U.S. Environmental Protection Agency
Office of Inspector General

At a Glance
2007-P-00035
September 17, 2007

Catalyst for Improving the Environment

EPA Needs to Strengthen Its Privacy Program Management Controls

Why We Did This Review

We sought to determine what steps the U.S. Environmental Protection Agency (EPA) took to protect Personally Identifiable Information. We also sought to determine the extent to which EPA put in place a management structure over the Agency's Privacy Program.

Background

Congress passed the Privacy Act of 1974 to protect individual privacy. The Act sets forth requirements for Federal agencies when they collect, maintain, or disseminate information about individuals. Personally Identifiable Information is any information about an individual maintained by an agency, including employment, medical, and financial information, that can be used to trace an individual's identity.

What We Found

Although EPA has made progress toward establishing its Privacy Program, the program needs more emphasis. EPA needs to set up a more comprehensive management control structure to govern and oversee the program. In particular, EPA needs to establish goals and activities for the Privacy Program and measure progress. Further, EPA needs to update its Privacy Program policies and establish processes to manage these policies and make them available to responsible EPA personnel. Also, EPA needs to set up compliance and accountability processes to ensure adherence to key Privacy Program tenets. These weaknesses existed because of the low priority EPA managers placed on the Privacy Program.

A major loss of privacy information could result in substantial harm, embarrassment, and inconvenience to individuals. It could lead to identity theft or other fraudulent use of the information, which, in addition to harming the individuals involved, could be costly to the Agency and its reputation. Questions on EPA's management of privacy data could also cast doubts over the processes EPA uses to oversee protection of the confidential business information it collects.

What We Recommend

We recommend that the EPA Office of Environmental Information's Director, Office of Information Collection, establish goals and activities for the Agency's Privacy Program. The Director should also establish and use performance measures for the program. Further, the Director should update the Agency's Privacy Program policies and procedures, establish a process for managing compliance, and monitor compliance. We also recommend that this Director work with the Office of Administration and Resources Management to develop sample cascading goals and objectives that EPA managers can use to establish Privacy Program accountability processes.

The Agency agreed with the report's findings and recommendations.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391. To view the full report, click on the following link: www.epa.gov/oig/reports/2007/20070917-2007-P-00035.pdf