Dumpster Diving Uncovers Personal Information in Navy Trash and Recycling

By Vicky Falcón
NAVAIR Public Affairs Office

The Naval Audit Service has been ‘dumpster diving’ this past year, according to a message from that organization. What they found was a lack of understanding of the Privacy Act of 1974, which establishes protections for Americans whose Personally Identifiable Information (PII) is collected by government and businesses.

The auditors found official documents bearing thousands of names, social security numbers, and other elements of PII of both uniformed and civilian personnel in the recycling and trash at a number of Navy installations.

“I’m sure it’s an issue here, as well,” said Mary Ellen Evans, Privacy Act Officer for NAWC-AD. “We need to do a better job of safeguarding our information because you don’t know who’s looking through your trash.”

According to the Naval Audit message, one of the biggest problems they encountered was the amount of PII left unprotected in the recycling bins on base. Recyclable material containing PII is often sent to paper mills for recycling without being rendered unrecognizable (i.e., shredded), as it should be before leaving base.

The recycling center at NAS Patuxent River sorts paper by type, but does not shred the material. Weyerhaeuser, an international paper company that has the recycling contract at Pax River, picks up the recyclables and takes them to Baltimore, where they are sorted again and then sold to different paper mills – some of them international companies.

JD Greene, NAWC-AD Security Director, is aware of the potential security risk and has already begun investigating improved shredding and recycling options for Pax River.

“Whether recycles hold privacy act information or operationally sensitive information, we need to eliminate the risk of it getting into the wrong hands,” said Greene.

Pete Riester agrees. Riester is the director of NAVAIR security, and is in the process of developing a new NAVAIR policy for handling FOUO (For Official Use Only), PII and other sensitive information.

“Our goal is to create a single consolidated policy that addresses the handling of all sensitive materials,” said Riester, who is working closely with FOUO personnel and Frank Faust, the NAVAIR Privacy Act Administrator.

“Our end goals are the same,” he said. “We want to protect all of NAVAIR’s sensitive information.”

According to Faust, that overarching policy will comprise credible, uniform standards for protecting data, as well as answer the ‘hows’ of complying with a new NAVAIR Instruction written by the NAVAIR Privacy Act Coordinating team. That instruction should be approved and released this year.

“Employees need to know that an awareness effort is underway,” said Faust. “The law, and the Department of Defense in implementing that law, establishes standards and sets expectations. We are implementing those standards with a NAVAIR instruction. Until that is complete, common sense should rule the day.”

So how can you tell if the papers on your desk or in your recycle bin have PII?

Specific items that are considered PII are found in the Secretary of the Navy Instruction 5211.5E, dated 28 December 2005. It states that PII is any information or characteristic that may be used to distinguish or trace an individual’s identity, such as their name, Social Security number or biometric records. It also includes, but is not limited to, home address, date of birth, credit card or charge card account number, education, financial transactions, medical history, criminal or employment history, and any other personal information which is linkable to an individual.

Navy guidance states that documents and other material containing PII should not be discarded intact into trash cans and waste bins. Hard copy documents should always first be destroyed by shredding, burning or other methods that render the document beyond recognition or reconstruction.

“We need to sensitize folks that this continues to be an issue and will always be an issue,” said Faust.

The first step in that task, he explained, is education.

“Training for all personnel using PII is underway,” he added, “as is a standardized orientation for all new employees.” Faust said Privacy Act refresher training is also being planned.

Mary Wedel is the Privacy Act Coordinator for NAWC-WD, where they are establishing a Privacy Act Committee that will include representatives from each competency.

“We are working on a draft revision of our own Privacy Act Instruction,” said Wedel, “and will use that to educate our personnel in how WD will handle PII.”

“The key,” said Evans, “is to review your internal business practice and then make changes as necessary.”

According to Evans, papers containing PII should be shredded, preferably by a cross-cut shredder, or put in a burn bag to be destroyed.

NAVAIR headquarters transports 100-150 burn bags weekly to be destroyed at a burn facility in Washington, D.C.

If you don’t have access to a shredder or burn bags, Evans suggests you put your sensitive information into an envelope and secure it until you can dispose of it properly.

Faust agrees. “We need to ask ourselves, ‘Is this information something that needs to be protected?’ and then take care of it if it is,” he said, adding, “Do we need to collect and maintain the data in the first place? Just because a particular list has always been maintained, does it have to contain PII data? Such practical changes as only using partial social security numbers or omitting personal addresses or phone numbers are real actions we should consider.”

Employees who see something suspicious or who have questions regarding PII should immediately go to their supervisor or their local Privacy Act Administrator.

For more information from the Navy regarding PII, go to: www.privacy.navy.mil. For Privacy Act Information at NAWC-AD, contact [email protected]; at NAWC-WD, contact [email protected]; at NAVAIR, contact [email protected].