We evaluated the Department of Homeland Security (DHS) National Applications Office (NAO) privacy stewardship to determine whether the NAO is conducting activities to instill and promote a culture of privacy, and its planned operations are in compliance with privacy regulations. Privacy stewardship includes privacy integration in the program mission and strategic plans, established privacy requirements at the outset of program initiation, procedures and training for operational and staff accountability for privacy protections, and a privacy framework for internal control and external oversight.
Generally, NAO is making good progress in developing an effective privacy program for its operations. Specifically, NAO involved the DHS Privacy Office early in program planning and development of key organizational documents. Also, NAO acknowledges privacy requirements and states a commitment to privacy in its Charter. By doing so, NAO signaled its intent to incorporate accepted privacy principles in its policies and operating procedures. We identified several elements that serve as a framework for NAO’s privacy stewardship. These include ongoing privacy oversight by departmental privacy and civil liberties officers, public notice of system of records, training of NAO personnel, and approved risk assessments. However, a revised Privacy Impact Assessment and a Civil Liberties Impact Assessment reflecting changes in the Charter are still necessary prior to NAO becoming operational.
In our report, we made two recommendations to strengthen privacy stewardship at the NAO. The Under Secretary for Intelligence & Analysis concurred with our findings and recommendations. We consider these recommendations resolved, but open, pending our review of documentation provided by the NAO.
