
PII: Our Collective Obligation to Keep the Air Force Secure

  In celebration of National Data Privacy Day on January 28th, our office sat down with Mr. LaDonne White, Air Force Privacy and Civil Liberties Officer (GS-14, DAFC), to discuss an area of continued concern for the Air Force: Personally Identifiable Information (PII). 

In the interview, Mr. White emphasizes Airmen’s individual and collective obligations to safeguard, control, and manage the handling of PII. He also explains the common mistakes behind breaches, the danger they bring to personnel, operational security and mission assurance, and the best practices to prevent them.



Sarah Pascual (SP): Can you tell me about yourself, overview of your role and what it means to be a Privacy and Civil Liberties Officer?

LaDonne White (LW): I’ve worked in privacy for the federal government as a civilian for nine years and prior to that two years while I was active duty.  

It’s my job to plan, organize, and direct all the activities of the Privacy office to ensure that [the Air Force] complies with all legal, statutory, and regulatory requirements and meets the customers’ needs, which include all active duty members, reservists, civilians, contractors, and both domestic and foreign officials. The Air Force has to be transparent with what information is collected. 

I establish, review and revise policies and procedures, mission objectives, organization design to eliminate current problems, implement quality improvements, and respond to any concern when it comes to regulatory or statutory compliance.

It’s a lot.

[Laughs in the room]

SP: It sounds like you have a lot of responsibilities! Can you talk about individual Airmen’s responsibility in data protection?  

LW: I look at it like this: it’s the law. That should resonate with all our Airmen. If we’re going to collect information, there are laws in place that tell us how we’re going to protect [Airmen], and we need to assure that we are vigilant in everything, every piece of PII that we collect on our folks. 

It’s so often that we look at it as, “Oh, it’s just my social security number, who cares? That information has been breached already.” There are ways that you can be made whole, when your Social Security Number is stolen.

But there is information on our fellow Airmen, that I may know, a supervisor or a commander may know, that we don’t want getting out of our organization or out to the units. That [information] could somehow disrupt the continuity of the operations and the trust that we have for each other.

SP: Why are we talking about data protection now? This law was enacted decades ago, why is this a hot topic now?  

LW: When the Privacy Act of 1974 was established, [data] was just on paper and [voice] recordings. Now, we have so much of our information in IT systems. That data travels, not just across the Air Force and my organization, but across the entire Department of Defense and the federal government. There are a lot of individuals out there who want to do us harm—malicious actors who want to get that information, sell it and trade it, to use it for malicious purposes. [So it is important for us to show that any information given that we collect, we protect it at the highest level based on what that information warrants to ensure that these individuals don’t do us harm.]

SP: So, this goes beyond the identity theft issue...

LW: Right, this is an OPSEC [operations security] issue, as well. Think about the individuals who want to do harm to our Airmen; how could a roster of personal addresses potentially bring harm to our Airmen if it falls into the wrong hands? What if it falls into the hands of a member of ISIS? Or to countries who sponsor other terrorist groups?

I consider PII – home address, phone number, personal email – to be “high impact PII” because your family is there [can be affected]. And that’s why we’re talking about it now.

SP: What is one misconception that Airmen have about data protection?

LW: “It’s no big deal, I’ve seen this before - OPM, Target, Equifax, etc.” After a while people become numb to the news. Then, people take shortcuts because you say to yourself, “Nothing has really happened to me, so it’s not a big deal what I do here because the information is already out there.”  

There are reasons for data breaches. Not every breach is the same. While the OPM [hack] might have had underlying security issues, Target and Equifax have financial ties. [The hackers] knew exactly what they were looking for when they were searching. Because they can’t target one particular data file of an individual, they grab everything and start sifting through it.

What our Airmen have to understand is that there’s information that we have in our personnel files, disciplinary files, award files, evaluation [files], that [if spilled or leaked] can cause harm to someone’s reputation, cause embarrassment or inconvenience. The spill can affect unit effectiveness and can create a toxic work environment. When people see that personnel file that should’ve been private, people think the worst of you. That individual becomes discriminated against based on the spilled PII and their co-workers and fellow Airmen lose trust.

SP: Are there common mistakes that you see?

LW: Airmen provide information [via] email to individuals who don’t have the need-to-know. That’s the biggest thing we have right now with our breaches. We have individuals who are emailing huge data rosters that were downloaded out of personnel file systems. One recent breach occurred when an email was sent with the names and SSN of over 19k to a Commander who did not need to know the SSN. This is one of the issues that we brought up to Senior Leadership. We’re developing new innovative training as well as targeted training to remind our Airmen of their responsibility to protect Privacy information.  

SP: Can Airmen rely on technology to prevent their mistakes, assuming Airmen are inadvertently sending PII via email?

LW: We have technology called the DSET (Digital Signature Enforcement Tool).  

SP: The popup message in Outlook!

LW: Yes. It detects that the email has an attachment and will ask the user if it has PII before sending. If the user clicks yes, it will encrypt the email. The issue is that the recipient doesn’t have their signature or certificates set up. Rather than sending the document through a different means, like AMRDEC (Aviation and Missile Research Development and Engineering Center) [Safe Access File Exchange], which is a secure way to send PII, people click “No” indicating they don’t have PII.

That’s a problem because you’re told via the AFI, via the pop up on your computer every time you reboot your computer that you can only send PII encrypted. Okay? I’m not talking about Gmail accounts and things outside of the network because we can’t send it out there anyway. Even though it’s .mil to .mil, to be vigilant, I have to make sure that I’m sending it to you encrypted. If that information does leave the network, even though there is a layer of encryption there within the network, there’s not 100% guarantee that that information is not being seen by someone outside of our network which is why we must encrypt it [email with PII].

SP: You talked about training earlier. Where can Airmen find information, resources, or additional training about PII and data protection so that they are aware of their responsibilities and ensure they are compliant?  

LW: We used to have Privacy Act and PII training in ADLS (Advanced Distributed Learning Service). It was removed from mandatory training to give Airmen their time back. We are working on finding an alternative way to provide Airmen the right information. Right now, I rely upon my privacy managers and commanders – I have a bi-weekly telecom with them to know what information to push out to the Airmen. I have my training slides, which were on ADLS. DISA (Defense Information Systems Agency) has a training site, which Airmen must take as disciplinary action, rather than prior to access to a system. 

US Code 552a, OMB A-130, OMB Memo 17-12, and AFI 33-332 outline what organizations should do in order to protect data.

SP: What message would you suggest managers and commanders emphasize to their team/squadron?  

LW: I would suggest managers and commanders tell their [Airmen] to treat PII as you would classified information. I would say, “Listen, although you might think this isn’t a big deal, it can have an adverse effect on your co-workers. The data we usually deal with affects the Air Force as an organization, but PII extends to our personal lives, our families.”

I would like the troops to know that how we handle PII not only affects you or the person next to you, but also your families. I would say, “We must be vigilant, make sure we have the right safeguards in place. Only collect information that is needed and [that we] are allowed to collect.”

There are laws and regulations that outline what authority [data collectors and processors] have to certain information and how long we’re supposed to maintain it. This is law. We have to abide by the rules set by the Privacy Act.

SP: I agree, we all have to be aware of the gravity of safeguarding PII and that it extends to our families.

LW: May I just add, there are severe penalties if you willingly and/or knowingly violate [the Privacy Act]. You can face up to 5 years in prison and a five thousand dollar fine per incident.

SP: So, if I have a roster of 20 people, that’s 20 incidents?  

LW: Exactly. One can face federal court or receive a letter of reprimand. It depends on the offense. For civilians, there are punitive measures outlined in AF36-704. Same thing, punitive steps. If you do this the first time and it’s an accident, we slap your hand; but if it looks like you’ve done something on purpose—I’ve seen individuals fired for one offense.

SP: So, we must be thorough in marking documents with the right classification.  

LW: If I receive an email from you and there’s no FOUO marking in there, why do I think it’s classified? Or why do I need to encrypt it? How would I know there’s something sensitive in there? Because we didn’t label it as such, I’m just going to forward it to the next person, and the next person, and the next person. It should be our job to go through every email that we receive to ensure we are not forwarding PII without the right protection.

SP: Well said. Well, that’s all the time we have. Thank you so much for doing this interview.

LW: You’re welcome!

For additional resources on Privacy Act, please visit http://www.privacy.af.mil/.
