INFORMATION MANAGEMENT PRACTICES

Information management practices refer to the techniques and procedures used to control the many operations performed on information to accomplish the command's objectives. They do not extend to the essential managerial determination of the need for and uses of information in relation to any command's mission. In this context, information management includes data collection, validation and transformation; information processing or handling; record keeping; information control, display, and presentation; and, finally, standardization of information management operations.

Before enacting new policies in personal data handling procedures, AIS technical managers should analyze current practices. To facilitate the explanation of their roles, the information management guidelines presented in the following material are grouped into major categories: handling of personal data, maintenance of records to trace the disposition of personal data, data processing practices, programming practices, assignment of responsibilities, and procedural inspecting. Every practice presented may not be required at every Navy AIS facility by upper management. Select only the suggested practices relevant to the designated command's environment and mission, or approved by upper management.

Handling of Personal Data

Access to personal information will be limited to authorized individuals of agencies in the Department of Defense who have an official need for the record, except when the information is otherwise releasable under the disclosure or access provisions of the Privacy Act. The following practices are suggested for the handling of personal data:

- Prepare a procedures handbook. Describe the precautions to be used and obligations of computer facility personnel during the physical handling of all personal data. Include a reference regarding the applicability of the procedures to those government contractors who are subject to the Privacy Act. Personal information that is processed, accessed, maintained, or disposed of by contractors must be handled within the terms and conditions of Section 7-104.96 of the Defense Acquisition Regulation.
- Label all recording media that contain personal data. Labeling the media reduces the probability of accidental abuse of personal data. It also aids in fixing the blame in the event of negligent or willfully malicious abuse. If the information resides on removable storage media, it should be externally labeled. External warnings must clearly indicate that the media contain personal information subject to the Privacy Act; for example, PERSONAL DATA-PRIVACY ACT of 1974. Note that abbreviations must not be used.
- Store personal data in a manner that conditions users to respect its confidentiality. For example, store personal data under lock and key when not being used.
- If a program generates reports containing personal data, have the program print clear warnings of the presence of such data on the reports.
- Color code all computer tape reels, disk pack covers, and so on, which contain personal data, so they can be afforded the special protection required by law.
- Keep a record of all categories of personal data contained in computer-generated reports. This facilitates compliance with the requirements that each command identify all personal data files and their routine uses by the command.
- Carefully control products of intermediate processing steps. For example, control scratch tapes and disk packs to ensure they do not contribute to unauthorized disclosure of personal data.
- Maintain an up-to-date hard-copy authorization list. The list should include all individuals (computer personnel as well as system users) allowed to access personal data. It is used in access control and authorization validation.
- Maintain an up-to-date hard-copy data dictionary. This dictionary should be the complete inventory of personal data files within the computer facility to account for all obligations and risks.

Maintenance of Records to Trace the Disposition of Personal Data

The following practices are suggested for the maintenance of records:

- Establish procedures for maintaining correct, current accounting of all new personal data brought into the computer facility.
- Log each transfer of storage media containing personal data to or from the computer facility.
- Maintain logbooks for terminals used to access personal data by system users.

Data Processing Practices

The following practices are suggested for data processing procedures:

- Use control numbers to account for personal data upon receipt and during input, storage, and processing.
- Verify the accuracy of the personal data acquisition and entry methods employed.
- Take both regular and unscheduled inventories of all tape and disk storage media to ensure accurate accounting for all personal data.
- Use carefully devised backup procedures for personal data. A copy of the data should be kept at a second location if its maintenance is required by law.
- Create a records retention timetable covering all personal data and stating minimally the data type, the retention period, and the authority responsible for making the retention decision.
- After a computer failure, check all personal data that was being processed at the time of failure for inaccuracies resulting from the failure.
- If the data volumes permit economic processing, some sensitive applications may use a dedicated processing period.
- Examine files created from files known to contain personal data to ensure they cannot be used to regenerate any personal data. A formal process must be established to determine and certify that such files are releasable in any given instance.
- In aggregating personal data, consider whether the consequent file has been increased in value to a theft-attracting level.
- When manipulating aggregations and combinations of personal data, make it impossible to trace any information concerning an individual. Take steps so that no inference, deduction, or derivation processes can be used to recover personal data.

Programming Practices

The following practices are suggested for programming procedures:

- Subject all programming development and modification to independent checking by a second programmer, bound by procedural requirements developed by a responsible supervisor.
- Inventory current programs that process or access personal data; verify their authorized usage.
- Enforce programming practices that clearly and fully identify personal data in any computer program.
- Strictly control and require written authorization for all operating system changes that involve software security.

Assignment of Responsibilities

The following practices are suggested for the assignment of responsibilities:

- Designate an individual responsible for examining facility practices in the storage, use, and processing of personal data, including the use of security measures, information management practices, and computer system access controls. Both internal uses and the authorized external transfer of data should be considered by this individual and any risks reported to the relevant upper management authority and the AIS technical manager.
- Designate an individual responsible during each processing period (shift) for ensuring the facility is adequately staffed with competent personnel and enforcing the policies for the protection of personal data.
- Ensure that all military, civil service, and other employees engaged in the handling or processing of personal data adhere to established codes of conduct.

Procedural Inspecting

Whenever appropriate, conduct an independent examination of established procedures. Inspections of both specific information flow and general practices are possible. The following points should be considered when developing an inspection:

- Inspecting groups can be established within organizations to provide assurance of compliance independent of those directly responsible.
- Independent, outside inspectors can be contacted to provide similar assurance at irregular intervals.
- Inspection reports should be maintained for routine inspection and used to provide additional data for tracing compromises of confidentiality.