Footnote 1:
The Office of Management and Budget (OMB) defines “information in an identifiable form” as information in a system or on-line collection that directly identifies an individual (e.g., name, address, SSN or other identifying code, telephone number, e-mail address, etc.) or by which an agency intends to identify specific individuals in conjunction with other data elements.
Footnote 2:
This Act is division H of the Consolidated Appropriations Act, 2005, Public Law No. 108-447.
Footnote 3:
A system of records refers to a group of records under the control of an agency from which information is retrieved by the name of the individual or by some other identifying particular assigned to the individual.
Footnote 4:
The Director, DIT, was also designated as the FDIC’s senior official for privacy for purposes of OMB’s Memorandum M-05-08, Designation of Senior Agency Official for Privacy, dated February 11, 2005.
Footnote 5:
The FDIC’s CIO Council advises the CIO on all aspects of adoption and use of information technology at the FDIC.
Footnote 6:
The OIG issued Report No. 05-033, Response to Privacy Program Information Request in OMB’s Fiscal Year 2005 Reporting Instructions for FISMA and Agency Privacy Management, dated September 2005. The report concluded that although the FDIC had taken a number of actions to protect information in an identifiable form, the FDIC needed to complete ongoing initiatives related to: (1) identifying all FDIC-maintained information in an identifiable form and taking appropriate actions to ensure this information is properly protected; (2) reviewing privacy policies and procedures to ensure they are current, comprehensive, and complete; and (3) implementing a corporate-wide training and education program, including job-specific training where appropriate.
Footnote 7:
According to the Privacy Act, the term “routine use” means, with respect to the disclosure of a record, the use of such record for a purpose that is compatible with the purpose for which it was collected.
Footnote 8:
On January 13, 2000, the FDIC approved for corporate employees a Transit Subsidy Program designed to encourage employees to use mass public transportation, thereby reducing the use of private automobiles for daily commuting. DOA manages this program.
Footnote 9:
According to the Personal Responsibility and Work Opportunity Reconciliation Act of 1996, as amended, federal agencies are to provide certain information about newly hired employees to the U.S. Department of Health and Human Services’ National Directory for New Hires. In 1997, OMB issued suggested “routine uses” statements regarding disclosure to the Directory.
Footnote 10:
IRS form W-2 is an individual’s wage and tax statement, which includes information such as name, address, and SSN.
Footnote 11:
Privacy Program Web site established as of September 9, 2005.
Footnote 12:
The solicitation package includes the request for proposal, a draft copy of the proposed contract, and the proposed SOW.
Footnote 13:
Evaluation Report No. 04-014, XBAT Contracting and Project Management, dated March 26, 2004.
Footnote *:
OPM Standard Form 75, Request for Preliminary Employment Data, is used by prospective employers to obtain pre-employment information about an applicant when the applicant’s OPF is not available for review.
Footnote 14:
OPM SF-50 (Notification of Personnel Action) constitutes the official notice of a personnel action, including promotions, awards, bonuses, pay adjustments, and retirement plan information. The SF-50 contains personal employee information, including the employee’s full SSN.
Footnote 15:
Low-risk positions are subject to a National Agency Check (which includes fingerprinting), a credit check, and inquiries to prior employers, educational institutions, and law enforcement agencies.
Footnote 16:
Employees must have at least 1 year’s experience with FDIC to participate in the Mentoring Program.
Footnote 17:
A PIA is an analysis of how information is handled (i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and (iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.
Footnote 18:
Circular 1301.3, Data Stewardship Program, dated September 4, 2001.
Footnote 19:
Remediation could include eliminating data fields within an application that contain SSNs or masking data fields containing SSNs so that system users are unable to view the SSN.
Footnote 20:
Evaluation Report No. 00-006, FDIC’s Information Handling Practices for Sensitive Employee Data, dated October 11, 2000.
Footnote 21:
Entrust is the software that the FDIC uses to encrypt and digitally sign e-mail messages and files.
Footnote 22:
Report No. 05-016, Security Controls Over the FDIC’s Electronic Mail (E-Mail) Infrastructure, dated March 2005.
Footnote 23:
OMB Memorandum M-05-15, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated June 13, 2005.
Footnote 24:
The reference to Section 3455(b) is a reference to 44 United States Code § 3455, which FISMA added to the Code.
Footnote 25:
TruSecure is a security intelligence and service provider.