TO: Stephen M. Beard
Deputy Assistant Inspector General for Audits

FROM: Michael E. Bartell
Chief Privacy Officer (CPO)
Chief Information Officer (CIO) and
Director, Division of Information Technology (DIT)

Arleas Upton Kea
Director, Division of Administration

William F. Kroener, III
General Counsel

DATE: December 16, 2005

SUBJECT: Response to OIG Draft Report Entitled FDIC Safeguards Over Personal Employee Information (Assignment No. 2005-048)
Thank you for the opportunity to respond to your draft audit report entitled FDIC Safeguards Over Personal Employee Information. We are commenting together on the various aspects of the draft report (rather than separately concerning issues within the scope of our respective divisions) because of the highly cross-divisional nature of all the issues involved and the importance of privacy matters to the Corporation in general.
We have carefully considered each of your 15 recommendations suggesting how the FDIC may further protect personal employee information. In summary, we concur with all 15 of the recommendations. Our full response to each recommendation is provided below.
Recommendation #1
That the CPO and General Counsel develop and issue an overarching privacy policy to include:
- coordination and reporting responsibilities and expectations among the CPO, the Privacy Act Clearance Officer and FOIA/Privacy Act staff, and SORN system managers;
- references to other relevant privacy and information security directives;
- key roles and responsibilities including SORN system manager responsibilities; and
- definitions for information subject to the Privacy Act and for other sensitive information terminology, such as “personally identifiable information,” and “information in an identifiable form.”
Response to Recommendation #1
We concur with this recommendation. Prior to the initiation of this audit, the FDIC had a November 30, 2005 target for completing the framework approach that would then be used to conduct the review and consolidation of existing privacy directives and policies. This information was reflected in the monthly Privacy Program status reports provided to the OIG audit team during fieldwork. The actual review of directives, policies, Web sites, etc. will be an extensive effort and require a large resource/time commitment. As such, the completion of the review and consolidation effort is expected by September 15, 2006. The resulting documentation will include:
- coordination and reporting responsibilities and expectations among the CPO, the Privacy Act Clearance Officer and FOIA/Privacy Act staff, and SORN system managers;
- references to other relevant privacy and information security directives;
- key roles and responsibilities including SORN system manager responsibilities; and
- definitions for information subject to the Privacy Act and for other sensitive information terminology, such as “personally identifiable information,” and “information in an identifiable form.”
While we recognize that the OIG has suggested that the FDIC Privacy Program Working Group accelerate their efforts to accomplish this review and consolidation effort by December 8, 2005, it is the FDIC’s position that existing policy is sufficient to meet the intent of Section 522 until the comprehensive review is completed and an overarching privacy directive is drafted, if necessary. As such, current FDIC privacy policy already satisfies the Section 522 stipulation to have implemented comprehensive privacy and data protection procedures and strategies by December 8, 2005.
Recommendation #2
That the CPO and General Counsel revise and republish the SORN for the Unofficial Personnel System to include updated, accurate:
- information about records maintained;
- references to FDIC offices, system managers, and safeguards over information; and
- identification in the System Location section of information being maintained by contractors or vendors.
Response to Recommendation #2
We concur with the recommendation to revise and republish the System of Records notice for the Unofficial Personnel
System (30-64-0015) as required by subsection (e)(4) of the Privacy Act of 1974 (5 U.S.C. § 552a). We are presently
conducting a comprehensive review of the current Unofficial Personnel System notice to ensure that personal information is
handled in full accord with privacy law and policy. This review will ensure the accuracy and completeness of the notice with
particular emphasis on changes in technology, function, and organization that may have made the notice out of date. This review
will also focus on routine use disclosures under 5 U.S.C. 552a(b)(3) to ensure they continue to be necessary and compatible with
the purpose for which the information was collected. A draft of the revised System of Records notice is expected by March 31, 2006.
Subject to approval by the Board of Directors, it is expected that the revised System of Records notice will be published in the Federal
Register by September 15, 2006, in accordance with the procedures in OMB Circular A-130, Appendix I.
Recommendation #3
That the CPO and General Counsel determine whether records detailed in the SORN for the Unofficial Personnel System should be republished as separate, individual systems of records.
Response to Recommendation #3
We concur with the recommendation to determine whether any group of records included as part of the current Unofficial Personnel System notice should be republished and managed as a separate system of records pursuant to subsection (e) of the Privacy Act of 1974 (5 U.S.C. § 552a). The scope of review for the current Unofficial Personnel System notice will include a thorough reexamination of the purposes, routine uses, and security requirements of each group of records covered by the notice. This review is designed to ensure that all groups of records are evaluated to determine whether they continue to be compatible and appropriately combined. A draft of any new System of Records notice(s) is expected by March 31, 2006. Upon approval by the Board of Directors, the revised System of Records notice will be published in the Federal Register in accordance with the procedures in OMB Circular A-130, Appendix I.
Recommendation #4
That the Director, DOA in conjunction with the General Counsel prepare a standard Privacy Act contract clause for use in all contracts involving Privacy Act information.
Response to Recommendation #4
We concur with the recommendation to prepare a standard Privacy Act contract clause for use in all contracts involving Privacy Act information. A standard Privacy Act clause has been developed in conjunction with the Legal Division and has been incorporated into our Standard Documents and the General Provisions. (See Attachment 1)
Recommendation #5
That the Director, DOA in conjunction with the General Counsel modify existing contracts discussed in this report to include specific references to the Privacy Act.
Response to Recommendation #5
We concur with the recommendation to modify existing contracts discussed in this report to include specific references to the Privacy Act. The DOA Acquisition Services Branch (ASB) is working to modify the contracts and the following table lists each contract and its status:
| Contract Number | Contractor or Vendor | Modify Contract to include Privacy Act Reference | Modify Contract to include Confidentiality Clause | Signed Confidentiality Agreement |
|---|---|---|---|---|
| 0100054CDX | Benefits Allocation Service (BAS)—Flexible Cafeteria Benefits Program | N/A. Initially a part of Contract. | Completed | Completed |
| 0100210CDX | VSP | Completed | Completed | Completed |
| 0100209CDX | CIGNA | (*) | (*) | (*) |
| 0100167CDX | Aon Consulting | Completed | Completed | Completed |
| 0100211CDX | MetLife | In process | In process | In process |
| 0100163CCD | Labat Anderson | N/A. Initially a part of Contract. | In process | In process |
| 0000526CJ3 | JHM | N/A. Initially a part of Contract. | In process | In process |
| 0500029BCE | Contract Consultants | In process | In process | In process |
| 0200004CPB | Ikon | In process | In process | N/A. Initially a part of Contract. |
| 0300091CVB | Cendant | In process | N/A. Initially a part of Contract. | In process |
| 0200133CJT | SatoTravel | N/A. Initially a part of Contract. | In process | In process |
| 0200248CDQ | Impact Training Systems | In process | In process | In process |
| 0100278CBK | Career Development Leadership Alliance | In process | In process | In process |
| N/A | T. Rowe Price (Trust Agreement) | In process | N/A. Initially a part of Contract. | N/A |
| 0400450TVB | NFC Interagency Agreement | N/A. Initially a part of Contract. | In process | N/A |
* CIGNA's legal department reviewed these agreements and responded as follows: “With respect to the first part of the document entitled "Privacy Act," we can sign it. The legal group reviewed the relevant federal statutes and it is our position that we are not "required to design, develop, or operate a system of records on individuals to accomplish an FDIC function," within the meaning of the statute. Thus, signing the agreement has no effect on the underlying policy. With respect to the second part of the document entitled "Confidentiality Agreement," CIGNA cannot sign it. Paragraph 3.b. would prevent CIGNA from performing services for the FDIC. If signed, then every time information on an FDIC employee was transferred to one of our subsidiaries, affiliates or third party vendors, CIGNA would need to get something in writing from them agreeing to the terms in the confidentiality agreement. This would be considered as a separate agreement. The underlying policy is a filed and approved document by the state insurance department. Accordingly, it cannot be modified. This contract modification only modifies our agreement with the FDIC, but not the underlying policy.” The FDIC Legal Division concurred with this interpretation and concurred in a modification to the standard form for CIGNA. As a health provider, CIGNA is bound by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the federal law that requires that they maintain the privacy of all patient medical and health information. The modification documentation was sent back to CIGNA for signature, but has not yet been received.
It is estimated that all contract modifications will be executed no later than January 31, 2006. The modifications will contain the newly developed Privacy Act and Confidentiality requirements as described in the response to recommendation 4 above.
Recommendation #6
That the Director, DOA in conjunction with the General Counsel require contracts which involve the electronic transmission of Privacy Act information to include encryption requirements.
Response to Recommendation #6
We concur with the recommendation that any Privacy Act information transmitted electronically should be encrypted. However, the ASB would not know the instances where Privacy Act information would be transmitted electronically between the FDIC and an outside contractor or the manner in which it should be transmitted. That requirement is best identified by the Program Office. Under the Acquisition Policy Manual, it is the responsibility of the Program Office to identify the appropriate security requirements through the Statement of Work (SOW). Further, the DOA Acquisition Policy Manual states that “IT security and monitoring requirements for contracts subject to Circular 1360.17 [Information Technology Security Guidance for FDIC Procurements/Third Parties, dated June 30, 2003] should be included in the SOW.” Given that the CPO and DIT develop privacy and data protection policy, DOA will rely on the guidance of DIT in this matter. As these standards are developed and incorporated into a SOW, they would be incorporated into the contract.
Recommendation #7
That the Director, DOA require HRB and DOF contractors listed in this report to sign contractor confidentiality agreements.
Response to Recommendation #7
DOA management concurs with the recommendation and is working to modify the contracts identified by the OIG to include the confidentiality clause as referenced in the response to recommendation 4. Please see the table under recommendation 5 for the status of these contract modifications. DOA ASB anticipates all contract modifications to be signed no later than January 31, 2006.
Recommendation #8
That the Director, DOA remind contract specialists that they should not amend contracts or waive contractor confidentiality statement requirements without Legal Division concurrence.
Response to Recommendation #8
DOA management concurs with the recommendation. In the past few months, ASB has held several training/discussion sessions with the entire staff concerning the Acquisition Policy Manual. These sessions included training/discussion focused on this issue. Also, an email reminder was sent to contract specialists December 9, 2005. (See Attachment 2) DOA management considers this recommendation closed.
Recommendation #9
That the Director, DOA ensure that regional offices employ controls over official personnel files and any other personal employee information that are equivalent to those implemented by DOA’s headquarters Human Resources Branch.
Response to Recommendation #9
DOA management concurs with this recommendation. The Human Resources Branch (HRB) will issue a memorandum to all Regional Offices by December 16, 2005 instructing the regions to: 1) specify in the SOW for the contractor-operated Official Personnel File (OPF) file rooms the tasks to be performed; 2) ensure that contractors sign confidentiality agreements; and 3) use the Automated Records Management System (ARMS) consistently to check OPFs in and out. (See Attachment 3)
However, Table 5 of the OIG’s Draft Report cites an observation regarding the HRB’s practice of transmitting the OPM Standard Form 75 (SF-75), Request for Preliminary Employee Data, by facsimile rather than by certified mail. The OIG noted that HRB officials had stated that sending SF-75s by certified mail to other agencies should be our practice. HRB management has since determined that the fax transmittal of these forms expedites the transmitting of employee information to other agencies as is preferred by these agencies. HRB, to ensure receipt, coordinates the sending and receiving of the SF-75 with the agency.
Recommendation #10
That the Director, DOA evaluate and determine whether DOA should adopt DSC’s practice of not maintaining Unofficial Personnel Files or “working files” and consider establishing a corporate-wide policy consistent with that practice.
Response to Recommendation #10
DOA management has evaluated DSC’s practices of not maintaining unofficial personnel files and the need for establishing a corporate-wide policy. DOA has determined to continue the practice of maintaining these Unofficial Personnel Files or “working files.” DOA’s administrative office in the Management Services Branch currently maintains working files on each employee within the DOA. These files contain a history of position descriptions, training authorization forms, emergency contacts, performance appraisals, SF-50s, and other documents. Employees often request access to their Unofficial Personnel File for various reasons. In addition, these files are included in the FDIC Privacy Act System of Records notice for the Unofficial Personnel System (30-64-0015) as required by the Privacy Act. The availability of the Unofficial Personnel Files would likely reduce the volume of requests for access to the OPF. In so doing, DOA reduces the possibility of compromising the OPFs and at the same time, provides a means for employees and supervisors to more efficiently and effectively access information needed on a regular basis.
From a security perspective, these files are held in a locked file cabinet inside a locked room and only the three administrative office personnel have access to the cabinet. The only people who may access an employee’s file are these three administrative personnel, the employee, and his or her supervisor. The administrative personnel also maintain a log in/log out system that tracks file access.
Finally, DOA has considered whether or not a corporate-wide policy against the practice of maintaining Unofficial Personnel Files is needed and has determined that such a policy is not needed at this time. The subject of maintaining Unofficial Personnel Files is addressed under the current Bargaining Agreement and the Corporation has complied with the notice requirements of the Privacy Act.
Recommendation #11
That the Director, DOA develop corporate guidelines detailing appropriate job tasks that interns should perform and strengthen controls over interns’ access to sensitive information.
Response to Recommendation #11
DOA management concurs that it is important to ensure that sensitive employee information is protected and we believe that proper controls are in place over student and intern access to sensitive information. All students and interns employed in the HRB participate in the Corporation’s privacy awareness training. They receive the same annual notices as other employees to complete privacy awareness training and their completion of that training is monitored. Supervisors are responsible for discussing with their students and interns the safeguarding of personal employee information at the time they are hired. Their supervisor also instructs them on and monitors their use of encryption whenever they are sending personal employee information via e-mail. Further, students and interns who are hired as year-round employees do undergo the same background investigations to which all other employees in the HRB are subject. Only summer interns receive the less rigorous background check described in the recommendation. However, if a summer intern returns to the FDIC, he or she will undergo a full background investigation, as do students who are on board for more than 180 days.
We wish to point out that it would be an impossible expectation to employ students and interns in HRB without exposing them to personal employee information. Even such routine activities as opening the mail often involve access to personal employee information. All HRB employees, including students and interns, are cautioned to maintain the confidentiality of employee data. Management considers this recommendation closed.
Recommendation #12
That the Director, DOA determine whether an employee identification number or other identifier could be used in place of employees’ SSN in the Career Management Services’ mentoring program database.
Response to Recommendation #12
DOA management concurs with this recommendation and eliminated the entry of employees’ SSN in the Career Management Services’ mentoring program database as of October 2005. All further databases transmitted to the contractor will use CHRIS identification numbers rather than SSNs. In addition, mentoring program applications for all future mentoring classes will request CHRIS identification numbers rather than SSNs from the applicants. Management considers this recommendation closed.
Recommendation #13
That the CPO revise the PIA template and completed PIAs to include a question pertaining to the opportunities system users have to decline to provide information or to consent to particular uses of information and how system users may grant consent.
Response to Recommendation #13
The CPO concurs with this recommendation and has completed the update to the Privacy Impact Assessment (PIA) template to include a question pertaining to the opportunities system users have to decline to provide information or to consent to particular uses of information and how system users may grant consent. Further, the CPO has begun to revise all existing PIAs to reflect this new requirement. All existing PIAs will be revised by April 15, 2006.
Recommendation #14
That the CPO research, including discussing with CIO counterparts from other agencies and the OMB, the feasibility, benefits, and costs of requiring that contractors and vendors who are not connected to FDIC’s network, but who maintain Privacy Act information on behalf of the FDIC, receive some form of third party information technology security review.
Response to Recommendation #14
The CPO concurs with this recommendation and will work in conjunction with DOA and Legal to research the feasibility, benefits, and costs of requiring that contractors and vendors who are not connected to FDIC’s network, but who maintain Privacy Act information on behalf of the FDIC, receive some form of third party information technology security review. This research and a report on the results will be completed by June 15, 2006.
Recommendation #15
That the CPO revise FDIC Circular 1360.17, Information Technology Security Guidance for FDIC Procurements/Third Party Products, to include security expectations, including encryption requirements, for contractors and vendors that are not connected to FDIC’s network, but that maintain Privacy Act information on behalf of the FDIC.
Response to Recommendation #15
The CPO concurs with this recommendation and will enhance the security guidance provided to contractors and vendors that are not connected to FDIC’s network, but that maintain Privacy Act information on behalf of the FDIC. The enhancements will clarify what parts of the guidance apply to these types of contractors and vendors. FDIC Circular 1360.17 will be revised with these changes by September 15, 2006.