GAO: DHS falling behind on privacy notices

The Homeland Security Department’s Privacy Office faces a huge backlog in informing the public of privacy risks related to more than 200 departmental systems, according to congressional testimony given this week by a top official at the Government Accountability Office.

The Privacy Office was established in April 2003 as the first senior-level federal privacy office created by Congress. It is charged with enforcing the provisions of the Privacy Act of 1974 and the E-Government Act of 2002, which include notifying the public of new and existing systems of records containing personal information and conducting privacy impact assessments on new and existing federal programs.

Although the DHS Privacy Office has made progress in putting together a framework for conducting the assessments and issuing the public notices, backlogs of uncompleted work are continuing to grow in both areas, Linda Koontz, GAO’s director of information management issues, told the House Judiciary Committee’s Commercial and Administrative Law Subcommittee.

For example, as of February 2007, there were 218 systems of records containing personal information at DHS for which no updated public notices had been issued under the Privacy Act, Koontz said. Most of the systems existed at component agencies before the department was formed in 2003.

Privacy officials have been focusing their attention on new systems, not pre-existing ones, so they have fallen far behind and are unlikely to catch up soon, Koontz said. Since the DHS Privacy Office was founded, it has published 56 public notices of systems of records containing personal information.

Issuing public notices for the remaining systems is the biggest challenge the office faces in complying with the Privacy Act, Koontz said.

“By not keeping its notices up-to-date, DHS hinders the public’s ability to understand the nature of DHS systems-of-records notices and how their personal information is being used and protected,” Koontz said.

Furthermore, the Privacy Office is falling behind in conducting privacy impact assessments. According to the office’s determinations, 46 DHS programs required privacy impact assessments in 2005, 143 required them in 2006, and 188 will require them in 2007. But the office has performed only 71 such assessments since it was founded, Koontz said.

In addition, the Privacy Office has damaged its credibility by releasing little information about its activities and generally issuing reports months late.

“Until its reports are issued in a timely fashion, questions about the credibility and authority of the Privacy Office will likely remain,” Koontz testified.

Among its recent recommendations, GAO advised the Privacy Office to develop a policy for the department’s use of data purchased from commercial brokers. Officials indicated that they are developing such a policy, which will be reviewed throughout DHS and by the Office of Management and Budget before it is adopted, Koontz said.

Alice Lipowicz writes for Washington Technology, an 1105 Government Information Group publication.