The Department of the Navy is working to eliminate the unnecessary collection of Social Security numbers (SSNs) to protect your personally identifiable information (PII). The SSN is ubiquitous and one of the key data elements used to commit identity fraud. The DON has embarked on a plan to reduce the use of the SSN by eliminating it where it is not needed or replacing it with another unique identifier (e.g., the Department of Defense identification number/Electronic Data Interchange-Personal Identifier (EDI-PI)) associated with an individual’s name.
The following is a recent success story that highlights the actions an individual took to challenge the use of a form that appeared to be an unauthorized collection of PII. It is very likely that business processes within your organization are repeating a scenario similar to this. This success story should serve as a reminder to all that only approved collections of PII are authorized.
The command security manager approached his command's privacy official presenting what appeared to be a routine form and asked if it was an authorized collection of PII. The privacy official noted that the form had a Privacy Act Statement at the bottom of each page, but did not appear to be an approved DoD form because it was lacking a form number. The command staff was sensitized to the use of unauthorized forms as part of the DoD/DON SSN Reduction Plan; therefore, several staff members were reluctant to provide the information because it asked for full name, full SSN, and other PII to be used for controlled space access.
The DON privacy official contacted the DoD forms manager, who agreed that the form did not appear to be official. The DoD forms manager then contacted the head of the security office responsible for the form, who is now in the process of either eliminating the form or making it an official Standard Form (SF) or Department of Defense (DD) form. To make the form official, it must be reviewed by the DoD forms manager and the DoD privacy official. If PII is collected on the form, a Privacy Act Statement (PAS) must be created. If SSNs are collected on the form, there must be an approved justification that cites one of the 12 valid exceptions (view "Approved Use Cases for Systems Collecting SSNs") that allow continued use of the SSN. The approved justification is an auditable record and must be signed by a flag officer, a Senior Executive Service member, or a "By Direction" authority. The forms review process is the same for all DON controlled forms.
Bravo Zulu to the personnel who alerted their privacy official that there might be a problem with PII collection using what appeared to be a routine form. Personnel should challenge any form that collects PII but lacks an official form number or an attached Privacy Act Statement. By properly managing official forms, exposure and use of PII will be greatly reduced, and commands will be compliant with existing privacy laws and regulations.
Steve Muck is the DON CIO privacy team lead.