DON SSN Reduction Plan
By Steve Muck - Published, January 21, 2011
The Social Security number (SSN) has evolved beyond its intended purpose to become the identifier of choice for many of the business processes within the Department of the Navy. While use of the SSN has become the enabler to identify and authenticate individuals, it is one of the key elements used for identity theft and fraud. Widespread use of the SSN has reached unacceptable levels and requires a department-wide effort to eliminate or reduce the collection, use, display and storage of this sensitive data element.
The SSN reduction plan will consist of two phases. Phase One is currently in progress. Phase Two will be implemented when Department of Defense guidance has been released. Details are provided below.
Phase One – Currently in Progress:
Phase Two – Awaiting Department of Defense Guidance:
- Justify continued use and collection of SSNs in all official Navy and Marine Corps forms.
- Catalog all official DON forms using Naval Forms Online: https://navalforms.daps.dla.mil.
- Eliminate all unofficial forms in use; either stop using or validate for official use. DON forms management officers, consulting with the Privacy Official, draft justifications using Secretary of the Navy Forms Management Manual (SECNAV M-5213.1) of January 2010 for all forms that fall within their area of responsibility. This includes: DD/SD forms, component-wide forms, command forms and installation forms. All reviews must include:
- Copy of Privacy Act Statement;
- Copy of official form;
- Acceptable use (from list of 12). If you use "Other Cases," you must describe;
- Actions taken to truncate, hide or mask SSN;
- Statement regarding impact to business process if SSN were to be eliminated;
- Potential for SSN to be replaced with another unique identifier;
- Justify continued use and collection of SSNs in all information technology (IT) systems registered
in the DoD Information Technology Portfolio Repository (DITPR)-DON;
- DON Chief Information Officer will submit changes to the program manager that mirror the forms review process in April 2011 to eliminate the need for a data call; and
- Data fields in DITPR-DON for IT systems with personally identifiable information (PII) must be verified for accuracy.
- Where continued use of SSNs is required, substitute another unique identifier for the SSN.
Steve Muck is the DON CIO privacy team lead.
- Without controls in place, the substitute for the SSN could become sensitive PII.
- Despite the current SSN Reduction Plan, human error will still result in the loss and compromise of the SSN.
- The DON does not control many of the forms requiring use of the SSN.
- Elimination of the SSN or substituting the SSN for another identifier will incur unfunded program costs especially with IT systems.