IG: 5 Things USAID Needs to Do to Better Protect Personally Identifiable Information

The U.S. Agency for International Development has improved its protections for personally identifiable information in recent years, including collecting less of it and developing plans to ensure that data remains secure. But a new audit shows the agency still has a ways to go.

“The audit objective was to assess the extent to which USAID has implemented key elements of an effective privacy program,” the agency’s inspector general wrote in the new report. “Specifically, we assessed USAID’s implementation of the following elements due to their importance in reducing the risk of inappropriate use or loss of PII: monitoring potential PII loss; providing role-based privacy training; reducing PII holdings, including SSNs; completing System of Records Notices; and posting privacy notices.”

Previous audits—including a report issued in 2014—showed USAID struggled with privacy protections, “including policies and procedures, training and monitoring for compliance.”

The agency has made significant strides since then, the new report shows, though there is still room for improvement.

USAID met many of the privacy standards the IG was looking for in the latest audit, including justifying the collection of Social Security numbers, developing plans to protect PII and publishing System of Records Notices, or SORNs in the Federal Register.

“Yet USAID faced an increased risk of a breach and related financial loss because it had not implemented other key privacy controls needed to protect PII and to provide the public with sufficient information about records containing their information,” the audit states.

The IG identified five areas where USAID could improve privacy protections:

• Implementing controls for data loss prevention activities, including properly configuring the agency’s data loss prevention tool. The agency uses the Google DLP tool to prevent users from sending emails that could compromise sensitive information. “Three days during audit fieldwork, OIG sent a total of nine emails containing fillable PDF forms and Excel spreadsheets with fictitious PII, including SSNs, names, home addresses, email addresses, telephone numbers, and dates of birth,” the report states. “However, USAID’s Google DLP tool did not capture those outgoing emails and prevent them from being sent.”
• Providing role-based privacy training. The audit found the vast majority of USAID staff did not take the required annual training. Even if they had, “the training materials did not include some privacy topics.”
• USAID officials issued a plan in 2014 to reduce the use of Social Security numbers, however that document did not include a comprehensive list of actions needed to eliminate unnecessary use of the number but rather, “only contained steps that the agency would take to identify which systems and forms needed to be revised.”
• Updating and fully completing SORNs. Of the five tested during the audit, three had one outdated or missing element as required by the Office of Management and Budget and two had 11 or more outdated or missing elements.
• Maintaining a comprehensive inventory of third-party websites. The current inventory does not include URLs for 202 of the 264 websites listed and the 23 third-party sites were left off the list, including all social media sites. “Without an accurate and complete inventory of third-party websites that make PII available to the agency, USAID was unable to determine the extent to which privacy notices were placed on third-party websites and if additional privacy notices needed to be posted,” the report states.

USAID officials agreed with four recommendations, though only partially agreed with the IG’s “framing” of responsibilities with regard to updating SORNs.

“USAID acknowledges the intent of this recommendation and acknowledges its responsibility to ensure that all SORNs remain accurate, up-to-date, and appropriately scoped,” agency officials wrote in their response. “USAID disagrees, however, with the framing of this recommendation, noting that USAID policy does not authorize the CIO to take unilateral action to publish or maintain SORNs.”

But ultimately, officials said they would implement all five recommendations.