Privacy: Agencies Should Ensure That Designated Senior Officials Have Oversight of Key Functions

GAO-08-603 May 30, 2008

Summary

Government agencies have a long-standing obligation under the Privacy Act of 1974 to protect the privacy of individuals about whom they collect personal information. A number of additional laws have been enacted in recent years directing agency heads to designate senior officials as focal points with overall responsibility for privacy. GAO was asked to (1) describe laws and guidance that set requirements for senior privacy officials within federal agencies, and (2) describe the organizational structures used by agencies to address privacy requirements and assess whether senior officials have oversight over key functions. To achieve these objectives, GAO analyzed the laws and related guidance and analyzed policies and procedures relating to key privacy functions at 12 agencies.

Federal laws set varying roles and responsibilities for senior agency privacy officials. Despite much variation, all of these laws require covered agencies to assign overall responsibility for privacy protection and compliance to a senior agency official. In addition, Office of Management and Budget guidance directs agencies to designate a senior agency official for privacy with specific responsibilities. The specific privacy responsibilities defined in these laws and guidance can be grouped into six broad categories: (1) conducting privacy impact assessments (which are intended to ensure that privacy requirements are addressed when personal information is collected, stored, shared, and managed in a federal system), (2) complying with the Privacy Act, (3) reviewing and evaluating the privacy implications of agency policies, (4) producing reports on the status of privacy protections, (5) ensuring that redress procedures to handle privacy inquiries and complaints are in place, and (6) ensuring that employees and contractors receive appropriate training. The laws and guidance vary in how they frame requirements in these categories and which agencies must adhere to them. Agencies also have varying organizational structures to address privacy responsibilities. For example, of the 12 agencies we reviewed, 2 had statutorily designated chief privacy officers who also served as senior agency officials for privacy, 5 designated their agency chief information officers as their senior privacy officials, and the others designated a variety of other officials, such as the general counsel or assistant secretary for management. Further, not all of the agencies we reviewed had given their designated senior officials full oversight over all privacy-related functions. While 6 agencies had these officials overseeing all key privacy functions, 6 others relied on other organizational units not overseen by the designated senior official to perform certain key privacy functions. 
The fragmented way in which privacy functions were assigned to organizational units in these agencies is at least partly the result of evolving requirements in law and guidance. However, without oversight of all key privacy functions, designated senior officials may be unable to effectively serve as agency central focal points for information privacy.



Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow up work.

Director: Linda D. Koontz
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6240


Recommendations for Executive Action


Recommendation: In order to ensure that their senior agency officials for privacy (SAOP) function effectively as central focal points for privacy management, the Attorney General and the Secretaries of Commerce, Defense, Health and Human Services, Labor, and Treasury should take steps to ensure that their SAOPs have oversight over all key privacy functions.

Agency Affected: Department of Commerce

Status: In process

Comments: As of August 2008, the Department of Commerce has yet to respond to our inquiry or provide an update on the status of this recommendation.

Agency Affected: Department of Defense

Status: In process

Comments: In its August 1, 2008, letter, DOD stated that the apparent success of the Department's current solution supports taking no further action based on the recommendations in our report.

Agency Affected: Department of Health and Human Services

Status: In process

Comments: As of August 2008, the Department of Health and Human Services has yet to respond to our inquiry or provide an update on the status of this recommendation.

Agency Affected: Department of Justice

Status: In process

Comments: In its August 11, 2008, letter, DOJ officials stated that the department was taking steps to clarify the role of the Chief Privacy and Civil Liberties Officer in the redress process.

Agency Affected: Department of Labor

Status: In process

Comments: As of August 2008, the Department of Labor has yet to respond to our inquiry or provide an update on the status of this recommendation.

Agency Affected: Department of the Treasury

Status: In process

Comments: As of August 2008, the Department of the Treasury has yet to respond to our inquiry or provide an update on the status of this recommendation.