DHS Privacy Office: Progress Made but Challenges Remain in	 
Notifying and Reporting to the Public (27-APR-07, GAO-07-522).	 
                                                                 
The Department of Homeland Security (DHS) Privacy Office was	 
established with the appointment of the first Chief Privacy	 
Officer in April 2003, as required by the Homeland Security Act  
of 2002. The Privacy Office's major responsibilities include: (1)
reviewing and approving privacy impact assessments		 
(PIA)--analyses of how personal information is managed in a	 
federal system, (2) integrating privacy considerations into DHS  
decision making, (3) ensuring compliance with the Privacy Act of 
1974, and (4) preparing and issuing annual reports and reports on
key privacy concerns. GAO's objective was to examine progress	 
made by the Privacy Office in carrying out its statutory	 
responsibilities. GAO did this by comparing statutory		 
requirements with Privacy Office processes, documents, and	 
activities.							 
-------------------------Indexing Terms-------------------------
REPORTNUM:   GAO-07-522
    ACCNO:   A68847
    TITLE:   DHS Privacy Office: Progress Made but Challenges Remain
             in Notifying and Reporting to the Public
     DATE:   04/27/2007
  SUBJECT:   Data integrity
             Federal regulations
             Homeland security
             Information disclosure
             Information technology
             Policy evaluation
             Privacy law
             Records
             Reporting requirements
             Right of privacy
             Agency missions
             Information management

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-07-522

Report to Congressional Requesters

United States Government Accountability Office

GAO

April 2007

DHS PRIVACY OFFICE

Progress Made but Challenges Remain in Notifying and Reporting to the
Public

GAO-07-522

Contents

Letter 1

Results in Brief 2
Background 4
DHS Privacy Office Has Made Significant Progress Establishing Processes to
Ensure Implementation of Privacy Protections, but More Work Remains 10
Conclusions 30
Recommendations for Executive Action 31
Agency Comments and Our Evaluation 31
Appendix I Objective, Scope, and Methodology 34
Appendix II The Fair Information Practices 36
Appendix III Department of Homeland Security Data Privacy and Integrity
Advisory Committee Publications 37
Appendix IV Comments from the Department of Homeland Security 38
Appendix V GAO Contact and Staff Acknowledgments 44

Tables

Table 1: Summary of DHS Privacy Office Reports by Date Released 27
Table 2: The Fair Information Practices 36

Figures

Figure 1: DHS Privacy Office Organizational Structure 5
Figure 2: DHS PIA Development Process 13
Figure 3: The PIA Review Process 15
Figure 4: Numbers of PIAs Published Annually for DHS Systems 16

Abbreviations

CBP Customs and Border Protection
DHS Department of Homeland Security
E-Gov Act E-Government Act
FOIA Freedom of Information Act
MATRIX Multi-state Anti-Terrorism Information Exchange
OCIO Office of the Chief Information Officer
OECD Organization for Economic Cooperation and Development
OMB Office of Management and Budget
PIA privacy impact assessment
PTA privacy threshold analysis
TSA Transportation Security Administration
RFID radio frequency identification
US-VISIT U.S. Visitor and Immigrant Status Indicator Technology

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office
Washington, DC 20548

April 27, 2007

Congressional Requesters

As you know, the Homeland Security Act of 2002 created the first
statutorily required senior privacy official at any federal agency. This
law mandated the appointment of a senior official at the Department of
Homeland Security (DHS) to assume primary responsibility for privacy
policy, including, among other things, assuring that the use of
technologies sustains and does not erode privacy protections relating to
the use, collection, and disclosure of personal information.^1 The DHS
Privacy Office was formally established with the appointment of the first
DHS Chief Privacy Officer on April 16, 2003.

The Privacy Office is responsible for ensuring that DHS is in compliance
with federal laws that govern the use of personal information by the
federal government. Among these laws are the Homeland Security Act of 2002
(as amended by the Intelligence Reform and Terrorism Prevention Act of
2004), the Privacy Act of 1974, and the E-Government Act of 2002.^2 Under
the Privacy Act, federal agencies must issue public notices that identify,
among other things, the type of data collected, the types of individuals
about whom information is collected, the intended uses of the data, and
procedures that individuals can use to review and correct personal
information. The E-Government Act (E-Gov Act) requires agencies to conduct
privacy impact assessments (PIA) of privacy risks associated with
information technology used to process personal information.^3 In
addition, the Privacy Office is required by the Homeland Security Act to
report annually on its activities, and it has been directed by Congress to
prepare reports on specific topics. The Privacy Office's major
responsibilities can be summarized into four broad categories: (1)
reviewing and approving PIAs, (2) integrating privacy considerations into
DHS decision making, (3) reviewing and approving public notices required
by the Privacy Act, and (4) preparing and issuing reports.

^1Homeland Security Act of 2002, Sec. 222, Pub. L. 107-296 (Nov. 25,
2002).

^2Section 222 of the Homeland Security Act, as amended by section 8305 of
the Intelligence Reform and Terrorism Prevention Act of 2004, Pub. L.
108-458 (Dec. 17, 2004), 6 U.S.C. § 142; Privacy Act of 1974, 5 U.S.C. §
552a; section 208 of the E-Government Act of 2002, Pub. L. 107-347 (Dec.
17, 2002).

^3A PIA is an analysis of how personal information is collected, stored,
shared, and managed in a federal system to ensure that privacy
requirements are addressed.

You asked us to examine progress made by the Privacy Office in
implementing its statutory requirements. Specifically, as agreed with your
staff, our objective was to assess the progress of the DHS Privacy Office
in carrying out its responsibilities under federal privacy laws, including
the Homeland Security Act and the E-Gov Act.

To address our objective, we analyzed the Homeland Security Act and other
relevant laws and regulations to identify DHS Privacy Office
responsibilities. We analyzed Privacy Office policies, guidance, and
reports, and interviewed Privacy Office officials to assess plans,
priorities, and processes for implementing statutory requirements using
available resources. We assessed progress made by the Privacy Office by
comparing this information against its statutory responsibilities. We
evaluated Privacy Office policies, guidance, and processes to ensure
compliance with the E-Gov Act of 2002 and the Privacy Act of 1974,
including PIA and system-of-records notice processes, and assessed the
progress made by the office in implementing these processes. We also
interviewed former chief privacy officers, privacy advocacy groups,
cognizant component-level officials, and members of the DHS Data Privacy
and Integrity Advisory Committee. Our work was performed in accordance
with generally accepted government auditing standards. Our objective,
scope, and methodology are discussed in more detail in appendix I.

Results in Brief

The DHS Privacy Office has made significant progress in carrying out its
statutory responsibilities under the Homeland Security Act and its related
role in ensuring E-Gov Act compliance, but more work remains to be
accomplished. Specifically, the Privacy Office has established processes
for ensuring departmental compliance with the PIA requirement in the E-Gov
Act. It has done this by developing a compliance framework that includes
formal written guidance, a template for conducting assessments, training
sessions, a process for identifying systems that require assessments, and
a process for reviewing and approving assessments. Instituting this
framework has led to increased attention to privacy requirements on the
part of departmental components, contributing to an increase in the
quality and number of PIAs issued. It has also proved beneficial in
identifying systems that require an assessment, from 46 identified in
fiscal year 2005 to a projected 188 in fiscal year 2007. However, the
resulting increase in the workload is likely to prove difficult to process
in a timely manner. Designating privacy officers in certain key DHS
components could help speed processing of PIAs, but DHS has not yet done
this.

The Privacy Office has taken actions to integrate privacy considerations
into the DHS decision-making process through a variety of actions,
including establishing a federal advisory committee, raising awareness of
privacy issues through a series of public workshops, and participating in
policy development for several major departmental initiatives. These
actions serve, in part, to address the mandate to assure technologies
sustain and do not erode privacy protections. The Privacy Office's
participation in policy decisions provides an opportunity for privacy
concerns to be raised explicitly and considered in the development of DHS
policies. In addition, the office has taken steps to address its mandates
to evaluate regulatory and legislative proposals involving personal
information and to coordinate with the DHS Officer for Civil Rights and
Civil Liberties.

While substantial progress has been made in these areas, limited progress
has been made in other important aspects of privacy protection. For
example, while the Privacy Office has reviewed, approved, and issued 56
new and revised Privacy Act public notices since its establishment, little
progress has been made in updating notices for "legacy" systems of
records--older systems of records that were originally developed by other
agencies prior to the creation of DHS. According to Privacy Office
officials, they have focused their attention on reviewing and approving
PIAs and developing notices for new systems and have given less priority
to revising notices for legacy systems. However, because many of these
notices are not up-to-date, the department cannot be assured that the
privacy implications of its many systems that process and maintain
personal information have been fully and accurately disclosed to the
public.

Further, the Privacy Office has generally not been timely in issuing
public reports, potentially limiting their value and impact. The Homeland
Security Act requires that the Privacy Officer report annually to Congress
on its activities, including complaints of privacy violations. However,
the office has issued only two annual reports within the 3-year period
since it was established in April 2003, and one of these did not include
complaints of privacy violations as required. In addition, other reports
to Congress on several specific topics have been late. The office also
initiated its own investigations of specific programs and produced reports
on these reviews, but several of them were not publicly released until
long after concerns had been addressed. For example, a report on the
Multi-state Anti-Terrorism Information Exchange program--a pilot project
for law enforcement sharing of public records data--was not issued until
long after the program had been terminated. Late issuance of reports has a
number of negative consequences beyond failure to comply with mandated
deadlines, including a potential reduction in the reports' value and
erosion of the office's credibility.

We are making recommendations to the Secretary of Homeland Security to
designate component-level privacy officers at key components, ensure that
Privacy Act notices reflect current DHS activities, and help the Privacy
Office meet its obligations and issue reports in a timely manner.

In its written comments on a draft of this report, DHS generally agreed
with our recommendations and described actions initiated to address them.

Background

The DHS Privacy Office was established with the appointment of the first
Chief Privacy Officer in April 2003. The Chief Privacy Officer is
appointed by the Secretary and reports directly to him. Under departmental
guidance, the Chief Privacy Officer is to work closely with other
departmental components, such as the General Counsel's Office and the
Policy Office, to address privacy issues. The Chief Privacy Officer also
serves as the designated senior agency official for privacy, as has been
required by the Office of Management and Budget (OMB) of all major
departments and agencies since 2005.^4

The positioning of the Privacy Office within DHS differs from the approach
used for privacy offices in other countries, such as Canada and the
European Union, where privacy offices are independent entities with
investigatory powers. Canada's Privacy Commissioner, for example, reports
to the Canadian House of Commons and Senate and has the power to summon
witnesses and subpoena documents. In contrast, the DHS privacy officer
position was established by the Homeland Security Act as an internal
component of DHS. As a part of the DHS organizational structure, the Chief
Privacy Officer has the ability to serve as a consultant on privacy issues
to other departmental entities that may not have adequate expertise on
privacy issues.

^4Office of Management and Budget, Designation of Senior Agency Officials
for Privacy, M-05-08 (Feb. 11, 2005).

The office is divided into two major functional groups addressing Freedom
of Information Act (FOIA)^5 and privacy responsibilities, respectively.
Within each functional group, major responsibilities are divided among
senior staff assigned to oversee key areas, including international
privacy policy, departmental disclosure and FOIA, privacy technology, and
privacy compliance operations. There are also component-level and
program-level privacy officers at the Transportation Security
Administration (TSA), U.S. Visitor and Immigrant Status Indicator
Technology (US-VISIT) program, and U.S. Citizenship and Immigration
Services. Figure 1 details the structure of the DHS Privacy Office.

Figure 1: DHS Privacy Office Organizational Structure

^5Our review did not include an assessment of the Privacy Office's FOIA
responsibilities.

When the Privacy Office was initially established, it had 5 full-time
employees, including the Chief Privacy Officer. Since then, the staff has
expanded to 16 full-time employees. The Privacy Office has also hired
private contractors to assist in meeting its obligations. As of February
2007, the Privacy Office had 9 full-time and 3 half-time contractor staff
in addition to its full-time employees. The first Chief Privacy Officer
served from April 2003 to September 2005, followed by an Acting Chief
Privacy Officer who served through July 2006. In July 2006, the Secretary
appointed a second permanent chief privacy officer.

In 2004, the Chief Privacy Officer established the DHS Data Privacy and
Integrity Advisory Committee, which is to advise the Secretary and the
Chief Privacy Officer on "programmatic, policy, operational,
administrative, and technological issues within DHS" that affect
individual privacy, data integrity, and data interoperability. The
Advisory Committee is composed of privacy professionals from the private
sector and academia and is organized into three subcommittees: Data
Integrity and Information Protection, Privacy Architecture, and Data
Acquisition and Use. To date, the Advisory Committee has issued reports on
several privacy issues, such as use of commercial data and radio frequency
identification (RFID)^6 technology, and has made related policy
recommendations to the department. The Advisory Committee's charter
requires that the committee meet at least once a year; however, thus far
it has met quarterly. The Advisory Committee meetings, which are open to
the public, are used to discuss progress on planned reports, to identify
new issues, to receive briefings from DHS officials, and to hold panel
discussions on privacy issues.

Privacy Office Responsibilities

The Privacy Office is responsible for ensuring that DHS is in compliance
with federal laws that govern the use of personal information by the
federal government. Among these laws are the Homeland Security Act of 2002
(as amended by the Intelligence Reform and Terrorism Prevention Act of
2004), the Privacy Act of 1974, and the E-Gov Act of 2002. Based on these
laws, the Privacy Office's major responsibilities can be summarized into
four broad categories: (1) reviewing and approving PIAs, (2) integrating
privacy considerations into DHS decision making, (3) reviewing and
approving public notices required by the Privacy Act, and (4) preparing
and issuing reports.

^6RFID is an automated data-capture technology that can be used to
electronically identify, track, and store information contained on a tag.
RFID technology provides identification and tracking capabilities by using
wireless communication to transmit data.

    Reviewing and approving PIAs

Section 208 of the E-Gov Act is designed to enhance protection of
personally identifiable information in government information systems and
information collections by requiring that agencies conduct PIAs. According
to OMB guidance,^7 a PIA is an analysis of how information is handled: (1)
to ensure that handling conforms to applicable legal, regulatory, and
policy requirements regarding privacy; (2) to determine the risks and
effects of collecting, maintaining, and disseminating personally
identifiable information in an electronic information system; and (3) to
examine and evaluate protections and alternative processes for handling
information to mitigate potential risks to privacy.

Agencies must conduct PIAs before they (1) develop or procure information
technology that collects, maintains, or disseminates personally
identifiable information or (2) initiate any new data collections of
personal information that will be collected, maintained, or disseminated
using information technology--if the same questions are asked of 10 or
more people. To the extent that PIAs are made publicly available,^8 they
provide explanations to the public about such things as what information
will be collected, why it is being collected, how it is to be used, and
how the system and data will be maintained and protected. Further, a PIA
can serve as a tool to guide system development decisions that have a
privacy impact.

The Privacy Office is responsible for ensuring departmental compliance
with the privacy provisions of the E-Gov Act. Specifically, the chief
privacy officer must ensure compliance with the E-Government Act
requirement that agencies perform PIAs. In addition, the Homeland Security
Act requires the chief privacy officer to conduct a PIA for proposed rules
of the department on the privacy of personal information. The Privacy
Office's involvement in the PIA process also serves to address the
Homeland Security Act requirement that the chief privacy officer assure
that technology sustains and does not erode privacy protections.

^7Office of Management and Budget, OMB Guidance for Implementing the
Privacy Provisions of the E-Government Act of 2002, M-03-22 (Washington,
D.C.: Sept. 26, 2003).

^8Section 208(b)(1)(B)(iii) of the E-Gov Act requires agencies, if
practicable, to make PIAs publicly available through agency Web sites,
publication in the Federal Register, or by other means. Pub. L. 107-347
(Dec. 17, 2002).

    Integrating privacy considerations into the DHS decision-making process

Several of the Privacy Office's statutory responsibilities involve
ensuring that the major decisions and operations of the department do not
have an adverse impact on privacy. Specifically, the Homeland Security Act
requires that the Privacy Office assure that the use of technologies by
the department sustains, and does not erode, privacy protections relating
to the use, collection, and disclosure of personal information. The act
further requires that the Privacy Office evaluate legislative and
regulatory proposals involving the collection, use, and disclosure of
personal information by the federal government. It also requires the
office to coordinate with the DHS Officer for Civil Rights and Civil
Liberties on those issues.

    Reviewing and approving public notices required by the Privacy Act

The Privacy Office is required by the Homeland Security Act to assure that
personal information contained in Privacy Act systems of records is
handled in full compliance with fair information practices as set out in
the Privacy Act of 1974. The Privacy Act places limitations on agencies'
collection, disclosure, and use of personally identifiable information
that is maintained in their systems of records. The act defines a record
as any item, collection, or grouping of information about an individual
that is maintained by an agency and contains that individual's name or
other personal identifier, such as a Social Security number. It defines
"system-of-records" as a group of records under the control of any agency
from which information is retrieved by the name of the individual or by an
individual identifier. The Privacy Act requires agencies to notify the
public, via a notice in the Federal Register, when they create or modify a
system-of-records. This notice is known as a system-of-records notice and
must include information such as the type of information collected, the
types of individuals about whom information is collected, the intended
"routine" uses of the information, and procedures that individuals can use
to review and correct their personal information.^9 The act also requires
agencies to define--and limit themselves to--specific purposes for
collecting the information.^10

^9Under the Privacy Act of 1974, the term routine use means (with respect
to the disclosure of a record) the use of a record for a purpose that is
compatible with the purpose for which it was collected. 5 U.S.C. §
552a(a)(7).

The Fair Information Practices, which form the basis of the Privacy Act,
are a set of principles for protecting the privacy and security of
personal information that were first proposed in 1973 by a U.S. government
advisory committee.^11 These principles were intended to address what the
committee considered the poor level of protection then being afforded to
privacy under contemporary law. Since that time, the Fair Information
Practices have been widely adopted as a benchmark for evaluating the
adequacy of privacy protections. Appendix II contains a summary of the
Fair Information Practices.

    Preparing and issuing reports

The Homeland Security Act requires the Privacy Office to prepare annual
reports to Congress detailing the department's activities affecting
privacy, including complaints of privacy violations and implementation of
the Privacy Act of 1974. In addition to the reporting requirements under
the Homeland Security Act, Congress has occasionally directed the Privacy
Office to report on specific technologies and programs. For example, in
the conference report for the DHS appropriations act for fiscal year 2005,
Congress directed the Privacy Office to report on DHS's use of data mining
technologies.^12 Congress asked for a follow-up report on data mining in
the conference report for the fiscal year 2007 DHS appropriations bill.^13
The Intelligence Reform and Terrorism Prevention Act of 2004 also required
the Chief Privacy Officer to submit a report to Congress on the privacy
and civil liberties impact of the DHS-maintained Automatic Selectee and
No-Fly lists, which contain names of potential airline passengers who are
to be selected for secondary screening or not allowed to board aircraft.
In addition, the Privacy Office can initiate its own investigations and
produce reports under its Homeland Security Act authority to report on
complaints of privacy violations and assure technologies sustain and do
not erode privacy protections.

^10Agencies are allowed to claim exemptions from provisions of the Privacy
Act if the records are used for specific purposes, such as law
enforcement. 5 U.S.C. § 552a(j) and (k).

^11Congress used the committee's final report as a basis for crafting the
Privacy Act of 1974. See U.S. Department of Health, Education, and
Welfare, Records, Computers and the Rights of Citizens: Report of the
Secretary's Advisory Committee on Automated Personal Data Systems (July
1973).

^12Conference Report on H.R. 4567, Department of Homeland Security
Appropriations Act, 2005, House Report 108-774 (Oct. 9, 2004).

^13Conference Report on H.R. 5441, Department of Homeland Security
Appropriations Act, 2007, House Report 109-699 (Sept. 28, 2006).

DHS Privacy Office Has Made Significant Progress Establishing Processes to
Ensure Implementation of Privacy Protections, but More Work Remains

The DHS Privacy Office has made significant progress in addressing its
statutory responsibilities under the Homeland Security Act by developing
processes to ensure implementation of privacy protections in departmental
programs. For example, the Privacy Office has established processes for
ensuring departmental compliance with the PIA requirement in the E-Gov Act
of 2002. Instituting this framework has led to increased attention to
privacy requirements on the part of departmental components, contributing
to an increase in the quality and number of PIAs issued.

The Privacy Office has addressed its mandate to assure that technologies
sustain, and do not erode, privacy protections through a variety of
actions, including implementing its PIA compliance framework, establishing
a federal advisory committee, raising awareness of privacy issues through
a series of public workshops, and participating in policy development for
several major DHS initiatives. The office has also taken action to address
its mandate to evaluate regulatory and legislative proposals involving the
use of personal information by the federal government and has coordinated
with the DHS Officer for Civil Rights and Civil Liberties.

While substantial progress has been made in these areas, limited progress
has been made in other important aspects of privacy protection. For
example, while the Privacy Office has reviewed, approved, and issued 56
new and revised Privacy Act system-of-records notices since its
establishment, little progress has been made in updating notices for
legacy systems of records--older systems of records that were originally
developed by other agencies prior to the creation of DHS. Because many of
these notices are not up-to-date, the department is not in compliance with
OMB requirements that system-of-records notices be reviewed biennially,
nor can it be assured that the privacy implications of its many systems
that process and maintain personal information have been fully and
accurately disclosed to the public.

Further, the Privacy Office has generally not been timely in issuing
public reports, potentially limiting their value and impact. The Homeland
Security Act requires that the Privacy Office report annually to Congress
on department activities that affect privacy, including complaints of
privacy violations. However, the office has issued only two annual reports
within the 3-year period since it was established in April 2003, and one
of these did not include complaints of privacy violations as required. In
addition, required reports on several specific topics have also been late.
The office also initiated its own investigations of specific programs and
produced reports on these reviews, several of which were not publicly
released until long after concerns had been addressed. Late
issuance of reports has a number of negative consequences beyond failure
to comply with mandated deadlines, including a potential reduction in the
reports' value and erosion of the office's credibility.

The Privacy Office Has Made Significant Progress in Reviewing and Approving
PIAs, but Faces an Increasing Workload

One of the Privacy Office's primary responsibilities is to review and
approve DHS PIAs, thus ensuring departmental compliance with the privacy
provisions (section 208) of the E-Gov Act of 2002. The E-Gov Act requires
that federal agencies perform PIAs before developing or procuring
technology that collects, maintains, or disseminates personally
identifiable information, or when initiating a new collection of
personally identifiable information using information technology. The
Homeland Security Act also specifically directs the office to perform PIAs
for proposed departmental rules concerning the privacy of personal
information. Further, the Privacy Office's involvement in the PIA process
addresses its broad Homeland Security Act requirement to "assure that
technology sustains and does not erode privacy protections."

  The Privacy Office Has Established a PIA Compliance Framework

The centerpiece of the Privacy Office's compliance framework is its
written guidance on when a PIA must be conducted, how the associated
analysis should be performed, and how the final document should be
written. Although based on OMB's guidance,^14 the Privacy Office's
guidance goes further in several areas. For example, the guidance does not
exempt national security systems^15 and also clarifies that systems in the
pilot testing phase are not exempt. The DHS guidance also provides more
detailed instructions than OMB's guidance on the level of detail to be
provided. For example, the DHS guidance requires a discussion of a
system's data retention period, procedures for allowing individual access,
redress, correction of information, and technologies used in the system,
such as biometrics or RFID.

^14OMB, Guidance for Implementing the Privacy Provisions of the
E-Government Act of 2002, M-03-22 (Sept. 26, 2003).

^15A national security system is defined by the Clinger-Cohen Act as an
information system operated by the federal government, the function,
operation, or use of which involves: (a) intelligence activities, (b)
cryptologic activities related to national security, (c) command and
control of military forces, (d) equipment that is an integral part of a
weapon or weapons system, or (e) systems critical to the direct
fulfillment of military or intelligence missions, but does not include
systems used for routine administrative and business applications, such as
payroll, finance, logistics, and personnel management.

The Privacy Office has taken steps to continually improve its PIA
guidance. Initially released in February 2004, the guidance has been
updated twice, in July 2005 and March 2006. These updates have increased
the emphasis on describing the privacy analysis that should take place in
making system design decisions that affect privacy. For example, regarding
data retention, the latest guidance requires program officials to explain
why the personal information in question is needed for the specified
retention period. Based on feedback from DHS components, the Privacy
Office plans to update the guidance again in 2007 to clarify questions on
data mining and the use of commercial data. To accompany its written
guidance, the Privacy Office has also developed a PIA template and a
number of training sessions to further assist DHS personnel.

In addition to written guidance and training, the office developed a
procedure, called a privacy threshold analysis (PTA), for identifying
which DHS systems contain personally identifiable information and which
require PIAs. The privacy threshold analysis is a brief assessment that
requires system owners to answer six basic questions on the nature of
their systems and whether the systems contain personally identifiable
information. System owners complete the privacy threshold analysis
document and submit it to the Privacy Office for an official determination
as to whether a PIA is required. As of January 2006, all DHS systems have
been required to perform privacy threshold analyses.

Our analysis of published DHS PIAs shows significant quality improvements
in those completed recently compared with those from 2 or 3 years ago.
Overall, there is a greater emphasis on analysis of system development
decisions that impact privacy, because the guidance now requires that such
analysis be performed and described. For example, the most recent PIAs
include separate privacy impact analyses for several major topics,
including planned uses of the system and information, plans for data
retention, and the extent to which the information is to be shared outside
of DHS. This contrasts with the earliest PIAs published by the Privacy
Office, which do not include any of these analyses.

The emphasis on analysis should allow the public to more easily understand
a system and its impact on privacy. Further, our analysis found that use
of the template has resulted in a more standardized structure, format, and
content, making the PIAs more easily understandable to the general reader.

In addition to its positive impact on DHS, the Privacy Office's framework
has been recognized by others outside of DHS. For example, the Department
of Justice has adopted the DHS Privacy Office's guidance and template with
only minor modifications. Further, privacy advocacy groups have commended
the Privacy Office for developing the guidance and associated training
sessions, citing this as one of the office's most significant
achievements. Figure 2 illustrates the steps in the development process as
established by the Privacy Office's guidance.

Figure 2: DHS PIA Development Process

  The Privacy Office Has Integrated PIA Development into DHS Management
  Processes

In addition to written guidance, the Privacy Office has also taken steps
to integrate PIA development into the department's established operational
processes. For example, the Privacy Office coordinated with the Office of
the Chief Information Officer (OCIO) to include the privacy threshold
analysis requirement as part of OCIO's effort to compile an inventory of
major information systems required by the Federal Information Security
Management Act.^16 Through this coordination, the Privacy Office was able
to get the PTA requirement incorporated into the software application that
DHS uses to track agency compliance with the Federal Information Security
Management Act. The Privacy Office also coordinated with OCIO to include
submission of a privacy threshold analysis as a requirement within the
larger certification and accreditation process. The process requires IT
system owners to evaluate security controls to ensure that security risks
have been properly identified and mitigated. The actions they have taken
are then scored, and systems must receive a certain minimum score in order
to be certified and accredited.^17 The inclusion of the PTA as part of the
systems inventory and in the certification and accreditation process has
enabled the Privacy Office to better identify systems containing
personally identifiable information that may require a PIA.

Further, the Privacy Office is using the OMB Exhibit 300 budget process^18
as an additional opportunity to ensure that systems containing personal
information are identified and that PIAs are conducted when needed. OMB
requires agencies to submit an Exhibit 300 Capital Asset Plan and Business
Case for their major information technology systems in order to receive
funding. The Exhibit 300 template asks whether a system has a PIA and if
it is publicly available. Because the Privacy Office gives final
departmental approval for all such assessments, it is able to use the
Exhibit 300 process to ensure the assessments are completed. According to
Privacy Office officials, the threat of losing funds has helped to
encourage components to conduct PIAs. Integration of the PIA requirement
into these management processes is beneficial in that it provides an
opportunity to address privacy considerations during systems development,
as envisioned by OMB's guidance.

^16The Federal Information Security Management Act establishes federal
requirements for securing information and information systems that support
federal agency operations and assets; it requires agencies to develop
agencywide information security programs that extend to contractors and
other providers of federal data and systems. Title III, E-Government Act
of 2002, Pub. L. 107-347 (Dec. 17, 2002).

^17An IT system must undergo certification and accreditation every 3 years
to ensure that it is in compliance with OMB and National Institute of
Standards and Technology guidance. For DHS systems, the completion of a
privacy threshold analysis contributes to a system's overall certification
and accreditation score.

^18OMB Circular No. A-11, Part 7, Planning, Budgeting, Acquisition, and
Management of Capital Assets (Washington, D.C.: June 2006).

  The Privacy Office Is Taking Steps to Streamline PIA Review and Approval

Because of concerns expressed by component officials that the Privacy
Office's review process took a long time and was difficult to understand,
the office has made efforts to improve the process and make it more
transparent to DHS components. Specifically, the office established a
five-stage review process. Under this process, a PIA must satisfy all the
requirements of a given stage before it can progress to the next one. The
review process is intended to take 5 to 6 weeks, with each stage intended
to take 1 week. Figure 3 illustrates the stages of the review process.

Figure 3: The PIA Review Process

  Privacy Office Efforts Have Helped to Identify the Need for an Increasing
  Number of PIAs

Through efforts such as the compliance framework, the Privacy Office has
steadily increased the number of PIAs it has approved and published each
year.^19 As shown in figure 4, PIA output by the Privacy Office has more
than doubled since 2004. According to Privacy Office officials, the
increase in output was aided by the development and implementation of the
Privacy Office's structured guidance and review process. In addition,
Privacy Office officials stated that as DHS components gain more
experience, the output should continue to increase.

^19As of February 2007, the Privacy Office had approved and published a
total of 71 PIAs. Of these, 46 were new, 20 were updates to preexisting
documents, and 5 were PIAs for agency rules. Section 222 of the Homeland
Security Act requires the Chief Privacy Officer to "[conduct] a privacy
impact assessment of proposed rules of the Department or that of the
Department on the privacy of personal information including the type of
personal information collected and the number of people affected."

Figure 4: Numbers of PIAs Published Annually for DHS Systems

Because the Privacy Office has focused departmental attention on the
development and review process and established a structured framework for
identifying systems that need PIAs, the number of identified DHS systems
requiring a PIA has increased dramatically. According to its annual
Federal Information Security Management Act reports, DHS identified 46
systems as requiring a PIA in fiscal year 2005 and 143 systems in fiscal
year 2006. Based on the privacy threshold analysis process, the Privacy
Office estimates that 188 systems will require a PIA in fiscal year 2007.

Considering that only 25 were published in fiscal year 2006, it will
likely be very difficult for DHS to expeditiously develop and issue PIAs
for all of these systems because developing and approving them can be a
lengthy process. According to estimates by Privacy Office officials, it
takes approximately six months^20 to develop and approve a PIA, but the
office is working to reduce this time.

The Privacy Office is examining several potential changes to the
development process that would allow it to process an increased number of
PIAs. One such option is to allow DHS components to quickly amend
preexisting PIAs. An amendment would only need to contain information on
changes to the system and would allow for quicker development and review.
The Privacy Office is also considering developing standardized PIAs for
commonly used types of systems or uses. For example, such an assessment
may be developed for local area networks. Systems intended to collect or
use information outside what is specified in the standardized PIA would
need approval from the Privacy Office.

Of potential help in dealing with an increasing PIA workload is the
establishment of full-time privacy officers within key DHS components.
Components with a designated privacy officer have generally produced more
PIAs than components without privacy officers. Of the eleven DHS
components that have published PIAs, only three have designated privacy
officers. Yet these three components account for 57 percent of all
published DHS PIAs.^21 Designating privacy officers in key DHS components,
such as Customs and Border Protection, the U.S. Coast Guard, Immigration
and Customs Enforcement, and the Federal Emergency Management Agency,
could help in drafting PIAs that could be processed by the Privacy Office
more expeditiously. Components such as these have a high volume of
programs that interface directly with the public. Although the Privacy
Office has also recommended that such privacy officers be designated, the
department has not yet appointed privacy officers in any of these
components. Until DHS does so, the Privacy Office will likely continue to
be challenged in ensuring that PIAs are prepared, reviewed, and approved
in a timely fashion.

^20Although PIA development time is not formally tracked, DHS
component-level officials reported it could take significantly longer than
6 months to develop a PIA.

^21Of the DHS components that have published PIAs, three have designated
privacy officers: TSA, the US-VISIT program, and the U.S. Citizenship and
Immigration Services.

The Privacy Office Has Taken Steps to Integrate Privacy Into DHS Decision Making

The Privacy Office has also taken steps to integrate privacy
considerations in the DHS decision-making process. These actions are
intended to address a number of statutory requirements, including that the
Privacy Office assure that the use of technologies sustains, and does not
erode, privacy protections; that it evaluate legislative and regulatory
proposals involving the collection, use, and disclosure of personal
information by the federal government; and that it coordinate with the DHS
Officer for Civil Rights and Civil Liberties.

  The Data Privacy and Integrity Advisory Committee Was Established to Provide
  Outside Advice

In 2004, the first Chief Privacy Officer established the DHS Data Privacy
and Integrity Advisory Committee to advise her and the Secretary on issues
within the department that affect individual privacy, as well as data
integrity, interoperability, and other privacy-related issues. The
committee has examined a variety of privacy issues, produced reports, and
made recommendations. Most recently, in December 2006, the committee
adopted two reports: one on the use of RFID for identity verification, and
another on the use of commercial data. As previously mentioned, the
Privacy Office plans to update its PIA guidance to include further
instructions on the use of commercial data. According to Privacy Office
officials, this update will be based, in part, on the advisory committee's
report on commercial data. Appendix III contains a full list of the
advisory committee's publications.

In addition to its reports, which are publicly available, the committee
meets quarterly in Washington, D.C., and in other parts of the country
where DHS programs operate. These meetings are open to the public and
transcripts of the meetings are posted on the Privacy Office's Web
site.^22 DHS officials from major programs and initiatives involving the
use of personal data such as US-VISIT, Secure Flight, and the Western
Hemisphere Travel Initiative, have testified before the committee. Private
sector officials have also testified on topics such as data integrity,
identity authentication, and RFID.

Because the committee is made up of experts from the private sector and
the academic community, it brings an outside perspective to privacy issues
through its reports and recommendations. In addition, because it was
established as a federal advisory committee, its products and proceedings
are publicly available and thus provide a public forum for the analysis of
privacy issues that affect DHS operations.

^22Reports produced by the DHS Data Privacy and Integrity Advisory
Committee and transcripts of quarterly meetings can be found at
http://www.dhs.gov/xinfoshare/committees/editorial_0512.shtm.

  Privacy Office Workshops Have Highlighted Key Issues

The Privacy Office has also taken steps to raise awareness of privacy
issues by holding a series of public workshops. The first workshop, on the
use of commercial data for homeland security, was held in September 2005.
Panel participants consisted of representatives from academia, the private
sector, and government. In April 2006, a second workshop addressed the
concept of public notices and freedom of information frameworks. More
recently, in June 2006, a workshop was held on the policy, legal, and
operational frameworks for PIAs and privacy threshold analyses and
included a tutorial for conducting PIAs.^23 Hosting public workshops is
beneficial in that it allows for communication between the Privacy Office
and those who may be affected by DHS programs, including the privacy
advocacy community and the general public.

  Privacy Office Officials Have Participated in the DHS Decision-making Process

Another part of the Privacy Office's efforts to carry out its Homeland
Security Act requirements is its participation in departmental policy
development for initiatives that have a potential impact on privacy. The
Privacy Office has been involved in policy discussions related to several
major DHS initiatives and, according to department officials, the office
has provided input on several privacy-related decisions. The following are
major initiatives in which the Privacy Office has participated.

    Passenger name record negotiations with the European Union

United States law requires airlines operating flights to or from the
United States to provide the Bureau of Customs and Border Protection (CBP)
with certain passenger reservation information for purposes of combating
terrorism and other serious criminal offenses.^24 In May 2004, an
international agreement on the processing of this information was signed
by DHS and the European Union.^25 Prior to the agreement, CBP established
a set of terms for acquiring and protecting data on European Union
citizens, referred to as the "Undertakings."^26 In September 2005, under
the direction of the first Chief Privacy Officer, the Privacy Office
issued a report on CBP's compliance with the Undertakings in which it
provided guidance on necessary compliance measures and also required
certain remediation steps. For example, the Privacy Office required CBP to
review and delete data outside the 34 data elements permitted by the
agreement. According to the report, the deletion of these extraneous
elements was completed in August 2005 and was verified by the Privacy
Office.

^23In addition, in November 2006, the Privacy Office, US-VISIT program,
and the DHS Biometrics Coordination Group sponsored a conference on
privacy issues related to biometric technology; however, this conference
was not open to the public or the media.

^24 49 U.S.C. Chapter 449.

^25The EU Data Protection Directive (Article 25(6) of Directive 95/46/EC)
generally prohibits cross-border sharing with non-EU countries unless the
receiving entity demonstrates that it has adequate data protection
standards.

In October 2006, DHS and the European Union completed negotiations on a
new interim agreement concerning the transfer and processing of passenger
reservation information. The Director of International Privacy Policy
within the Privacy Office participated in these negotiations along with
others from DHS in the Policy Office, Office of General Counsel, and CBP.

    Western Hemisphere Travel Initiative

The Western Hemisphere Travel Initiative is a joint effort between DHS and
the Department of State to implement new documentation requirements for
certain U.S. citizens and nonimmigrant aliens entering the United States.
DHS and State have proposed the creation of a special identification card
that would serve as an alternative to a traditional passport for use by
U.S. citizens who cross land borders or travel by sea between the United
States, Canada, Mexico, the Caribbean, or Bermuda.^27 The card is to use a
technology called vicinity RFID to transmit information on travelers to
CBP officers at land and sea ports of entry. Advocacy groups have raised
concerns about the proposed use of vicinity RFID because of privacy and
security risks due primarily to the ability to read information from these
cards from distances of up to 20 feet. The Privacy Office was consulted on
the choice of identification technology for the cards. According to the
DHS Policy Office, Privacy Office input led to a decision not to store or
transmit personally identifiable information on the RFID chip on the card.
Instead, DHS is planning on transmitting a randomly generated identifier
for individuals, which is to be used by DHS to retrieve information about
the individual from a centralized database.

^26DHS Privacy Office, A Report Concerning Passenger Name Record
Information Derived From Flights Between the U.S. and The European Union
(Sept. 19, 2005).

^27 71 Federal Register 60928-60932 (Oct. 17, 2006).

    REAL ID Act of 2005

Among other things, the REAL ID Act^28 requires DHS, in consultation with
the Department of Transportation and the states, to issue regulations that
set minimum standards for state-issued REAL ID drivers' licenses and
identification cards to be accepted for official purposes after May 11,
2008. Advocacy groups have raised a number of privacy concerns about REAL
ID, chiefly that it creates a de facto national ID that could be used in
the future for privacy-infringing purposes and that it puts individuals at
increased risk of identity theft. The DHS Policy Office reported that it
included Privacy Office officials, as well as officials from the Office of
Civil Rights and Civil Liberties, in developing its implementing rule for
REAL ID.^29 The Privacy Office's participation in REAL ID also served to
address its requirement to evaluate legislative and regulatory proposals
concerning the collection, use, and disclosure of personal information by
the federal government.^30 According to its November 2006 annual report,
the Privacy Office championed the need for privacy protections regarding
the collection and use of the personal information that will be stored on
the REAL ID drivers' licenses. Further, the office reported that it funded
a contract to examine the creation of a state federation to implement the
information sharing required by the act in a privacy-sensitive manner.

    Use of commercial data

As we have previously reported, DHS has used personal information obtained
from commercial data providers for immigration, fraud detection, and
border screening programs but, like other agencies, does not have policies
in place concerning its uses of these data.^31 Accordingly, we recommended
that DHS, as well as other agencies, develop such policies. In response to
the concerns raised in our report and by privacy advocacy groups, Privacy
Office officials said they were drafting a departmentwide policy on the
use of commercial data. Once drafted by the Privacy Office, this policy is
to undergo a departmental review process (including review by the Policy
Office, General Counsel, and Office of the Secretary), followed by a
review by OMB prior to adoption.

^28Division B, Emergency Supplemental Appropriations Act for Defense, the
Global War on Terror, and Tsunami Relief, 2005, Pub. L. 109-13 (May 11,
2005).

^29The Intelligence Reform Act of 2004 requires the DHS Privacy Officer to
coordinate activities with the DHS Officer for Civil Rights and Civil
Liberties. Participation in this working group is one example of
coordination between the two offices.

^30Privacy Office officials reported that they use the OMB legislative
review process and the publication of rules in the Federal Register as
mechanisms for reviewing emerging rules and legislation. In addition, the
Privacy Office recently created a Director of Legislative and Regulatory
Affairs position to coordinate, among other things, review of proposed
privacy legislation and rulemakings. This position was filled in February
2007.

^31GAO, Personal Information: Agency and Reseller Adherence to Key Privacy
Principles, GAO-06-421 (Washington, D.C.: Apr. 4, 2006).

These examples demonstrate specific involvement of the Privacy Office in
major DHS initiatives. However, Privacy Office input is only one factor
that DHS officials consider in formulating decisions about major programs,
and Privacy Office participation does not guarantee that privacy concerns
will be fully addressed. For example, our previous work has highlighted
problems in implementing privacy protections in specific DHS programs,
including Secure Flight^32 and the ADVISE program.^33 Nevertheless, the
Privacy Office's participation in policy decisions provides an opportunity
for privacy concerns to be raised explicitly and considered in the
development of DHS policies.

  The Privacy Office Has Coordinated Activities with the DHS Officer for Civil
  Rights and Civil Liberties

The Privacy Office has also taken steps to address its mandate to
coordinate with the DHS Officer for Civil Rights and Civil Liberties on
programs, policies, and procedures that involve civil rights, civil
liberties, and privacy considerations, and ensure that "Congress receives
appropriate reports on such programs." The DHS Officer for Civil Rights
and Civil Liberties cited three specific instances where the offices have
collaborated. First, as stated previously, both offices have participated
in the working group involved in drafting the implementing regulations for
REAL ID. Second, the two offices coordinated in preparing the Privacy
Office's report to Congress assessing the privacy and civil liberties
impact of the No-Fly and Selectee lists used by DHS for passenger
prescreening. Third, the two offices coordinated on providing input for
the "One-Stop Redress" initiative, a joint initiative between the
Department of State and DHS to implement a streamlined redress center for
travelers who have concerns about their treatment in the screening
process.

^32GAO, Aviation Security: Transportation Security Administration Did Not
Fully Disclose Uses of Personal Information during Secure Flight Program
Testing in Initial Privacy Notices, but Has Recently Taken Steps to More
Fully Inform the Public, GAO-05-864R (Washington, D.C.: July 22,
2005).

^33GAO, Data Mining: Early Attention to Privacy in Developing a Key DHS
Program Could Reduce Risks, GAO-07-293 (Washington, D.C.: Feb. 28,
2007).

Although Privacy Act Processes Have Been Established, Little Progress Has Been
Made in Updating Public Notices for DHS Legacy Systems-of-Records

The DHS Privacy Office is responsible for reviewing and approving DHS
system-of-records notices to ensure that the department complies with the
Privacy Act of 1974. Specifically, the Homeland Security Act requires the
Privacy Office to "assur[e] that personal information contained in Privacy
Act systems of records is handled in full compliance with fair information
practices as set out in the Privacy Act of 1974." The Privacy Act requires
that federal agencies publish notices in the Federal Register on the
establishment or revision of systems of records. These notices must
describe the nature of a system-of-records and the information it
maintains. Additionally, OMB has issued various guidance documents for
implementing the Privacy Act. OMB Circular A-130, for example, outlines
agency responsibilities for maintaining records on individuals and directs
government agencies to conduct biennial reviews of each system-of-records
notice to ensure that it accurately describes the system-of-records.^34

The Privacy Office has taken steps to establish a departmental process for
complying with the Privacy Act. It issued a management directive that
outlines its own responsibilities as well as those of component-level
officials. Under this policy, the Privacy Office is to act as the
department's representative for matters relating to the Privacy Act. The
Privacy Office is to issue and revise, as needed, departmental regulations
implementing the Privacy Act and approve all system-of-records notices
before they are published in the Federal Register. DHS components are
responsible for drafting system-of-records notices and submitting them to
the Privacy Office for review and approval. The management directive was
in addition to system-of-records notice guidance published by the Privacy
Office in August 2005. The guidance discusses the requirements of the
Privacy Act and provides instructions on how to prepare system-of-records
notices by listing key elements and explaining how they must be addressed.
The guidance also lists common routine uses and provides standard language
that DHS components may incorporate into their notices. As of February
2007, the Privacy Office had approved and published 56 system-of-records
notices, including updates and revisions as well as new documents.

In establishing Privacy Act processes, the Privacy Office has also begun
to integrate the system-of-records notice and PIA development processes.
The Privacy Office now generally requires that system-of-records notices
submitted to it for approval be accompanied by PIAs. This is not an
absolute requirement, because the need to conduct PIAs, as stipulated by
the E-Gov Act, is not based on the same concept of a "system-of-records"
used by the Privacy Act. Nevertheless, the Privacy Office's intention is
to ensure that, when the requirements do coincide, a system's PIA is
aligned closely with the related system-of-records notice.

^34OMB, Management of Federal Information Resources, Circular A-130,
Appendix 1 (Nov. 28, 2000).

However, the Privacy Office has not yet established a process for
conducting a biennial review of system-of-records notices, as required by
OMB. OMB Circular A-130 directs federal agencies to review their notices
biennially to ensure that they accurately describe all systems of records.
Where changes are needed, the agencies are to publish amended notices in
the Federal Register.^35

The establishment of DHS involved the consolidation of a number of
preexisting agencies; thus, there are a substantial number of systems that
are operating under preexisting, or "legacy," system-of-records
notices--218, as of February 2007.^36 These documents may not reflect
changes that have occurred since they were prepared. For example, the
system-of-records notice for the Treasury Enforcement and Communication
System has not been updated to reflect changes in how personal information
is used that have occurred since the system was taken over by DHS from the
Department of the Treasury.

The Privacy Office acknowledges that identifying, coordinating, and
updating legacy system-of-records notices is the biggest challenge it
faces in ensuring DHS compliance with the Privacy Act. Because it focused
its initial efforts on PIAs and gave priority to DHS systems of records
that were not covered by preexisting notices, the office did not give the
same priority to performing a comprehensive review of existing notices.
According to Privacy Office officials, the office is encouraging DHS
components to update legacy system-of-records notices and is developing
new guidance intended to be more closely integrated with its PIA guidance.
However, no significant reduction has yet been made in the number of
legacy system-of-records notices that need to be updated.

^35OMB gives agencies the option to publish one annual comprehensive
publication consolidating minor changes.

^36DHS systems of records are covered by preexisting notices through the
operation of a savings provision in the Homeland Security Act of 2002. 6
U.S.C. § 552.

By not reviewing notices biennially, the department is not in compliance
with OMB direction. Further, by not keeping its notices up to date, DHS
hinders the public's ability to understand the nature of DHS
systems-of-records notices and how their personal information is being
used and protected. Inaccurate system-of-records notices may make it
difficult for individuals to determine whether their information is being
used in a way that is incompatible with the purpose for which it was
originally collected.

Privacy Office Has Generally Not Issued Reports in a Timely Fashion

Section 222 of the Homeland Security Act requires that the Privacy Officer
report annually to Congress on "activities of the department that affect
privacy, including complaints of privacy violations, implementation of the
Privacy Act of 1974, internal controls, and other matters." The act does
not prescribe a deadline for submission of these reports; however, the
requirement to report "on an annual basis" suggests that each report
should cover a 1-year time period and that subsequent annual reports
should be provided to Congress 1 year after the previous report was
submitted. Congress has also required that the Privacy Office report on
specific departmental activities and programs, including data mining and
passenger prescreening programs. In addition, the first Chief Privacy
Officer initiated several investigations and prepared reports on them to
address requirements to report on complaints of privacy violations and to
assure that technologies sustain and do not erode privacy protections.

In addition to satisfying mandates, the issuance of timely public reports
helps in adhering to the fair information practices, which the Privacy
Office has pledged to support. Public reports address openness--the
principle that the public should be informed about privacy policies and
practices and that individuals should have a ready means of learning about
the use of personal information--and the accountability principle--that
individuals controlling the collection or use of personal information
should be accountable for taking steps to ensure implementation of the
fair information principles.

The Privacy Office has not been timely and in one case has been incomplete
in addressing its requirement to report annually to Congress. The Privacy
Office's first annual report, issued in February 2005, covered 14 months
from April 2003 through June 2004. A second annual report, for the next 12
months, was never issued. Instead, information about that period was
combined with information about the next 12-month period, and a single
report was issued in November 2006 covering the office's activities from
July 2004 through July 2006. While this report generally addressed the
content specified by the Homeland Security Act, it did not include the
required description of complaints of privacy violations.

Other reports produced by the Privacy Office have not met mandated
deadlines or have been issued long after privacy concerns had been
addressed. For example, although Congress required a report on the privacy
and civil liberties effects of the No-Fly and Automatic Selectee Lists^37
by June 2005, the report was not issued until April 2006, nearly a year
late. In addition, although required by December 2005, the Privacy
Office's report on DHS data mining activities was not provided to Congress
until July 2006 and was not made available to the public on the Privacy
Office Web site until November 2006.

In addition, the first Chief Privacy Officer initiated four investigations
of specific programs and produced reports on these reviews. Although two
of the four reports were issued in a relatively timely fashion, the other
two reports were issued long after privacy concerns had been raised and
addressed. For example, a report on the Multi-state Anti-Terrorism
Information Exchange (MATRIX) program, initiated in response to a
complaint by the American Civil Liberties Union submitted in May 2004, was
not issued until two and a half years later, long after the program had
been terminated. As another example, although drafts of the
recommendations contained in the Secure Flight report were shared with TSA
staff as early as summer 2005, the report was not released until December
2006, nearly a year and a half later. Table 1 summarizes DHS Privacy
Office reports issued to date, including both statutorily required as well
as self-initiated reports.

^37 These lists are used by TSA and CBP for screening airline and cruise
line passengers. Individuals on the lists may be denied boarding or
selected for additional screening.

Table 1: Summary of DHS Privacy Office Reports by Date Released

Report: Report to the Public on the Events Surrounding the jetBlue Data
Transfer
Date released: February 2004
Description: This report provides the results of a study initiated in
September 2003 in response to a potential privacy violation by TSA that
took place in 2001 and 2002, prior to TSA becoming a part of DHS. The
incident involved the transfer of passenger name records from jetBlue
Airways to the Department of Defense, a transfer that occurred with
involvement by TSA personnel. The report presented findings on the incident
and offered recommendations, including that TSA employees attend
comprehensive privacy training and that DHS establish guidelines for data
sharing, including sharing with the private sector for security purposes.

Report: First annual report
Date released: February 2005
Description: This report, required by Section 222 of the Homeland Security
Act, discusses Privacy Office activities from April 2003 through June 2004.
Among other things, the report describes the establishment of the Privacy
Office as well as actions to comply with statutory requirements, including
efforts to implement the PIA requirement and ensure compliance with the
Privacy Act. The report also describes complaints of privacy violations as
required by the Homeland Security Act, including those related to the
Computer Assisted Passenger Prescreening II program, the transfer of
passenger name record data from jetBlue to the Department of Defense, and
the Multi-State Anti-Terrorism Information Exchange program.

Report: Second annual report
Date released: No report issued--merged with third annual report
Description: This report was drafted but never released. The content of
this report was merged with that of the third annual report.

Report: Report Concerning Passenger Name Record Information Derived from
Flights between the U.S. and the European Union
Date released: September 19, 2005
Description: In May 2004, an international agreement regarding the
processing of passenger name records was signed by DHS and the European
Union. Prior to the agreement, CBP established a set of terms by which
these records were to be provided to and protected by CBP, referred to as
the "Undertakings." The first Chief Privacy Officer initiated a review of
CBP's compliance with representations made in the Undertakings in November
2004 and completed her review in September 2005. In the report, the Privacy
Office found CBP generally in compliance with the Undertakings but also
noted that during the course of the review, areas for improvement were
identified to achieve fuller compliance. The Privacy Office provided
guidance on necessary compliance measures and also required certain
remediation steps. For example, the Privacy Office required CBP to review
and delete data outside the 34 data elements permitted by the agreement.

Report: Impact of the Automatic Selectee & No Fly List on Privacy & Civil
Liberties
Date released: April 27, 2006
Description: Section 4012(b)(2) of the Intelligence Reform and Terrorism
Prevention Act of 2004 required the DHS Privacy Officer to prepare and
submit a report to Congress by June 2005 assessing the impact of the
Automatic Selectee and No-Fly lists on privacy and civil liberties. These
lists are used by TSA and CBP for screening airline and cruise line
passengers. Individuals on the lists may be denied boarding or selected for
additional screening.

Report: Data mining report
Date released: Congress: July 6, 2006; Public: November 29, 2006
Description: House Conference Report 108-774 on the DHS 2005 Appropriations
Act required a report on DHS data mining activities by December 2005. This
report catalogued DHS data mining activities and included descriptions of
the purposes of the programs; data sources; deployment dates; and policies,
procedures, and guidance. The report includes a number of recommendations
aimed at mitigating the privacy risks associated with data mining. In the
fiscal year 2007 DHS appropriations conference report, Congress required
the Privacy Office to report again on DHS data mining activities, including
progress made in implementing the July 2006 report's recommendations.

Report: Third annual report
Date released: Congress: November 17, 2006; Public: November 28, 2006
Description: This report covers the Privacy Office's activities from July
2004 through July 2006. The report describes its efforts to "build a
culture of privacy attentiveness at DHS," a discussion of responding to
national and global challenges, and a review of outreach efforts such as
public workshops and Data Privacy and Integrity Advisory Committee
meetings. The report does not contain a discussion of complaints of privacy
violations, as required by the Homeland Security Act.

Report: Secure Flight report
Date released: December 22, 2006
Description: This is the final report on an investigation initiated by the
first Chief Privacy Officer in response to concerns raised by GAO about
Secure Flight commercial data testing in June 2005. The Privacy Office
found that the commercial data test conducted in connection with the Secure
Flight program did not match TSA's public announcements. The report offers
a number of recommendations for the Secure Flight program.

Report: MATRIX
Date released: December 22, 2006
Description: The MATRIX program pilot project was a "proof of concept"
initiated in response to the need for information sharing within state law
enforcement communities and was funded through grants by the Department of
Justice and DHS. The project used information technology as a means to more
quickly access, share, and analyze public records to assist law
enforcement. The first Chief Privacy Officer initiated a review of the
MATRIX pilot project, to which DHS contributed funding, in response to a
May 2004 complaint by the American Civil Liberties Union. This
investigation was announced in the Privacy Office's first annual report
(covering April 2003-July 2004), which states that the results of the
MATRIX program report "will be made public in the near future in a
forthcoming report." Although the report was not issued until December
2006, the MATRIX program had been effectively ended in April 2005. The
report concludes that the MATRIX program pilot project lost public support
because it failed to consider and adopt comprehensive privacy protections
from the beginning. Although the program was already defunct, the Privacy
Office offered recommendations as "lessons learned."

Source: GAO analysis of DHS Privacy Office reports.

According to Privacy Office officials, there are a number of factors
contributing to the delayed release of its reports, including time
required to consult with affected DHS components as well as the
departmental clearance process, which includes the Policy Office, the
Office of General Counsel, and the Office of the Secretary. After that,
drafts must be sent to OMB for further review. In addition, the Privacy
Office did not establish schedules for completing these reports that took
into account the time needed for coordination with components or
departmental and OMB review.

Regarding the omission of complaints of privacy violations in the latest
annual report, Privacy Office officials noted that the report cites
previous reports on Secure Flight and the MATRIX program, which were
initiated in response to alleged privacy violations, and that during the
time period in question there were no additional complaints of privacy
violations. However, the report itself provides no specific statements
about the status of privacy complaints; it does not state that there were
no privacy complaints received.

Late issuance of reports has a number of negative consequences beyond
noncompliance with mandated deadlines. First, the value these reports are
intended to provide is reduced when the information contained is no longer
timely or relevant. In addition, since these reports serve as a critical
window into the operations of the Privacy Office and on DHS programs that
make use of personal information, not issuing them in a timely fashion
diminishes the office's credibility and can raise questions about the
extent to which the office is receiving executive-level attention. For
example, delays in releasing the most recent annual report led a number of
privacy advocates to question whether the Privacy Office had adequate
authority and executive-level support. Congress also voiced this concern
in passing the Department of Homeland Security Appropriations Act of 2007,
which states that none of the funds made available in the act may be used
by any person other than the Privacy Officer to "alter, direct that
changes be made to, delay, or prohibit the transmission to Congress" of
its annual report.^38 In addition, on January 5, 2007, legislation was
introduced entitled Privacy Officer with Enhanced Rights Act of 2007. This
bill, among other things, would provide the Privacy Officer with the
authority to report directly to Congress without prior comment or
amendment by either OMB officials or DHS officials who are outside the
Privacy Office.^39 Until its reports are issued in a timely fashion,
questions about the credibility and authority of the Privacy Office will
likely remain.

^38 Department of Homeland Security Appropriations Act, 2007 (Pub. L.
109-295). The President's signing statement to that act stated, among
other things, "the executive branch shall construe section 522 of the act,
relating to privacy officer reports, in a manner consistent with the
President's constitutional authority to supervise the unitary executive
branch."

^39 Subtitle B of Title VIII of H.R. 1, "Implementing the 9/11 Commission
Recommendations Act of 2007," introduced on January 5, 2007. The
legislation also grants the Privacy Officer investigative authority,
including subpoena power.

Conclusions

The DHS Privacy Office has made significant progress in implementing its
statutory responsibilities under the Homeland Security Act; however, more
work remains to be accomplished. The office has made great strides in
implementing a process for developing PIAs, contributing to greater output
over time and higher quality assessments. The Privacy Office has also
provided the opportunity for privacy to be considered at key stages in
systems development by incorporating PIA requirements into existing
management processes. However, the Privacy Office faces a difficult task
in reviewing and approving PIAs in a timely fashion for the large number
of systems that require them. Component-level privacy officers could help
coordinate processing of PIAs. Until DHS appoints such officers, the
Privacy Office will not benefit from their potential to help speed the
processing of PIAs.

Although the Privacy Office has made progress publishing new and revised
Privacy Act notices since its establishment, privacy notices for DHS
legacy systems of records have generally not been updated. The Privacy
Office has not made it a priority to address the OMB requirement that
existing notices be reviewed biennially. Until DHS reviews and updates its
legacy notices as required by federal guidance, it cannot assure the
public that its notices reflect current uses and protections of personal
information.

Further, the Privacy Office has not issued reports in a timely fashion,
and its most recent annual report did not address all of the content
specified by the Homeland Security Act, which requires the office to
report on complaints of privacy violations. There are a number of factors
contributing to the delayed release of its reports, including time
required to consult with affected DHS components as well as the
departmental clearance process, and there is no schedule for reviews to be
completed and final reports issued. Late issuance of reports has a number
of negative consequences beyond failure to comply with mandated deadlines,
such as a perceived and real reduction in their value, a reduction in the
office's credibility, and the perception that the office lacks
executive-level support. Until DHS develops a schedule for the timely
issuance of reports, these negative consequences are likely to continue.

Recommendations for Executive Action

We recommend that the Secretary of Homeland Security take the following
four actions:

o Designate full-time privacy officers at key DHS components, such as
  Customs and Border Protection, the U.S. Coast Guard, Immigration and
  Customs Enforcement, and the Federal Emergency Management Agency.
o Implement a department-wide process for the biennial review of
  system-of-records notices, as required by OMB.
o Establish a schedule for the timely issuance of Privacy Office reports
  (including annual reports) that appropriately considers all aspects of
  report development, including departmental clearance.
o Ensure that the Privacy Office's annual reports to Congress contain a
  specific discussion of complaints of privacy violations, as required by
  law.

Agency Comments and Our Evaluation

We received written comments on a draft of this report from the DHS
Departmental GAO/Office of Inspector General Liaison Office, which are
reproduced in appendix IV. In its comments, DHS generally agreed with the
content of the draft report and its recommendations and described actions
initiated to address them.

In its comments, DHS stated that it appreciated GAO's acknowledgement of
its success in creating a standardized process for developing privacy
compliance documentation for individual systems and managing the overall
compliance process. DHS also stated that it appreciated recognition of the
establishment of the DHS Data Privacy and Integrity Advisory Committee and
the Privacy Office's public meetings and workshops. In addition, DHS
provided additional information about the international duties of the
Privacy Office, specifically its outreach efforts with the European Union
and its participation in regional privacy groups such as the Organization
for Economic Cooperation and Development (OECD) and the Asia-Pacific
Economic Cooperation forum. DHS also noted that it had issued its first
policy guidance memorandum regarding handling of information on non-U.S.
persons.

Concerning our first recommendation that it designate full-time privacy
officers in key departmental components, DHS noted that the recommendation
was consistent with a departmental management directive on compliance with
the Privacy Act and stated that it would take the recommendation "under
advisement." DHS noted that component privacy officers not only make
contributions in terms of producing privacy impact assessments, but also
provide day-to-day privacy expertise within their components to programs at
all stages of development.

DHS concurred with the other three recommendations and noted actions
initiated to address them. Specifically, regarding our recommendation that
DHS implement a process for the biennial review of system-of-records
notices required by OMB, DHS noted that it is systematically reviewing
legacy system-of-records notices in order to issue updated notices on a
schedule that gives priority to systems with the most sensitive personally
identifiable information. DHS also noted that the Privacy Office is to
issue an updated system-of-records notice guide by the end of fiscal year
2007. Concerning our recommendation related to timely reporting, DHS stated
that the Privacy Office will work with necessary components and programs
affected by its reports to provide for both full collaboration and
coordination within DHS. Finally, regarding our recommendation that the
Privacy Office's annual reports contain a specific discussion of privacy
complaints, as required by law, DHS agreed that a consolidated reporting
structure for privacy complaints within the annual report would assist in
assuring Congress and the public that the Privacy Office is addressing the
complaints that it receives.

As agreed with your offices, unless you publicly announce the contents of
this report earlier, we plan no further distribution until 30 days from
the report date. At that time, we will send copies of this report to the
Secretary of Homeland Security and other interested congressional
committees. Copies will be made available to others on request. In
addition, this report will be available at no charge on our Web site at
www.gao.gov.

If you have any questions concerning this report, please call me at (202)
512-6240 or send e-mail to [email protected]. Contact points for our
Offices of Congressional Relations and Public Affairs may be found on the
last page of this report. Key contributors to this report are listed in
appendix V.

Linda D. Koontz
Director
Information Management Issues

List of Requesters

The Honorable Jerrold Nadler
Chairman
Subcommittee on the Constitution, Civil Rights, and Civil Liberties
Committee on the Judiciary
House of Representatives

The Honorable Chris Cannon
Ranking Member
Subcommittee on Commercial and Administrative Law
Committee on the Judiciary
House of Representatives

The Honorable Mel Watt
The Honorable Steve Chabot
House of Representatives

Appendix I: Objective, Scope, and Methodology

           Our objective was to assess the progress of the Department of
           Homeland Security (DHS) Privacy Office in carrying out its
           responsibilities under federal law, including the Homeland
           Security Act of 2002 and the E-Government Act of 2002.

           To address this objective, we analyzed the Privacy Office's
           enabling statutes, Section 222 of the Homeland Security Act;
           Section 8305 of the Intelligence Reform and Terrorism Prevention
           Act of 2004; and applicable federal privacy laws, including the
           Privacy Act of 1974 and Section 208 of the E-Government Act, to
           identify DHS Privacy Office responsibilities. We reviewed and
           analyzed Privacy Office policies, guidance, and reports, and
           interviewed Privacy Office officials, including the Chief Privacy
           Officer, the Acting Chief of Staff, and the Director of Privacy
           Compliance, to identify Privacy Office plans, priorities, and
           processes for implementing its responsibilities using available
           resources. We did not review or assess the Privacy Office's
           Freedom of Information Act responsibilities.

           To further address our objective, we assessed the Privacy Office's
           progress by comparing the information we gathered with the
           office's statutory requirements and other responsibilities. We
           evaluated Privacy Office policies, guidance, and processes for
           ensuring compliance with the Homeland Security Act, the Privacy
           Act, and the E-Government Act. We analyzed the system-of-records
           notices and PIA development processes and assessed the progress of
           the office in implementing these processes. This analysis included
           analyzing Privacy Office privacy impact assessment output by
           fiscal year and assessing improvements to the overall quality of
           published privacy impact assessments and guidance over time.

           In addition, we interviewed the DHS Officer for Civil Rights and
           Civil Liberties, component-level privacy officers at the
           Transportation Security Administration, US-Visitor and Immigrant
           Status Indicator Technology, and U.S. Citizenship and Immigration
           Services, and cognizant component-level officials from Customs and
           Border Protection, Immigration and Customs Enforcement, and the
           DHS Policy Office. We also interviewed former DHS Chief Privacy
           Officers, the chair and vice-chair of the DHS Data Privacy and
           Integrity Advisory Committee, and privacy advocacy groups,
           including the American Civil Liberties Union, the Center for
           Democracy and Technology, and the Electronic Privacy Information
           Center.

           We performed our work at the DHS Privacy Office in Arlington,
           Virginia, and major DHS components in the Washington, D.C.,
           metropolitan area. In addition, we attended DHS Data Privacy and
           Integrity Advisory Committee public meetings in Arlington,
           Virginia, and Miami, Florida. Our work was conducted from June
           2006 to March 2007 in accordance with generally accepted
           government auditing standards.

Appendix II: The Fair Information Practices

           The Fair Information Practices are not precise legal requirements.
           Rather, they provide a framework of principles for balancing the
           need for privacy with other public policy interests, such as
           national security, law enforcement, and administrative efficiency.
           Ways to strike that balance vary among countries and according to
           the type of information under consideration. The version of the
           Fair Information Practices shown in table 1 was issued by the
           Organization for Economic Cooperation and Development (OECD) in
           1980^1 and has been widely adopted.

Table 2: The Fair Information Practices

Principle                 Description
------------------------  --------------------------------------------------
Collection limitation     The collection of personal information should be
                          limited, should be obtained by lawful and fair
                          means, and, where appropriate, with the knowledge
                          or consent of the individual.
Data quality              Personal information should be relevant to the
                          purpose for which it is collected and should be
                          accurate, complete, and current as needed for
                          that purpose.
Purpose specification     The purposes for the collection of personal
                          information should be disclosed before collection
                          and on any change to that purpose, and its use
                          should be limited to those purposes and
                          compatible purposes.
Use limitation            Personal information should not be disclosed or
                          otherwise used for other than a specified purpose
                          without consent of the individual or legal
                          authority.
Security safeguards       Personal information should be protected with
                          reasonable security safeguards against risks such
                          as loss or unauthorized access, destruction, use,
                          modification, or disclosure.
Openness                  The public should be informed about privacy
                          policies and practices, and individuals should
                          have ready means of learning about the use of
                          personal information.
Individual participation  Individuals should have the following rights: to
                          know about the collection of personal
                          information, to access that information, to
                          request correction, and to challenge the denial
                          of those rights.
Accountability            Individuals controlling the collection or use of
                          personal information should be accountable for
                          taking steps to ensure the implementation of
                          these principles.

Source: Organization for Economic Cooperation and Development.

^1OECD, Guidelines on the Protection of Privacy and Transborder Flow of
Personal Data (Sept. 23, 1980). The OECD plays a prominent role in
fostering good governance in the public service and in corporate activity
among its 30 member countries. It produces internationally agreed-upon
instruments, decisions, and recommendations to promote rules in areas
where multilateral agreement is necessary for individual countries to make
progress in the global economy.

Appendix III: Department of Homeland Security Data Privacy and Integrity
Advisory Committee Publications

The Use of Commercial Data. Report No. 2006-03. December 6, 2006.

The Use of RFID for Human Identity Verification. Report No. 2006-02.
December 6, 2006.

Framework for Privacy Analysis of Programs, Technologies, and
Applications. Report No. 2006-01. March 7, 2006.

Recommendations on the Secure Flight Program. Report No. 2005-02. December
6, 2005.

The Use of Commercial Data to Reduce False Positives in Screening
Programs. Report No. 2005-01. September 28, 2005.

Appendix IV: Comments from the Department of Homeland Security

Appendix V: GAO Contact and Staff Acknowledgments

GAO Contact

Linda D. Koontz, (202) 512-6420

Staff Acknowledgments

Major contributors to this report were John de Ferrari, Assistant
Director; Nancy Glover; Anthony Molet; David Plocher; and Jamie Pressman.

(310767)

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548

To order by phone:
Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, (202) 512-4400
U.S. Government Accountability Office
441 G Street NW, Room 7125
Washington, D.C. 20548

Public Affairs

Paul Anderson, Managing Director, (202) 512-4800
U.S. Government Accountability Office
441 G Street NW, Room 7149
Washington, D.C. 20548

*** End of document. ***