PII and Records Management
By DON CIO Privacy Team - Published, November 4, 2009
A successful command privacy program must include an aggressive records review and disposal component. While hard copy files cannot be ignored, the volume of electronic data files is a much larger issue and must be aggressively addressed by local commands/units.
Personally Identifiable Information (PII) is inextricably linked to records management. PII is stored on virtually every DON-owned or leased computer and includes both classified and unclassified files. Careful management of this sensitive data will prevent potential data breaches in the future. A key reference in managing records review and disposal is the Department of the Navy Records Management Manual (SECNAV M-5210.1). This Privacy Tip highlights the need for commands to develop clear guidance for the collection and retention of PII as an integral part of their records management program.
Some valuable tips when managing your PII records disposal program are:
- PII and records management are an all-hands responsibility.
- For non-federal records, always apply the "golden rule," "If you don't store it, you can't lose or compromise it." If it is a federal record, you must maintain it IAW its National Archives approved disposition.
- Use the SECNAV Records Management Manual (SECNAV M-5210.1) to identify when documentary material, including email, are considered official records. Retain these records until destruction/deletion is authorized IAW the SECNAV M-5210.1. The SECNAV M-5210.1 contains the DON's disposition schedules approved by the National Archives.
- Proper electronic and paper file disposal enhances network security, minimizes physical storage costs, and frees up valuable network storage space.
- PII and records disposal programs must include procedures for all personnel who permanently detach from their respective command/units.
- The user/owner of files is responsible for screening both electronic and hard copy files for unnecessary PII collection and does so on a routine and ongoing basis.
- All personal email, personal correspondence and personal electronic files that do not qualify as federal records shall be clearly designated as such and shall at all times be maintained separately from the office's records. Delete or destroy when the documents are no longer needed or the member is permanently leaving the command.
- Local procedures will include an annual record's review, disposition of content and electronic files/account delegation.
- Command records managers in consultation with privacy coordinators should ensure that federal records are not inadvertently deleted. When questions arise, they should work with their higher echelon records manager, local counsel or Staff Judge Advocate to resolve.
- When there is any question regarding whether or not to retain a specific document, email or file, users should err on the side of retention.
- Commands/units should inform new employees of their responsibility to maintain data/records, how to properly store, file and dispose of records, as well as their PII handling responsibilities.
- Web-based training for PII handling is available for Navy personnel on Navy Knowledge Online, as a PDF on the DON CIO website, and for Marine Corps personnel on Marine.net.