TVA’s Privacy Program

Report Information

Date Issued
Report Number
2021-15779
Report Type
Audit
Description
We found several areas of the privacy program to be generally effective, including (1) completion of privacy impact assessments, (2) privacy related training taken by network users, (3) privacy considerations during the authority to operate process, (4) system categorization, (5) privacy incident response, (6) privacy-related contract terms and conditions, and (7) desktop and laptop sanitization. However, we identified seven issues that should be addressed by TVA management to further increase the effectiveness of the privacy program. Specifically, we found:

1. Unsecured electronic restricted personally identifiable information on SharePoint and shared network drives.
2. Unsecured hard copy restricted personally identifiable information.
3. No end user notifications for e-mail security violations.
4. No technical controls for removable media.
5. We could not confirm that all desktops and laptops utilize encryption.
6. Privacy Act notices on TVA forms did not include all required elements.
7. Not all external Web sites included privacy policies. (Note: Prior to completion of our audit, TVA Technology and Innovation took action to address the external Web sites that were missing required privacy policies.)

We also found gaps between TVA’s policies and procedures and applicable federal privacy regulations and guidance.
Joint Report
Yes
Participating OIG
Tennessee Valley Authority OIG
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0

Recommendations

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation review the privacy requirement gaps identified and determine the policies that should be updated based on risk.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation update Privacy Act notices on TVA forms used to collect PII in accordance with TVA policy.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation conduct a review to verify that RPII on Windows desktops and laptops is encrypted to TVA’s encryption standards.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation evaluate implementing technical controls for removable media.

We recommend the Vice President and Chief Information and Digital Officer, Technology and Innovation evaluate implementing controls for possible e-mail security violations.