To assess controls over the Flexiplace program (Flexiplace), including personally identifiable information (PII), at Office of Disability Adjudication and Review (ODAR) hearing offices.
Flexiplace allows qualified hearing office staff to perform assigned work at a management approved alternate duty station (ADS), which is typically their personal residence. As such, employees who participate in Flexiplace take claimants’ case files to their ADS. These case files can be in paper form or stored on portable devices, such as compact discs (CD) and laptop computers, and generally include claimants’ PII—Social Security numbers, names, addresses, earnings information, and medical histories.To view the full report, visit http://www.ssa.gov/oig/ADOBEPDF/A-08-09-19079.pdf
While the Social Security Administration (SSA) had implemented some preventative measures to safeguard PII removed from its premises, we determined ODAR practices may have exposed claimant data to unauthorized disclosure. For example, ODAR allowed employees to remove PII stored on unencrypted CDs. In addition, ODAR employees did not always comply with SSA’s preventative controls, such as locking claimant PII when traveling to, or working at, an ADS. We also determined that ODAR did not always identify the removal, and confirm the return, of PII. We believe ODAR should identify opportunities to better monitor employee compliance and strengthen Flexiplace controls, where practicable.
We recommend that SSA:
1. Require that ODAR employees store electronic PII on an encrypted and password‑protected laptop when working Flexiplace, until such time as a CD encryption solution for ODAR is developed.
2. Reemphasize to ODAR employees the importance of complying with all Agency PII policies and directives.
3. Consider implementing additional procedures to account for the removal and return of PII.
4. Improve monitoring of ODAR employees’ compliance with Flexiplace requirements. In addition, ODAR should take disciplinary action, such as suspending Flexiplace, for those employees who do not comply.
SSA generally agreed with the recommendations.