U.S. flag

An official website of the United States government Here’s how you know

The .gov means it’s official.

Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you're on a federal government site.

The site is secure.

The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Hotline

Report Fraud, Waste and Abuse
September 13, 2018
  • Deputy Secretary
2018-OE-0001

We conducted this evaluation to determine the effectiveness of the U.S. Department of Housing and Urban Development’s (HUD) privacy program   We assessed the adequacy of agency strategies, plans, controls and practices at the enterprise and program levels.  We also examined the level of progress achieved since we last evaluated the program in 2014.

We found that HUD had updated its privacy impact assessment processes, and took a more active role to ensure privacy is properly addressed in the agency’s technology and business operations.  HUD had also improved its incident response and reporting capabilities, strengthened the physical security and protection of its sensitive records, and continued to upgrade the privacy awareness training provided to all employees.  However, HUD had not established a strategic plan for privacy, and key initiatives were put on hold pending the staffing of key privacy program management positions.  HUD had not integrated privacy risks into its enterprise risk management (ERM) process, had not formalized many oversight practices, and lacked a structured compliance program.  Critically, HUD continued to lack the capability to fully identify and inventory its extensive holdings of personally identifiable information (PII).

We recommend HUD address the 14 remaining open recommendations from our 2014 privacy program evaluation, and address all 24 additional recommendations provided in this report.  In particular, we recommend that HUD establish a strategic plan for its privacy program, ensure the availability of adequate resources and privacy expertise, implement a formal compliance program, clarify privacy roles across the agency, develop the capability to identify and inventory all of its PII, and fully integrate the privacy program with its enterprise risk management process and with other enterprise programs.

Recommendations

Office of Administration

  •  
    Status
      Open
      Closed
    2018-OE-0001-01
    Closed on September 25, 2020

    Ensure the privacy program is staffed with experienced personnel (such as a Chief Privacy Officer) to manage the operational aspects of the program.

  •  
    Status
      Open
      Closed
    2018-OE-0001-02
    Closed on August 13, 2020

    Issue a notice at the Secretary level delegating and clarifying the authority and responsibilities of the SAOP and Privacy Office

  •  
    Status
      Open
      Closed
    2018-OE-0001-03
    Closed on January 10, 2023

    A. Document the roles and specific responsibilities of all positions assigned privacy responsibilities. B. Communicate these responsibilities on a recurring basis, at least annually, to individuals holding these positions.

  •  
    Status
      Open
      Closed
    2018-OE-0001-04
    Closed on July 10, 2024

    Implement thorough human capital processes to ensure execution of the HUD privacy program and all its requirements

  •  
    Status
      Open
      Closed
    2018-OE-0001-05
    Closed on June 25, 2020

    Finalize and approve the draft privacy program strategic plan

  •  
    Status
      Open
      Closed
    2018-OE-0001-06
    Closed on November 18, 2021

    Ensure the privacy program is integrated with the enterprise risk program and that privacy risks are incorporated into the agency risk management process

  •  
    Status
      Open
      Closed
    2018-OE-0001-07
    Closed on May 22, 2020

    Establish an executive leadership dashboard to communicate continuous monitoring of key program risks and issues

  •  
    Status
      Open
      Closed
    2018-OE-0001-08
    Closed on May 22, 2020

    A. Develop an internal privacy program communication plan to describe how privacy issues will be disseminated and best practices will be shared. B. Implement the communication plan

  •  
    Status
      Open
      Closed
    2018-OE-0001-09
    Closed on October 01, 2021

    Develop a dedicated budget to address Privacy Office training needs and initiatives

  •  
    Status
      Open
      Closed
    2018-OE-0001-10
    Closed on December 09, 2021

    Update all privacy guidance to reflect current Federal requirements and processes.

  •  
    Status
      Open
      Closed
    2018-OE-0001-11
    Closed on May 22, 2020

    Implement a formal process for the Privacy Office to issue and communicate privacy guidance, requirements, and deadlines.

  •  
    Status
      Open
      Closed
    2018-OE-0001-12
    Closed on September 17, 2020

    Update and continue to maintain a central collaboration area to include all current privacy program policies, procedures, and guidance

  •  
    Status
      Open
      Closed
    2018-OE-0001-13
    Closed on May 22, 2020

    Establish standard processes to ensure consistent work flow and communications between program office and Privacy Office personnel

  •  
    Status
      Open
      Closed
    2018-OE-0001-14
    Closed on July 10, 2024

    Ensure role-based privacy training is provided to all personnel with privacy responsibilities

  •  
    Status
      Open
      Closed
    2018-OE-0001-15
    Closed on July 10, 2024

    Ensure privacy awareness training is provided to all contractor and third party personnel

  •  
    Status
      Open
      Closed
    2018-OE-0001-16
    Closed on August 13, 2020

    Provide personnel tasked with handling Privacy Act requests with recurring training on Privacy Act exceptions

  •  
    Status
      Open
      Closed
    2018-OE-0001-17
    Closed on September 17, 2020

    Establish documentation procedures for accounting of disclosures made under the Privacy Act, as required by 5 USC 552a(c)

  •  
    Status
      Open
      Closed
    2018-OE-0001-18
    Closed on September 17, 2020

    Establish an annual computer matching activity reporting process to meet the requirements of OMB Circular A-108

  •  
    Status
      Open
      Closed
    2018-OE-0001-19
    Closed on April 08, 2021

    Determine if general support system privacy threshold assessments or privacy impact assessments should be completed; if not, document the rationale

  •  
    Status
      Open
      Closed
    2018-OE-0001-20

    Develop the technical capability to identify, inventory, and monitor the existence of PII within the HUD environment

  •  
    Status
      Open
      Closed
    2018-OE-0001-21

    Develop and implement a process to inventory all agency PII holdings not less than annually.

  •  
    Status
      Open
      Closed
    2018-OE-0001-22
    Closed on November 19, 2020

    Renew the PII minimization effort, to include a prioritization by the SAOP of specific minimization initiatives

  •  
    Status
      Open
      Closed
    2018-OE-0001-23
    Closed on July 01, 2021

    Require all system owners to review the records retention practices for each information system and take any corrective actions necessary to ensure adherence to the applicable records retention schedule

  •  
    Status
      Open
      Closed
    2018-OE-0001-24
    Closed on December 31, 2020

    A. Issue a clean desk policy prohibiting unattended and unsecured sensitive data in workplaces. B. Implement procedures to enforce the clean desk policy.