Officials assigned to protect personal data like Social Security numbers and other records at the Defense Department usually are not specifically trained in the requirements of the 1974 Privacy Act.
Moreover, the military departments and agencies manage the data separately in a decentralized system. While a single Pentagon office is supposed to ensure compliance with the law, it has "failed to ensure that DOD consistently
implemented Privacy Program policy for reporting, collecting, using, safeguarding, and maintaining personal information."
That is the conclusion of a recent investigation by the Defense Department inspector general.
"The personal information contained in DOD systems could be vulnerable to access by unauthorized personnel and individuals identified in systems of records vulnerable to identify theft and fraudulent activities. Effective oversight and administration of the DOD Privacy Act program is contingent on the allocation of sufficient resources and establishment of internal control mechanisms to verify accomplishments of the program's intent," states the June 13 report.
In an electronic era where much of that information is stored on computers and networks, the potential for compromised data is significant. A year ago, a laptop and external hard drive belonging to the Veterans Affairs Department and containing millions of Social Security numbers and birthdates of veterans and military personnel was stolen. It was eventually recovered intact.
"Federal agencies have a special duty to protect personally identifiable information. The increased focus on privacy following information losses at numerous federal agencies has resulted in (the Office of Management and Budget) placing additional requirements on already thinly resourced DOD privacy program staff, and the current decentralized program cannot provide an effective response. DOD privacy officials do not consistently implement safeguards and policies for protecting personal privacy information as required by the Privacy Act, and component privacy officers do not oversee privacy programs within their components."