HUD’s Office of Administration, in coordination with OCIO, should update and communicate its PII minimization plan. The plan should include detailed procedures to regularly review and remove unnecessary PII collections in accordance with OMB Circular A-130 (IG FISMA metric 35).

The OIG has determined that the contents of this recommendation would not be appropriate for public disclosure and has therefore limited its distribution to selected officials.

Designate a Senior Agency Official for Records Management at the Assistant Secretary level or its equivalent.

Update and issue agency formal records policy, including detailed procedures and requirements for completing and maintaining program office and agencywide inventories of systems, records, and PII.

Establish and disseminate a policy on safeguarding or prohibiting the transportation of PII records out of the office for telework purposes.

Complete the development of performance measures and establish a formal records evaluation process to measure the effectiveness and progress of the records management program.

Standardize processes and duties for all RMLOs.

Conduct a staffing resource assessment for the HUD records program and identify any skills gaps or resource needs.

Ensure the privacy program is staffed with experienced personnel (such as a Chief Privacy Officer) to manage the operational aspects of the program.

Issue a notice at the Secretary level delegating and clarifying the authority and responsibilities of the SAOP and Privacy Office

A. Document the roles and specific responsibilities of all positions assigned privacy responsibilities. B. Communicate these responsibilities on a recurring basis, at least annually, to individuals holding these positions.

Implement thorough human capital processes to ensure execution of the HUD privacy program and all its requirements

Finalize and approve the draft privacy program strategic plan

Ensure the privacy program is integrated with the enterprise risk program and that privacy risks are incorporated into the agency risk management process

Establish an executive leadership dashboard to communicate continuous monitoring of key program risks and issues

A. Develop an internal privacy program communication plan to describe how privacy issues will be disseminated and best practices will be shared. B. Implement the communication plan

Develop a dedicated budget to address Privacy Office training needs and initiatives

Update all privacy guidance to reflect current Federal requirements and processes.

Implement a formal process for the Privacy Office to issue and communicate privacy guidance, requirements, and deadlines.

Update and continue to maintain a central collaboration area to include all current privacy program policies, procedures, and guidance