PII breaches devastating to personal, national security

  • By Tech. Sgt. Hillary Stonemetz
  • Air Force Recruiting Service Public Affairs
As a recruiter, you may be tempted to take files home or leave them in the trunk of your car. No big deal, right?

Wrong. By doing so, you may be putting the Air Force, your applicant and yourself at risk.

Many documents used in Air Force Recruiting Service contain Personally Identifiable Information and are protected by AFI 33-332, Air Force Privacy Act Program. PII protection is monitored by the highest leadership levels, with breaches reported to the Pentagon. A breach can result in criminal penalties against the person responsible and civil penalties against the unit.

"PII is any information used to distinguish or trace an individual's identity," said Staff Sgt. La Keshia Joseph, AFRS knowledge operations manager. "Examples of PII include but aren't limited to -- Social Security number, date and place of birth, mother's maiden name, driver's license number, biometric records, or identification card number. This is considered to be the same information that is protected by the Privacy Act of 1974."

According to AFI 33-332, a PII breach is defined as "a loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to PII, whether physical or electronic."

"PII should be stored in a Privacy Act system of record such as Air Force Recruiting Information Support System (AFRISS), or a hard disk drive where necessary," Joseph said. "Minimize the storage of PII on shared drives and use appropriate permissions where only individuals with need-to-know have access. PII is not stored on SharePoint unless required for daily business or mission requirements. Appropriate permissions are applicable just as with shared network drives."

Recruiters are allowed to transport and transmit PII as long as the information is properly safeguarded from compromise. If the information is sent via email, the message must be encrypted. If the email can't be encrypted, the documents must be faxed, mailed, or sent through the Army Missile Research Development and Engineering Center Safe Access File Exchange (AMRDEC SAFE), she said.

"Individuals who inappropriately store and transmit PII outside of the Air Force or Department of Defense network will have their network accounts locked in response to the violation," Joseph said. "Depending on the significance of the incident, a thorough investigation may be initiated."

When documents or storage disks containing PII are no longer needed, they must be destroyed and not just tossed in the garbage.

"Some ways of doing that would be pulping, macerating, tearing, burning, shredding, or completely destroying the document so that PII is both unreadable and beyond reconstruction," Joseph said.

Anyone who discovers or suspects a PII breach must notify their group or squadron privacy manager within one hour. The privacy manager must notify the chain of command and the Air Force Privacy Office within 24 hours. The Air Force Privacy Office will then notify the DoD Privacy and Civil Liberties Office.

For more information, contact your group or squadron Knowledge Operations Manager or the HQ AFRS Knowledge Operations Management section at DSN 665-2426/0490/0406 or email hqafrs.ko@us.af.mil.