SBA stumbles on e-mail privacy

7 guidelines for writing privacy policies

Policy experts say a good privacy policy lets agency managers enforce the proper use of e-mail while preventing unauthorized snooping by managers.

The Office of Management and Budget issued a memo in 2005 that directs agencies to designate a privacy officer and create policies to protect personal information. The memo leaves the details of those policies to each department’s discretion. However, Karen Evans, OMB’s administrator for e-government and information technology, offered several policy guidelines.

  • Talk to the inspector general before writing privacy policies.

  • Make sure policies fit the agency’s mission and match the agency’s needs.

  • Maintain a balance between enforcing the proper use of e-mail and protecting employees’ privacy.

  • Write policies that are clear to employees.

  • Inform managers, supervisors and employees of their responsibility for protecting employees’ privacy rights and the consequences of violating those rights.

  • Keep the policies current.

  • Review the policies when deploying new information systems or making major changes to existing systems.

— Matthew Weigelt

The Small Business Administration has issued a temporary directive to prevent officials from accessing employees’ e-mail inboxes without prior approval from the chief privacy officer. SBA published the directive after officials discovered the agency had no e-mail policy to protect whistle-blowers.

SBA officials, with help from the agency’s general counsel and inspector general, also are drafting an agencywide policy that would establish rules for conducting an administrative review of an employee’s e-mail messages and the appropriate authorization needed for such a review.

The new directive, published Oct. 17, and the policy review follow an incident earlier this year in which an SBA manager retrieved a whistle-blower’s e-mail messages without notifying the agency’s chief privacy officer and getting that officer’s approval.

The manager, who worked at a processing and distribution center in SBA’s Office of Disaster Assistance, accessed the employee’s e-mail inbox after a congressional committee hearing at which the employee had submitted a statement and asked to remain anonymous. While working with the committee, the whistle-blower employee also was a confidential source for SBA’s IG, according to the IG’s account of the incident.

The IG concluded that the manager’s actions were inappropriate but that they did not violate rules because the agency had no clear policy or procedures governing managers’ access to employees’ e-mail. Herbert Mitchell, SBA’s associate administrator for disaster assistance, wrote to the IG that the manager involved in the incident had no intention of retaliating against the whistle-blower. However, the incident prompted the IG to notify the SBA’s chief privacy officer.

“Management’s ability to intercept confidential [e-mail messages between employees and the Office of Inspector General] raises troubling questions about whether agency employees can confidently and securely bring confidential complaints to the OIG’s attention,” Debra Ritt, assistant IG for auditing, wrote in an Oct. 19 letter to Christine Liu, SBA’s chief information officer and chief privacy officer.

The IG would not comment on the incident.

Rep. Henry Waxman (D-Calif.), chairman of the Oversight and Government Reform Committee, said Oct. 31 that agencies must maintain a proper balance between enforcing employees’ proper use of e-mail and preventing managers from misusing e-mail to obstruct an investigation.

The House, with broad support, passed Waxman’s Whistleblower Protection Enhancement Act in March. Ritt wrote to Liu that employees who bring complaints to the IG about their agency must, by law, remain confidential and be protected from retaliation. However, in practice, and in the absence of clear policies, managers often can easily find out who whistle-blowers are.

Ritt said SBA lacked a clear policy on e-mail when the incident occurred. An SBA policy document, “Appropriate Use of SBA’s Automated Information Systems,” provides no guidelines about when officials could authorize a review of employee e-mail messages, when they would require approval and who would review the messages.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.
