Privacy: Dedicated Leadership Can Improve Programs and Address Challenges

GAO-22-105065 Published: Sep 22, 2022. Publicly Released: Sep 22, 2022.
Jump To:
Fast Facts

Federal agencies that collect personally identifiable information—such as birthplaces and Social Security numbers—are required to establish programs to protect it.

The 24 agencies we examined had designated a senior agency official for privacy, as required. However, these officials may have numerous other duties and may not bring a needed focus on privacy. They generally delegated many aspects of privacy programs to less-senior officials.

We recommended that Congress consider legislation to designate dedicated, senior-level privacy officials. We also made more than 60 other recommendations to strengthen agency privacy programs.

A graphic of a phone, which shows a colorful padlock on the screen, surrounded by illustrated eyes.

Skip to Highlights
Highlights

What GAO Found

The 24 Chief Financial Officer (CFO) Act of 1990 agencies varied in the extent to which they addressed key practices for implementing privacy programs:

  • Agencies generally established policies and procedures for key privacy activities. These included developing system of records notices, to identify personal data collected and how they are used; conducting privacy impact assessments; and documenting privacy program plans.
  • Agencies varied in establishing policies and procedures for coordination between privacy programs and other agency activities, such as information security, budget and acquisition, workforce planning, and incident response.
  • Many agencies did not fully incorporate privacy into their risk management strategies, provide for privacy officials' input into the authorization of systems containing personally identifiable information (PII), and develop a privacy continuous monitoring strategy.

Extent to Which 24 Chief Financial Officers Act of 1990 Agencies Addressed Key Practices for Establishing a Privacy Program

Extent to Which 24 Chief Financial Officers Act of 1990 Agencies Addressed Key Practices for Establishing a Privacy Program

Without fully establishing these elements of their privacy programs, agencies have less assurance that they are consistently implementing privacy protections.

Agencies most frequently cited the following challenges in implementing their privacy programs (see table). Additional information sharing could help agencies address selected challenges.

24 Chief Financial Officer Act of 1990 Agency Challenges in Implementing Privacy Programs

Challenge

Number of agencies reporting challenge

Having sufficient resources

21

Applying privacy requirements to new technologies

20

Hiring privacy personnel

17

Integrating privacy and security controls

16

Coordinating with other agency offices and programs

15

Ensuring agency programs are implementing privacy requirements

15

Retaining privacy personnel

15

Training privacy professionals

14

Source: GAO analysis of agency data. | GAO-22-105065

Agencies and privacy experts identified benefits of privacy impact assessments, including providing public information and managing risks. However, they also identified factors that can limit the assessments' effectiveness. These include agencies not always initiating privacy impact assessments early enough to affect program decisions; privacy programs not aware of all agency systems with PII; and privacy programs unable to hold agency staff accountable for developing privacy impact assessments.

Addressing key privacy program practices, program challenges, and privacy impact assessment effectiveness requires significant leadership commitment at agencies. In accordance with Office of Management and Budget (OMB) guidance, the 24 agencies have each designated a senior agency official for privacy. However, most of these officials do not have privacy as their primary responsibility and have numerous other duties relating to, for example, managing IT and information security. Officials with primary duties other than privacy are unlikely to spend a majority of their time focused on privacy, and agencies generally delegated operational aspects of their privacy programs to less-senior officials. This makes it less likely that the senior agency officials for privacy will focus their attention on privacy in discussions with other senior agency leaders.

The shortcomings in agency policies and challenges they reported could be better addressed by a senior-level official with privacy as a primary area of responsibility. In particular, such an official could be better positioned to ensure a consistent focus on privacy at the level of senior leadership, facilitate cross-agency coordination, and elevate the importance of privacy. OMB privacy staff stated that they believed codifying a dedicated senior privacy official in statute would strengthen agency programs and better enable them to address challenges. In addition, several agency officials and privacy experts noted that a senior agency leader dedicated to privacy could better ensure cross-agency coordination and elevate the importance of privacy. Establishing such a position in law could enhance the leadership commitment needed to give attention to privacy issues across the government.

Why GAO Did This Study

The protection of personal privacy has become a more significant issue in recent years with the advent of new technologies and the proliferation of personal information. Federal agencies collect and process large amounts of PII for various government programs. Accordingly, they must ensure that any PII they collect, store, or process is protected from unauthorized access, tampering, or loss.

Federal agencies are required to establish privacy programs for the protection of PII that they collect and process. Among other things, this includes designating a senior agency official for privacy with overall responsibility for the agency's privacy program. In addition, agencies are to conduct privacy impact assessments to analyze how personal information is collected, stored, shared, and managed in a federal system.

GAO was asked to review federal agencies' privacy programs. This report examines (1) the extent to which agencies have established programs for ensuring privacy protections; (2) challenges agencies reported experiencing in implementing their privacy programs; (3) reported benefits and limitations in agencies' use of privacy impact assessments; and (4) the extent to which agencies have senior leadership dedicated to privacy issues.

To do so, GAO compared policies and procedures at the 24 CFO Act agencies to key practices for establishing privacy programs. These practices included privacy compliance activities, coordination between privacy and other agency programs or functions, and activities to manage privacy risks.

In addition, GAO surveyed the 24 agencies on benefits and limitations of privacy impact assessments, and on challenges in implementing their privacy programs. GAO also interviewed privacy experts, relevant agency officials, and staff at OMB's privacy branch.

Skip to Recommendations

Recommendations

GAO is recommending one matter for congressional consideration, that Congress consider legislation to designate a dedicated, senior-level privacy official at agencies that currently lack one. GAO is also making two recommendations to OMB to facilitate information sharing to help agencies address selected challenges and better implement privacy impact assessments.

Finally, GAO is making 62 recommendations to selected agencies to fully implement key practices for their privacy programs. This includes fully establishing policies and procedures for coordination between privacy programs and other agency functions and incorporating privacy into risk management activities.

Twenty agencies, including OMB, agreed with the recommendations, and several described planned actions to implement them. One agency did not explicitly state whether it agreed with the recommendations, but generally agreed with the report. One agency disagreed with the recommendations, while another disagreed with some recommendations and partially agreed with others. Two agencies stated that they had no comments on the report. GAO continues to believe all of its recommendations are warranted.

Matter for Congressional Consideration

Matter Status Comments
Congress should consider legislation to designate a senior privacy official, such as a chief privacy officer, at agencies that currently lack such a position. This position should have privacy as its primary duty, the organizational placement necessary to coordinate with other agency functions and senior leaders, and the authority to ensure that privacy requirements are implemented and privacy concerns are elevated to the head of the agency.
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendations for Executive Action

Agency Affected Recommendation Status
Office of Management and Budget The Director of OMB should take steps to promote, through the Federal Privacy Council or other channels, sharing of information and best practices to help agencies address challenges identified in this report, including the application of privacy requirements and risk management to new and emerging technologies and integrating security and privacy controls. (Recommendation 1)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Management and Budget The Director of OMB should take steps to promote, through the Federal Privacy Council or other channels, the sharing of information, best practices, and other resources related to conducting privacy impact assessments. (Recommendation 2)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Agriculture The Secretary of Agriculture should document program management controls and common privacy controls in place or planned for meeting applicable requirements and managing risks. (Recommendation 3)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Agriculture The Secretary of Agriculture should fully define and document a process for ensuring that the senior agency official for privacy, or other designated privacy official, reviews IT capital investment plans and budgetary requests. (Recommendation 4)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Agriculture The Secretary of Agriculture should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 5)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Agriculture The Secretary of Agriculture should establish a time frame for incorporating privacy into an organization-wide risk management strategy that includes a determination of risk tolerance, and develop and document this strategy. (Recommendation 6)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Agriculture The Secretary of Agriculture should fully define and document the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages, and document these roles. (Recommendation 7)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Agriculture The Secretary of Agriculture should establish a time frame for fully developing a privacy continuous monitoring strategy, and develop and document this strategy. (Recommendation 8)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Commerce The Secretary of Commerce should ensure that its organization-wide risk management strategy includes key elements, including a determination of privacy risk tolerance. (Recommendation 9)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Defense The Secretary of Defense should establish a time frame for fully defining a process to ensure that the senior agency official for privacy or other designated senior privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy, and document this process. (Recommendation 10)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Defense The Secretary of Defense should establish a time frame for incorporating privacy into an organization-wide risk management strategy that includes a determination of risk tolerance, and develop and document this strategy. (Recommendation 11)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Defense The Secretary of Defense should establish a time frame for fully developing a privacy continuous monitoring strategy, and develop and document this strategy. (Recommendation 12)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Education The Secretary of Education should establish a time frame for updating the department's policies for creating, reviewing, and publishing system of records notices, and make these updates. (Recommendation 13)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Energy The Secretary of Energy should establish a time frame for fully defining a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy, and document this process. (Recommendation 14)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Energy The Secretary of Energy should incorporate privacy into an organization-wide risk management strategy that includes a determination of risk tolerance. (Recommendation 15)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Energy The Secretary of Energy should establish a time frame for fully defining the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages, and document these roles. (Recommendation 16)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Health and Human Services The Secretary of Health and Human Services should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 17)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security The Secretary of Homeland Security should incorporate privacy into an organization-wide risk management strategy that includes a determination of risk tolerance. (Recommendation 18)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security The Secretary of Homeland Security should fully define and document the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages. (Recommendation 19)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Homeland Security The Secretary of Homeland Security should fully develop and document a privacy continuous monitoring strategy. (Recommendation 20)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Housing and Urban Development The Secretary of Housing and Urban Development should fully define and document a process for ensuring that the senior agency official for privacy, or other designated privacy official, reviews IT capital investment plans and budgetary requests. (Recommendation 21)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Housing and Urban Development The Secretary of Housing and Urban Development should incorporate privacy into an organization-wide risk management strategy that includes a determination of risk tolerance. (Recommendation 22)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Housing and Urban Development The Secretary of Housing and Urban Development should establish a time frame for fully developing a privacy continuous monitoring strategy, and develop and document this strategy. (Recommendation 23)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of the Interior The Secretary of the Interior should establish a time frame for incorporating privacy into an organization-wide risk management strategy that includes a determination of risk tolerance, and develop and document this strategy. (Recommendation 24)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Justice The Attorney General should incorporate privacy into an organizationwide risk management strategy that includes a determination of risk tolerance. (Recommendation 25)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Justice The Attorney General should establish a time frame and fully develop and document a privacy continuous monitoring strategy. (Recommendation 26)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Labor The Secretary of Labor should fully define and document a process for ensuring that the senior agency official for privacy, or other designated privacy official, reviews IT capital investment plans and budgetary requests. (Recommendation 27)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Labor The Secretary of Labor should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 28)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Labor The Secretary of Labor should fully define and document the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages. (Recommendation 29)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of State The Secretary of State should establish a time frame for incorporating privacy into an organization-wide risk management strategy that includes a determination of risk tolerance, and develop and document this strategy. (Recommendation 30)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of State The Secretary of State should establish a time frames for fully defining and the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages, and document these roles. (Recommendation 31)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of State The Secretary of State should establish a time frame for fully developing a privacy continuous monitoring strategy, and develop and document this strategy. (Recommendation 32)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Transportation The Secretary of Transportation should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 33)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Transportation The Secretary of Transportation should incorporate privacy into an organization-wide risk management strategy that includes a determination of risk tolerance. (Recommendation 34)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of the Treasury The Secretary of the Treasury should fully define and document a process for ensuring that the senior agency official for privacy, or other designated privacy official, reviews IT capital investment plans and budgetary requests. (Recommendation 35)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of the Treasury The Secretary of the Treasury should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 36)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of the Treasury The Secretary of the Treasury should incorporate privacy into an organization-wide risk management strategy that includes a determination of risk tolerance. (Recommendation 37)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of the Treasury The Secretary of the Treasury should establish a time frame for fully defining the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages, and document these roles. (Recommendation 38)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of the Treasury The Secretary of the Treasury should fully develop and document a privacy continuous monitoring strategy. (Recommendation 39)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Veterans Affairs The Secretary of Veterans Affairs should establish a time frame for defining a process for ensuring that the senior agency official for privacy, or other designated privacy official, reviews IT capital investment plans and budgetary requests, and document this process. (Recommendation 40)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Veterans Affairs The Secretary of Veterans Affairs should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 41)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Veterans Affairs The Secretary of Veterans Affairs should fully define and document the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages, and document these roles. (Recommendation 42)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Department of Veterans Affairs The Secretary of Veterans Affairs should ensure that its privacy continuous monitoring strategy includes a catalog of privacy controls and defines the frequency at which they are to be assessed. (Recommendation 43)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Environmental Protection Agency The Administrator of EPA should fully develop and document a privacy continuous monitoring strategy. (Recommendation 44)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
General Services Administration The Administrator of GSA should fully define and document a process for ensuring that the senior agency official for privacy, or other designated privacy official, reviews IT capital investment plans and budgetary requests. (Recommendation 45)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
General Services Administration The Administrator of GSA should establish a time frame for fully defining a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy, and document that process. (Recommendation 46)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
General Services Administration The Administrator of GSA should fully define and document the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages. (Recommendation 47)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration The Administrator of NASA should incorporate privacy into an organization-wide risk management strategy that includes a determination of risk tolerance. (Recommendation 48)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
National Aeronautics and Space Administration The Administrator of NASA should fully define and document the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages. (Recommendation 49)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Nuclear Regulatory Commission The Chairman of NRC should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 50)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Nuclear Regulatory Commission The Chairman of NRC should fully define and document the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages. (Recommendation 51)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Personnel Management The Director of OPM should establish a time frame for updating the agency's policy for creating, reviewing, and publishing system of records notices, and make these updates. (Recommendation 52)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Personnel Management The Director of OPM should define and document procedures for coordination between privacy and information security functions. (Recommendation 53)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Personnel Management The Director of OPM should fully define and document a policy and process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 54)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Personnel Management The Director of OPM should incorporate privacy into an organizationwide risk management strategy that includes a determination of risk tolerance. (Recommendation 55)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Personnel Management The Director of OPM should establish a time frame for fully defining the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages, and document these roles. (Recommendation 56)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Office of Personnel Management The Director of OPM should fully develop and document a privacy continuous monitoring strategy. (Recommendation 57)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Small Business Administration The Administrator of SBA should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 58)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Social Security Administration The Commissioner of SSA should define and document procedures for coordination between privacy and information security functions. (Recommendation 59)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Social Security Administration The Commissioner of SSA should fully define and document a process for ensuring that the senior agency official for privacy, or other designated privacy official, reviews IT capital investment plans and budgetary requests to ensure privacy requirements and associated controls are explicitly identified and included with respect to any IT resources that will involve PII. (Recommendation 60)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Social Security Administration The Commissioner of SSA should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. (Recommendation 61)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Social Security Administration The Commissioner of SSA should establish a time frame for fully defining the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages, and document these roles. (Recommendation 62)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
U.S. Agency for International Development The Administrator of USAID should fully define and document a process for ensuring that the senior agency official for privacy, or other designated privacy official, reviews IT capital investment plans and budgetary requests. (Recommendation 63)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
U.S. Agency for International Development The Administrator of USAID should incorporate privacy into an organization-wide risk management strategy that includes a determination of risk tolerance. (Recommendation 64)
Open
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Full Report

GAO Contacts