The Office of Inspector General (OIG) at the U.S. Agency for International Development (USAID) found the agency needs to do more to strengthen its privacy program in order to better protect personally identifiable information (PII) and mitigate the risk of a privacy breach.
In a new audit, the OIG said USAID has not fully implemented key controls to protect PII in five different areas.
According to the audit, USAID lacked controls for data loss prevention activities, failed to provide role-based privacy training to all of its staff who handle PII, didn’t outline actions needed to eliminate unnecessary social security numbers, didn’t update or complete outdated System of Records Notices (SORNs), and failed to maintain an inventory of its third-party websites.
“USAID will continue to face an increased risk of a breach and related financial loss without having written procedures to help prevent data loss, revising privacy training standards, identifying actions needed to eliminate unnecessary SSNs and SORN procedures, and maintaining a current third-party website inventory,” the audit says. “These key elements of a privacy program are needed to protect PII and provide the public with sufficient information about records containing their information so that they know how their PII is safeguarded against misuse.”
OIG made recommendations for USAID to implement controls in all five areas discussed. USAID agreed with four of the five recommendations, disagreeing with the fifth on the grounds that the system location listed in its SORN was already current.
However, an agency official later confirmed the SORN system location was not current and still needed to be updated.
Ultimately, USAID pledged to address all five problem areas and to implement all five of the OIG’s recommendations, one for each area.