HUD Personally Identifiable Information (PII) Records Protection and Management

We evaluated the U.S. Department of Housing and Urban Development (HUD) practices for identifying and protecting personally identifiable information (PII). The evaluation assessed HUD’s current capabilities to properly manage and protect PII and to properly maintain paper and electronic PII records. This evaluation was conducted in conjunction with the fiscal year (FY) 2019 Federal Information Security Act of 2014 (FISMA) evaluation 2019-OE-0002.We determined that HUD had taken positive steps to improve its records management practices. It had initiated modernization efforts to transition paper-based processes to electronic processes, begun addressing and closing OIG privacy-related recommendations that had been open for several years, and developed a formal communications plan to increase program awareness. The records officer had increased and improved training for records specialists in program offices and was directing an extensive records inventory project. However, HUD had not designated a Senior Agency Official for Records Management (SAORM) at the Assistant Secretary level as required by OMB, and was not meeting certain Federal requirements. HUD was not able to identify and inventory all PII, or search for or track PII. Recordkeeping practices and retention schedules were outdated, and HUD had not fully integrated the records program with risk management and information technology programs.We provide nine new recommendations designed to address HUD’s most significant legal and regulatory obligations, along with other critical challenges laid out in this report.