VBA Disclosed Third-Party PII to Privacy Act Requesters

A U.S. Veterans Affairs (VA) Office of Inspector General (OIG) review found unrelated third-party names and social security numbers in a random sampling of Privacy Act responses completed by Records Management Center (RMC) staff.

In May 2016, the Veterans Benefits Administration (VBA) changed its Privacy Act release policy following an OIG counsel determining that “there was legal support for releasing unredacted records” and that includes “the disclosure of third-party personally identifiable information (PII) in response to Privacy Act requests if VBA purposely included the information in the requester’s record.”

After a review of 30 random Privacy Act responses out of 65,600 requests that RMC staff completed from April 1, 2018 to Sept. 30, 2018. In 18 of those 30 responses, there were 1,027 third-party names and social security numbers.

“The review team determine disclosures under the May 2016 release policy raised legal concerns, and more importantly, put millions of people at risk of identity theft,” the OIG report said.

However, VA OIG counsel provided legal support for the disclosure practice despite the risk. The May 2016 release policy also doesn’t require staff to inform third parties that their PII was included in a veteran’s claims file.

The OIG recommended that VBA update its Privacy Act release policy and “implement a plan to ensure the RMC complies with requirements in VA Directive 6609 for mailing Privacy Act responses and ensure RMC managers receive a report for any site visit of the RMC completed by VBA and take corrective action as needed.”

The undersecretary for benefits at VBA concurred with all recommendations and provided acceptable action plans, according to the report.