SBA stumbles on e-mail privacy

7 guidelines for writing privacy policies

Policy experts say a good privacy policy allows agency managers to enforce the proper use of e-mail and prevents managers from unauthorized snooping.

The Office of Management and Budget issued a memo in 2005 that directs agencies to designate a privacy officer and create policies to protect personal information. The memo leaves the details of those policies to each department’s discretion. However, Karen Evans, OMB’s administrator for e-government and information technology, offered several policy guidelines.

  • Talk to the inspector general before writing privacy policies.

  • Make sure policies fit the agency’s mission and match the agency’s needs.

  • Maintain a balance between enforcing the proper use of e-mail and protecting employees’ privacy.

  • Write policies that are clear to employees.

  • Inform managers, supervisors and employees of their responsibility for protecting employees’ privacy rights and the consequences of violating those rights.

  • Keep the policies current.

  • Review the policies when deploying new information systems or making major changes to existing systems.


— Matthew Weigelt

The Small Business Administration has issued a temporary directive to prevent officials from accessing employees’ e-mail inboxes without prior approval from the chief privacy officer. SBA published the directive after officials discovered the agency had no e-mail policy to protect whistle-blowers.

SBA officials, with help from the agency’s general counsel and inspector general, also are drafting an agencywide policy that would establish rules for conducting an administrative review of an employee’s e-mail messages and the appropriate authorization needed for such a review.

The need for the new directive, published Oct. 17, and policy review, comes after an incident earlier this year in which an SBA manager retrieved a whistle-blower’s e-mail messages without notifying and getting approval from the agency’s chief privacy officer.

The manager, who worked at a processing and distribution center in SBA’s Office of Disaster Assistance, accessed the employee’s e-mail inbox after a congressional committee hearing at which the employee had submitted a statement and asked to remain anonymous. While working with the committee, the whistle-blower employee also was a confidential source for SBA’s IG, according to the IG’s account of the incident.

The IG concluded that the manager’s actions were inappropriate but that they did not violate rules because the agency had no clear policy or procedures governing managers’ access to employees’ e-mail. Herbert Mitchell, SBA’s associate administrator for disaster assistance, wrote to the IG that the manager involved in the incident had no intention of retaliating against the whistle-blower. However, the incident prompted the IG to notify the SBA’s chief privacy officer.

“Management’s ability to intercept confidential [e-mail messages between employees and the Office of Inspector General] raises troubling questions about whether agency employees can confidently and securely bring confidential complaints to the OIG’s attention,” Debra Ritt, assistant IG for auditing, wrote in an Oct. 19 letter to Christine Liu, SBA’s chief information officer and chief privacy officer.

The IG would not comment on the incident.

Rep. Henry Waxman (D-Calif.), chairman of the Oversight and Government Reform Committee, said Oct. 31 that agencies must maintain a proper balance between enforcing employees’ proper use of e-mail and preventing managers from misusing e-mail to obstruct an investigation.

The House, with broad support, passed Waxman’s Whistleblower Protection Enhancement Act in March. Ritt wrote to Liu that employees who bring complaints to the IG about their agency must, by law, remain confidential and be protected from retaliation. However, in practice, and in the absence of clear policies, managers often can easily find out who whistle-blowers are.

Ritt said SBA lacked a clear policy on e-mail when the incident occurred. An SBA policy document, “Appropriate Use of SBA’s Automated Information Systems,” provides no guidelines about when officials could authorize a review of employee e-mail messages, when they would require approval and who would review the messages.

The 2014 Federal 100

Get to know the 100 women and men honored this year for going above and beyond in federal IT.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above