The GAO audited six DHS data-mining systems, which extract information from large volumes of data, and concluded that none of them had implemented a fully effective framework for proper privacy protection. For the six systems, DHS failed to implement fully sound practices for organizational competence, evaluations of system effectiveness and privacy protections, executive review, and transparency and oversight through the systems' life cycle.
“By not consistently performing necessary evaluations and reviews of these systems, DHS and its component agencies risk developing and acquiring systems that do not effectively support their agencies' missions and do not adequately ensure the protection of privacy-related information”, the GAO warned.
The report said that the department faces a number of challenges in ensuring its data-mining systems are effective and protect privacy: reviewing and overseeing systems once they are in operation, stabilizing and implementing acquisition policies throughout the department, and ensuring that privacy sensitive systems have timely and up-to-date privacy reviews.
“Until DHS addresses these challenges, it will be limited in its ability to ensure that its systems have been adequately reviewed, are operating as intended, and are appropriately protecting individual privacy and assuring transparency to the public”, the government watchdog warned.
Reps. Brad Miller (D-N.C.) and Donna Edwards (D-Md.), who requested the GAO study, said that one of the “most disturbing findings” in the report was that the Immigration and Customs Enforcement Pattern Analysis and Information Collection (ICEPIC) program rolled out its law enforcement sharing component before it was approved by the DHS privacy office, according to a report by PCWorld.
The GAO is recommending that DHS address gaps in data-mining evaluation policies and shortfalls in its system evaluations and privacy protections, including conducting privacy impact assessments (PIAs) for confidential information.
DHS concurred with the GAO recommendations and identified measures to implement them. Regarding the recommendation on PIAs, DHS said it “recognizes that PIAs are often the most complete and sometimes the only public description of DHS systems and practices.”