FEMA has made progress implementing plans and activities to instill a culture of privacy to protect sensitive personally identifiable information, but it still needs an accurate inventory of its IT systems that impact privacy and faces other challenges protecting that information, the DHS inspector general has said.
It said FEMA has established a privacy office that reports on the agency’s privacy activities to DHS, reviews suspected privacy incidents, and oversees FEMA’s privacy training.
However, FEMA needs to complete required privacy compliance analyses, including privacy threshold analyses, privacy impact assessments, and system of records notices, for 430 IT systems that were reported as unauthorized.
FEMA also must address challenges with protecting information at disaster relief sites.
The agency agreed with recommendations to implement a plan and timeline to identify and assess unauthorized systems, conduct privacy assessments of disaster relief operations to improve accountability and to meet privacy requirements, implement specialized privacy training for the disaster relief workforce, and improve managers’ capability to monitor and enforce the completion of the standardized, FEMA-wide privacy training requirements.