In accordance with federal laws requiring agencies to establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of personally identifiable information, the Department of the Navy (DON) continues to make progress in reducing the use of Social Security numbers (SSN) in business processes under the department's control.
As the department’s Senior Military Component Official for Privacy Safeguards, the DON Chief Information Officer has instituted a series of policies and steps that commands must apply to information technology systems, shared drives, computer networks, email, paper records and websites to ensure the privacy of personal information. The following success story illustrates how an organization developed a strategy to significantly reduce reliance on SSNs and better protect the privacy of DON personnel.
The Naval Education and Training Command (NETC) directed a complete review of all forms, IT systems and processes to determine and establish a baseline. Each NETC form, IT system and process was reviewed and recorded. The review identified:
- Where SSNs were collected;
- What authority allowed continued SSN use;
- If SSNs could be eliminated, masked or truncated; and
- If SSNs could be replaced with the Department of Defense identification number or other unique identifier.
The goal was to reduce the collection and use of SSNs to the bare minimum across the command without negatively affecting the NETC mission. A program manager was assigned, teams were established, charters were developed, timelines were created, and processes were validated. After eight months of hard work, NETC was able to:
- Justify continued collection of SSNs in specific required instances;
- Begin replacing SSNs with DoD ID numbers;
- Eliminate the collection of SSNs where possible;
- Crosswalk SSNs and DoD ID numbers to allow substitution in IT systems; and
- Coordinate substitution with interfacing IT systems.
NETC rejected the notion that substituting an SSN with another unique identifier "is too hard." Instead, the NETC team established a baseline, determined their resources, and discovered ways to significantly reduce the collection and use of SSNs. As a result of their efforts, the NETC team considerably improved the protection of DON employees' privacy. The process is ongoing and significant progress continues in reducing the use of SSNs.
Commands that would like to benefit from the experience NETC has gained through this process may contact Ivan Rivas at email@example.com. Additionally, SSN reduction resources can be accessed on the DON CIO website: www.doncio.navy.mil/privacy.
The DON's Three Phase SSN Reduction Plan
Phase 1: In July 2010, the DON Chief Information Officer (CIO) released DON CIO Washington DC 192101Z Jul 10, “Department of the Navy Social Security Number (SSN) Reduction Plan for Forms Phase One,” requiring commands to:
- Review all DON forms to identify those that collect SSNs and justify continued collection if necessary; and
- Identify forms that are not official DON forms and discontinue or take steps to make the form official.
Phase 2: In June 2011, the DON CIO issued a tasking for commands requiring:
- Review of all IT systems to identify those that collect SSNs;
- Justification to continue collection of SSNs in accordance with the Justification Memo for the Continued Collection of the SSN issued by the DON CIO and available at www.doncio.navy.mil/ContentView.aspx?id=2423;
- Identification of those systems that could eliminate collection; and
- Identification of those that could substitute another unique identifier.
Phase 3: In February 2012, “Department of the Navy Social Security Number (SSN) Reduction Plan Phase Three,” DON CIO Washington DC 171625Z Feb 12, (www.doncio.navy.mil/ContentView.aspx?id=3757) was released and:
- Authorizes the use of DoD ID numbers as substitutes for SSNs;
- Requires that collection of SSNs in memorandums, letters, spreadsheets, hard copy lists, electronic lists and surveys meet acceptable use criteria and other Privacy Act considerations;
- States that any form of an SSN will now be treated with the same sensitivity as the full SSN and considered a reportable breach if compromised;
- Prohibits SSNs in rosters; and
- Provides new policy when scanning and faxing PII.
In November 2012, the DON CIO revised the fax policy to make it less restrictive with the release of “Department of the Navy Fax Policy,” DON CIO Washington DC DTG 081745Z NOV 12 – www.doncio.navy.mil/ContentView.aspx?id=4267.
Steve Muck is the Department of the Navy deputy privacy officer.
Steve Daughety provides support to the DON Chief Information Officer privacy team.