OPM has issued guidance to minimize the risk of identity theft and fraud by eliminating the unnecessary use of social security numbers as identifiers for federal employees, and by strengthening the protection of personal information from theft or loss.
It said the guidance is intended to lead to a more consistent and effective policy for protecting SSNs and that it was considering regulations to enforce protective measures.
Efforts are also underway to develop requirements for a new government-wide employee identifier to replace the SSN, OPM said.
The guidance calls on agencies to maintain security policies that either reference or contain a number of regulations, including the following:
-Agencies may not require individuals to disclose their SSN unless required by federal statute or specifically authorized to be used to cross check with a database operating prior to 1975.
-Agencies must also establish administrative, technical, and physical controls to protect information in personnel records.
-Managers of automated personnel records shall establish administrative, technical, physical, and security safeguards for data about individuals in automated records, including input and output documents, reports, punched cards, magnetic tapes, disks, and on-line computer storage.
-Supervisory approval should be required before an authorized individual can access, transport, or transmit information or equipment containing SSNs outside agency facilities.
-Written procedures describing the proper labeling, storage, and disposal of printed material containing Social Security Numbers and other personally identifiable data must be established and communicated to employees.
