US accountability office has a few dozen recommendations to meet federal data privacy
The U.S. continues to face challenges in meeting its own data privacy standards, according to a new report from the Government Accountability Office (GAO), which found 14 federal agencies lagging behind on promises to implement robust privacy plans and key practices for securing biometrics and other sensitive personal data.
Among those identified in the GAO report were the departments of Defense, Justice, Homeland Security, Treasury—and the Office of Personnel Management (OPM), which, in June 2015, was compromised by a breach that exposed the private information (including sensitive biometric data) of approximately 2.1 million people, making it one of the largest breaches in U.S. history.
The OPM accounts for six of the total of 62 recommendations GAO is making to the agencies to help them bring their privacy programs and standards up to date.
“This includes fully establishing policies and procedures for coordination between privacy programs and other agency functions and incorporating privacy into risk management activities,” says the report, which was requested by members of the U.S. Senate Committee on Homeland Security & Governmental Affairs.
The GAO also puts forth one matter for congressional consideration; namely, that Congress “should consider legislation to designate a senior privacy official, such as a chief privacy officer, at agencies that currently lack such a position. This position should have privacy as its primary duty, the organizational placement necessary to coordinate with other agency functions and senior leaders, and the authority to ensure that privacy requirements are implemented and privacy concerns are elevated to the head of the agency.”
The congressional recommendation aims to address a gap in leadership and knowledge around privacy at the government level. Despite growing concerns around data breaches, and the growth of hot-button biometric technologies such as facial recognition, half of the agencies that GAO canvassed said they did not really know which of their systems collect personal data. Many cited a lack of resources. But GAO’s report was unequivocal in emphasizing the need to prioritize privacy.
“Addressing key privacy program practices, program challenges, and privacy impact assessment effectiveness requires significant leadership commitment at agencies,” said the report.
The GAO’s full report is available online.
Another recent report from the GAO noted the difficulty of maintaining oversight over government biometrics implementations amid rapid adoption of facial recognition and other technologies by federal agencies.