Information Management: Agencies Need to Streamline Electronic Services
Federal agencies must obtain written consent from individuals before disclosing their personal information. The Office of Management and Budget issued guidance that outlined agencies' responsibilities for accepting digital access and consent forms. Agencies were to implement the requirements in this guidance by November 2021.
We found that, as of August 2022, only 1 of the 17 agencies that we reviewed had done so (the Securities and Exchange Commission). The others faced technical issues and competing priorities that have caused delays.
We recommended that agencies establish reasonable time frames for fully implementing OMB's guidance.
What GAO Found
With certain enumerated exceptions, the Privacy Act of 1974 prohibits disclosure of records to any person or agency, unless disclosure is pursuant to the prior written request by, or with the prior written consent of, the individual to whom the record pertains. As required by the Creating Advanced Streamlined Electronic Services for Constituents Act of 2019, the Office of Management and Budget (OMB) issued guidance that outlined agencies' responsibilities for accepting digitally-formatted access and consent forms from individuals who are properly identity proofed and authenticated. Agencies were to implement the requirements in the OMB guidance by November 2021. As of September 2022, one of the selected agencies—the Securities and Exchange Commission (SEC)—reported that they had fully implemented OMB's guidance. The remaining 16 agencies reported encountering technical challenges and competing priorities that have delayed them from fully implementing OMB's guidance. However, five of these agencies have established time frames for full implementation. Sharing information on SEC's success could benefit other agencies' efforts to implement OMB's requirements.
Why GAO Did This Study
The Privacy Act prohibits disclosure of records to any person or agency, unless disclosure is pursuant to the prior written request by, or with the prior written consent of, the individual to whom the record pertains. Accordingly, agencies have developed various procedures and forms by which individuals may establish their identity and request access to or provide written consent for the disclosure of their records.
To simplify and modernize this process, the CASES Act required OMB to issue applicable guidance. This guidance was to: (1) require agencies to accept electronic identity proofing and authentication; (2) create a template for electronic consent and access forms and requires each agency to post the template on the agency website; and (3) require each agency to accept electronic consent and access forms from individuals that have been properly identity proofed and authenticated.
GAO was asked to review the implementation of the CASES Act at OMB and federal agencies. GAO selected 17 agencies for review that had received 5,000 or more Freedom of Information Act requests in fiscal year 2020.
Recommendations
GAO is making a total of 12 recommendations, one to OMB to facilitate information sharing among agencies, and one to each of 11 agencies to establish reasonable time frames for fully implementing OMB guidance. Seven agencies concurred with our recommendations, while four agencies and OMB either generally agreed or did not state whether they agreed or disagreed with our recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Office of Management and Budget | The Director of the Office of Management and Budget should take steps to promote, through mechanisms such as the Federal Privacy Council and Chief Information Officers Council, sharing of information and lessons learned to help agencies implement the requirements of the CASES Act; this could include SEC sharing information on overcoming challenges and identifying lessons learned. (Recommendation 1) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Defense | The Secretary of Defense should establish a reasonable time frame for when the Department of Defense will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the department's privacy program website. (Recommendation 2) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Health and Human Services | The Secretary of Health and Human Services should establish a reasonable time frame for when the Department of Health and Human Services will be able to digitally accept access and consent forms from individuals who were properly identity proofed and authenticated and post access and consent forms on the department's privacy program website. (Recommendation 3) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of the Interior | The Secretary of Interior should establish a reasonable time frame for when the Department of the Interior will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the department's privacy program website. (Recommendation 4) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Justice | The Attorney General should establish a reasonable time frame for when the Department of Justice will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the department's privacy program website. (Recommendation 5) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Transportation | The Secretary of Transportation should establish a reasonable time frame for when the Department of Transportation will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the department's privacy program website. (Recommendation 6) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of the Treasury | The Secretary of Treasury should establish a reasonable time frame for when the Department of the Treasury will be able to digitally accept access and consent forms from individuals who were properly identity proofed and authenticated and post access and consent forms on the department's privacy program website. (Recommendation 7) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Veterans Affairs | The Secretary of Veterans Affairs should establish a reasonable time frame for when the Department of Veterans Affairs will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the department's privacy program website. (Recommendation 8) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Equal Employment Opportunity Commission | The Chair of the Equal Employment Opportunity Commission should establish a reasonable time frame for accepting remote identity proofing with authentication, digitally accepting access and consent forms from individuals who were properly identity proofed and authenticated, and posting access and consent forms on the agency's privacy program website. (Recommendation 9) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| National Archives and Records Administration | The Archivist of the United States should establish a reasonable time frame for when the National Archives and Records Administration will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the agency's privacy program website. (Recommendation 10) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Office of Personnel Management | The Director of the Office of Personnel Management should establish a reasonable time frame for when the agency will be able to accept remote identity proofing with authentication, digitally accept access and consent forms from individuals who were properly identity proofed and authenticated, and post access and consent forms on the agency's privacy program website. (Recommendation 11) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Social Security Administration | The Commissioner of the Social Security Administration should establish a reasonable time frame for when the agency will post access and consent forms on the agency's privacy program website. (Recommendation 12) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|