Printer Friendly

The DoD identification number as PII.

For many years, the Electronic Data Interchange-Personal Identifier (EDI-PI) has been a unique identifier for personnel affiliated with the Department of Defense. Until recently, it was used only by DoD information systems to facilitate machine-to-machine communications and appeared in digital signatures. When the EDI-PI was selected to become the DoD identification number, the purpose of the identifier changed.The DoD ID number is now intended to be known by the individual to whom it belongs and is used for personal access to systems, on forms, in digital signatures and for other uses typical of physical and technical identification processes.The expanded use of the DoD ID number led to questions regarding its status as personally identifiable information (PII).

Personally identifiable information refers to information that can be used to distinguish or trace an individual's identity. The definition of a record and system of records under the Privacy Act makes it clear that any "identifying number assigned to the individual" triggers provisions of the Privacy Act if the record is retrieved using a unique identifier. The loss or disclosure of the DoD ID number is considered low risk in conjunction with identity theft or fraud. Nevertheless, the Office of Management and Budget definition of PII clearly indicates that the DoD ID number is PII, regardless of its low risk of compromise.

To ensure that the DoD ID number maintains its low-risk category as PII and does not become a vulnerability like the use of an individual's Social Security number (SSN)--another high-risk personal identifier--the DoD ID number will only be used as one factor in a multifactor authentication process. In this way, knowledge of the DoD ID number alone does not grant access to records unless accompanied by another factor such as a PIN number or biometric.

The DoD ID number is not to be shared with organizations, agencies or corporations outside of DoD unless such use is established by a memorandum of understanding (MOU) with the DoD to implement a necessary DoD business activity. Such MOUs are administered by the Defense Manpower Data Center (DMDC) and include, at a minimum, provisions ensuring that the recipient uses the DoD ID number as one part of a multifactor authentication and does not share the information unless granted permission by DMDC. These rules are codified in a naval message released by the DON CIO, WASHINGTON DC 171625Z Feb 12, "Department of the Navy Social Security Number Reduction Plan Phase Three."

It is common practice today to use digital signatures which contain an individual's DoD ID number, on documents and emails. These documents and emails when sent outside the department may be made public in the authorized release of records, thereby exposing the DoD ID number.

The DoD ID number, by itself or with an associated name, shall be considered internal government operations-related PII. Since the loss, theft or compromise of the DoD ID number is low risk for possible identity theft or fraud, a PII breach report will not be initiated unless accompanied by other PII elements, such as date of birth, birthplace or mother's maiden name, which would normally require a report to be submitted.

For more information:

Removal of an SSN from ID cards: http://dpclo.defense.gov/privacy/documents/SSN%20from%20ID%20Cards.pdf

DoD Social Security Number (SSN) Reduction Plan: http://dpclo.defense.gov/privacy/documents/DTM-07-015(ch3).pdf and http://www.doncio.navy.mil/contentview.aspx?id=1912

Steve Muck is the privacy lead for the Department of the Navy Chief Information Officer (DON CIO). Steve Daughety is a privacy analyst supporting the DON CIO.
COPYRIGHT 2012 U.S. Navy
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2012 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Muck, Steve; Daughety, Steve
Publication:CHIPS
Date:Jul 1, 2012
Words:597
Previous Article:Audit readiness: the challenge.
Next Article:DoD Cyber IA Range open and ready for customers.
Topics:

Terms of use | Copyright © 2018 Farlex, Inc. | Feedback | For webmasters