CHIPS Articles: Storage of Paper Records Containing Personally Identifiable Information

The Incident

A Navy recreational office was burglarized after it was secured for the evening. The perpetrator broke into a locked file cabinet containing membership applications for 180 Navy personnel. The applications contained Social Security numbers and either a copy of a person’s passport or birth certificate, which was used to verify citizenship.

Actions Taken

No files or personal property were stolen during the burglary. However, a breach report was submitted because of the potential compromise of personal information, and written notifications were sent to the 180 people who were affected. Further, leadership requested sample application forms from similar offices and reviewed all application processes to ensure conformance to Department of the Navy policy for safeguarding PII and improve application handling.

Lessons Learned

There are a number of lessons that others can learn from this incident and that apply to handling paper records and forms that collect PII. Paper records containing PII must only be accessible to those with an official need to know. In this example, the office and file cabinet were properly secured.

However, the form used by the office was not an official Navy form. All forms that commands use to collect PII must be an official form. This means commands must follow procedures established by the DON CIO, as the Senior Military Component Official for Privacy. Forms must be reviewed by a forms manager and privacy official, and if approved, they are assigned a form number. The form must include a Privacy Act Statement and the specific authority that allows PII to be collected. Finally, the form must be registered and posted to the Naval Forms Online website (https:// navalforms.documentservices.dla.mil/). For additional information, please contact your command forms manager or OPNAV DNS-51 at (703)614-7585.

There are other considerations as well. The collection of PII may require a System of Records Notice (SORN). Please contact your command privacy official or the OPNAV DNS-36 Privacy Act Branch at (202)685-0412 to determine if a SORN is required.

If you are collecting personal information on 10 or more members of the public in a 12-month period, the form may also require Office of Management and Budget approval and an OMB control number. To determine if an OMB control number is required, contact OPNAV DNS-51 at (703)614-7585.

If the form collects SSNs, it must go through the SSN reduction review process established by the DON CIO to reduce the use of SSNs in business processes under the department’s control. If it is determined that the continued collection of SSNs is required, then a document justifying the collection must be developed and signed by a flag officer, a civilian senior executive or an individual given by direction authority. More information on the DON SSN reduction process is available at www.doncio.navy.mil/contentview.aspx?id=1912.

Minimize the collection of PII wherever possible. The Navy office in the example was collecting SSNs and verifying citizenship for members by maintaining a file copy of either their passport or birth certificate. The Department of Defense ID number or other unique identifier should be used in place of SSNs whenever possible. And while passport or birth certificate information should be confirmed, there is no need to keep a copy on file.

Finally, paper copies of the application could be scanned and filed electronically, eliminating the need to keep hard copy documents in file cabinets.

PII breaches not only cost the department scarce resources, such as time and money, but also have the potential to undermine morale and trust in the organization. Additional privacy resources can be found at www.doncio.navy.mil/privacy.

Steve Muck is the Department of the Navy privacy lead.

Steve Daughety provides support to the DON Chief Information Officer privacy team.