Just got off the telephone with a client in Georgia where the DCAA office requested the contractor to email copies of every employee’s driver’s license to prove that they were real. The contractor successfully declined the request.
On the other side of the country, another DCAA office has requested access to the contractor’s I-9s. I am encouraging the contractor to decline this request.
Researching the issue, I stumbled on DCAA’s The Privacy Act: An Employee’s Guide to Privacy. Here is one of the many relevant statements made within this DCAA document:
The Privacy Act provides the Government with a framework in which to conduct its day-to-day business when that business requires the collection or use of information about individuals. Specifically, it requires that the Government:
- Maintain no secret files on individuals;
- Inform individuals at the time it is collecting information about them, why this information is needed, and how it will be used;
- Assure that personal information is used only for the reasons given, or seek the person’s permission when another purpose for its use is considered necessary or desirable;
- Allow individuals to see the records kept on them; and provide individuals with the opportunity to correct inaccuracies in their records.
The Privacy Act binds Federal agencies to a “code of fair information practices.” The code sets standards which each Federal agency must meet as it collects, maintains, and uses information.
Or under the responsibilities of DCAA Employees:
You must collect only personal information that is relevant and necessary, not simply useful, to accomplish a specific objective. Whenever you request personal information from someone, you must inform him or her in writing of the legal authority for requesting the information, the purpose for collecting it, what routine uses will be made of this information, whether a response is mandatory or voluntary, and what will be the effect if he or she refuses to respond. Also, whenever you ask a person for his or her social security number, you must state the legal authority and purpose for requesting it, and whether a response is mandatory or voluntary. You should always attempt to collect personal information directly from the individual rather than from other sources wherever practicable.