GAO Report: Federal Agencies Lack Senior Leadership to Effectively Implement Privacy Programs
September 23, 2022
A Government Accountability Office (GAO) report, prepared in consultation with privacy experts including EPIC Senior Counsel John Davisson, canvassed 24 federal government agencies and found that most have failed to fully implement statutory privacy requirements. The GAO found that despite the massive amount of personally identifiable information (PII) collected by these agencies and the increasing sophistication of technology, most agencies struggled to fund and implement critical privacy program practices. Fewer than half of the agencies surveyed have developed a privacy risk management framework, and ten agencies have not properly implemented a strategy for continuously monitoring privacy risks. Further, agencies identified significant shortcomings in their privacy impact assessments (PIAs), including failures to initiate PIAs early enough in the process for them to be effective and an inability to hold agency staff accountable for failing to complete PIAs.
The GAO recommended that Congress consider legislation to designate a senior privacy official at agencies and give that individual sufficient authority to ensure privacy requirements are implemented. The GAO further recommended that the Director of OMB share information and best practices across agencies, including application of privacy requirements and risk management to emerging technology, as well as information relating to PIAs.
EPIC has long worked to promote the use of privacy impact assessments and to ensure strict adherence to PIA requirements. Most recently, in EPIC v. USPS, EPIC brought suit to stop the U.S. Postal Service’s law enforcement arm from using facial recognition and social media monitoring tools at least until the agency has completed the required privacy impact assessments.