the right fashion.

[Holly Hobbs:] Jennifer, in our prior work, we've talked about the need for federal leadership when it comes to addressing cybersecurity risk. Did we find something similar for data privacy?

[Jennifer Franks:] So yes, we actually did find some similar characteristics in the areas of data privacy. And while our agencies in the review had all designated a senior official to oversee their programs, each of these officials also had a number of other demanding responsibilities. So given the gaps in agency policies and challenges they face, we found that having a senior official whose responsibility was directly aligned to managing privacy could perhaps better strengthen a privacy program for that agency and help them to overcome some foreseen challenges.
[Music]

[Holly Hobbs:] So it sounds like federal agencies have taken actions to protect taxpayer data and individuals' privacy. But that there were a number of challenges involving aligning resources, coordination and leadership that, if in place, would better ensure the effectiveness of federal efforts. So, Jennifer, what additional actions could federal agencies take to better protect individuals' personal privacy and data?

[Jennifer Franks:] So in this report, we made over 60 recommendations to the agencies to address the gaps we found in their various policies and procedures related to their privacy programs. For example, we also recommended for agencies to strengthen coordination between their privacy and other agency programs, and then fully incorporate privacy into perhaps their risk management processes. We also recommended that the Office of Management and Budget facilitate more information sharing across the agencies, which can perhaps help them to address some of the challenges across the government.

[Holly Hobbs:] And Marisol, some of the problems are bigger than agencies' authority to address them. Did we ask Congress to consider any actions?

[Marisol Cruz Cain:] We asked Congress to consider establishing in law a senior level privacy official for all of the agencies that currently don't have one. The official would be similar to a CIO, but their duties would be focused solely on privacy. We'd want this person to provide focused leadership and make sure that privacy is getting enough attention from all of the other agency leaders.

[Holly Hobbs:] And last question, what's the bottom line of this report? Jennifer, maybe you can start us off.

[Jennifer Franks:] So the bottom line is, with all of these new technologies and the vast amounts of data that are being collected, protecting our personal information is increasingly important and challenging.
And because of this, the time is right to make sure that privacy receives a sufficient amount of attention at the highest levels of all of our agencies' leadership; and that all of our agencies are fully considering privacy at every step so that when new technologies are deployed and that we are collecting personal information, that we're considering all of the appropriate safeguards.

[Holly Hobbs:] And Marisol?

[Marisol Cruz Cain:] It's also really essential for the agencies to make sure that their programs are following all of the key practices for safeguarding this important personal information. The Office of Management and Budget can also help with the effort by continuing to facilitate important conversations and information sharing among the agencies so that they can each benefit from each other's experience with managing risks and protecting people's private information.

[Holly Hobbs:] That was Jennifer Franks and Marisol Cruz Cain talking about GAO's recent review of federal efforts to protect individuals' personal data. Thanks for your time, ladies.

[Jennifer Franks:] Thank you for having us.

[Marisol Cruz Cain:] Thank you.

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts, Spotify, or wherever you listen and make sure to leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at GAO.gov.