Rosters serve a useful and valid purpose for communicating important information to command personnel and their families, but the personally identifiable information (PII) they may contain must be properly maintained and protected.
Rosters are used to notify individuals of building, base and office closings, personnel movements, physical readiness tests, various medical and drug tests and classroom administration functions. Social rosters allow commands to easily contact family members for social functions, access requests and other events.
The information in this article applies to all Department of the Navy (DON) rosters.
For all rosters that contain PII, the following rules should be applied:
- Restrict access to only those with an official need to know.
- Mark as "FOUO — Privacy Sensitive." This includes rosters maintained inside and outside the workplace.
- Rosters should only be transmitted as email attachments when the email is digitally signed and encrypted.
- DON policy prohibits rosters from collecting Social Security numbers in any form (e.g., full or truncated).
- Rosters stored on a shared drive or SharePoint portal must have appropriate access controls.
- Always minimize the collection of PII. Collect only those PII elements that are required.
- Provide a Privacy Act statement any time PII is solicited directly from an individual, whether in writing or electronically. Contact your privacy officer for more information.
- When obtaining information for a social roster, ensure military family members and other non-military personnel, including minors, know the collection of their information is voluntary.
- Ensure all rosters are used only for their intended purpose and not provided to vendors, real estate agents, etc.
Additional privacy resources can be found on the DON CIO website at www.doncio.navy.mil/privacy.
Steve Daughety is the privacy lead for the Department of the Navy Chief Information Officer.