In early 2013, the Bureau of Naval Personnel (BUPERS) took steps to significantly improve their privacy program. What began as a core group of five privacy coordinators has evolved into a BUPERS Privacy Cadre which is led by a Privacy Program Manager. The cadre currently has 73 members throughout BUPERS and each member is formally designated and individually trained on privacy policies. Members are responsible for educating their colleagues on how to safeguard personally identifiable information (PII), conducting spot checks, reviewing business processes for the possible elimination of the Social Security number (SSN), and reporting breaches.
This article provides four examples where BUPERS has taken significant steps to reduce the use of the SSN and to better safeguard PII in its hundreds of personnel processes.
Navy Personnel Command's (NPC) PERS-3 (Personnel Information Management Department) is the coordinator for the Board for Corrections of Naval Records (BCNR). Service members and veterans petition the board to make corrections to their official records. PERS-3 is responsible for receiving cases from BCNR in Washington D.C., entering the data into a tracking database, and then delivering case files to various subject matter experts throughout NPC. The previous process required PERS-3 to manually enter each case into a database using the SSN as the individual’s primary identifier. Effective Nov. 1, 2015, PERS-3 began entering each case into a new system that tracks each case by docket number. The new process completely removes the SSN from the tracking process. This change demonstrates the continued efforts PERS-3 is taking to safeguard and protect the SSN from misuse and to comply with Phase Three of the Department of the Navy's (DON) SSN Reduction program.
NPC's PERS-13 (Casualty Branch) has been proactive in protecting PII. The PERS-13 team worked with the Defense Casualty Information Processing System (DCIPS) program manager to develop a secure web-based input system for casualty reporting using existing casualty data management technology. The deployment of an improved web-based personnel casualty reporting system illustrates the dedication this team has to protecting PII. This successful effort took over a year to complete.
Another example demonstrates BUPERS’ proactive approach to protecting PII. BUPERS webmasters spent six months reviewing over 1,200 NAVADMIN and ALNAV naval messages on the NPC website, redacting every SSN, both full and truncated (i.e., last four) — information that had previously been authorized and available to the public since 1996. Removing this sensitive information ensures that the privacy of our Sailors is maintained and removes the risk of a breach and possible identity fraud.
NPC’s PERS-313, also part of PERS-3, receives over 5,500,000 pieces of paper and electronic documents containing PII a year. That's over 90,000 pieces of paper and over 15,000 digital documents per week. Handling this enormous volume of PII on a weekly basis increases the likelihood of mishandling and potentially compromising PII. To mitigate the risks, PERS-313 developed a streamlined and efficient process, trained and educated employees on the importance of protecting PII, conducted random quality assurance checks, and continuously monitored each employee’s work. This is one more indication that the steps taken by NPC personnel are making a difference for our Sailors.
Other aspects of the BUPERS privacy program include: conducting monthly cadre meetings to provide training, discuss privacy issues and review policy updates; hosting a command privacy event to educate employees on how to safeguard PII and prevent identity theft where over 20,000 pieces of literature were handed out; providing privacy training to all new employees during command indoctrination; including privacy language in all applicable contracts and statements of work; creating a BUPERS spot-check checklist to target specific high risk areas throughout the command; creating a ‘fictitious SSN’ for use in briefs, screenshots, etc., in lieu of real SSNs; and reviewing over 1,200 BUPERS’ policies, identifying 235 that could eliminate the SSN.
Efforts to reduce the use of the SSN continue. BUPERS’ dedicated Privacy Cadre and the leadership provided by their Privacy Program Manager ensures a strong and responsive privacy program that is actively safeguarding the personal information of our military personnel.
The BUPERS Privacy Cade was a 2016 DON Privacy Program Excellence Award Winner. The Privacy Program Excellence Award is presented to an individual and a team that demonstrates commitment to privacy and advancing the effectiveness of a command privacy program. Click for more information regarding the 2016 DON IM/IT Award Winners .
DON CIO website: www.doncio.navy.mil/