Protecting Feds from Personal Information Release and Identity Theft: Are Current Policies Enough?

By Bob Gilson

Monday, March 24, 2008

Bob Gilson is a consultant with a specialty in working with and training Federal agencies to resolve employee problems at all levels. Both before and since retiring, Bob has negotiated on behalf of Federal clients. A retired agency labor and employee relations director, Bob has authored or co-authored a number of books dealing with Federal issues. To contact Bob about this article or about training or assistance at your agency, use this contact form.

General advice on handling personnel problems may not be applicable to specific situations. Be sure to check with your human resources advisors for guidance in your particular personnel situation.

In the wake of recent privacy-violating probing of presidential candidates' passport files and earlier losses by agencies of computers or hard drives containing sensitive employee data, it appears the risk of nosy feds, political paparazzi, curious contractors and others getting personal personnel info may be at an all-time high.

So What's the Government got that So Many Want to See?

 
Passport files are pretty mundane with the big worry centering on Social Security Numbers (SSNs), addresses and presumably, direct phone numbers. Presumably the State Department after this embarrassment will toughen up its access processes. A much bigger concern for FedSmith readers is the info Agencies routinely collect on them from Agency Heads down the org. chart to intermittent caddies on an Air Force base's golf course.
 
The records that should worry most Federal employees are their personnel files, medical files and security-related data. Employee personnel files such as the Official Personnel Folder maintained on every Fed have much more sensitive info including, in addition to SSNs, health and life insurance information, records of discipline, sensitive pre-employment questionnaires, whether a clearance exists and more.
 
Agencies also may keep separate files on employees that include medical information such as diagnoses of medical conditions (mental and physical), medications prescribed and a physician's assessment of the individual's ability to work. Security files contain background investigation information including histories of criminal activity, derogatory information provided by those interviewed in connection with the investigation and just about anything else that would affect the grant of a clearance.
 
Who Gets to See This Stuff?
 
The answer to that question gets very complicated.
 
Obviously, those who enter data into computer systems and file any paper documents get to see it. Traditionally, this was done by the Human Resource Office, sometimes called simply "Personnel". However, in recent years, contractors have increasingly been engaged to do this work. Apparently two of the violators at State were contractors and were canned. The others, Federal employees, may take a while to deal with due to various statutory and regulatory requirements.
 
Who Else?
 
Within the Agency, simply put, the answer is those with a "need to know". Who's that? It depends. Generally, this includes human resources specialists who use the files in connection with processing a wide variety of personnel actions including promotions, permanent or temporary, details, reassignments, transfers, retirements, etc. Need to know may include Agency counsel, equal employment opportunity specialists, worker's compensation specialists, and in certain cases, managers and supervisors. As a former Fed, my experience was that access to these files was closely monitored including a requirement to sign an enclosed form whenever the file was used.
 
So What's the Problem?
 
The problem involves a number of possible ways this information may get into the wrong hands.
 
  1. The Freedom of Information/Privacy Acts balancing Act. FOIA stresses the right of citizens to know what goes on in government while the Privacy Act addresses limitations on what an Agency may protect from disclosure while making sure that information about a citizen is available to that citizen. How well information that Agencies shouldn't release about their workforce is protected depends directly on the good judgment of those who make decisions to release. You might be surprised to know that with few exceptions an individual Federal employee's name, position title, series, grade, position description, pay, awards, work location, place on the org. chart, and other information is freely available to public scrutiny.
  2. How good the Agency is in securing its records. The last two Agencies I worked for before retiring kept their OPFs in locked file cabinets inside a safe-like room. That's fine for paper, but computer records may not be as easy to protect. Look around your own office. Where have you written down your passwords? Don't even think about denying you do it. If they're around, someone can find them.
  3. Outside the Agency access. Investigative Agencies gain access to records. My experience with MSPB's Special Counsel staff, EEO investigators and IG investigators, for example, is that they got downright uppity if a mere HR type like yours truly asked them to sign access cards before they got to review a record and absolutely apoplectic if asked to do so in the presence of an Agency HR person. My guess is that the people who do this work are almost always highly principled and give absolute attention to securing info. It's the 3% that get fired, transferred or otherwise kicked to the curb that I worry about.
  4. Union access. The Federal labor case law gives unions broader access to info than the Privacy Act does. Nowhere in any law or regulation is there any control on what the unions do with this information or any requirement to safeguard it. So if a Federal employee union representative gives data to a non-Federal employee union representative, there are no protections at all. Agencies were ordered by the Federal Labor Relations Authority to release to unions the home addresses of bargaining unit employees until the Supreme Court put a stop to that. What Agencies provide to avoid unfair labor practice charges or during a union-friendly administration is anyone's guess.

Is Anybody Doing Anything About This?

 
OPM has stepped up to the plate as part of a Presidential Identity Theft Task Force initiative. The opportunity closed on March 18 for comments on OPM's proposed regulations tightening the use of employee SSNs in routine human resource operations. In a memo from Linda Springer to Human Capital Officers last summer, OPM provided guidance to agencies listing the regulations regarding personnel records and their security. Part of that memo was a list of 15 measures Agencies should take in addition to following the existing regulations. Those measures are worth reading.
 
 
I think this is a problem that will be with us for some time, especially in an era where the public's right to know is considered paramount and Federal employee concerns are low on the totem pole of priorities.
 
As always, the above represents my personal view and not that of any employer, publisher, blog or anyone else I work with.

© 2008 Robert J. Gilson. All rights reserved. This article may not be reproduced without express written consent from Robert J. Gilson.

Readers' Comments

  • Worker (DOS) Can you or dad provide examples of when unions made inappropriate disclosures? I have been in government service for 33 years and I have yet to hear of a bonafide example as I am sure that if management ever got wind of such action they would have taken steps/laws to prevent the many la...
    Posted: March 27, 2008 2:37 PM
  • Believe it, it's true. That's what comes with being a (public) civil servant. Your date of birth, SSN, race and handicap info is considered private, but everything else is free for the taking....
    Posted: March 27, 2008 8:41 AM
  • Is this actually true - "You might be surprised to know that with few exceptions an individual Federal employee's name, position title, series, grade, position description, pay, awards, work location, place on the org. chart, and other information is freely available to public scrutiny. " Hard to...
    Posted: March 27, 2008 4:04 AM
