Yes, it's very piecemeal. We heard that as a consistent reflection from the departments. Each of them was picking and choosing its own adventure. Some of them were saying they had various forms of a privacy impact assessment. I also picked up that some of them were not assessing the actual tool, but their “programs”.
Why do you think it would be a problem to have a PIA on a program rather than the specificity of the tool?