Large Federal government agencies across the board could be doing more to protect the personal and private information they collect about individuals, and would benefit from beefing up the roles of their senior privacy officials, according to a new Government Accountability Office (GAO) report.
The report examines the government’s 24 CFO Act agencies, and how each has taken on the task of protecting personally identifiable information (PII). The top-line findings include:
- Most agencies put in place policies and procedures for key privacy activities including developing system of records notices to identify personal data collected and how it’s used, along with conducting privacy impact assessments;
- Agencies turned in spottier performance in establishing policies for coordination between privacy programs and other activities including information security, budget and acquisition, workforce planning, and incident response; and
- Many agencies did not fully incorporate privacy into their risk management strategies, provide for privacy officials’ input into the authorization of systems containing PII, and develop a privacy continuous monitoring strategy.
Strengthening Privacy Officials’ Roles
GAO said one way to improve agency performance on carrying out privacy policies is to beef up the roles of senior agency officials in charge of privacy.
“The 24 agencies have each designated a senior agency official for privacy,” GAO said. “However, most of these officials do not have privacy as their primary responsibility and have numerous other duties.”
“Officials with primary duties other than privacy are unlikely to spend a majority of their time focused on privacy, and agencies generally delegated operational aspects of their privacy programs to less-senior officials,” GAO said. “This makes it less likely that the senior agency officials for privacy will focus their attention on privacy in discussions with other senior agency leaders.”
Firming up the roles of agency senior privacy officials, GAO said, could make those officials “better positioned to ensure a consistent focus on privacy at the level of senior leadership, facilitate cross-agency coordination, and elevate the importance of privacy.”
Challenges to better agency privacy performance often include a lack of resources and difficulty in hiring a workforce with the right skills, the report says.
GAO laid out several recommendations for Congress, the Office of Management and Budget (OMB), and Federal agencies to improve privacy performance, including:
- Congress should consider legislation to designate a dedicated, senior-level privacy official at agencies that currently lack one;
- OMB should help agencies address the privacy challenges in the report; and
- OMB, through the Federal Privacy Council (FPC) or other channels, should take steps to promote sharing of information and best practices related to conducting privacy impact assessments.
According to the report, OMB privacy officials support the idea of codifying a dedicated senior privacy official in statute, saying that would help strengthen agency programs.
“In addition, several agency officials and privacy experts noted that a senior agency leader dedicated to privacy could better ensure cross-agency coordination and elevate the importance of privacy,” GAO said. “Establishing such a position in law could enhance the leadership commitment needed to give attention to privacy issues across the government.”