Audit of USAID’s Implementation of Key Components of a Privacy Program for Its Information Technology Systems

Recommendations

Recommendation 21

USAID's Chief Privacy Officer develop and implement documented procedures for reviewing the Agency's personally identifiable information holdings. At a minimum, those procedures must include who is responsible for conducting those reviews, the schedule for conducting them, and how they will be conducted.

Questioned Cost: 0
Close Date:

Recommendation 22

USAID's Chief Privacy Officer make the Agency's written schedule for reviewing its personally identifiable information holdings publicly available.

Questioned Cost: 0
Close Date:

Recommendation 23

USAID's Chief Privacy Officer prepare written privacy notices and post them on the following Web sites at all locations where the public might make personally identifiable information available to the Agency, as required:
- Facebook, https://www.facebook.com/USAID
- GitHub, https://github.com/USAID
- LinkedIn, http://www.linkedin.com/groups?gid=118430
- Making All Voices Count, http://www.makingallvoicescount.org
- Twitter, https://twitter.com/#!/usaid
- YouTube, http://www.youtube.com/usaidvideo

Questioned Cost: 0
Close Date:

Recommendation 24

USAID's Chief Privacy Officer develop and implement a written process to periodically review the Agency's inventory of third-party Web sites for completeness, and prepare privacy notices and post them on the Web sites at all locations where the public might make personally identifiable information available to the Agency.

Questioned Cost: 0
Close Date:

Recommendation 25

USAID's Chief, Systems Development Branch, either configure the server that hosts http://www.usaid.gov/comment to require the use of Transport Layer Security 1.0 or higher or, if the names are not needed, discontinue collecting "names" on http://www.usaid.gov/comment, and document the results.

Questioned Cost: 0
Close Date:

Recommendation 26

USAID's Chief Privacy Officer revise the Privacy Office's Guidance for USAID Breach Response Team (August 2007) to include:
- Instructions on how to handle a delay in sending notifications of a privacy breach, including who should make this decision and what they are required to do once the decision is made.
- A statement on whether breached information was encrypted or protected by other means, when appropriate.
- A reassessment of the impact level, as defined by the National Institute of Standards and Technology, following an information breach.

Questioned Cost: 0
Close Date:

Recommendation 27

USAID's Bureau for Legislative and Public Affairs, Director of Digital Communications, fix the broken links to the system of records notices on the Agency's external Web site, http://www.usaid.gov/privacy-program, and document the results.

Questioned Cost: 0
Close Date:

Recommendation 28

USAID's Bureau for Legislative and Public Affairs, Director of Digital Communications, fix the broken link to the privacy impact assessment for AIDNet on the Agency's external Web site, http://www.usaid.gov/privacy-policy//ia-summaries, and document the results.

Questioned Cost: 0
Close Date:

Recommendation 29

USAID's Chief, Bureau for Management, Office of Management Services, Information and Records Division, work with the National Archives and Records Administration to update the electronic records disposition schedule in Automated Directives System 502 to identify the following third-party Web sites that make personally identifiable information available to the Agency: Facebook, GitHub, LinkedIn, Making All Voices Count, Twitter, and YouTube.

Questioned Cost: 0
Close Date:

Recommendation 30

USAID's Chief, Bureau for Management, Office of Management Services, Information and Records Division, work with the National Archives and Records Administration to update the electronic records disposition schedule in Automated Directives System 502 to identify the following Agency systems that contain personally identifiable information: Agency Correspondence Tracking System, ePerformance, End to End Travel, Partner Vetting System, and Web Time and Attendance System.

Questioned Cost: 0
Close Date:

Recommendation 31

USAID's Senior Agency Official for Privacy formally establish in writing the Agency's Privacy Office within the organizational structure.

Questioned Cost: 0
Close Date:

Recommendation 32

USAID's Chief Privacy Officer conduct a written comprehensive review of the Agency's privacy program and report any weaknesses identified during that review in the Agency's written plan of action and milestones required by the Federal Information Security Management Act of 2002.

Questioned Cost: 0
Close Date:

Recommendation 33

After final action is taken on Recommendation 32, we recommend that USAID's Senior Agency Official for Privacy perform a written comprehensive analysis to determine the resources (including staff, budget, and tools) needed to correct the weaknesses in the Agency's privacy program and, based on that analysis, allocate the resources.

Questioned Cost: 0
Close Date:

Recommendation 34

USAID's Chief Information Officer request in writing that the Agency's Management Control Review Committee make a written determination whether the weaknesses in the Agency's privacy program should be reported, tracked, and monitored as a material weakness pursuant to the Federal Managers' Financial Integrity Act of 1982.

Questioned Cost: 0
Close Date: