Protecting personally identifiable information

  • By Airman 1st Class Ryan Conroy
  • 31st Fighter Wing Public Affairs
Due to an overwhelming reliance on technology in the Department of Defense today, a surge in personally identifiable information violations has taken the Freedom of Information Act and Privacy Act office by storm.

These PII breaches open up vulnerabilities to identity theft and expose operational plans--possibly placing lives in danger.

"A lot of the times, people send out unclassified information and think it is fine," said 2nd Lt. Chase Luedeke, 31st Communications Squadron operations flight deputy. "But, a lot of unclassified information pieced together could give the enemy the whole picture and jeopardize our people and our mission."

To ensure proper protection of sensitive information, personnel should understand what requires protection and what is releasable.

Air Force Instruction 33-332 states that a PII breach is "a loss of control, compromise, unauthorized disclosure, acquisition or access, or any similar term referring to situations where persons other than authorized users and those with authorized purpose have access or potential access to PII, whether physical or electronic." Examples of information involved in these breaches include:

· Names of personnel below the grade of O-7 or civilian equivalent, unless the DOD person is a director of an organization
· Marital status
· Number, name and sex of dependents
· Civilian educational degrees and major areas of study--unless the request for the information relates to the professional qualifications for federal employment
· Home of record
· Home or mailing address and phone or mobile numbers
· Age and date of birth
· Present or future assignments for overseas or for routinely deployable or sensitive units
· Office, name, state, unit address and duty phone for overseas or for routinely deployable or sensitive units
· Race and ethnic origin
· Educational level--unless release of the information relates to the professional qualifications for federal employment
· DOD identification number

According to the FOIA/Privacy Act Office at Aviano, the top five breaches at the 31st Fighter Wing occur through:

· Emails containing PII and sent to those without an official need-to-know
  o Sending government orders to personal email addresses
  o Forwarding a list without reviewing for PII
· PII placed in recycle bins
· PII abandoned in offices
· Stolen laptop or mobile device
· Posting PII to the Web

To prevent these PII breaches, the FOIA/Privacy Act Office encourages these day-to-day practices:

· Remove all PII from documents before sending them through email, or ensure that the recipient has an official need to know
· Use the AF Form 3227 or DD Form 2923 cover sheets on PII in your work area
· Shred or destroy PII before disposing
· Ensure websites are secure and you have authorization before posting PII
· Digitally sign and encrypt all emails containing PII

"When sending personal information over e-mail, please ensure there is an official need, all the people receiving the Privacy Act information are authorized, the e-mail is encrypted and that you digitally sign the message," said Maria Basso, 31st FW FOIA/Privacy Act Office.

To protect PII, personnel must utilize the "FOUO" phrase in the subject line and apply the following statement to the beginning of the message, "This e-mail contains FOR OFFICIAL USE ONLY (FOUO) information, which must be protected under the Privacy Act and AFI 33-332."

"We depend on technology more than ever, which means most of our information is being stored on digital media," said Luedeke. "This has made it easier for our adversaries to collect PII. Our adversaries can easily exploit PII to gain critical information, stalk, or steal the identity of a person. It is everyone's responsibility to safeguard this sensitive information."

To mitigate these breaches of security, the 24th Air Force commander implemented a new standard of consequences for every PII infringement starting in October 2013. When a PII violation is reported, an e-mail is sent to the 24th AF commander, who in turn alerts the violator's base commander and locks down the violator's network access pending an investigation into the incident.

"A violator's account will only be unlocked once the first O-6 in their chain of command certifies that the individual has accomplished all necessary actions, to include remedial training," said Luedeke.

For more information on PII violations and consequences, contact the base FOIA/Privacy Act Office at 632-2752.