The following is a recently reported compromise of personally identifiable information (PII) involving the improper disposal of human resources documents. Incidents such as this will be reported in each CHIPS magazine to increase PII awareness. Names have been changed or removed, but details are factual and based on reports sent to the DON CIO Privacy Office.
Some time between late February 2009 and mid-March 2009, three boxes were discovered in a recently vacated office. The office had been completely stripped of all furniture, supplies and equipment in preparation for another office code to move in. The empty office was unlocked and probably remained so until the movers arrived with the new office equipment. The boxes contained more than 240 employee records, with Social Security numbers, home addresses and other personal information dating back to the early 1980s. All personnel in the building were questioned, but no one claimed to have any knowledge of how the boxes appeared in the empty office.
This incident is a privacy official's worst nightmare: Old records containing high-risk PII in an unlocked office that no one could account for. Like most PII breaches, this one could have easily been prevented.
Additional privacy protection information can be found on the DON CIO Web site: www.doncio.navy.mil.
• Office moves are common and present unique challenges when moving paper and electronic records. The command privacy official should ensure that all personnel involved in an office move take extra precautions when packing, shipping and relocating records that contain PII.
• Develop a moving plan and ensure PII safeguard considerations are factored in.
• Human resources, law enforcement, medical, administrative, legal and financial offices are especially vulnerable to this type of PII compromise/loss due to the personal records that these offices maintain.
• All vacated offices should be locked.
• Remember that PII has a very long shelf life and can be used fraudulently even after a person is deceased. Commands should develop and implement a document destruction policy following guidelines issued in the DON Records Management Manual (SECNAV M-5210.1) available from the DON CIO Web site, www.doncio.navy.mil, under the Policy and Guidance tab.
• Most documents can be destroyed after five years.
Steve Muck is the DON CIO privacy team lead.