Highlights

Government agencies have a long-standing obligation under the Privacy Act of 1974 to protect the privacy of individuals about whom they collect personal information. A number of additional laws have been enacted in recent years directing agency heads to designate senior officials as focal points with overall responsibility for privacy. GAO was asked to (1) describe laws and guidance that set requirements for senior privacy officials within federal agencies, and (2) describe the organizational structures used by agencies to address privacy requirements and assess whether senior officials have oversight over key functions. To achieve these objectives, GAO analyzed the laws and related guidance and analyzed policies and procedures relating to key privacy functions at 12 agencies.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of the Treasury
In order to ensure that their senior agency officials for privacy (SAOP) function effectively as central focal points for privacy management, the Attorney General and the Secretaries of Commerce, Defense, Health and Human Services, Labor, and Treasury should take steps to ensure that their SAOPs have oversight over all key privacy functions.
Closed - Implemented
In August 2012, we verified that Treasury, in response to our recommendation, designated its Deputy Assistant Secretary for Privacy and Treasury Records (DASPTR) as the principal adviser to its SAOP. As adviser, the DASPTR is responsible for assisting the SAOP with monitoring department redress activities as well as ensuring departmental compliance with statutory redress requirements.
Department of Defense
In order to ensure that their senior agency officials for privacy (SAOP) function effectively as central focal points for privacy management, the Attorney General and the Secretaries of Commerce, Defense, Health and Human Services, Labor, and Treasury should take steps to ensure that their SAOPs have oversight over all key privacy functions.
Closed - Implemented
In May 2008, we reported that the Department of Defense (DOD) Senior Agency Official for Privacy (SAOP) did not have oversight over two of the six key functions identified in our report that Senior Agency Officials for Privacy should oversee: privacy impact assessments and redress. We recommended that the Secretary of Defense take steps to ensure that the department's Senior Agency Official for Privacy has oversight over all of the key privacy functions. In August 2011, we verified that the DOD SAOP has oversight responsibilities over all key privacy functions, including privacy impact assessments and redress.
Department of Labor
In order to ensure that their senior agency officials for privacy (SAOP) function effectively as central focal points for privacy management, the Attorney General and the Secretaries of Commerce, Defense, Health and Human Services, Labor, and Treasury should take steps to ensure that their SAOPs have oversight over all key privacy functions.
Closed - Not Implemented
In our report, we found that the senior agency official for privacy at the Department of Labor, the Chief Information Officer, has oversight over 3 of the 6 key privacy functions. The remaining three (Privacy Act compliance, policy consultation, and training) are handled by another component organization, the Office of the Solicitor. The Department maintains the position asserted in its official comments on our report, specifically that the joint efforts between the SAOP and the Office of the Solicitor meet the key privacy function oversight responsibilities we described in our report. As such, the agency does not believe that the current oversight arrangement should be altered.
Department of Justice
In order to ensure that their senior agency officials for privacy (SAOP) function effectively as central focal points for privacy management, the Attorney General and the Secretaries of Commerce, Defense, Health and Human Services, Labor, and Treasury should take steps to ensure that their SAOPs have oversight over all key privacy functions.
Closed - Implemented
In our report, we found that the senior agency official for privacy at the Department of Justice, the Chief Privacy and Civil Liberties Officer, has oversight over all key privacy functions except for redress, which is handled by the individual component organizations. Since then, the agency has taken steps to ensure that the SAOP has oversight of the agency's redress activities. In its January 2010 policy, the department states that the SAOP works with and oversees the component privacy officers. The policy goes on to outline the responsibilities of these component privacy officers, including the responsibility for providing redress.
Department of Health and Human Services
In order to ensure that their senior agency officials for privacy (SAOP) function effectively as central focal points for privacy management, the Attorney General and the Secretaries of Commerce, Defense, Health and Human Services, Labor, and Treasury should take steps to ensure that their SAOPs have oversight over all key privacy functions.
Closed - Implemented
In our report, we found that the senior agency official for privacy at the Department of Health and Human Services, the Chief Information Officer, has oversight over 3 of the 6 key privacy functions, but not policy consultation, Privacy Act compliance or redress. Officials, in response to our recommendations, have provided additional information and documentation that shows the Senior Agency Official for Privacy has oversight over all 3 (policy consultation and Privacy Act compliance) of these 3 remaining key privacy functions. The provided documentation has addressed the recommendations.
Department of Commerce
In order to ensure that their senior agency officials for privacy (SAOP) function effectively as central focal points for privacy management, the Attorney General and the Secretaries of Commerce, Defense, Health and Human Services, Labor, and Treasury should take steps to ensure that their SAOPs have oversight over all key privacy functions.
Closed - Implemented
In May 2008, we reported that the Department of Commerce (DOC) Senior Agency Official for Privacy (SAOP) did not have oversight over two of the six key functions identified in our report: Privacy Act compliance and redress. We recommended that the Secretary of Commerce take steps to ensure that the department's SAOP has oversight over all of the key privacy functions. In response to our recommendations, officials provided documentation in August 2012 confirming that the department's Chief Privacy Officer (the department's SAOP) has oversight responsibilities over all key privacy functions, including Privacy Act compliance and redress.
