Rosters are used across the Department of the Navy (DON) for many purposes, e.g., social activities, personnel recall, training, military physical readiness testing (PRT), and medical reasons such as drug testing and other types of appointments. As such, most rosters contain personally identifiable information (PII) and must be handled and safeguarded according to law and DON guidelines. When they are not, a breach can occur, which requires reporting, possible individual notification, and mitigation.
Identity theft, low morale, loss of confidence, embarrassment, time lost, and actual financial cost to the command are possible consequences. PII contained in a roster can affect DON employees — civilian, military, and contractors. In some cases, it can also affect family members and members of the public.
DON policy regarding rosters has been addressed over the years in various memoranda, articles, and privacy tips. Even though the number of PII breaches has decreased as a result, there are still too many that occur on a regular basis. This article is intended to reemphasize the proper use, handling, and safeguarding of rosters when they contain PII to further reduce the number of privacy breaches.
When creating and distributing rosters containing PII, these guidelines should always be followed:
- Use of Social Security numbers (SSN), in any form, is prohibited in rosters.
- PII collected should be kept to the bare minimum required to complete an authorized task or support mission requirements.
- A roster with PII should be accessible only to those with an official need to know the information it contains.
- Individuals should not be asked to edit and/or review their information in rosters which contain PII about other personnel.
- Rosters should be destroyed when no longer needed.
- Rosters containing PII should be marked properly. Note: New DON guidance regarding how to mark documents, emails, and spreadsheets containing PII as Controlled Unclassified Information (CUI) will be issued in the near future.
All other requirements and best practices for handling, safeguarding and transmitting PII must continue to be followed. A few of these are:
- Encrypt, digitally sign, and appropriately mark emails and other transmissions containing PII.
- Include a check of rosters in command compliance spot checks.
- If a roster containing PII is part of a spreadsheet, it is extremely important to check all tabs prior to emailing or distributing the spreadsheet to avoid a breach.
- Emphasize proper use of rosters in local command training.
- Individuals should be advised whether providing their PII is voluntary or mandatory. For example, providing birth dates for office celebrations and family/significant other phone numbers on an office recall roster is voluntary.
- Rosters should not be provided to outside parties (e.g., vendors or real estate agents) or used by government employees for personal business. This is a policy violation that would constitute a reportable PII breach.
- Contact your command privacy official to determine whether any System of Records Notice (SORN), Privacy Act Statement (PAS), or other Privacy Act requirements apply.
The ultimate goal for the DON enterprise is for everyone to become a Cyber Sentry, where personal commitment to safeguarding DON data is required by all. We will not be able to stop our adversaries from exploiting us unless everyone does their part.
For questions or concerns regarding the use of rosters, PII breach reporting, or any other privacy issue, please contact your command privacy official and/or refer to the privacy section of the DON CIO website: https://www.doncio.navy.mil.
Steve Daughety is the Privacy Lead, Cybersecurity & Privacy, in the office of the Chief Information Security Officer (CISO), Department of the Navy CIO.