Treasury must finalize privacy policies, auditors say
- By Mary Mosquera
- Dec 24, 2008
The Treasury Department needs to finalize policies and procedures to
safeguard the privacy of sensitive information, department auditors
The policies relate to the collection, use, disclosure and
storage of personally identifiable information as required by the
Office of Management and Budget and various statutes, said the Treasury
Office of Inspector General, which contracted with KPMG to perform the
A fiscal 2005 appropriations law requires agencies to
appoint a chief privacy officer, establish privacy and data protection
policies, prepare progress reports for the department IG and Congress,
and commission a review by an independent third party, said Joel
Grover, Treasury’s deputy assistant IG for financial management and
information technology audits.
“Without formal directives and
policies…information in an identifiable form may not be adequately
protected,” KPMG said in its report released Dec. 10 through the IG’s
Although several privacy policies were still in draft
form, most Treasury agencies, except the Internal Revenue Service, have
begun to adopt them, KPMG said. For example, agencies have performed
privacy impact assessments on information systems and provided training
on the responsibilities of individuals authorized to access sensitive
information, the auditors said.
Based on its inspections, KPMG
auditors wrote that “Treasury is adequately protecting [personally
identifiable information] on public Internet sites, intranet sites and
general support systems.”
Treasury needs to finalize its
policies and start providing reports to the IG’s office and Congress on
their status, KPMG said. Treasury has not submitted reports because of
competing priorities and limited resources, the auditors noted, adding
that the reports provide a benchmark for progress in privacy and data
protection and a foundation for establishing funding requests.
has had a chief privacy officer since 2005. It established the Office
of Privacy and Treasury Records in March and made it responsible for
consolidating privacy functions, said Peter McCarthy, Treasury’s
assistant secretary for management, chief financial officer and the
agency’s senior official for privacy matters. The Office of the Chief
Information Officer previously handled those responsibilities.
all privacy functions under a single line of authority, McCarthy said
he is committed to strengthening the information privacy program and
fulfilling all requirements.
Mary Mosquera is a reporter for Federal Computer Week.