The Department of the Navy's Information Technology Magazine Notify Me of New Issue
Email this Article Email   

CHIPS Articles: PII Lessons Learned from the DON CIO

PII Lessons Learned from the DON CIO
By DON CIO Privacy Team - April-June 2016
The DON Privacy office has received numerous reports of breach incidents involving the discovery of personally identifiable information (PII) left in vacated office spaces. In these incidents, file cabinets, desk drawers, and boxes were found to contain documents such as personnel files, visitor logs, fitness reports, and medical records. Unfortunately, identifying the office or command that is accountable can be difficult, as is determining accurate contact information for the individual owners of PII documents found. To increase awareness of this problem and what we can all do to prevent such events, a summary of recent incidents and the resulting lessons learned are provided below.

Recent incidents reported to the DON Privacy office:

  • Boxes of PII stored in an unused shed adjacent to a hangar for six years.
  • Many documents containing PII found in an office of an administrative building abandoned for six years after base realignment and closure.
  • Boxes of PII found in the attic of an Echelon II headquarters building.
  • File cabinet containing PII with proper DD Form 250 (Material Inspection and Receiving Report) transfer document found at the local Defense Reutilization Material Office (DRMO).
  • PII found behind in office furniture on a decommissioned ship.

Lessons Learned:

  • Out-dated files containing sensitive PII present as much risk to individuals as current files still in use.
  • All office moves have the potential to result in the loss or potential compromise of PII.
  • As implied in the avoidance steps below, poor planning and a lack of management oversight are the leading causes of these breach incidents.
  • Condemned or abandoned buildings should be thoroughly inspected and then secured.
  • Condemned or abandoned buildings should be re-inspected on an annual basis.

How can these incidents be avoided?

  • Develop a checklist for all office moves/closures that includes an item to search for PII.
  • Ensure vacated office spaces are thoroughly searched and all documents are removed from desks and file cabinets.
  • Ensure spaces are secured after buildings are vacated.
  • Package all PII documents prior to office moves/closures and ensure all containers are accounted for at the new office.
  • Destroy PII that is no longer required to be stored prior to an office move in accordance with the Department of the Navy Records Management Manual.
  • Mark documents containing PII per the SECNAVINST 5211.5 DON Privacy Program series.
  • Conduct a thorough inspection of desks, file cabinets, and other office equipment before disposal.

Reference documents cited above as well as additional privacy resources can be found on the DON CIO website.
Related CHIPS Articles
Factsheet: National Background Investigations Bureau
OPM Announces New Chief Information Officer
DON IT West and East 2017 Conference Registration Now Open
Download CHIPS Magazine Mobile App!
Enterprise Software Agreements
Related DON CIO News
DON IT West and East 2017 Conference Registration Now Open
Strengthening Privacy Awareness and Protection
Navy Mobile Apps Bring Information and Training to Your Smartphone and Tablet
DON IT Conference Presentations Available
Building on DON Success; Meeting New Challenges
Related DON CIO Policy
DITPR-DON Process Guidance v1.0
Code of Federal Regulations (32 CFR Part 701)
DON Privacy Program and Appointment of the Senior Military Component Official for Privacy
Privacy Act of 1974
CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988