The DHS inspector general’s office has issued an advisory stating that FEMA needs to give immediate attention to its handling of personally identifiable information at disaster relief sites.
It said that during a review at the 2015 California wildfire disaster, “we observed that FEMA personnel at Disaster Recovery Centers did not properly safeguard PII, as federal guidelines require. The mishandling of PII increases the risk of identity theft and can result in substantial harm, embarrassment, inconvenience, or unfairness to individuals,” it said.
At just those centers, FEMA collected names and addresses, Social Security numbers, account numbers and other identifying information on some 4,000 applicants for assistance.
FEMA did not equip the centers with lockable containers for safeguarding the information, instead storing records in open, unsecured cardboard boxes and in file folders sitting on top of tables. Employees there said the agency seldom supplies secure containers, shredders and other such equipment.
“We also determined that some FEMA officials are not fully aware of federal privacy standards. Moreover, FEMA management and trainers lack an effective method to track employee compliance with privacy training or to promote privacy awareness at disaster relief sites,” the auditors reported.
The report said that similar problems had been pointed out in 2013 and at the time FEMA promised to take steps including conducting privacy compliance inspections at all disaster relief sites. However, officials at the California site said they were not aware of any such inspection being done there, it said.
