Privacy Act: OMB Leadership Needed to Improve Agency Compliance

GAO-03-304 June 30, 2003

Summary

The Privacy Act regulates how federal agencies may use the personal information that individuals supply when obtaining government services or fulfilling obligations--for example, applying for a small business loan or paying taxes. GAO was asked to review, among other things, agency compliance with the Privacy Act and related guidance from the Office of Management and Budget (OMB).

Based on responses from 25 selected agencies to GAO surveys, compliance with Privacy Act requirements and OMB guidance is generally high in many areas, but it is uneven across the federal government. For example, GAO used agency responses to estimate 100 percent compliance with the requirement to issue a rule explaining to the public why personal information is exempt from certain provisions of the act. In contrast, GAO estimates 71 percent compliance with the requirement that personal information should be complete, accurate, relevant, and timely before it is disclosed to a nonfederal organization. As a result of this uneven compliance, the government cannot adequately assure the public that all legislated individual privacy rights are being protected. Agency senior privacy officials acknowledge the uneven compliance but report a number of difficult implementation issues in a rapidly changing environment. Of these issues, privacy officials gave most importance to the need for further OMB leadership and guidance. Although agencies are not generally dissatisfied with OMB's guidance on the Privacy Act, they made specific suggestions regarding areas in which additional guidance is needed, such as the act's application to electronic records. Besides these gaps in guidance, additional issues included the low agency priority given to implementing the act and insufficient employee training on the act. If these implementation issues and the overall uneven compliance are not addressed, the government will not be able to provide the public with sufficient assurance that all legislated individual privacy rights are adequately protected.



Recommendations



Recommendations for Executive Action


Recommendation: To improve agency compliance with the Privacy Act, the Director, OMB, should direct agencies to correct the deficiencies in compliance with the Privacy Act that agencies identified in this report.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Implemented

Comments: Following the issuance of GAO's privacy report, OMB issued two memoranda (05-15 on June 13, 2005 and 05-08 on Feb. 11, 2005) which together direct each agency to appoint a senior official to be accountable for privacy compliance and to report an extensive amount of new information about its privacy program, including the status of corrective actions to remedy identified privacy deficiencies (as in the GAO report). This extensive new information reporting system will allow OMB to effectively oversee agency implementation of actions needed to correct the deficiencies cited in GAO's report and monitor overall agency compliance with the Privacy Act.

Recommendation: To improve agency compliance with the Privacy Act, the Director, OMB, should oversee agency implementation of actions needed to correct these deficiencies.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Implemented

Comments: Following the issuance of GAO's privacy report, OMB issued two memoranda (05-15 on June 13, 2005 and 05-08 on Feb. 11, 2005) which together direct each agency to appoint a senior official to be accountable for privacy compliance and to report an extensive amount of new information about its privacy program, including the status of corrective actions to remedy identified privacy deficiencies (as in the GAO report). This extensive new information reporting system will allow OMB to effectively oversee agency implementation of actions needed to correct the deficiencies cited in GAO's report and monitor overall agency compliance with the Privacy Act.

Recommendation: To improve agency compliance with the Privacy Act, the Director, OMB, should monitor overall agency compliance with the act.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Implemented

Comments: Following the issuance of GAO's privacy report, OMB issued two memoranda (05-15 on June 13, 2005 and 05-08 on Feb. 11, 2005) which together direct each agency to appoint a senior official to be accountable for privacy compliance and to report an extensive amount of new information about its privacy program, including the status of corrective actions to remedy identified privacy deficiencies (as in the GAO report). This extensive new information reporting system will allow OMB to effectively oversee agency implementation of actions needed to correct the deficiencies cited in GAO's report and monitor overall agency compliance with the Privacy Act.

Recommendation: To address implementation issues related to compliance with the Privacy Act, the Director should assess the need for specific changes to OMB guidance, especially with regard to electronic records, and update the guidance, as appropriate.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Implemented

Comments: OMB Memorandum 03-22 (Sept. 30, 2003) provided specific changes to OMB guidance, including a requirement for agencies to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system. Also, OMB issued two memoranda (05-15 on June 13, 2005 and 05-08 on Feb. 11, 2005) which together require agencies to report extensively on their information systems (electronic and manual), including a requirement to identify the number of systems containing identifiable information retrieved by personal identifier (making it subject to the Privacy Act).

Recommendation: To address implementation issues related to compliance with the Privacy Act, the Director should raise the awareness and commitment of senior agency officials to the importance of the principles that underlie the Privacy Act.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Implemented

Comments: OMB Memorandum 05-08 (Feb. 11, 2005) directs each agency to identify a senior official who will have overall responsibility and accountability for ensuring the agency's implementation of information privacy protections, including the agency's full compliance with federal laws, regulations, and policies related to information privacy, such as the Privacy Act. Also, each agency must (1) take appropriate steps to protect personal information from unauthorized use, access, disclosure, or sharing, and to protect associated information systems from unauthorized access, modification, disruption, or destruction, and (2) maintain adequate documentation regarding its compliance with these requirements; in addition, each agency is (3) authorized to conduct periodic reviews to promptly identify deficiencies, weaknesses, or risks. The memo also states that, when compliance issues are identified (as in the GAO report), agencies are obligated to take appropriate steps to remedy them. In addition, the senior privacy official shall ensure that the agency's employees and contractors receive appropriate training and education programs governing the handling of personal information. OMB issued another memo (05-15) on June 13, 2005 that requires extensive new agency information reporting that will allow OMB to effectively monitor overall agency compliance with Memorandum 05-08. Together, these memos should raise the awareness and commitment of senior agency officials to the importance of the principles that underlie the Privacy Act.

Recommendation: To address implementation issues related to compliance with the Privacy Act, the Director should lead a governmentwide effort to (1) determine the level of resources, including human capital, currently devoted to Privacy Act implementation by both OMB and the agencies, (2) assess the level of resources needed to fully implement the act, (3) identify the gap, if any, between current and needed resources, and (4) develop a plan for addressing any gap that may exist.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Implemented

Comments: OMB Memorandum 05-08 (Feb. 11, 2005) directs each agency to identify a senior official who will have overall responsibility and accountability for ensuring the agency's full compliance with federal laws, regulations, and policies related to information privacy, such as the Privacy Act. Also, the memo states that, when compliance issues are identified (as in the GAO report), agencies are obligated to take appropriate steps to remedy them. Another OMB memo (05-15) requires agencies to report an extensive amount of information about their compliance activities, making any deficiencies transparent. By making a senior official in each agency fully accountable for compliance with privacy laws and regulations and requiring reporting of any deficiencies to OMB, GAO believes OMB has provided the leadership needed to encourage agencies to (1) determine the level of resources, including human capital, currently devoted to Privacy Act implementation by both OMB and the agencies, (2) assess the level of resources needed to fully implement the act, (3) identify the gap, if any, between current and needed resources, and (4) develop a plan for addressing any gap that may exist.

Recommendation: To address implementation issues related to compliance with the Privacy Act, the Director should oversee the development of Privacy Act training that meets the needs of the wide range of employees who carry out the act and make this training readily available to agencies.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Implemented

Comments: OMB Memorandum 05-08 (Feb. 11, 2005) directs each agency to identify a senior official who has overall agency-wide responsibility for information privacy issues. The memo states that this official shall ensure that the agency's employees and contractors receive appropriate training and education programs governing the handling of personal information. In addition, OMB Memorandum 05-15 (June 13, 2005) requires the agency's senior privacy official to report to OMB its answers to various questions related to privacy training. For example, the agency is to report whether it has (1) a training program to ensure that all agency personnel with access to federal data are familiar with information privacy laws, regulations, and policies and understand the ramifications of inappropriate access and disclosure and (2) a program for job-specific training (i.e., detailed training for individuals directly involved in the administration of personal information or information systems).

Recommendation: Further, the Director should oversee an assessment of the potential impact on individual privacy of federal agencies' maintaining personal information that is not subject to the act.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Implemented

Comments: OMB Memorandum 05-15 (June 13, 2005) requires agencies to report to OMB on the number of information systems containing federally owned information in an identifiable form (both subject to the Privacy Act and not subject to the act). For example, agencies are to report the number of systems containing information in an identifiable form and, of those, the number where information is retrieved by name or unique identifier. Using this information, OMB will be able to determine which agencies maintain personal information in systems not subject to the Privacy Act and how many such systems there are, so as to assess their impact.

Recommendation: The Director should involve federal agencies as appropriate in addressing the above recommendations. One option for doing so would be to establish a multiagency working group or forum, perhaps as part of the Chief Information Officers Council.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Implemented

Comments: Following the issuance of GAO's privacy report, OMB issued Memorandum 05-08 (Feb. 11, 2005), which directs each agency to identify a senior official who is to have overall responsibility and accountability for ensuring the agency's implementation of information privacy protections, including the agency's full compliance with federal laws, regulations, and policies related to information privacy, such as the Privacy Act. The memo states that, when compliance issues are identified, agencies are obligated to take appropriate steps to remedy them. Also, OMB issued Memorandum 05-15 on June 13, 2005, which directs each agency's senior privacy official to report an extensive amount of new information about its privacy program, including the status of corrective actions to remedy identified privacy deficiencies (as in the GAO report). Finally, OMB has established a multiagency workgroup of privacy officers who meet periodically to discuss issues of mutual concern. Together, these memos will directly involve agencies in addressing the findings in GAO's report.