SBA stumbles on e-mail privacy

7 guidelines for writing privacy policies

Policy experts say a good privacy policy allows agency managers to enforce the proper use of e-mail and prevents managers from unauthorized snooping.

The Office of Management and Budget issued a memo in 2005 that directs agencies to designate a privacy officer and create policies to protect personal information. The memo leaves the details of those policies to each department’s discretion. However, Karen Evans, OMB’s administrator for e-government and information technology, offered several policy guidelines.

  • Talk to the inspector general before writing privacy policies.

  • Make sure policies fit the agency’s mission and match the agency’s needs.

  • Maintain a balance between enforcing the proper use of e-mail and protecting employees’ privacy.

  • Write policies that are clear to employees.

  • Inform managers, supervisors and employees of their responsibility for protecting employees’ privacy rights and the consequences of violating those rights.

  • Keep the policies current.

  • Review the policies when deploying new information systems or making major changes to existing systems.


— Matthew Weigelt

The Small Business Administration has issued a temporary directive to prevent officials from accessing employees’ e-mail inboxes without prior approval from the chief privacy officer. SBA published the directive after officials discovered the agency had no e-mail policy to protect whistle-blowers.

SBA officials, with help from the agency’s general counsel and inspector general, also are drafting an agencywide policy that would establish rules for conducting an administrative review of an employee’s e-mail messages and the appropriate authorization needed for such a review.

The new directive, published Oct. 17, and the policy review follow an incident earlier this year in which an SBA manager retrieved a whistle-blower’s e-mail messages without notifying and getting approval from the agency’s chief privacy officer.

The manager, who worked at a processing and distribution center in SBA’s Office of Disaster Assistance, accessed the employee’s e-mail inbox after a congressional committee hearing at which the employee had submitted a statement and asked to remain anonymous. While working with the committee, the whistle-blower employee also was a confidential source for SBA’s IG, according to the IG’s account of the incident.

The IG concluded that the manager’s actions were inappropriate but that they did not violate rules because the agency had no clear policy or procedures governing managers’ access to employees’ e-mail. Herbert Mitchell, SBA’s associate administrator for disaster assistance, wrote to the IG that the manager involved in the incident had no intention of retaliating against the whistle-blower. However, the incident prompted the IG to notify the SBA’s chief privacy officer.

“Management’s ability to intercept confidential [e-mail messages between employees and the Office of Inspector General] raises troubling questions about whether agency employees can confidently and securely bring confidential complaints to the OIG’s attention,” Debra Ritt, assistant IG for auditing, wrote in an Oct. 19 letter to Christine Liu, SBA’s chief information officer and chief privacy officer.

The IG would not comment on the incident.

Rep. Henry Waxman (D-Calif.), chairman of the Oversight and Government Reform Committee, said Oct. 31 that agencies must maintain a proper balance between enforcing employees’ proper use of e-mail and preventing managers from misusing e-mail to obstruct an investigation.

The House, with broad support, passed Waxman’s Whistleblower Protection Enhancement Act in March. Ritt wrote to Liu that employees who bring complaints to the IG about their agency must, by law, remain confidential and be protected from retaliation. However, in practice, and in the absence of clear policies, managers often can easily find out who whistle-blowers are.

Ritt said SBA lacked a clear policy on e-mail when the incident occurred. An SBA policy document, “Appropriate Use of SBA’s Automated Information Systems,” provides no guidelines about when officials could authorize a review of employee e-mail messages, when they would require approval and who would review the messages.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.
