Friday, March 24, 2023

GAO Provides an Update on Federal Protection of Privacy and Data

In the last of a series of four reports regarding federal cybersecurity, the Government Accountability Office (GAO) has assessed how the government and agencies protect privacy and sensitive data. Since 2010, GAO has made 236 recommendations with respect to protecting cyber critical infrastructure. Some of these are yet to be implemented.

In GAO’s September 2022 review of 24 agencies, the watchdog found that most had generally established policies and procedures for key privacy program activities. These activities included, among other things, developing system-of-records notices that identify types of personal data collected, conducting privacy impact assessments, and documenting privacy program plans. Agencies varied in establishing policies and procedures for coordinating privacy programs with other agency functions. Further, many agencies did not fully incorporate privacy into their risk management strategies, provide for privacy officials’ input into the authorization of systems containing PII, or develop a continuous monitoring strategy for privacy. Without fully establishing these elements of their privacy programs, GAO says agencies have less assurance that they are consistently implementing privacy protections. The watchdog called on Congress to consider legislation to designate a dedicated, senior-level privacy official at agencies that lacked one. GAO also made recommendations to the Office of Management and Budget to facilitate information sharing to help agencies address selected challenges and better implement privacy impact assessments. 

In June 2021, GAO reported on the results of its survey of 42 federal agencies that employ law enforcement officers about their use of facial recognition technology. Twenty reported owning systems with facial recognition technology or using systems owned by other entities, such as other federal, tribal, state, local, and territorial governments and non-government entities. Agencies reported using the technology to support several activities (e.g., criminal investigations) and in response to COVID-19 (e.g., to verify an individual’s identity remotely). All 14 agencies that GAO reviewed that reported using the technology to support criminal investigations also reported using systems owned by non-federal entities. However, only one of those 14 was aware of what non-federal systems employees used. GAO recommended that 13 federal agencies implement a mechanism to track what non-federal systems with facial recognition technology employees use and assess the risks of using these systems.

In January 2022, GAO reported that the five federal financial regulators it reviewed had built more than 100 information system applications that regularly collect and use extensive amounts of PII to fulfill their regulatory missions. These regulators collect PII directly from individuals and financial institutions and share it with entities such as banks or service providers, contractors and other third parties, and other federal and state regulators. Regulators use the PII to conduct supervisory examinations of financial institutions and to receive and respond to complaints or inquiries from customers. GAO found, however, that four of the regulators did not fully implement key practices in other privacy protection areas. Accordingly, GAO made several recommendations that federal financial regulators better ensure the privacy of the PII that they collect, use, and share.

Read the full report at GAO

Homeland Security Today (http://www.hstoday.us)
The Government Technology & Services Coalition's Homeland Security Today (HSToday) is the premier news and information resource for the homeland security community, dedicated to elevating the discussions and insights that can support a safe and secure nation. A non-profit magazine and media platform, HSToday provides readers with the whole story, placing facts and comments in context to inform debate and drive realistic solutions to some of the nation’s most vexing security challenges.
