Office of Health Affairs Has Not Implemented An Effective Privacy Management Program

We determined that the Office of Health Affairs (OHA) has not implemented an effective organizational framework for safeguarding personally identifiable information (PII). While OHA appointed a Privacy Officer, this official lacked authority and resources to carry out the required privacy management responsibilities. Given turnover in key positions, OHA leadership had not placed priority on instilling a culture of privacy which resulted in transparency and security control weaknesses. For example, OHA’s emergency medical first responders did not properly notify individuals of their privacy rights when collecting PII. OHA’s BioWatch web portal had been improperly categorized to properly safeguard PII and the portal operated on an untrusted internet site. We recommended that OHA inform its staff of the Privacy Officer’s statutory responsibilities and the need for all staff to comply with privacy requirements, implement a process to provide a Privacy Act Statement when collecting PII from individuals as required by law, and move the BioWatch web portal to a trusted domain to comply with system security requirements and to safeguard PII. We made eleven recommendations improve privacy stewardship and reduce privacy risks to PII that OHA collects and maintains.