GAO report

GAO Calls on Government Agencies to Address Privacy Issues Affecting Personal Data

The Government Accountability Office has published a new report urging federal agencies to step up efforts to protect the privacy of sensitive data. The government watchdog conducted a review of 24 agencies in September 2022 and found that most of them established processes to identify types of personal data collected, performed privacy impact assessments and documented privacy program plans.

Many agencies, however, failed to fully incorporate privacy into their risk management strategies, provide for privacy officials’ input into the authorization of systems containing personally identifiable information or develop a continuous monitoring strategy for privacy, GAO said.

The agency also noted that 14 agencies using facial recognition technology to support criminal investigations employ systems from non-federal entities, posing privacy and accuracy-related risks.

GAO also warned of an increased risk of compromise to the information system applications of federal financial regulators. According to the agency, four out of five regulators it reviewed did not fully implement key privacy protection practices such as documenting actions taken to limit the collection and use of PII.

To resolve the said privacy issues, GAO asked Congress to introduce legislation that would designate a senior-level privacy official at agencies, if necessary; urged agencies using facial recognition technology to implement a mechanism to track and assess the risks of non-federal systems employees use; and encouraged the federal financial regulators to better ensure the privacy of the PII they collect, use and share.

The latest report, published on Tuesday, is the final document in a series of four high risk reports that identified 10 critical actions for addressing cybersecurity challenges in the federal government.