The DON SSN Reduction Plan Continues
By Steve Muck - Published, October 27, 2011
The Department of the Navy is eliminating the unnecessary collection of Social Security numbers (SSNs) to protect personally identifiable information (PII). The SSN in any form, including truncated, masked, partially masked, encrypted or disguised, is ubiquitous and is a key data element used to commit identity fraud.
The DON is eliminating SSN use where it is not necessary, or replacing it with another unique identifier, such as the Department of Defense identification number (DoD ID), which is associated with an individual's name. This article summarizes the department's SSN reduction efforts.
Phase 1 began in August 2010 with the release of a naval message issued by the DON CIO DTG 192101Z JUL 10: "DON Social Security Number Reduction Plan for Forms Phase One."
The message states that all DON forms managers must:
• Identify and review all official forms that collect SSNs;
• Justify continued use of SSNs, with a flag officer or Senior Executive Service (SES) employee validating and signing a Secretary of the Navy (SECNAV) 5213/1 SSN Reduction Review form for each official DON form to be used;
• Eliminate the SSN component from the form or eliminate the form itself;
• Identify and eliminate, or make official, all "bootleg" forms (see section below for information on this topic) that collect SSNs and consequently have not been approved by a forms manager;
• Post all official forms to the DON Naval Forms Online website at https://navalforms.daps.dla.mil; and
• Provide the date the justification is completed for forms that continue to collect SSNs.
Status: Two rounds of reviews initiated with work still in progress. In almost every command review, 50 percent of the forms found to collect SSNs were either eliminated or the SSN component was removed from the form.
Phase 2 began in June 2011. All DON information technology system owners were notified that they must: identify and review all DON IT systems that collect SSNs; justify continued use of SSNs, with a flag officer or SES employee signing a memo for each IT system; post the signed memo to the DoD IT Portfolio Repository-DON (DITPR-DON); and ensure all SSN/PII questions are accurately reported.
Status: Early results of the review are positive. DITPR-DON privacy data accuracy improved. Each reporting command shows an average 20 percent reduction in the number of IT systems that collect SSNs.
Phase 3 implementation will result in the elimination of SSNs from forms, electronic collections, surveys, spreadsheets and hard copy lists that continue to rely on SSNs as a unique identifier. The DON is waiting for the release of a Defense Department instruction regarding reduction of SSN use in the DoD before implementing this next phase. The instruction will provide guidelines regarding the substitution of the DoD ID number for the SSN in many DoD and DON business processes. Phase 3 will also place restrictions on the use of memorandums, email, spreadsheets, electronic reports and hard copy lists that contain SSNs.
Status: The Defense Department is performing a final review of the instruction prior to publication in the Federal Register. The DON will announce implementation of Phase 3 after the release of the DoD instruction.
What is a bootleg form?
Have you ever wondered if a request for your SSN on a Defense Department form is an authorized collection? Forms that are not official are also referred to as bootleg forms. Here are some things to look for to determine if the form is official:
• Does the form have a form control number, such as "SECNAV 5211/1," on the bottom of each page?
• Does the form display the date it was created?
• Does the form, which has been pre-populated with PII, include the privacy warning, "FOR OFFICIAL USE ONLY – PRIVACY ACT SENSITIVE: Any misuse or unauthorized disclosure of this information may result in both criminal and civil penalties" within the body of the form?
• Does the form, which requests PII directly from the user, have a Privacy Act Statement (PAS) within the body of the form on the last page? A PAS includes:
    • The authorizing authority (usually a law or statute) for collecting privacy information;
    • The purpose of the form (e.g., why the privacy information is being collected);
    • The routine users of the form and any system of record notice published, if applicable; and
    • Disclosure rules — such as what happens if the requested PII is not provided.
Bootleg forms should be sent to your forms manager for review. If you do not have a forms manager, contact your legal department or email the DON forms manager Barbara Figueroa at email@example.com for assistance.
Steve Muck is the privacy lead for the Department of the Navy Chief Information Officer.