TVA’s Privacy Program

The Office of the Inspector General performed an audit to determine if the Tennessee Valley Authority (TVA) has designed and implemented privacy requirements in accordance with the Consolidated Appropriations Act, 2005. Our scope was limited to TVA’s privacy program responsibilities as defined in the Consolidated Appropriations Act, 2005. We determined TVA had privacy policies in alignment with the Consolidated Appropriations Act, 2005. In addition, TVA had implemented requirements from the Consolidated Appropriations Act, 2005, such as sustaining privacy protection, assuring compliance with fair information practices, proposals, congressional reporting, protecting, PII, training, compliance with policies, and recording.However, we identified six issues that should be addressed by TVA management to further comply with the requirements of the Consolidated Appropriations Act, 2005, and TVA policy. Specifically, we found:1. Discrepancies between TVA privacy system inventory and the PIA inventory.2. PIAs did not follow TVA policy.3. The privacy continuous monitoring program was outdated.4. Hard copy RPII and a restricted area were not secured.5. The PIA template did not contain all required information.6. Privacy policies were not consistent with applicable legal guidance.TVA management agreed with our recommendations.