USAID Needs to Improve Its Privacy Program to Better Ensure Protection of Personally Identifiable Information

Audit Report
Report Number: A-000-21-001-P

Why We Did This Audit

Given an evolving cyber threat landscape and the number of cyberattacks on government agencies, effective protection of personally identifiable information—such as Social Security numbers and birth dates—remains critical. The loss of personally identifiable information can result in substantial harm to individuals, including identity theft or other fraudulent use of the information. To mitigate risks of data breaches that threaten personal privacy, USAID needs to establish and maintain a robust privacy program aimed at protecting personally identifiable information held by the Agency.

Our audit objective was to assess the extent to which USAID has implemented key elements of an effective privacy program.

Key Findings

Though USAID implemented some elements of an effective privacy program, additional key controls are needed to protect personally identifiable information. The Agency followed Federal privacy requirements to justify the need to collect Social Security numbers for systems in use, hold personally identifiable information appropriately, and publish System of Records Notices in the Federal Register. However, USAID did not fully implement key controls related to:

  • Implementing controls for data loss prevention activities,
  • Providing role-based privacy training,
  • Preparing a comprehensive list of actions needed to eliminate unnecessary Social Security numbers,
  • Updating and fully completing system of record notices, and
  • Maintaining a comprehensive inventory of third-party websites.

We are making five recommendations to improve the effectiveness of USAID’s privacy program. USAID agreed with four of our recommendations and partially agreed with one. Notwithstanding, the agency agreed to implement all five recommendations.

Recommendations

Recommendation 1

Develop and implement written procedures to:
- Periodically test the effectiveness of the rules for its data loss prevention tool and revise those rules when needed.
- Configure the Agency's data loss prevention tool to prevent the loss of other types of personally identifiable information (such as home addresses and dates of birth), in addition to Social Security numbers.
- Manage data loss prevention activities, including when staff should be notified of their violations.

Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 2

Revise "Information Technology (IT) Security Training-Policy, Standards, Guidelines, and Plan" to document and implement a process for:
- Providing role-based privacy training to staff that are responsible for processing personally identifiable information.
- Providing role-based privacy training to staff at least annually.
- Training staff on how to identify new privacy risks and retention schedules for personally identifiable information as required in the role-based privacy training materials.

Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 3

Update and implement the Agency's Social Security number reduction plan.

Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 4

Update and implement the Agency's "System of Records Notices Standard Operating Procedure" to:
- Align with current requirements for reviewing and updating Agency system of record notices.
- Document decisions that system changes were not significant and, thus, related system of record notices do not need to be updated.

In addition, update the following system of record notices with the missing or incomplete elements identified in Appendix B of this document, as required by Office of Management and Budget Circular A-108:
- Personnel Security and Suitability investigations records;
- Google Apps;
- Personal Services Contract records;
- Congressional relations, inquiries, and travel records; and
- Litigation records.

Questioned Cost: 0
Funds for Better Use: 0
Close Date:

Recommendation 5

Develop and implement a plan to maintain a complete, accurate inventory of the Agency's third-party websites (including periodic reminders to staff that implementing partners should notify the Agency when creating or deactivating public-facing, third-party websites) and take action, where needed, to post privacy notices on websites that collect personally identifiable information.

Questioned Cost: 0
Funds for Better Use: 0
Close Date: