GAO's Privacy Progam: Opportunities Exist to Further Protect Personally Identifiable Information (PII)
OIG-15-1: Mar 30, 2015
Tonya R. Ford
This is a publication by GAO's Inspector General that concerns internal GAO operations. The objective of our evaluation was to examine the extent to which GAO’s privacy program protects PII under the authority and control of GAO.
What OIG Found
GAO has established a privacy program and is providing privacy awareness training to GAO staff and contractors. Our review identified opportunities to further protect PII from unauthorized access, use, or disclosure that could seriously harm individuals and the agency. For example, we identified GAO systems that unnecessarily collected Social Security Numbers and other systems that stored PII for periods beyond GAO’s records retention schedule. Minimizing the collection and retention of PII are key practices for reducing privacy risks. We also identified a gap in GAO’s background check procedures that resulted in access to confidential and sensitive PII by contractor personnel without background checks. Weak procedural safeguards do not mitigate the risk that the interests of a contractor may diverge from GAO’s interests. In addition, we identified privacy documentation and notifications that were outdated or incomplete. Without documentation and notifications regarding PII, individuals may not be adequately informed regarding GAO’s need to collect PII and its responsibility for protecting it. Finally, we determined that GAO’s inventory of systems handling PII was incomplete, which diminishes GAO’s ability to protect PII since it cannot protect what it doesn’t know exists.
What OIG Recommends
OIG recommended that the Comptroller General (CG) direct the Chief Agency Privacy Officer to: minimize the use and retention of PII in GAO systems, notify individuals how and why their PII was collected and shared, identify and address gaps in privacy documentation for outsourced systems, and update the privacy office’s inventory of systems handling PII. We also recommended that the CG direct the Chief Administrative Officer to update GAO security polices and procedures to require background checks for all contractors handling confidential or sensitive GAO data. GAO agreed with our recommendations and has taken or planned actions to address them.