At DHS, risk assessment backlog looms

The Homeland Security Department's Privacy Office faces a huge backlog in informing the public of privacy risks related to more than 200 departmental systems, according to congressional testimony given this week by a top official at the Government Accountability Office.

The Privacy Office was established in April 2003 as the first senior-level federal privacy office created by Congress. It is charged with enforcing the provisions of the Privacy Act of 1974 and the E-Government Act of 2002, which include notifying the public of new and existing systems of records containing personal information and conducting privacy impact assessments on new and existing federal programs.

While the DHS Privacy Office has made progress in putting together a framework for conducting the assessments and for issuing the public notices, backlogs of uncompleted work are continuing to grow in both areas, Linda Koontz, director of information management issues for the GAO, told the House Judiciary's Subcommittee on Commercial and Administrative Law.

For example, as of February 2007 there were 218 systems of records containing personal information being collected at DHS for which no updated public notices had been issued under the Privacy Act, Koontz said. Most of the systems are legacy systems, which existed in component agencies before the department was formed in 2003.

Privacy Office personnel have been focusing their attention on new systems rather than on pre-existing systems, have fallen far behind and are unlikely to catch up soon, Koontz said. Since the DHS Privacy Office was founded, it has published 56 public notices of systems of records containing personal information.

Issuing public notices for the hundreds of legacy systems remaining is the "biggest challenge" the Privacy Office faces in complying with the Privacy Act, Koontz said.

"By not keeping its notices up to date, DHS hinders the public's ability to understand the nature of DHS systems-of-records notices and how their personal information is being used and protected," Koontz said.

Furthermore, the Privacy Office is falling behind in conducting privacy impact assessments. According to the Privacy Office's determinations, 46 DHS programs required privacy impact assessments in 2005, 143 required them in 2006, and 188 will require them in 2007. But the pace of the assessments is not keeping up: only 71 such assessments have been performed by the office since it was founded, Koontz said.

The Privacy Office also has damaged its credibility by releasing little information about its activities and by generally issuing reports months late.

"Until its reports are issued in a timely fashion, questions about the credibility and authority of the Privacy Office will likely remain," Koontz testified.

Among its recent recommendations to the Privacy Office, the GAO has advised that the office develop a policy for the department's uses of commercial data purchased from commercial data brokers. The office indicated that it is developing such a policy, which will be reviewed throughout DHS and also by the Office of Management and Budget before it is adopted, Koontz said.