TVA’s Privacy Program

Report Information

Date Issued
Report Number
2024-17478
Report Type
Audit
Description
The Office of the Inspector General performed an audit to determine if the Tennessee Valley Authority (TVA) has designed and implemented privacy requirements in accordance with the Consolidated Appropriations Act, 2005. Our scope was limited to TVA’s privacy program responsibilities as defined in the Consolidated Appropriations Act, 2005.

We determined TVA had privacy policies in alignment with the Consolidated Appropriations Act, 2005. In addition, TVA had implemented requirements from the Consolidated Appropriations Act, 2005, such as sustaining privacy protection, assuring compliance with fair information practices, proposals, congressional reporting, protecting PII, training, compliance with policies, and recording.

However, we identified six issues that should be addressed by TVA management to further comply with the requirements of the Consolidated Appropriations Act, 2005, and TVA policy. Specifically, we found:

1. Discrepancies between TVA privacy system inventory and the PIA inventory.
2. PIAs did not follow TVA policy.
3. The privacy continuous monitoring program was outdated.
4. Hard copy RPII and a restricted area were not secured.
5. The PIA template did not contain all required information.
6. Privacy policies were not consistent with applicable legal guidance.

TVA management agreed with our recommendations.
Joint Report
Yes
Participating OIG
Tennessee Valley Authority OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, review and update Privacy Impact Assessments in accordance with requirements outlined in TVA Standard Programs and Processes 12.501 or review Standard Programs and Processes requirements to determine appropriate cadence to review and update Privacy Impact Assessments.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, review Privacy Impact Assessments to identify systems that collect, maintain, use and/or disseminate information for members of the public, and publish them to the website in accordance with TVA policy.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, verify completion of continuous monitoring of privacy controls in accordance with the privacy continuous monitoring program.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation, take steps to ensure hard copy Restricted Personal Identifiable Information is appropriately protected.