OPM not doing enough to protect privacy on background checks, GAO says

GAO report says White House falling short on privacy oversight

The Office of Personnel Management isn't doing enough to make sure federal employee background investigations protect privacy, the Government Accountability Office said in a new report.

OPM's Federal Investigative Services, part of the personnel office, conducts about 2 million background checks a year that contain extensive amounts of personally identifiable information, GAO said.

However, while privacy protections are in place, there are gaps in how those protections are carried out, GAO said in a report issued Oct. 7, adding that the problems involve shortcomings in the guidance for privacy impact assessments and in the limited monitoring of how privacy protections are implemented in the field and by customer agencies.


Related stories:

OPM cuts security clearance processing time

Telework speeds security clearance process


OPM’s guidance for those assessments doesn't require that privacy risks be analyzed or mitigation strategies be identified. “Consequently, OPM cannot be sure that potential risks associated with the use of personally identifiable information in its information systems have been adequately assessed and mitigated,” GAO wrote.

Although the investigative service tracks the personally identifiable information provided to and received from field investigators, it had not monitored how well those policies are being adhered to while investigations are under way, the report said.

Also, although the investigative service has signed agreements with customer agencies related to the protection of personally identifiable information in investigation case files, the service does not monitor whether those agreements are followed, the GAO added.

“Without oversight processes for monitoring investigators’ and customer agencies’ adherence to its personally identifiable information protection policies, OPM lacks assurance that its privacy protection measures are being properly implemented,” the GAO concluded.

The report recommended that OPM:

  • Develop guidance for privacy impact assessments that includes an analysis of privacy risks and mitigating techniques.
  • Ensure that all existing privacy impact assessments adhere to the guidance.
  • Perform periodic, structured evaluations to ensure that field investigators are protecting personally identifiable information.
  • Develop and implement procedures for monitoring customer agencies’ adherence to the privacy provisions.

OPM officials agreed with the recommendations. However, they said they have recently instituted procedures to check compliance of privacy protection during investigations.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

Featured

  • Cybersecurity

    DHS floats 'collective defense' model for cybersecurity

    Homeland Security Secretary Kirstjen Nielsen wants her department to have a more direct role in defending the private sector and critical infrastructure entities from cyberthreats.

  • Defense
    Defense Secretary James Mattis testifies at an April 12 hearing of the House Armed Services Committee.

    Mattis: Cloud deal not tailored for Amazon

    On Capitol Hill, Defense Secretary Jim Mattis sought to quell "rumors" that the Pentagon's planned single-award cloud acquisition was designed with Amazon Web Services in mind.

  • Census
    shutterstock image

    2020 Census to include citizenship question

    The Department of Commerce is breaking with recent practice and restoring a question about respondent citizenship last used in 1950, despite being urged not to by former Census directors and outside experts.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.