Background investigation personal data at risk at OPM, says GAO

Personally identifiable information collected by the Office of Personnel Management during background investigations isn't sufficiently protected from potential breach, says the Government Accountability Office.

OPM, through its Federal Investigative Services division, conducted more than 2 million investigations of various types during fiscal 2009. That makes the agency a major steward of U.S. citizens' personal data, says the GAO in a report dated Sept. 7 but released publicly Oct. 7.

And while OPM has conducted privacy risk assessments for the systems that hold information culled from background investigations, it hasn't identified controls to handle privacy risks, or even assessed the systems' risks to privacy, the report states. The privacy risk assessments of two key systems, the Personnel Investigations Processing System-Reporting (PIPS-R) and the Electronic Questionnaires for Investigations Processing (e-QIP), were last updated in August 2007.

In addition, although OPM does require customer agencies to sign memoranda of understanding over the protection of background investigation data, OPM is still responsible for ensuring that personal information is protected even while at rest at other agencies, the GAO report says. But OPM doesn't monitor agencies' adherence to the protection stipulations of OPM, meaning that OPM "may not be meeting its responsibility" to protect that data, the report adds.

GAO auditors also found that no process exists within OPM to ensure that investigators comply with privacy protection policies as they perform field work. Field investigators have been involved in more than 80 percent of incidents involving lost or stolen paper files within the Federal Investigative Services in recent years.

OPM, in its response to the draft of the GAO report (which is not included in the final report), agreed with all of GAO's recommendations, but said it would be misleading to suggest that there is no oversight or monitoring of field investigators. The report acknowledges that OPM has recently started conducting physical audits of regional field investigation offices, but says those audits don't examine how field investigators protect data while traveling to conduct interviews. Nor do they ensure that only appropriate information is being gathered, the report adds.

For more:
- download the report, GAO-10-849 (.pdf)