SSA balances privacy and security

In the beginning, all Social Security Administration officials in Seattle wanted were fire marshal-approved exits and entrances at their new offices.

But when fire officials rejected the agency's use of dead bolts on exit doors, SSA officials began to consider an electronic key card system that would simultaneously provide authorized access and build a digitized log of employee movement. That was in 1998.

In December, the agency published its plans for the system in the Federal Register, paving the way for all SSA regional offices to use such cards for accessing a facility and, once inside, for moving from one office or department to another.

The system would replace cipher locks that require a code but do not log when employees come and go. The new system, only used in Seattle so far, gives SSA the ability to allow individual access to buildings by position and by time of day and week. "So if we had a break-in or something strange happened, we had audit capability," said Ken St. Louis, director for security and program integrity in the Seattle office.

The new system also makes it possible to secure facilities against disgruntled former employees by simply erasing the employee's access code — something that could not be done with the cipher locks, he said.

SSA's plan has raised some opposition. The local union has filed a grievance claiming it violates the Privacy Act by creating new records on workers without first negotiating for the change and going through the required procedures.

"The primary issue is that they already installed these [locks] without going through the Federal Register," said Steve Kofahl, an SSA worker and president of the local chapter of the American Federation of Government Employees representing the Seattle region.

The Federal Register notice came three years after some locks were installed, even though the notice states the system will be implemented beginning Jan. 15, Kofahl said. "They're already in violation of the Privacy Act," he said.

But St. Louis said that although locks have been installed, no workers have been issued individual codes and the issue is still under discussion.

St. Louis said union workers are concerned that the locks "would be used in a way of monitoring employee coming and going, comparing time and attendance, etc., which was never our intention." The information could be used to bring disciplinary actions, according to the Federal Register notice (see box).

St. Louis believes that such systems may not be an issue at the Pentagon and other intelligence agencies. In those places, he said, "it's probably been a condition of employment for years, and whatever issues were raised were raised long ago and adjudicated."

A Washington, D.C.-based electronic privacy lawyer said he is not aware of any worker opposition to the systems, but thinks the issue should be discussed.

"I would think if it's not [an issue] already, it should become an issue in the [collective] bargaining process" because it changes the workplace rules, said David Sobel, general counsel for the Electronic Privacy Information Center.

The conflict represents a clash between growing security concerns at agencies and unions' obligation to protect the interests of their members.

"We're just trying to do the best we can with the technology out there for Social Security," St. Louis said.

***

A Need-to-Know Basis

The recorded comings and goings of workers whose identities are captured by the key card system will be kept secure, under rules being adopted by the Social Security Administration.

Only people authorized to view the records will be allowed to see them, the agency states in the Federal Register. Among those with a "need to know" would be supervisors or others with disciplinary powers. "The proposed system will maintain information that could lead to administrative, civil or criminal action," the policy states. "This action would occur only after an investigation."

Routine uses of the records also include providing them in response to a congressional inquiry sparked by an employee, or to the Justice Department, court or other third party when the records are part of litigation and SSA determines the information is relevant.
