Use and Protection of Personally Identifiable Information - Biennial Audit

Personally identifiable information (PII) is defined by the U.S. Office of Management and Budget in Memorandum 07-16 and refers to information which can be used alone to distinguish or trace an individual's identity. This includes an individual's name, social security number, biometric records, or when combined with other personal/identifying information, is linked or linkable to a specific individual, such as date and place of birth or mother's maiden name. The OIG conducted this audit as an independent review of TVA's use of PII in accordance with privacy provisions of the Consolidated Appropriations Act of 2005.This is our fourth audit since the requirement was enacted. Since the OIG's previous audit, TVA hired a Senior Program Manager for Privacy to manage the agency's privacy program. We generally found the privacy program improved since our prior audit; however, we found that controls could be strengthened in the areas of: (1) written policies, (2) storage of hard copy and electronic PII, (3) monitoring of systems containing PII, and (4) system inventory. TVA management agreed with our findings and recommendations. Summary Only