Treasury still working on privacy policies

The Treasury Department has consolidated all its privacy functions under a single leader, but still has not completed developing policies and procedures. While the agency's inspector general believes Treasury is adequately safeguarding taxpayers' information, he urged the department in a December report to hurry up and finalize the policies.

The integration of privacy policies and procedures in the recently established Office of Privacy and Treasury Records elevates the profile and importance of privacy across the department, said Peter McCarthy, Treasury's assistant secretary for management, chief financial officer and senior agency official for privacy.

In addition to data privacy, the new office handles records management, Freedom of Information Act disclosure, civil liberties and broader information management activities, said Elizabeth Cuffe, deputy assistant secretary for privacy and Treasury records.

“It has helped us to proactively protect information, and we’re better able to share information,” she said. Previously, these activities were split among different offices. However, she said, although the consolidation is a significant step forward, the department needs more time and attention to finish formulating privacy requirements.

Specifically, the department is still finalizing its policies and procedures related to the collection, use, disclosure and storage of personally identifiable information and the response to breaches of that data. The Office of Management and Budget and a fiscal 2005 appropriations law for the Treasury and the Transportation departments required the policies, according to consulting firm KPMG. KPMG reviewed Treasury’s privacy program for the IG.

Although several privacy policies were only in draft form when KPMG assessed the department’s progress in 2008, most Treasury agencies had begun to adopt them. Based on KPMG’s findings, the department is adequately protecting personally identifiable information on public Internet sites, intranet sites and general support systems despite its sluggishness in finalizing the policy process, according to the IG.

Many agencies might have a chief privacy officer, but they may not have integrated their activities in one organization, said Ari Schwartz, vice president of the Center for Democracy and Technology.

“This is exactly where the agencies that have been the most successful have been moving to tie all these pieces together,” he said. It has been difficult for the federal government to implement privacy requirements because of a lack of leadership, Schwartz said.

Treasury, however, must start reporting to Congress on the status of its privacy program, KPMG said. The reports provide an agency benchmark of its privacy progress and a basis for funding requests.