Review of DOT Privacy Policies and Procedures
On September 9, 2008, we issued a final report on the Review of DOT Privacy Policies and Procedures. This audit was done as required by the Fiscal Year 2005 Consolidated Appropriations Act for Transportation, Treasury, Independent Agencies, and General Government. We found that DOT has made significant progress in addressing its statutory responsibilities under the Act by designating a senior official–the departmental Chief Information Officer–to be the Chief Privacy Officer. The Department has established proper procedures and a framework for assessing the necessity of using personally identifiable information (PII) and the collection, use, and security of PII. However, tests of sampled PII systems identified deficiencies in implementation of the prescribed procedures, placing these personal data at risk. For example, the departmental privacy office had evaluation documents for only the 109 systems contained in its PII inventory; however, the office could not provide support that no PII is stored in DOT’s other 320 systems. Nine of 20 sampled systems requiring a System of Records Notice did not have one published to notify the public of the intended use of the information collected from it. Further, some systems containing PII did not meet minimum security requirements, such as encrypting PII during network transmission and using proper password controls to authenticate users. We also noted that the departmental privacy officer does not report directly to the Chief Information and Privacy Officer. In our opinion, this organization structure has reduced the visibility of the privacy program and was a major contributing factor to the deficiencies identified in this audit.