OPM not doing enough to protect privacy on background checks, GAO says

The Office of Personnel Management isn't doing enough to make sure federal employee background investigations protect privacy, the Government Accountability Office said in a new report.

OPM's Federal Investigative Services, part of the personnel office, conducts about 2 million background checks a year that contain extensive amounts of personally identifiable information, GAO said.

However, while privacy protections are in place, there are gaps in how those protections are carried out, GAO said in a report issued Oct. 7, adding that the problems involve shortcomings in the guidance for privacy impact assessments and in the limited monitoring of how privacy protections are implemented in the field and by customer agencies.

---

Related stories:

OPM cuts security clearance processing time

Telework speeds security clearance process

---

OPM’s guidance for those assessments doesn't require that privacy risks be analyzed or mitigation strategies be identified. “Consequently, OPM cannot be sure that potential risks associated with the use of personally identifiable information in its information systems have been adequately assessed and mitigated,” GAO wrote.

Although the investigative service tracks the personally identifiable information provided to and received from field investigators, it had not monitored how well those policies are being adhered to while investigations are under way, the report said.

Also, although the investigative service has signed agreements with customer agencies related to the protection of personally identifiable information in investigation case files, the service does not monitor whether those agreements are followed, the GAO added.

“Without oversight processes for monitoring investigators’ and customer agencies’ adherence to its personally identifiable information protection policies, OPM lacks assurance that its privacy protection measures are being properly implemented,” the GAO concluded.

The report recommended that OPM:

• Develop guidance for privacy impact assessments that includes an analysis of privacy risks and mitigating techniques.
• Ensure that all existing privacy impact assessments adhere to the guidance.
• Perform periodic, structured evaluations to ensure that field investigators are protecting personally identifiable information.
• Develop and implement procedures for monitoring customer agencies’ adherence to the privacy provisions.

OPM officials agreed with the recommendations. However, they said they have recently instituted procedures to check compliance of privacy protection during investigations.