SBA stumbles on e-mail privacy

7 guidelines for writing privacy policies

Policy experts say a good privacy policy allows agency managers to enforce the proper use of e-mail and prevents managers from unauthorized snooping.

The Office of Management and Budget issued a memo in 2005 that directs agencies to designate a privacy officer and create policies to protect personal information. The memo leaves the details of those policies to each department’s discretion. However, Karen Evans, OMB’s administrator for e-government and information technology, offered several policy guidelines.

  • Talk to the inspector general before writing privacy policies.

  • Make sure policies fit the agency’s mission and match the agency’s needs.

  • Maintain a balance between enforcing the proper use of e-mail and protecting employees’ privacy.

  • Write policies that are clear to employees.

  • Inform managers, supervisors and employees of their responsibility for protecting employees’ privacy rights and the consequences of violating those rights.

  • Keep the policies current.

  • Review the policies when deploying new information systems or making major changes to existing systems.


— Matthew Weigelt

The Small Business Administration has issued a temporary directive to prevent officials from accessing employees’ e-mail inboxes without prior approval from the chief privacy officer. SBA published the directive after officials discovered the agency had no e-mail policy to protect whistle-blowers.

SBA officials, with help from the agency’s general counsel and inspector general, also are drafting an agencywide policy that would establish rules for conducting an administrative review of an employee’s e-mail messages and the appropriate authorization needed for such a review.

The need for the new directive, published Oct. 17, and the policy review comes after an incident earlier this year in which an SBA manager retrieved a whistle-blower’s e-mail messages without notifying the agency’s chief privacy officer and getting that officer’s approval.

The manager, who worked at a processing and distribution center in SBA’s Office of Disaster Assistance, accessed the employee’s e-mail inbox after a congressional committee hearing at which the employee had submitted a statement and asked to remain anonymous. While working with the committee, the whistle-blower employee also was a confidential source for SBA’s IG, according to the IG’s account of the incident.

The IG concluded that the manager’s actions were inappropriate but that they did not violate rules because the agency had no clear policy or procedures governing managers’ access to employees’ e-mail. Herbert Mitchell, SBA’s associate administrator for disaster assistance, wrote to the IG that the manager involved in the incident had no intention of retaliating against the whistle-blower. However, the incident prompted the IG to notify the SBA’s chief privacy officer.

“Management’s ability to intercept confidential [e-mail messages between employees and the Office of Inspector General] raises troubling questions about whether agency employees can confidently and securely bring confidential complaints to the OIG’s attention,” Debra Ritt, assistant IG for auditing, wrote in an Oct. 19 letter to Christine Liu, SBA’s chief information officer and chief privacy officer.

The IG would not comment on the incident.

Rep. Henry Waxman (D-Calif.), chairman of the Oversight and Government Reform Committee, said Oct. 31 that agencies must maintain a proper balance between enforcing employees’ proper use of e-mail and preventing managers from misusing e-mail to obstruct an investigation.

The House, with broad support, passed Waxman’s Whistleblower Protection Enhancement Act in March. Ritt wrote to Liu that employees who bring complaints to the IG about their agency must, by law, remain confidential and be protected from retaliation. However, in practice, and in the absence of clear policies, managers often can easily find out who whistle-blowers are.

Ritt said SBA lacked a clear policy on e-mail when the incident occurred. An SBA policy document, “Appropriate Use of SBA’s Automated Information Systems,” provides no guidelines about when officials could authorize a review of employee e-mail messages, when they would require approval and who would review the messages.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.
