DHS Privacy Office: Progress Made but Challenges Remain in Notifying and Reporting to the Public

GAO-07-522 April 27, 2007

Summary

The Department of Homeland Security (DHS) Privacy Office was established with the appointment of the first Chief Privacy Officer in April 2003, as required by the Homeland Security Act of 2002. The Privacy Office's major responsibilities include: (1) reviewing and approving privacy impact assessments (PIA)--analyses of how personal information is managed in a federal system, (2) integrating privacy considerations into DHS decision making, (3) ensuring compliance with the Privacy Act of 1974, and (4) preparing and issuing annual reports and reports on key privacy concerns. GAO's objective was to examine progress made by the Privacy Office in carrying out its statutory responsibilities. GAO did this by comparing statutory requirements with Privacy Office processes, documents, and activities.

The DHS Privacy Office has made significant progress in carrying out its statutory responsibilities under the Homeland Security Act and its related role in ensuring compliance with the Privacy Act of 1974 and E-Government Act of 2002, but more work remains to be accomplished. Specifically, the Privacy Office has made significant progress by establishing a compliance framework for conducting PIAs, which are required by the E-Gov Act. The framework includes formal written guidance, training sessions, and a process for identifying affected systems. The framework has contributed to an increase in the quality and number of PIAs issued as well as the identification of many more affected systems. The resultant workload is likely to prove difficult to process in a timely manner. Designating privacy officers in certain DHS components could help speed processing of PIAs, but DHS has not yet taken action to make these designations. The Privacy Office has also taken actions to integrate privacy considerations into the DHS decision-making process by establishing an advisory committee, holding public workshops, and participating in policy development. However, limited progress has been made in updating public notices required by the Privacy Act for systems of records that were in existence prior to the creation of DHS. These notices should identify, among other things, the type of data collected, the types of individuals about whom information is collected, and the intended uses of the data. Until the notices are brought up-to-date, the department cannot assure the public that the notices reflect current uses and protections of personal information. Further, the Privacy Office has generally not been timely in issuing public reports. For example, a report on the Multi-state Anti-Terrorism Information Exchange program--a pilot project for law enforcement sharing of public records data--was not issued until long after the program had been terminated. 
Late issuance of reports has a number of negative consequences, including a potential reduction in the reports' value and erosion of the office's credibility.



Recommendations

Our recommendations from this work are listed below with a contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Linda D. Koontz
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6240


Recommendations for Executive Action


Recommendation: The Secretary of Homeland Security should designate full-time privacy officers at key DHS components, such as Customs and Border Protection, the U.S. Coast Guard, Immigration and Customs Enforcement, and the Federal Emergency Management Agency.

Agency Affected: Department of Homeland Security

Status: In process

Comments: According to a DHS official, on November 8, 2007, Secretary Chertoff signed a memo entitled "Designation of Component Privacy Officers," directing the heads of Customs and Border Protection (CBP), Citizenship and Immigration Services (CIS), the Federal Emergency Management Agency (FEMA), Immigration and Customs Enforcement (ICE), the Office of Intelligence and Analysis (I&A), and the Science and Technology Directorate (S&T) to appoint a full-time component privacy officer. According to a DHS official, as of August 2008, ICE, FEMA, CIS, and TSA have designated component privacy officers, and many of the others have identified Privacy Points of Contact. However, DHS officials could not provide this memo or documentation of the appointment of these privacy officials at this juncture.

Recommendation: The Secretary of Homeland Security should implement a department-wide process for the biennial review of system-of-records notices, as required by the Office of Management and Budget.

Agency Affected: Department of Homeland Security

Status: In process

Comments: As of August 2008, a DHS official stated that they are in the process of performing an initial global review of SORNs, which they have deemed necessary prior to establishing a regular biennial review. Further, he stated that the Privacy Office has begun developing a strategy for implementing its biennial review of SORNs and anticipates turning their attention to it more fully once they reduce their backlog of existing SORNs needing to be updated.

Recommendation: The Secretary of Homeland Security should establish a schedule for the timely issuance of Privacy Office reports (including annual reports), which appropriately consider all aspects of report development, including departmental clearance.

Agency Affected: Department of Homeland Security

Status: In process

Comments: As of August 2008, a DHS official stated that the 2007-2008 Annual Report is on schedule for timely submission. However, they were not able to provide documentation of a schedule ensuring the timely issuance of annual reports or an indication that a schedule has been developed.

Recommendation: The Secretary of Homeland Security should ensure that the Privacy Office's annual reports to Congress contain a specific discussion of complaints of privacy violations, as required by law.

Agency Affected: Department of Homeland Security

Status: Implemented

Comments: In April 2007, we reported on the progress of the DHS Privacy Office in carrying out its statutory responsibilities under the Homeland Security Act and its related role in ensuring E-Gov Act compliance. We noted that while they made significant progress, more work remains to be done. More specifically, we recommended that the Secretary of DHS ensure that the Privacy Office's annual reports to Congress contain a specific discussion of complaints of privacy violations. In response to our recommendation, DHS has included a discussion of privacy complaints in their 2006-2007 annual report. Furthermore, according to a DHS official, all future annual reports will include a similar section. The addition of this privacy complaints section will ensure that the DHS Privacy Office is fully meeting legal requirements, and will also increase office transparency to the public and special interest groups as it relates to privacy complaint handling and response.