The Department of the Navy continues to implement guidance to better safeguard personally identifiable information (PII) by reducing or eliminating the collection, use, display and maintenance of a Social Security number (SSN) where possible. During the past 18 months, the DON has implemented two phases of its SSN reduction plan and is initiating procedures for the third phase. Results of this department-wide effort are detailed below.
During Phase 1 of the SSN reduction plan, all official DON forms collecting SSNs were reviewed and justification was required for the continued collection of SSNs. This phase further required eliminating all unofficial forms that collect PII and posting all official forms to the Naval Forms Online data repository. After reviewing more than 26,000 forms, Navy and Marine Corps forms managers eliminated the collection of a SSN by 44 percent. Phase 2 required review and justification for continued SSN collection and use for all information technology systems registered in the Department of Defense IT Portfolio Repository (DITPR)-DON and Defense Health Program System Inventory Reporting Tool (DHP-SIRT). Navy and Marine Corps information technology system program managers and privacy officials identified 45 IT systems that can either eliminate or substitute a SSN with another unique identifier. To date, both reviews have resulted in significant reductions of SSN collection, use, display and maintenance.
By January 2012, Phase 3 of the SSN reduction plan will be implemented across the department. This next phase will provide the means to substitute the electronic data interchange personal identifier, now referred to as the DoD identification number, in place of a SSN where possible. Phase 3 will also place restrictions on using a SSN in memorandums, letters, spreadsheets, and hard copy and electronic lists. Faxing documents containing a SSN will also be restricted.
PII breach metrics suggest that SSN reduction efforts are working. Breaches involving SSNs have declined by 20 percent during the past 12 months. While these efforts have or will significantly reduce SSN use, there is still more work to be done. Owners of systems and forms citing interaction with other DoD or DON systems as a reason for continued use of SSNs must regularly review the requirement and reduce or eliminate SSN use when a change in the other system makes it possible. For a list of the approved use cases for systems collecting SSNs, please go to the DON CIO website: www.doncio.navy.mil/ContentView.aspx?id=1833.
Steve Muck is the privacy lead for the Department of the Navy Chief Information Officer.