Privacy Act: OMB Leadership Needed to Improve Agency Compliance
GAO-03-304
Published: Jun 30, 2003. Publicly Released: Jul 30, 2003.
Skip to Highlights
Highlights
The Privacy Act regulates how federal agencies may use the personal information that individuals supply when obtaining government services or fulfilling obligations--for example, applying for a small business loan or paying taxes. GAO was asked to review, among other things, agency compliance with the Privacy Act and related guidance from the Office of Management and Budget (OMB).
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Office of Management and Budget | To improve agency compliance with the Privacy Act, the Director, OMB, should direct agencies to correct the deficiencies in compliance with the Privacy Act that agencies identified in this report. |
Following the issuance of GAO's privacy report, OMB issued two memoranda (05-15 on June 13, 2005 and 05-08 on Feb. 11, 2005) which together direct each agency to appoint a senior official to be accountable for privacy compliance and to report an extensive amount of new information about its privacy program, including the status of corrective actions to remedy identified privacy deficiencies (as in the GAO report). This extensive new information reporting system will allow OMB to effectively oversee agency implementation of actions needed to correct the deficiencies cited in GAO's report and monitor overall agency compliance with the Privacy Act.
|
Office of Management and Budget | To improve agency compliance with the Privacy Act, the Director, OMB, should oversee agency implementation of actions needed to correct these deficiencies. |
Following the issuance of GAO's privacy report, OMB issued two memoranda (05-15 on June 13, 2005 and 05-08 on Feb. 11, 2005) which together direct each agency to appoint a senior official to be accountable for privacy compliance and to report an extensive amount of new information about its privacy program, including the status of corrective actions to remedy identified privacy deficiencies (as in the GAO report). This extensive new information reporting system will allow OMB to effectively oversee agency implementation of actions needed to correct the deficiencies cited in GAO's report and monitor overall agency compliance with the Privacy Act.
|
Office of Management and Budget | To improve agency compliance with the Privacy Act, the Director, OMB, should monitor overall agency compliance with the act. |
Following the issuance of GAO's privacy report, OMB issued two memoranda (05-15 on June 13, 2005 and 05-08 on Feb. 11, 2005) which together direct each agency to appoint a senior official to be accountable for privacy compliance and to report an extensive amount of new information about its privacy program, including the status of corrective actions to remedy identified privacy deficiencies (as in the GAO report). This extensive new information reporting system will allow OMB to effectively oversee agency implementation of actions needed to correct the deficiencies cited in GAO's report and monitor overall agency compliance with the Privacy Act.
|
Office of Management and Budget | To address implementation issues related to compliance with the Privacy Act, the Director should assess the need for specific changes to OMB guidance, especially with regard to electronic records, and update the guidance, as appropriate. |
OMB Memorandum 03-22 (Sept. 30, 2003) provided specific changes to OMB Guidance including a requirement for agencies to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system. Also, OMB issued two memoranda (05-15 on June 13, 2005 and 05-08 on Feb. 11, 2005) which together require agencies to report extensively on their information systems (electronic and manual), including a requirement to identify the number of systems containing identifiable information retrieved by personal identifier (making it subject to the Privacy Act).
|
Office of Management and Budget | To address implementation issues related to compliance with the Privacy Act, the Director should raise the awareness and commitment of senior agency officials to the importance of the principles that underlie the Privacy Act. |
OMB Memorandum 05-08 (Feb. 11, 2005) directs each agency to identify a senior official who will have overall responsibility and accountability for ensuring the agency's implementation of information privacy protections, including the agency's full compliance with federal laws, regulations, and policies related to information privacy, such as the Privacy Act. Also, each agency must (1) take appropriate steps to protect personal information from unauthorized use, access, disclosure or sharing, and to protect associated information systems from unauthorized access, modification, disruption, or destruction; (2) maintain adequate documentation regarding their compliance with these requirements; and (3) are authorized to conduct periodic reviews to promptly identify deficiencies, weaknesses, or risks. The memo also states that, when compliance issues are identified (as in the GAO report), agencies are obligated to take appropriate steps to remedy them. In addition, the senior privacy official shall ensure the agency's employees and contractors receive appropriate training and education programs governing the handling of personal information. OMB issued another memo (05-15) on June 13, 2005 that requires extensive new agency information reporting that will allow OMB to effectively monitor overall agency compliance with Memorandum 05-08. Together, these memos should raise the awareness and commitment of senior agency officials to the importance of the principles that underlie the Privacy Act.
|
Office of Management and Budget | To address implementation issues related to compliance with the Privacy Act, the Director should lead a governmentwide effort to (1) determine the level of resources, including human capital, currently devoted to Privacy Act implementation by both OMB and the agencies, (2) assess the level of resources needed to fully implement the act, (3) identify the gap, if any, between current and needed resources, and (4) develop a plan for addressing any gap that may exist. |
OMB Memorandum 05-08 (Feb. 11, 2005) directs each agency to identify a senior official who will have overall responsibility and accountability for ensuring the agency's full compliance with federal laws, regulations, and policies related to information privacy, such as the Privacy Act. Also, the memo states that, when compliance issues are identified (as in the GAO report), agencies are obligated to take appropriate steps to remedy them. Another OMB memo (05-15) requires agencies to report an extensive amount of information about their compliance activities, making any deficiencies transparent. By making a senior official in each agency fully accountable for compliance with privacy laws and regulations and requiring reporting of any deficiencies to OMB,GAO believes OMB has provided the leadership needed to encourage agencies to (1) determine the level of resources, including human capital, currently devoted to Privacy Act implementation by both OMB and the agencies, (2) assess the level of resources needed to fully implement the act, (3) identify the gap, if any, between current and needed resources, and (4) develop a plan for addressing any gap that may exist.
|
Office of Management and Budget | To address implementation issues related to compliance with the Privacy Act, the Director should oversee the development of Privacy Act training that meets the needs of the wide range of employees who carry out the act and make this training readily available to agencies. |
OMB Memorandum 05-08 (Feb. 11, 2005) directs each agency to identify a senior official who has overall agency-wide responsibility for information privacy issues. The memo states that this official shall ensure the agency's employees and contractors receive appropriate training and education programs governing the handling of personal information. In addition, OMB Memorandum 05-15 (June 13, 2005) requires the agency's senior privacy official to report to OMB its answers to various questions related to privacy training. For example, the agency is to report whether it has a (1) training program to ensure all agency personnel with access to Federal data are familiar with information privacy laws, regulations, and policies and understand the ramifications of inappropriate access and disclosure and (2) program for job-specific training (i.e., detailed training for individuals directly involved in the administration of personal information or information systems).
|
Office of Management and Budget | Further, the Director should oversee an assessment of the potential impact on individual privacy of federal agencies' maintaining personal information that is not subject to the act. |
OMB Memorandum 05-15 (June 13, 2005) requires agencies to report to OMB on the number of information systems containing federally-owned information in an identifiable form (both subject to the Privacy Act and not subject to the Act). For example, agencies are to report the number of systems containing information in an identifiable form and, of those, the number where information is retrieved by name or unique identifier. Using this information, OMB will be able to determine which agencies maintain personal information in systems not subject to the Privacy Act and how many such systems there are so as to assess their impact.
|
Office of Management and Budget | The Director should involve federal agencies as appropriate in addressing the above recommendations. One option for doing so would be to establish a multiagency working group or forum, perhaps as part of the Chief Information Officers Council. |
Following the issuance of GAO's privacy report, OMB issued Memorandum 05-08 (Feb. 11, 2005) which directs each agency to identify a senior official who is to have overall responsibility and accountability for ensuring the agency's implementation of information privacy protections, including the agency's full compliance with federal laws, regulations, and policies related to information privacy, such as the Privacy Act. The memo states that, when compliance issues are identified, agencies are obligated to take appropriate steps to remedy them. Also, OMB issued Memorandum 05-15 on June 13, 2005 which directs each agency's senior privacy official to report an extensive amount of new information about its privacy program, including the status of corrective actions to remedy identified privacy deficiencies (as in the GAO report). Finally, OMB has established a multi-agency workgroup of privacy officers who meet periodically to discuss issues of mutual concern. Together, these memos will directly involve agencies in addressing the findings in GAO's report.
|
Full Report
Topics
Federal agenciesInformation disclosureNoncompliancePrivacy lawRight of privacyPrivacy rightsPersonally identifiable informationSystems of recordsInformation systemsSurveys