Privacy Act, personally identifiable information: What you need to know to protect you

  • By Robert Hughes
  • 90th Communications Squadron Knowledge Operations chief
A couple of weeks ago, my brother called me upset after just finding out he was a victim of identity theft. Without going into too much detail, another man using his name and date of birth was acquiring prescription drugs from a pharmacy in another state via his health savings plan. My brother spent an enormous amount of time trying to find out how and why this happened. He wondered if there was anything he could have done to prevent it. Maybe he could have, or maybe not. Identity theft is rampant in our society and we all must take every precaution to protect our personally identifiable information from theft.

Personally identifiable information is defined as "information about an individual that identifies, links, relates or is unique to or describes him or her such as a social security number, age, military rank, civilian grade, marital status, race, salary, home/office phone numbers, other demographic, biometric, personal, medical and financial information, etc." Now, some of this information on its own may not constitute or lead to a breach, but collectively it can cause someone serious harm if it is compromised.

Many of us use email as part of our jobs to transmit data every single day. It is a very convenient way to transmit data, but we must take precautions when sending information, especially anything that contains PII. It is recommended that we don't send PII via email if there is another means to do so. If you must send PII via email, it must be encrypted. Guidance can be found in Air Force Instruction 33-332, The Air Force Privacy and Civil Liberties Program, on rules for encrypting emails. Recently, there have been numerous incidents of personnel from bases throughout the Air Force sending PII via email without encrypting it. If you discover this has occurred, it is your duty to report it immediately to the base Privacy Act manager. There are notifications that must be made immediately.

Additionally, did you know it is illegal to send PII from a .mil account to your home email account? F.E. Warren had two incidents recently where individuals sent spreadsheets home to personal email accounts to do work. The spreadsheets contained the names, social security numbers, dates of birth and other demographic information of more than 700 personnel. There are no security measures that can be taken to protect that information once it leaves the installation. There is, however, someone watching for this specifically. The 68th Network Warfare Squadron has specific software that looks for and detects anything that resembles PII on all emails leaving a .mil address. Once they detect it, a downward notification process ensues, all the way to the base Privacy Act manager. The senior ranking commander of the unit affected is then notified, appoints an investigating officer and the investigation begins. Members can be criminally charged, imprisoned and/or fined for their mistake. The NWS has a 95 percent capture rate for these infractions.

The 90th Communications Squadron personnel also perform regular scans of the base shared drives and SharePoint to locate folders that contain PII that are not properly secured. These folders must be "locked down" by the owner and should limit access to only those who have a need to know. Storing any documents containing PII on these drives is prohibited unless properly secured.

There are various steps one can take to help secure PII:
  • Never send for-official-use-only information/PII to an email address outside of Department of Defense or Air Force channels, to include a personal account such as Yahoo, Bresnan, etc. This includes spreadsheets, databases or any other documents containing PII.
  • Emails will always be encrypted when they contain for-official-use-only information and PII. If you can't encrypt it, don't send it.
  • Use email to send PII as a last resort; when feasible, hand carry the information across base.
  • Never store PII on SharePoint or shared drives unless the information/folder is secured and only viewable by authorized personnel.
  • Never send recall rosters or other documents containing PII to workflow or organizational boxes; emails sent to these boxes cannot be encrypted.
  • AFI 33-332 contains more in-depth information on how to protect PII.
  • A Frequently Asked Questions Guide can be found at: https://warren.eis.af.mil/90msg/90cs/sco/scok/foiapa/Privacy%20Act%20Information%20Continuity/Forms/AllItems.aspx.
It is everyone's responsibility to protect PII so it cannot be used to steal one's identity. Don't just turn your back on such an incident, as your own personal information could be compromised too. If you have specific questions, please contact Dan Dial, base Privacy Act manager, at 773-6145.