The DoD Identification Number as PII
Published July 26, 2012
For many years, the Electronic Data Interchange-Personal Identifier (EDI-PI) has been a unique identifier for personnel affiliated with the Department of Defense. Until recently, it was used only by DoD information systems to facilitate machine-to-machine communications and appeared in digital signatures. When the EDI-PI was selected to become the DoD identification number, the purpose of the identifier changed.
The DoD ID number is now intended to be known by the individual to whom it belongs and is used for personal access to systems, on forms, in digital signatures and for other uses typical of physical and technical identification processes. The expanded use of the DoD ID number led to questions regarding its status as personally identifiable information (PII).
PII refers to information that can be used to distinguish or trace an individual's identity. The definition of a record and system of records under the Privacy Act makes it clear that any "identifying number assigned to the individual" triggers provisions of the Privacy Act if the record is retrieved using a unique identifier. The loss or disclosure of the DoD ID number is considered low risk with respect to identity theft or fraud. Nevertheless, the Office of Management and Budget definition of PII clearly indicates that the DoD ID number is PII, regardless of its low risk of compromise. To ensure that the DoD ID number maintains its low-risk category as PII and does not become a vulnerability like the use of an individual's Social Security number (SSN), a high-risk personal identifier, the DoD ID number will only be used as one factor in a multifactor authentication process. In this way, knowledge of the DoD ID number alone does not grant access to records unless accompanied by another factor such as a PIN or biometric.
The DoD ID number is not to be shared with organizations, agencies or corporations outside of DoD unless such use is established by a memorandum of understanding (MOU) with the DoD to implement a necessary DoD business activity. Such MOUs are administered by the Defense Manpower Data Center (DMDC) and include, at a minimum, provisions ensuring that the recipient uses the DoD ID number as one part of a multifactor authentication and does not share the information unless granted permission by DMDC. These rules are codified in a naval message released by the DON CIO, Feb 12, "Department of the Navy Social Security Number Reduction Plan Phase Three."
It is common practice today to use digital signatures, which contain an individual's DoD ID number, on documents and emails. These documents and emails, when sent outside the department, may be made public in the authorized release of records, thereby exposing the DoD ID number.
The DoD ID number, by itself or with an associated name, shall be considered internal government operations-related PII. Since the loss, theft or compromise of the DoD ID number is low risk for possible identity theft or fraud, a PII breach report will not be initiated unless accompanied by other PII elements, such as date of birth, birthplace or mother's maiden name, which would normally require a report to be submitted.
For more information:
For more Privacy Tips, visit: www.doncio.navy.mil/ContentView.aspx?id=906