While DHS has established policies to comply with privacy laws it is not sufficiently tracking compliance, including on whether employees are taking required training on protecting personally identifiable information, an IG report has said.
It said that over 2017-2020 DHS reported nearly 3,200 minor privacy violations plus six major incidents, those involving information on more than 100,000 people. One of those incidents involved the release by FEMA to a contractor of information on some 2.3 million people affected by hurricanes and wildfires.
It cited issues including that DHS has not “established controls to ensure that privacy compliance documentation and information sharing access agreements are completed and submitted,” and that it did not “perform periodic reviews for new or evolving privacy risks.”
DHS also did not sufficiently monitor completion of required privacy training, the report said. By the IG’s analysis, between 12 and 19 percent of employees department-wide did not take such training each year in those years, with shortfalls especially high at FEMA and DHS headquarters.
“Routine training is a key element of developing and maintaining an effective privacy culture. DHS employees and contractors must understand how to safeguard PII. Without effective oversight to ensure employees and contractors are adequately informed about privacy requirements, the Department’s PII is susceptible to breaches,” it said.