Privacy Protection - TVA Use of Information in Identifiable Form

We determined: TVA's Privacy Summary Report to the OIG needed improvement in three areas.TVA's privacy policies and procedures were generally consistent with federal requirements; however, we noted (1) five areas where we believe further guidance is needed, and (2) TVA is in the process of updating its privacy policies and procedures.While TVA has made progress in implementing privacy program components, a focused effort is needed to strengthen the program by: (1) completing implementation of planned privacy assessments of all systems identified with Information in Identifiable Form (IIF), and (2) ensuring privacy activities are better integrated between TVA groups who have privacy responsibilities.TVA needs to improve its privacy practices through (1) reviews and updates of Systems of Records notices and (2) implementation of best practices on systems with IIF.At the completion of our fieldwork on March8, 2007, our review found there were no significant IIF compromises reported to the OIG for the two-year period ending December6, 2006, and no instances of criminal or civil liability relating to loss of personal information were reported by the General Counsel's office. However, an issue came to our attention subsequent to our review indicating IIF was available on temporary share drives to anyone with a TVA network account. TVA management generally agreed with our recommendations and has taken or is taking corrective action.