It is a rare individual who has managed to keep at least some of their personal information from being stored in a Federal government database. With this forum, hopefully we can help each other better safeguard the public’s personal information.
Privacy and OPM Investigations
October 12, 2010 at 9:04 am #112585
Title: Privacy: OPM Should Better Monitor Implementation of Privacy-Related Policies and Procedures for Background Investigations
GAO-10-849 September 7, 2010
Approximately 90 percent of all federal background investigations are provided by the Office of Personnel Management’s (OPM) Federal Investigative Services (FIS) division. In fiscal year 2009, FIS conducted over 2 million investigations of varying types, making the organization a major steward of personal information on U.S. citizens. GAO was asked to (1) describe how OPM uses personally identifiable information (PII) in conducting background investigations and (2) assess the extent to which OPM’s privacy policies and procedures for protecting PII related to investigations meet statutory requirements and align with widely accepted privacy practices. To address these objectives, GAO compared OPM and FIS policies and procedures with key privacy laws and widely accepted practices.
FIS, a component of OPM, conducts background investigations using extensive amounts of PII. Specifically, FIS collects PII from the individual being investigated, government agencies holding relevant data on the subject, and contacts familiar with the subject of the investigation. It uses this information during the four phases of the investigation process: (1) Questionnaire Submission, when requesting agencies submit a questionnaire completed by the individual who will be investigated; (2) Scheduling and Initiation, during which goals and milestones are set, automated information requests occur, and an investigator is assigned; (3) Investigation, during which an investigator gathers information from the automated requests and from interviews and prepares a report; and (4) Review, during which a reviewer determines if a report is complete before allowing it to be sent to the requesting agency. FIS has taken steps to incorporate key privacy laws and widely accepted privacy practices into policies and procedures for conducting background investigations. For example, field investigators are directed to limit collection of PII to only information relevant to an investigation, and several procedures are in place to ensure that such information is recorded as accurately as possible in OPM’s systems. However, the agency has conducted limited oversight of FIS’s development of privacy impact assessments (PIA), investigators’ implementation of privacy protection guidance, and customer agencies’ adherence to privacy agreements. A PIA is an analysis of how personal information is collected, stored, shared, and managed in a federal system. It is required by the E-Government Act of 2002. Related Office of Management and Budget guidance emphasizes the need to identify and assess privacy risks in concert with developing a PIA. However, OPM’s guidance for PIAs does not require that privacy risks be analyzed or mitigation strategies be identified for those risks. 
Consequently, OPM cannot be sure that potential risks associated with the use of PII in its information systems have been adequately assessed and mitigated. Additionally, widely accepted privacy practices call for accountability to ensure privacy-protection policies are implemented to safeguard personal information from potential risks. Such accountability includes monitoring to ensure proper implementation of privacy protection measures. However, although FIS tracks PII that is provided to and received from field investigators, it had not monitored investigators’ adherence to its policies and procedures for protecting PII while investigations are underway. Further, while FIS has developed agreements with customer agencies related to the protection of PII contained in investigation case files, it does not monitor customer agencies’ implementation of these policies, even though its agreements state it is responsible for doing so. Without oversight processes for monitoring investigators’ and customer agencies’ adherence to its PII protection policies, OPM lacks assurance that its privacy protection measures are being properly implemented. GAO is recommending that the Director of OPM (1) develop guidance for analyzing and mitigating privacy risks in privacy impact assessments, and (2) develop and implement oversight mechanisms for ensuring that investigators properly protect PII and that customer agencies adhere to agreed-upon privacy protection measures. OPM agreed with our recommendations.
October 13, 2010 at 8:16 pm #112588
On one hand, I would say that it was about time that someone goes beyond the PIA and into the actual meaning behind the laws of the land, and tries to figure out what the public’s risks are within government agencies. However, on the other hand, with oversight comes the scrutiny of details that cannot be adhered to properly simply because there aren’t enough resources to accomplish the bare minimum of the task, much less the peripheral matters. With the GAO or OIG reports comes the evidence we all know about and read about in the industry papers (and even on GovLoop) each day. We can see mitigation strategies that look great on paper that cannot come to completion because of the lack of expertise, the lack of actual assets, and because after the story breaks something more meaty happens and we (our administrators, managers and supervisors) lose interest.
We, as privacy professionals, know the details of the deficiencies within agencies to fulfill the obligations we have toward the public’s interest. And not for the lack of trying, we strive onward knowing we don’t have the budget, interest or clout to play with the larger issues of the military endeavors, the economy and even elections. For privacy issues to have a say at the pulpit, a significant scare would have to happen. We’ve all said it. Unless there is a breach, (and a big one), the attention will not shine on privacy. We had it for a moment with the VA breach. But even with this story breaking, with the public’s privacy at risk, we were not likely to hear much in the newspapers weeks after. Nor are we likely to have a Congressman or Senator stand on the floor and call for significant reform.
I found the ending of the summary humorous.
“GAO is recommending that the Director of OPM (1) develop guidance for analyzing and mitigating privacy risks in privacy impact assessments, and (2) develop and implement oversight mechanisms for ensuring that investigators properly protect PII and that customer agencies adhere to agreed-upon privacy protection measures. OPM agreed with our recommendations.”
Of course OPM agreed to the recommendations. These two or three things are what privacy professionals are supposed to do. There are laws written about that. There is guidance written about that. There are agency-by-agency rules and regulations written for that. There are memorandums that go between CIOs and Privacy Officers promising mitigations of risk. But to properly pull off the PO&Ms or assurances, we are going to need more than just an OMB memo, GAO report and an agreement that everything will be OK. Our government officials, all the way to the top, must recognize that privacy is not just something that will mess up from time to time. It is not something that we risk. Privacy is something that we have not been protecting properly for years and years. And now, privacy has been lost… And not just by OPM, or OMB, or by this administration or that. Privacy, as a system, is lost.
So how do we find it? Simple… obey the laws, tell the truth and ask for help.
Regardless of the GAO reports, there are laws on the table that should be adhered to. Not in the way that we do the bare minimum of publishing PIAs and SORNs just because we have to. CIOs and Privacy Officers need to delve into what the laws are trying to achieve. The writers of legislation and regulation are trying to put into words how to reduce or completely eliminate the risk of losing someone’s identity. It is not a “paper exercise” as I have heard someone call the FISMA. The heart of the matter is that we, as an industry, as a government, and as a society, need to recognize the importance of not only going through the motions of protecting the public’s privacy, but actually solving the issues and working together with our IT brothers and sisters to accomplish a simple human need or right: the right to one’s own self, while having the availability of government services and advantages on hand.
The reports aside, they are meaningless without action. They are paper promises with concrete problems. Without the resources backing what the GAO wants, and without Privacy Officers having the internal administrative power to make significant change, and without the public’s interest in the matter (that of those well beyond the beltway), privacy in government agencies will continue the endless cycle of doing just enough to stay out of the papers, and crossing fingers in hope that a breach does not occur, then weathering the inevitable report saying we need to do more. Until we, as privacy professionals and as an industry, are willing and able to stand up on our executive leather chairs and shout that we need more resources to search for our mission’s identity, privacy will continue to be reported lost.