We found several areas of the privacy program to be generally effective, including (1) completion of privacy impact assessments, (2) privacy related training taken by network users, (3) privacy considerations during the authority to operate process, (4) system categorization, (5) privacy incident response, (6) privacy-related contract terms and conditions, and (7) desktop and laptop sanitization.

However, we identified seven issues that should be addressed by TVA management to further increase the effectiveness of the privacy program. Specifically, we found:

1. Unsecured electronic restricted personally identifiable information on SharePoint and shared network drives.
2. Unsecured hard copy restricted personally identifiable information.
3. No end user notifications for e-mail security violations.
4. No technical controls for removable media.
5. We could not confirm that all desktops and laptops utilize encryption.
6. Privacy Act notices on TVA forms did not include all required elements.
7. Not all external Web sites included privacy policies. (Note: Prior to completion of our audit, TVA Technology and Innovation took action to address the external Web sites that were missing required privacy policies.)

We also found gaps between TVA’s policies and procedures and applicable federal privacy regulations and guidance.
Report File
Date Issued
Submitting OIG
Tennessee Valley Authority OIG
Other Participating OIGs
Tennessee Valley Authority OIG
Agencies Reviewed/Investigated
Tennessee Valley Authority
Report Number
2021-15779
Report Description
Report Type
Audit
Agency Wide
Yes
Number of Recommendations
7
Questioned Costs
$0
Funds for Better Use
$0