Personal data requirements raise eyebrows

Privacy advocates puzzled by DHS ID card

Privacy advocates are puzzled and dismayed by the Homeland Security Department’s recent addition of new categories of personal information it plans to collect and store for all employees, contractors and volunteers who regularly access DHS facilities. The new categories of information include mother's maiden name and financial history, according to a June 25 Federal Register notice.

Information to be collected

The Homeland Security department is expanding the personal data it gathers from employees and contractors in controlling access to buildings and systems.

New categories: Maiden name, mother's maiden name, clearance level, identifying physical information, financial history, duty date and weapons-bearer designation.

Existing categories: Date of birth, Social Security number, organizational and employee affiliations, fingerprints, digital color photograph, digital signature and phone numbers.

DHS is updating the Personal Identity Verification and Identity Management System to support measures in Homeland Security Presidential Directive 12 that pertain to who gets access to buildings and computer systems.

But the new categories of data are raising eyebrows, especially the ones requiring a mother’s maiden name and financial history.

Asking for financial history information, for example, “could be benign, depending on what information is being requested. Or is bad credit now a security risk?” asked Christopher Calabrese, counsel for the American Civil Liberties Union’s Technology and Liberty Program. “And why does DHS need to know [someone's] mother’s maiden name? It seems strange."

Amy Kudwa, a DHS spokeswoman, said the “financial history” data element refers to a credit history check, which she says is standard for government employees. “We are simply moving forward with HSPD-12,” Kudwa said.

Jim Dempsey, vice president of public policy at the Center for Democracy and Technology, agreed that requesting and storing data on mother’s maiden name and financial history is risky and unusual. That kind of information would seem more appropriate for a background check or security clearance than a building access identification program, he said.

“This information collection is odd, particularly financial history,” Dempsey said. “A general principle is that the [agency] collecting the information becomes responsible for protecting it. This is sensitive information, and it looks unnecessary. They have not justified why they need this information."

Jim Harper, director of information policy studies at the Cato Institute, said the expanded data collection seems to increase the risks of possible identity theft and privacy loss for employees and contractors. Financial institutions often use mother's maiden name as an added layer of authentication for people trying to gain access to bank accounts or other financial holdings. If there were to be a data breach that allowed identity thieves to get the personal information that DHS is now requiring, knowing someone's mother's maiden name could give the thieves easier access to that person's accounts, he said.

A DHS Privacy Impact Assessment Update issued on the HSPD-12 program June 18 said the expanded amount of information collection presents no additional privacy risks. It states that all the information will be secured and protected under existing policies.

Dempsey said it appears the department has been collecting the additional categories of information in its hiring database but now will be storing it in its ID card database. Dempsey said that is troubling, because "this duplication creates another opportunity for data loss."

The HSPD-12 ID card system covers all DHS employees, contractors and their employees, consultants, and volunteers who require long-term access to DHS facilities and computer systems, the department said. The system also has been expanded to cover federal emergency responders, foreign nationals on assignment and other federal employees detailed to DHS.

Personal information provided to DHS may be shared within DHS and with appropriate federal, state, local and tribal agencies on a need-to-know basis. The records on individuals are destroyed upon notification of death or five years after the individual leaves employment or is transferred, under National Archives and Records Administration guidance.

The new categories of data also include the employee or contractor's own maiden name, clearance level, identifying physical information, duty date and weapons-bearer designation.

DHS already collects date of birth, Social Security number, organizational and employee affiliation, fingerprints, digital color photograph, digital signature and telephone number.

About the Author

Alice Lipowicz is a staff writer covering government 2.0, homeland security and other IT policies for Federal Computer Week.

The 2014 Federal 100

FCW is very pleased to profile the women and men who make up this year's Fed 100. 

Reader comments

Wed, Jul 22, 2009

I want to know when I will be able to use my HSPD-12 card to log into my computer, e-mail, myPay, TSP, LMS, GovTrip, and all of the other systems and "portals" that are part of my federal "workspace". Every one of them has a separate userid and password. I at least want to get some benefit out of all this.

Mon, Jul 20, 2009 RayW

Do not know if this is all tied into the normal clearance system, but in 1970 I had the 'honor' of filling out my first security clearance. I am coming up on my anniversary date, and noticed that the 'simple' six page form now is over *50* pages when a co-worker printed one out that he did this month. Now they want MORE information? The addition of "federal emergency responders" is bothersome, I also do volunteer emergency work as a radio operator and we have seen the DHS placing requirements on us that we have to fulfill in order to do a simple job of communications. I know that many people who do volunteer work will tell the feds to "SHOVE IT" if asked for all the information that appears to be asked for by this article. Many of us did it with the Red Cross when they wanted that information, and we do not see the DHS as any more trustworthy than some third party data aggregator hired by the Red Cross.

Mon, Jul 20, 2009 Carl

Most security leaks have been by those in financial trouble, but financial problems have not been linked to terrorism so financial disclosure is not justified.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above