Improper Disposal of HR Documents

By Steve Muck - Published, August 19, 2009

The following is a recently reported compromise of personally identifiable information (PII) involving the improper disposal of human resources documents. Names have been changed or removed, but details are factual and based on reports sent to the DON CIO Privacy Office.

The Incident

Sometime between late February 2009 and mid-March 2009, three boxes were discovered in a recently vacated office. The office had been completely stripped of all furniture, supplies and equipment in preparation for another office code to move in. The empty office was unlocked and probably remained so until the movers arrived with the new office equipment. The boxes contained more than 240 employee records, with Social Security numbers, home addresses and other personal information dating back to the early 1980s. All personnel in the building were questioned, but no one claimed to have any knowledge of how the boxes appeared in the empty office.

This incident is a privacy official's worst nightmare: old records containing high-risk PII in an unlocked office that no one could account for. Like most PII breaches, this one could have easily been prevented.

Lessons Learned

  • Office moves are common and present unique challenges when moving paper and electronic records. The command privacy official should ensure that all personnel involved in an office move take extra precautions when packing, shipping and relocating records that contain PII.
  • Develop a moving plan and ensure PII safeguard considerations are factored in.
  • Human resources, law enforcement, medical, administrative, legal and financial offices are especially vulnerable to this type of PII compromise/loss due to the personal records that these offices maintain.
  • All vacated offices should be locked.
  • Remember that PII has a very long shelf life and can be used fraudulently even after a person is deceased. Commands should develop and implement a document destruction policy following guidelines issued in the DON Records Management Manual (SECNAV M-5210.1).
  • Most documents can be destroyed after five years.

Steve Muck is the DON CIO privacy team lead.

TAGS: IDManagement, Privacy