A question submitted to the "Ask an Expert" section of the Department of the Navy Chief Information Officer website underscores the need to improve business processes that involve the use of a Social Security number. While there are many legitimate requirements for SSN use, efforts must be made to reduce or eliminate reliance on this unique personal identifier. After reading the question and the DON CIO's response, consider if there are practices in your organization where a careful review of SSN use is necessary.
Question:
"Recently, a Department of the Navy employee solicited me via email regarding post Navy career opportunities. I am transitioning from the naval service next month. Without my prior approval or knowledge, the DON employee emailed me a For Official Use Only (FOUO) document containing my full SSN and date of birth to my personal/civilian email account.
I am frustrated by the lack of common sense this shipmate displayed. What if he/she had been one character off in typing my personal email address? What if my info ended up in someone else's inbox that had no need to see my personal information? We're all trained in personally identifiable information (PII), aren't we?
Bottom line: I'd like to know what the Navy's policy is regarding transmission of PII via email. For example, I have noticed a change in orders writing: no more full SSNs in message traffic or truncated SSNs posted to a public facing website. Does the same apply to other documents? Did this DON employee violate procedure when he/she sent me a FOUO document containing my PII to my personal email account? If there was a violation, how do I go about reporting this individual?
R/
-LT XXX"
Response:
"Dear LT,
Thank you for contacting the Department of the Navy Chief Information Officer. Your feedback is important to us. We are contacting the privacy officer at the command where this occurred to look into this practice. To answer your specific question about emailing sensitive PII: DON policy states that all email containing sensitive information, including PII, must be digitally signed and encrypted. New (still in draft) policy will require that any use of the SSN must be justified by applying one of 13 authorized uses of the SSN. The email you received would have to be justified using this same process.
As an FYI, the draft policy will require most Navy business practices to use the DoD ID number: Electronic Data Interchange Personal Identifier (EDIPI) number in place of the SSN. The DoD ID/EDIPI is a unique number assigned to each person in the DEERS (Defense Enrollment Eligibility Reporting System) database and does not have any commercial application.
Best regards,
The DON CIO Privacy Office"
Although the incident the lieutenant described is not standard practice according to the responsible office, officials stated that they will strengthen PII handling procedures, such as enforcing the use of the Privacy Act Statement and ensuring documents containing PII are properly marked. They will justify the continued use of the SSN in business processes to prevent a repeat occurrence. Protecting the personally identifiable information of DON personnel is of the utmost importance to Under Secretary of the Navy Robert O. Work, who made significant reduction of PII breaches a priority in the Department of the Navy. Frequent reviews of how SSNs and other PII are used by your command are an important way to ensure that such information is used only when necessary and that the proper steps are taken when handling this information. Such efforts will help the department move closer to achieving the Under Secretary's goal.
Steve Muck is the privacy lead for the Department of the Navy Chief Information Officer.