Audit of USAID’s Implementation of Key Components of a Privacy Program for Its Information Technology Systems

Recommendations

Recommendation 28

USAID's Bureau for Legislative and Public Affairs, Director of Digital Communications, fix the broken link to the privacy impact assessment for AIDNet on the Agency's external Web site, http://www.usaid.gov/privacy-policy//ia-summaries, and document the results.

Questioned Cost: 0
Close Date
Recommendation 29

USAID's Chief, Bureau for Management, Office of Management Services, Information and Records Division, work with the National Archives and Records Administration to update the electronic records disposition schedule in Automated Directives System 502 to identify the following third-party Web sites that make personally identifiable information available to the Agency: Facebook, GitHub, LinkedIn, Making All Voices Count, Twitter, and YouTube.

Questioned Cost: 0
Close Date
Recommendation 3

After final action is taken on Recommendation 1, the supervisor for the senior agency official for privacy modify the written work objectives for the senior agency official for privacy to fully incorporate accountability for privacy across the Agency.

Questioned Cost: 0
Close Date
Recommendation 30

USAID's Chief, Bureau for Management, Office of Management Services, Information and Records Division, work with the National Archives and Records Administration to update the electronic records disposition schedule in Automated Directives System 502 to identify the following Agency systems that contain personally identifiable information: Agency Correspondence Tracking System, ePerformance, End to End Travel, Partner Vetting System, and Web Time and Attendance System.

Questioned Cost: 0
Close Date
Recommendation 31

USAID's Senior Agency Official for Privacy formally establish in writing the Agency's Privacy Office within the organizational structure.

Questioned Cost: 0
Close Date
Recommendation 32

USAID's Chief Privacy Officer conduct a written comprehensive review of the Agency's privacy program and report any weaknesses identified during that review in the Agency's written plan of action and milestones required by the Federal Information Security Management Act of 2002.

Questioned Cost: 0
Close Date
Recommendation 33

After final action is taken on Recommendation 32, we recommend that USAID's Senior Agency Official for Privacy perform a written comprehensive analysis to determine the resources (including staff, budget, and tools) needed to correct the weaknesses in the Agency's privacy program, and based on that analysis, allocate the resources.

Questioned Cost: 0
Close Date
Recommendation 34

USAID's Chief Information Officer request in writing that the Agency's Management Control Review Committee make a written determination whether the weaknesses in the Agency's privacy program should be reported, tracked, and monitored as a material weakness pursuant to the Federal Managers' Financial Integrity Act of 1982.

Questioned Cost: 0
Close Date
Recommendation 4

USAID's Chief Privacy Officer perform a written privacy threshold analysis for the Agency's Wellness Staff Care Web site, https://wellnessstaffcare.usaid.gov, and, based on the results of the analysis, prepare a written privacy impact assessment and written system of record notice, if required.

Questioned Cost: 0
Close Date
Recommendation 5

USAID's Chief Information Security Officer prepare the following for the Agency's Wellness Staff Care Web site, https://wellnessstaffcare.usaid.gov:
- A documented review of the security package for the system.
- A documented review of the security risks if the Agency uses the system.
- A written authorization for the system to operate if the system meets security requirements, or, if it does not, action to discontinue use of the Web site and documentation of its discontinuation.

Questioned Cost: 0
Close Date
Recommendation 6

USAID's Chief Privacy Officer update the Privacy Office's Training Plan for Basic Privacy Training (September 1, 2013) to:
- Explain what action will be taken when individuals do not meet privacy training requirements.
- Require annual privacy refresher training.

Questioned Cost: 0
Close Date
Recommendation 7

USAID's Chief Privacy Officer develop and implement written annual basic privacy training that covers the following privacy topics:
- The definition of personally identifiable information (PII).
- Applicable privacy laws, regulations, and policies.
- Restrictions on data collection, storage, and use of PII.
- Roles and responsibilities for using and protecting PII.
- Appropriate disposal of PII.
- Sanctions for a security or privacy incident involving PII.
- Roles and responsibilities in responding to PII-related incidents and reporting.
- How to respond to an incident, should one occur.
- Rules for teleworking.

Questioned Cost: 0
Close Date
Recommendation 8

USAID's Chief Privacy Officer develop and implement documented role-based privacy training for the following employees: security staff, human resources staff, contracting officers' staff, financial officers' staff, chief information security office staff, and travel staff.

Questioned Cost: 0
Close Date
Recommendation 9

USAID's Chief Privacy Officer update the Privacy Office's Role-Based Personally Identifiable Information (PII) Training Plan (November 1, 2013) to:
- Require role-based privacy training at least annually for employees in the identified roles who handle personally identifiable information.
- List the privacy topics that will be addressed for travel staff.

Questioned Cost: 0
Close Date