GAO Report: Two Actions to Protect Privacy and Sensitive Data
A new report (the last of four) in the GAO’s “Cybersecurity High-Risk Series” covers two recommended actions related to Protecting Privacy and Sensitive Data:
- Improve federal efforts to protect privacy and sensitive data, such as reducing the cybersecurity risks in retirement plans
- Improve the protection of federally collected and maintained personal and sensitive data
In September 2022, the GAO’s review of 24 agencies found that most had generally established policies and procedures for key privacy program activities. However, many agencies did not fully incorporate privacy into their risk management strategies, provide for privacy officials’ input into the authorization of systems containing PII, or develop a continuous monitoring strategy for privacy. The GAO recommended Congress consider new legislation for agencies to designate a privacy official. They also recommended OMB facilitate information sharing between agencies.
The GAO also recommended that 13 agencies implement a mechanism to track employees' use of non-federal systems that feature facial recognition technology and to assess the risks of using these systems. Separately, it recommended that federal financial regulators better ensure the privacy of the PII they collect, use, and share.
Details can be found on the GAO’s website.