Email this Article Email   

CHIPS Articles: DON Employee Challenges use of Unauthorized DoD "Form"

DON Employee Challenges use of Unauthorized DoD "Form"
By Steve Muck - April-June 2011
The Department of the Navy is working to eliminate the unnecessary collection of Social Security numbers (SSNs) to protect your personally identifiable information (PII). The SSN is ubiquitous and one of the key data elements used to commit identity fraud. The DON has embarked on a plan to reduce the use of the SSN by eliminating it where it is not needed or replacing it with another unique identifier (e.g., the Department of Defense identification number/Electronic Data Interchange-Personal Identifier (EDI-PI)) associated with an individual’s name.

The following is a recent success story that highlights the actions an individual took to challenge the use of a form that appeared to be an unauthorized collection of PII. It is very likely that business processes within your organization are repeating a scenario similar to this. This success story should serve as a reminder to all that only approved collections of PII are authorized.

The command security manager approached his command's privacy official presenting what appeared to be a routine form and asked if it was an authorized collection of PII. The privacy official noted that the form had a Privacy Act Statement at the bottom of each page, but did not appear to be an approved DoD form because it was lacking a form number. The command staff was sensitized to the use of unauthorized forms as part of the DoD/DON SSN Reduction Plan; therefore, several staff members were reluctant to provide the information because it asked for full name, full SSN, and other PII to be used for controlled space access.

The DON privacy official contacted the DoD forms manager who agreed that the form did not appear to be official. The DoD forms manager then contacted the head of the security office responsible for the form, who is now in the process of either eliminating the form or making it an official standard form (SF) or Defense Department (DD) form. To make the form official it must be reviewed by the DoD forms manager and DoD privacy official. If PII is collected on the form, a Privacy Act Statement (PAS) must be created. If SSNs are collected on the form, there must be an approved justification that cites one of 12 valid exceptions (view "Approved Use Cases for Systems Collecting SSNs") that allow its continued use. The approved justification is an auditable record and must be signed by a flag or Senior Executive Service member, or “By Direction” authority. The forms review process is the same for all DON controlled forms.

Bravo Zulu to the personnel who alerted their privacy official that there may be a problem with PII collection using what appeared to be a routine form. Personnel should challenge any form that collects PII, does not have an official form number, and an attached Privacy Act Statement. By properly managing official forms, exposure and use of PII will be greatly reduced, and commands will be compliant with existing privacy laws and regulations.

Steve Muck is the DON CIO privacy team lead.

Related CHIPS Articles
Related DON CIO News
Related DON CIO Policy

CHIPS is an official U.S. Navy website sponsored by the Department of the Navy (DON) Chief Information Officer, the Department of Defense Enterprise Software Initiative (ESI) and the DON's ESI Software Product Manager Team at Space and Naval Warfare Systems Center Pacific.

Online ISSN 2154-1779; Print ISSN 1047-9988
Hyperlink Disclaimer