IG: DHS Lacks Effective Privacy Oversight

Major and minor privacy incidents have increased significantly at the Department of Homeland Security over the past two years, with increasingly web-connected systems exposing the personally identifiable information of hundreds of thousands of people.

According to an audit conducted by the agency’s inspector general, the DHS Privacy Office is not properly responding to privacy breaches or ensuring “consistent execution of privacy policies and procedures” agencywide. DHS, which maintains a large government biometric database and a range of other sensitive datasets, “does not yet have effective oversight of department-wide privacy activities, programs, and initiatives.”

Moreover, the department's privacy-related challenges appear to be growing even as the privacy office struggles to meet its mission.

According to the audit, the agency experienced six “major privacy incidents” in 2019 and 2020 after experiencing zero the previous two years. The agency defines a privacy event as major “when it involves PII of more than 100,000 individuals that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people.”

“Minor” privacy breaches—those that affect the confidentiality integrity, or availability of a noncritical system or nonsensitive data, or relates to a minor policy violation—also increased across the agency in 2019 and 2020. The two-year period saw 1,696 minor privacy breaches compared to 1,486 in 2017 and 2018.

In reviewing the privacy office’s privacy breach response and overall privacy policies, the IG found the DHS Privacy Office fell short of protecting privacy in numerous areas.

“The DHS Privacy Office has not established controls to ensure that privacy compliance documentation and Information Sharing Access Agreements are completed and submitted as required,” the audit states.

Further, the office “also did not monitor completion of required privacy training across the department,” nor did the office “have sufficient measures in place to ensure DHS components adhered to its privacy program.”  

“Without such measures, DHS may not be able to identify and address new privacy risks in existing systems and programs or prevent inappropriate dissemination of personally identifiable information,” the audit states.

DHS concurred with three recommendations from the IG to improve its privacy practices.