Audit of USAID’s Implementation of Key Components of a Privacy Program for Its Information Technology Systems
Sign inINSPECTOR GENERAL’S OFFICE
The Office of Inspector General conducted an audit of USAID's implementation of key components of a privacy program for its information technology systems.
2014 · 4 pages

Abstract
The audit aimed to determine whether USAID had implemented measures to mitigate the risk of violations against key privacy requirements. The Privacy Act of 1974, as amended, defines the rights and responsibilities for maintaining, protecting, and disclosing personal information. The act requires that agencies publish notices describing systems of records, make reasonable efforts to maintain accurate and complete records, and manage those records in a way to ensure fairness to individuals in agency programs. USAID is subject to various laws and regulations governing the protection of individuals' privacy. The Office of Management and Budget issued Memorandum M-03-22, which requires federal agencies to conduct privacy impact assessments for electronic information systems and collections and make them publicly available. USAID is also required to post privacy policies on its public Web site. The audit found that USAID did not implement key components of a privacy program for its information technology systems. Specifically, the agency did not designate a senior agency official for privacy, provide basic and role-based privacy training to employees, complete system of records notices for certain systems, and complete privacy impact assessments for third-party Web sites. Additionally, USAID did not post privacy notices for third-party Web sites that made personally identifiable information available to the agency, address all requirements in its privacy breach notification procedures, and provide working links on its external Web site to system of record notices and the privacy impact assessment for AIDNet, the agency's computer network. The agency also failed to update its electronic records disposition schedule and require in its privacy impact assessment procedures that the assessments address how people can consent to provide information for particular uses. The weaknesses identified in the audit can be attributed to USAID's lack of prioritization of its privacy program, a material weakness in its decentralized information technology security program, and a questionable allocation of resources to the program. To address these weaknesses, the audit report contains 34 recommendations to help USAID strengthen its privacy program.
Connected topics
Classification
USAID DEC