SSA balances privacy and security

In the beginning, all Social Security Administration officials in Seattle wanted were fire marshal-approved exits and entrances at their new offices.

But when fire officials rejected the agency's use of dead bolts on exit doors, SSA officials began to consider an electronic key card system that would simultaneously provide authorized access and build a digitized log of employee movement. That was in 1998.

In December, the agency published its plans for the system in the Federal Register, paving the way for all SSA regional offices to use such cards for accessing a facility and, once inside, for moving from one office or department to another.

The system would replace cipher locks that require a code but do not log when employees come and go. The new system, only used in Seattle so far, gives SSA the ability to allow individual access to buildings by position and by time of day and week. "So if we had a break-in or something strange happened, we had audit capability," said Ken St. Louis, director for security and program integrity in the Seattle office.

The new system also makes it possible to secure facilities against disgruntled former employees by simply erasing the employee's access code — something that could not be done with the cipher locks, he said.

SSA's plan has raised some opposition. The local union has filed a grievance claiming it violates the Privacy Act by creating new records on workers without first negotiating for the change and going through the required procedures.

"The primary issue is that they already installed these [locks] without going through the Federal Register," said Steve Kofahl, an SSA worker and president of the local chapter of the American Federation of Government Employees representing the Seattle region.

The Federal Register notice came three years after some locks were installed, even though the notice states the system will be implemented beginning Jan. 15, Kofahl said. "They're already in violation of the Privacy Act," he said.

But St. Louis said that although locks have been installed, no workers have been issued individual codes and the issue is still under discussion.

St. Louis said union workers are concerned that the locks "would be used in a way of monitoring employee coming and going, comparing time and attendance, etc., which was never our intention." The information could be used to bring disciplinary actions, according to the Federal Register notice (see box).

St. Louis believes that such systems may not be an issue at the Pentagon and other intelligence agencies. In those places, he said, "it's probably been a condition of employment for years, and whatever issues were raised were raised long ago and adjudicated."

A Washington, D.C.-based electronic privacy lawyer said he is not aware of any worker opposition to the systems, but thinks the issue should be discussed.

"I would think if it's not [an issue] already, it should become an issue in the [collective] bargaining process" because it changes the workplace rules, said David Sobel, general counsel for the Electronic Privacy Information Center.

The conflict represents a clash between growing security concerns at agencies and unions' obligation to protect the interests of their members.

"We're just trying to do the best we can with the technology out there for Social Security," St. Louis said.

***

A Need-to-Know Basis

The recorded comings and goings of workers whose identities are captured by the key card system will be kept secure, under rules being adopted by the Social Security Administration.

Only people authorized to view the records will be allowed to see them, the agency states in the Federal Register. Among those with a "need to know" would be supervisors or others with disciplinary powers. "The proposed system will maintain information that could lead to administrative, civil or criminal action," the policy states. "This action would occur only after an investigation."

Routine uses of the records also include providing them in response to a congressional inquiry sparked by an employee, or to the Justice Department, court or other third party when the records are part of litigation and SSA determines the information is relevant.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.