Whistleblower Protection:

Analysis of DOD's Actions to Improve Case Timeliness and Safeguard Confidentiality

GAO-19-198: Published: Mar 7, 2019. Publicly Released: Mar 7, 2019.

Additional Materials:

Contact:

Brenda S. Farrell
(202) 512-3604
farrellb@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

People can report potential misconduct, fraud, and other wrongdoing involving DOD personnel to one of several DOD Inspector General offices. Those offices safeguard whistleblowers' personal information in order to protect them from retaliation—such as a demotion. Confidentiality can also encourage reporting.

Yet, we found that some of the guidance for the investigators doesn’t specify some key steps to protect confidentiality, and Inspector General offices have not fully restricted access to information to only those who need to know.

We made 12 recommendations to help protect whistleblowers and improve investigations.

DOD's Pentagon building.

DOD's Pentagon building.

Additional Materials:

Contact:

Brenda S. Farrell
(202) 512-3604
farrellb@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Department of Defense Office of Inspector General (DODIG) and military service offices of inspector general (IG) met some but not all fiscal year 2018 timeliness and quality goals for handling whistleblower complaints. For example, DODIG met its goals related to referring complaints to the appropriate agency within a certain number of days. All IGs also generally met goals related to the quality of investigations. However, about 85 percent of DODIG reprisal and senior official misconduct investigations exceeded statutory and internal timeliness goals. Further, military service IGs did not meet most goals for handling cases within prescribed timeframes. For example, the service IGs averaged between 17 and 84 days to notify DODIG of their receipt of whistleblower reprisal allegations, exceeding the 10-day goal. The IGs have various initiatives underway to improve timeliness, such as a Naval IG program to reduce timeframes for initial credibility determinations. However, additional actions could provide a more targeted approach to improving performance against unmet timeliness goals—such as for senior official misconduct investigations—and better assure whistleblowers that their cases will be handled expeditiously.

DODIG and the military service IGs have policies to protect whistleblower confidentiality, but some gaps exist. For example, DODIG guidance for protecting whistleblowers who report internal DODIG misconduct does not specify key steps investigators should take to protect confidentiality, such as not identifying complainants during interviews with case subjects. Also, Air Force, Naval, and Marine Corps IG guidance does not specify when whistleblower identities can be disclosed without consent. Without updated guidance, the IGs cannot ensure the consistent implementation of confidentiality protections.

The IGs have taken steps to safeguard whistleblower information in their information technology (IT) systems and applications, such as by restricting access to case information through unique user permissions and by taking actions to follow DOD's IT risk management process. However, between 2016 and 2018, employees in all of the IGs have been able to access sensitive whistleblower information without a need to know. For example, DODIG determined that numerous restricted whistleblower records in its document repository were accessible to DODIG personnel without a need to know. Similarly, the Air Force IG's application did not restrict users from other DOD components from viewing Air Force IG case descriptions and complainant identities, while the Army IG's application and the Naval IG's system did not restrict personnel within those IGs from viewing allegations or investigations involving other personnel within those IGs. Additionally, employees in Marine Corps IG offices were able to see whistleblower cases assigned to other IG offices without a need to know. While some actions have been taken to address these issues, additional steps are needed to restrict access to case information in order to mitigate ongoing risks to whistleblower confidentiality.

DODIG generally met key documentation requirements for the 125 cases it dismissed without investigation involving civilian DOD Presidential appointees with Senate confirmation.

Why GAO Did This Study

Safeguarding confidentiality to the maximum extent possible is essential for encouraging whistleblowers to report wrongdoing without fear of reprisal. In fiscal year 2018, DODIG received over 12,000 contacts from potential whistleblowers related to fraud, waste, abuse, employee misconduct, or other violations. The National Defense Authorization Act for Fiscal Year 2017 included a provision for GAO to review the integrity of DOD's whistleblower program. This report assesses the extent to which DODIG and the military service IGs (1) met and took steps to achieve key fiscal year 2018 timeliness and quality goals, (2) established processes to protect whistleblower confidentiality, and (3) are able to safeguard sensitive information necessary to handle whistleblower complaints. It also evaluates (4) the extent to which select cases involving certain senior DOD civilian officials met key requirements.

GAO assessed fiscal year 2018 IG performance data, surveyed all 108 DODIG employees who directly handle whistleblower complaints, reviewed IT security controls, and analyzed all 125 cases involving civilian DOD Presidential appointees with Senate confirmation dismissed by DODIG in fiscal years 2013-2017.

What GAO Recommends

GAO is making 12 recommendations, including that the IGs take additional actions to improve timeliness, develop additional procedures to protect whistleblower confidentiality, and take steps to further limit IG employee access to sensitive whistleblower information. DOD concurred with all of the recommendations.

For more information, contact Brenda S. Farrell at (202) 512-3604 or farrellb@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: The DOD Inspector General concurred with this recommendation, and in December 2019 reported to the Chairs of the Senate and House Armed Services Committees that the DOD and military service Inspectors General had convened a working group to coordinate performance improvement on unmet timeliness goals. According to the IG, the working group's recommendations are being incorporated into uniform standards for reprisal investigations that are expected to be finalized in the second quarter of fiscal year 2020. We will update the status of this recommendation once we confirm what actions the department has taken.

    Recommendation: The DOD Inspector General should coordinate with the IGs of the military services to take additional actions to improve performance against unmet timeliness goals. This includes steps to improve performance of senior official misconduct investigations and military service reprisal intakes, and to resolve disagreement on notifications. (Recommendation 1)

    Agency Affected: Department of Defense

  2. Status: Closed - Implemented

    Comments: The DOD Inspector General concurred with this recommendation. In October 2019, the Director of the Office of Professional Responsibility (OPR) issued a memorandum with specific guidance for OPR personnel on protecting confidential information during misconduct investigations. For example, the guidance instructs OPR investigators to use a dedicated office that permits confidential meetings for conversations and document review. The same month, DODIG General Counsel issued a memorandum setting forth procedures for referring allegations of wrongdoing to the Council of the Inspectors General on Integrity and Efficiency (CIGIE) Integrity Committee and controlling access to related records. In January 2020, DODIG issued a new instruction that revises and updates policies, procedures, and responsibilities for OPR, including the protection of whistleblower confidentiality. By developing guidance that incorporates procedures to protect confidentiality and documents how to maintain whistleblower confidentiality throughout the CIGIE referral process, DODIG has gained reasonable assurance that its process for investigating internal misconduct allegations can fully protect the confidentiality of whistleblowers.

    Recommendation: The DOD Inspector General should issue formal guidance documenting procedures for protecting the confidentiality of whistleblowers throughout its internal misconduct investigation process. (Recommendation 2)

    Agency Affected: Department of Defense

  3. Status: Open

    Comments: The Air Force Inspector General concurred with this recommendation, and the DOD Officer of Inspector General stated in December 2019 that the Air Force Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.

    Recommendation: The Air Force Inspector General should establish procedures to fully reflect and implement DOD policy on the protection of whistleblower confidentiality. (Recommendation 3)

    Agency Affected: Department of Defense

  4. Status: Open

    Comments: The Marine Corps Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Marine Corps Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.

    Recommendation: The Marine Corps Inspector General should establish procedures to fully reflect and implement DOD policy on the protection of whistleblower confidentiality. (Recommendation 4)

    Agency Affected: Department of Defense

  5. Status: Open

    Comments: The Naval Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Naval Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.

    Recommendation: The Naval Inspector General should establish procedures to fully reflect and implement DOD policy on the protection of whistleblower confidentiality. (Recommendation 5)

    Agency Affected: Department of Defense

  6. Status: Open

    Comments: The DOD Inspector General concurred with this recommendation, and stated in December 2019 that the DOD Office of Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.

    Recommendation: The DOD Inspector General should consider interim actions as the whistleblower enterprise case management system is being developed to help ensure that access to sensitive whistleblower information in the current case management system and associated document repository is limited to information that is necessary to accomplish assigned tasks. (Recommendation 6)

    Agency Affected: Department of Defense

  7. Status: Open

    Comments: The DOD Inspector General concurred with this recommendation, and in December 2019 reported to the Chairs of the Senate and House Armed Services Committees that the future whistleblower case management system would incorporate design limits providing for access to information only by personnel necessary to accomplish assigned tasks in accordance with organizational missions and business functions. According to the IG, the system is scheduled to deploy in the third quarter of fiscal year 2020. We will update the status of this recommendation once we confirm what actions the department has taken.

    Recommendation: The DOD Inspector General should coordinate with the IGs of the military services to develop a plan to fully restrict case access in the future whistleblower enterprise case management system so that user access is limited to information necessary to accomplish assigned tasks in accordance with organizational missions and business functions. (Recommendation 7)

    Agency Affected: Department of Defense

  8. Status: Open

    Comments: The DOD Inspector General concurred with this recommendation, and stated in December 2019 that the DOD Office of Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.

    Recommendation: The DOD Inspector General should enhance its process for periodically reviewing whistleblower case management system and document repository user privileges by including steps to ensure that such privileges remain valid after system updates, as appropriate. (Recommendation 8)

    Agency Affected: Department of Defense

  9. Status: Open

    Comments: The Air Force Inspector General concurred with this recommendation, and stated in December 2019 that an update scheduled for the end of April 2020 would enhance access control measures in its existing applications. We will update the status of this recommendation once we confirm what actions the department has taken.

    Recommendation: The Air Force Inspector General should consider interim actions as the whistleblower enterprise case management system is being developed to help ensure that access for users of existing applications is limited to information that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions. (Recommendation 9)

    Agency Affected: Department of Defense

  10. Status: Open

    Comments: The Army Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Army Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.

    Recommendation: The Army Inspector General should consider interim actions as the whistleblower enterprise case management system is being developed to help ensure that access for users of existing applications is limited to information that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions. (Recommendation 10)

    Agency Affected: Department of Defense

  11. Status: Open

    Comments: The Marine Corps Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Marine Corps Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.

    Recommendation: The Marine Corps Inspector General should develop a plan to ensure that its redesigned whistleblower case management application restricts user access to information based on what is needed to accomplish assigned tasks in accordance with organizational missions and business functions. (Recommendation 11)

    Agency Affected: Department of Defense

  12. Status: Open

    Comments: The Naval Inspector General concurred with this recommendation, and the DOD Office of Inspector General stated in December 2019 that the Naval Inspector General was in the process of implementing it. We will update the status of this recommendation once we confirm what actions the department has taken.

    Recommendation: The Naval Inspector General should consider interim actions as the whistleblower enterprise case management system is being developed to help ensure that access for users of existing applications is limited to information that is necessary to accomplish assigned tasks in accordance with organizational missions and business functions. (Recommendation 12)

    Agency Affected: Department of Defense

 

Explore the full database of GAO's Open Recommendations »

Aug 6, 2020

Jul 30, 2020

Jul 27, 2020

Jul 23, 2020

Jul 22, 2020

Jul 20, 2020

Jul 16, 2020

Jun 25, 2020

Looking for more? Browse all our products here