We conducted this evaluation to determine the effectiveness of the U.S. Department of Housing and Urban Development’s (HUD) privacy program. We assessed the adequacy of agency strategies, plans, controls and practices at the enterprise and program levels. We also examined the level of progress achieved since we last evaluated the program in 2014.

We found that HUD had updated its privacy impact assessment processes and had taken a more active role to ensure privacy is properly addressed in the agency’s technology and business operations. HUD had also improved its incident response and reporting capabilities, strengthened the physical security and protection of its sensitive records, and continued to upgrade the privacy awareness training provided to all employees. However, HUD had not established a strategic plan for privacy, and key initiatives were put on hold pending the staffing of key privacy program management positions. HUD had not integrated privacy risks into its enterprise risk management (ERM) process, had not formalized many oversight practices, and lacked a structured compliance program. Critically, HUD continued to lack the capability to fully identify and inventory its extensive holdings of personally identifiable information (PII).

We recommend HUD address the 14 remaining open recommendations from our 2014 privacy program evaluation, and address all 24 additional recommendations provided in this report. In particular, we recommend that HUD establish a strategic plan for its privacy program, ensure the availability of adequate resources and privacy expertise, implement a formal compliance program, clarify privacy roles across the agency, develop the capability to identify and inventory all of its PII, and fully integrate the privacy program with its enterprise risk management process and with other enterprise programs.

Recommendations
| Recommendation | Status | Date Issued | Summary |
| --- | --- | --- | --- |
| 2018-OE-0001-04 | Open | September 13, 2018 | Implement thorough human capital processes to ensure execution of the HUD privacy program and all its requirements |
| 2018-OE-0001-14 | Open | September 13, 2018 | Ensure role-based privacy training is provided to all personnel with privacy responsibilities |
| 2018-OE-0001-15 | Open | September 13, 2018 | Ensure privacy awareness training is provided to all contractor and third party personnel |
| 2018-OE-0001-20 | Open | September 13, 2018 | Develop the technical capability to identify, inventory, and monitor the existence of PII within the HUD environment |
| 2018-OE-0001-21 | Open | September 13, 2018 | Develop and implement a process to inventory all agency PII holdings not less than annually. [Dependent upon completion of Recommendation 20 |