In late September 2022, the US Government Accountability Office (GAO) issued a comprehensive report on the need for dedicated privacy leadership in executive branch departments and agencies if federal privacy goals are to be met. The report highlights how this leadership gap jeopardizes otherwise well-intentioned plans and procedures for protecting the personally identifiable information (PII) these organizations hold.
The GAO recommended that Congress consider legislation requiring these organizations to appoint a top-level privacy officer, and it issued more than 60 individual recommendations to improve their privacy programs.
One of the most notable observations was how many of the 24 organizations reviewed already had a privacy officer, and that this person was more likely than not to sit within the organization's IT department. The common thread among those carrying privacy obligations was that they already had a full plate, with privacy being only one of their many concerns. This is the impetus for recommending that Congress mandate the appointment of a dedicated senior privacy official for whom privacy is the sole responsibility and the core of the job.
Use of internal resources to ensure confidentiality
The review team believes that such a leader would be able to draw on internal resources to ensure (or at least give it a fighting chance) that privacy is addressed during budgeting, as well as in HR, logistics and IT. In essence, privacy cannot be left to IT alone; it must permeate all aspects of the agency's or department's operations, not just those related to information technology.
The report notes that “Office of Management and Budget (OMB) privacy officials said they believe enshrining a special senior privacy official in the statute will strengthen the agency’s programs and enable them to better address issues.”
As the business saying goes, things tend to go more smoothly when accountability and responsibility are aligned and there is only one throat to choke. This is consistent with 21 of the 24 subjects reporting that they lack the resources to do a number of things: applying privacy processes to new technologies, integrating privacy and security controls, and hiring privacy staff. They also cited the difficulty the government faces in retaining the necessary personnel once they have been trained.
4 key government privacy concerns
Interestingly, 20 of the 24 agencies agreed with the recommendations GAO addressed to them, while one (unidentified) organization disagreed with all of them. The full 64 recommendations can be read in the GAO report. They are often repeated from one agency to another, but they can be grouped into four main problem areas:
- A number of entities need to designate and empower a senior privacy officer so that this individual and their office are involved in the hiring, training and professional development of privacy staff.
- Many organizations had a risk management strategy that was devoid of privacy concerns. A frequent recommendation, therefore, was to incorporate privacy into the organization's risk management.
- Information technology investment in privacy controls, processes and procedures was lacking in many organizations, leading to a recommendation that the senior privacy officer review IT capital investment and budget plans to ensure that privacy is funded.
- Silos exist everywhere, and discovering them in government should surprise no one. GAO recommends a collaborative effort to coordinate between those responsible for implementing privacy and those implementing information security solutions.
Government agencies must catch up with industry privacy practices
In a GAO Watchdog Report podcast that followed the report's release, GAO Information Technology and Cybersecurity Director Jennifer Franks summarized its message as follows: “Now is the right time to make sure that privacy is given sufficient attention at the highest levels of leadership in all of our agencies; and that all of our agencies take privacy fully into account every step of the way, so as new technologies are deployed and we collect personal information, we consider all relevant safeguards.”
Marisol Cruz Cain, also a director in GAO's Information Technology and Cybersecurity team, noted that “The Office of Management and Budget can also help by continuing to facilitate important negotiations and information sharing between agencies.”
As Congress considers the GAO recommendation, government CISOs, CIOs and agency heads should consider how they might implement the recommendations themselves and establish a dedicated senior privacy-focused position, essentially catching up with industry by creating a chief privacy officer.
Copyright © 2022 IDG Communications, Inc.