GAO: DHS falling behind on privacy notices

The Homeland Security Department’s Privacy Office faces a huge backlog in informing the public of privacy risks related to more than 200 departmental systems, according to congressional testimony given this week by a top official at the Government Accountability Office.

The Privacy Office was established in April 2003 as the first senior-level federal privacy office created by Congress. It is charged with enforcing the provisions of the Privacy Act of 1974 and the E-Government Act of 2002, which include notifying the public of new and existing systems of records containing personal information and conducting privacy impact assessments on new and existing federal programs.

Although the DHS Privacy Office has made progress in putting together a framework for conducting the assessments and issuing the public notices, backlogs of uncompleted work are continuing to grow in both areas, Linda Koontz, GAO’s director of information management issues, told the House Judiciary Committee’s Commercial and Administrative Law Subcommittee.

For example, as of February 2007, there were 218 systems of records containing personal information at DHS for which no updated public notices had been issued under the Privacy Act, Koontz said. Most of the systems existed at component agencies before the department was formed in 2003.

Privacy officials have been focusing their attention on new systems, not pre-existing ones, so they have fallen far behind and are unlikely to catch up soon, Koontz said. Since the DHS Privacy Office was founded, it has published 56 public notices of systems of records containing personal information.

Issuing public notices for the remaining systems is the biggest challenge the office faces in complying with the Privacy Act, Koontz said.

“By not keeping its notices up-to-date, DHS hinders the public’s ability to understand the nature of DHS systems-of-records notices and how their personal information is being used and protected,” Koontz said.

Furthermore, the Privacy Office is falling behind in conducting privacy impact assessments. According to the office’s determinations, 46 DHS programs required privacy impact assessments in 2005, 143 required them in 2006, and 188 will require them in 2007. But the office has performed only 71 such assessments since it was founded, Koontz said.

In addition, the Privacy Office has damaged its credibility by releasing little information about its activities and generally issuing reports months late.

“Until its reports are issued in a timely fashion, questions about the credibility and authority of the Privacy Office will likely remain,” Koontz testified.

Among its recent recommendations, GAO advised the Privacy Office to develop a policy for the department’s use of data purchased from commercial brokers. Officials indicated that they are developing such a policy, which will be reviewed throughout DHS and by the Office of Management and Budget before it is adopted, Koontz said.

Alice Lipowicz writes for Washington Technology, an 1105 Government Information Group publication.

