GAO report: government departments need dedicated leaders to oversee privacy goals

The US Government Accountability Office (GAO) released a comprehensive report in late September 2022 that discussed the need for dedicated privacy leadership within the departments and agencies of the executive branch of government if goals surrounding privacy are to be achieved. The report highlighted how this void in leadership was in essence putting at risk well-intentioned plans and procedures for protecting the personal identifiable information (PII) held within those entities.

The GAO recommended that Congress consider legislation that would require a dedicated senior-level privacy official be named within these organizations and sent along more than 60 individual recommendations to enhance privacy programs.

One of the most salient observations was how many of the 24 entities reviewed had indeed assigned an individual to be responsible for privacy and that they were as likely to be within the entity’s IT department as not. However, the commonality among those saddled with the privacy responsibilities is that they already had a full plate – and the topic of privacy was but one of many of their concerns. Thus, the impetus for the recommendation to Congress to mandate the assignment of a dedicated privacy executive with the sole responsibility of privacy as their key job element.

Harnessing internal resources to ensure privacy goals

The belief of the inspecting team is that such an executive would be able to harness the internal resources to ensure (or at least give a fighting chance) that privacy is addressed at the budget table, as well as with HR, logistics, and IT. In essence, to ensure privacy gets addressed, it would have to permeate all aspects of the agency/department’s operations, not just those touched by information technology.

The report noted that “Office of Management and Budget (OMB) privacy staff stated that they believed codifying a dedicated senior privacy official in the statute would strengthen agency programs and better enable them to address challenges.”

As the business adage goes, things seem to run smoother when accountability and responsibility are aligned and there is only one neck to choke. This aligns perfectly with the observation offered by 21 of the 24 entities that they lacked sufficient resources to get a number of jobs done: applying privacy processes to new technologies, integrating privacy and security controls, hiring privacy personnel. They also had to contend with the difficulties government can face in retaining the necessary personnel once they are trained.

4 key government privacy concerns

The GAO recommendations to government agencies, interestingly, were agreed to by 20 of the 24 agencies, with one (unidentified) entity disagreeing with all. The 64 recommendations can be read in full in the GAO report. They were often repetitive from one agency to the next, yet can be broken down into four salient areas of concern:

1. A number of entities needed to identify and empower the senior official responsible for privacy so as to ensure the individual and their office is involved in the hiring, training, and professional development of employees concerned with privacy.
2. Many entities had a risk management strategy that was devoid of privacy concerns. Therefore, an often-seen recommendation was to incorporate privacy into the organization’s risk management.
3. Information technology and investments to ensure privacy controls, processes, and procedures were lacking in many organizations, necessitating the recommendation that a senior privacy official be identified to review IT capital investment and budget with an eye to ensuring privacy is funded.
4. Silos exist everywhere, though to find that they exist in government should surprise no one. The GAO recommends that a concerted effort be made to coordinate between those who are responsible for implementing privacy and those who are implementing information security solutions.

Government agencies need to catch up with industry privacy practices

In a GAO’s Watchdog Report podcast that followed the release of the report, GAO Director of Information Technology and Cybersecurity Jennifer Franks characterized the bottom line as: “The time is right to make sure privacy receives a sufficient amount of attention at the highest levels of all of our agencies leadership; and that all of our agencies are fully considering privacy at every step so that when new technologies are deployed and that we are collecting personal information, that we’re considering all of the appropriate safeguards.” 

Marisol Cruz Cain, also a director of information technology and cybersecurity at the GAO, noted that “the Office of Management and Budget can also help with the effort by continuing to facilitate important conversations and information-sharing among the agencies.”

As Congress mulls the GAO recommendation, government CISOs, CIOs, and heads of agency should be considering how they might implement the recommendations and incorporate the desired executive position focused on privacy – in essence catching up with industry and creating a chief privacy officer.