This report responds to two congressional requests. One request came from Sen. Thomas Carper and another was a joint request from Reps. Elijah E. Cummings and Gerald E. Connolly, Ranking Member and Vice Ranking Member of the Committee on Oversight and Government Reform, respectively. Their requests asked for an investigation into the Postal Service’s release of former U.S. Postal Inspection Service employee Abigail Spanberger’s Standard Form 86, Questionnaire for National Security Positions, and any other related personnel information. Ms. Spanberger was the Democratic candidate (now Representative-elect) for Virginia’s 7th Congressional District.

On July 9, 2018, America Rising Political Action Committee (America Rising) submitted a Freedom of Information Act (FOIA) request to the National Archives and Records Administration (NARA) seeking Ms. Spanberger’s employment information. Specifically, America Rising requested dates, annual salaries, titles, and position descriptions contained in Ms. Spanberger’s official civilian personnel file.

After receiving the request, NARA sent Ms. Spanberger’s complete official personnel file (OPF) to the Postal Service’s Human Resources Headquarters (HR-HQ) office for review, per its agreement with the Postal Service. The agreement specifies NARA will retain hard copy OPFs for the Postal Service, while the Postal Service maintains responsibility for deciding what information from those files can be released. NARA’s only role in this process was to provide Ms. Spanberger’s OPF to the Postal Service.

Upon receiving the America Rising request and OPF from NARA, an HR-HQ administrative assistant forwarded a complete copy of Ms. Spanberger’s OPF to America Rising without authorization. The administrative assistant should have forwarded the information to the HR-HQ FOIA coordinator to determine what could be released per FOIA regulations.

Prior to our audit, the Postal Service determined that the same HR-HQ administrative assistant had previously released the OPFs of three other former employees without their authorizations.

Based on the congressional requests, our objective was to evaluate the Postal Service’s past and current processes for disseminating employee information in response to FOIA requests and how planned enhancements may prevent future unauthorized disclosures.

What the OIG Found

The Postal Service did not have adequate controls in place to ensure proper release of employee information in response to FOIA requests. As a result, the Postal Service released Ms. Spanberger’s OPF and the OPFs of six other former employees without authorization – three OPFs the Postal Service identified itself and three additional OPFs we identified during our audit. According to the Postal Service Law Department’s Privacy and Records Management Office, the unauthorized release of the seven OPFs constituted a violation of federal law and Postal Service policy governing the release of personnel information. The release of this information puts these former employees at risk of identity theft and becoming a victim of financial fraud.

This occurred because HR-HQ management did not have written procedures identifying staff responsible for reviewing personnel information requests, determining what could be released under the FOIA and Privacy Act, and sending the response to the requester. HR-HQ management also did not oversee the disposition of requests and a formal, centralized list of requests was not maintained. Finally, HR-HQ staff responsible for handling requests for personnel information did not receive specific instructions for processing personnel information requests or FOIA and Privacy Act training.

The Postal Service has taken initial corrective action, such as changing and documenting procedures for handling personnel information requests, establishing a correspondence log to track personnel information requests and responses, and providing FOIA and privacy training to HR-HQ staff.

While these steps address internal control weaknesses that led to the unauthorized disclosure of OPFs, there are opportunities for Postal Service management to more effectively reduce the risk of future unauthorized releases of personnel information. The new procedures, Postal Service Standard Operating Procedures HR-HQ Requests for Personnel Records, were finalized on October 18, 2018, so they are not yet fully operational. Further action is required to operationalize the procedures, including effectively communicating them to responsible individuals and ensuring those individuals understand them. Additionally, the procedures lack a requirement for management to use the correspondence log to oversee requests and their dispositions. HR-HQ staff responsible for processing requests need to have substantive knowledge of the FOIA and Privacy Act and a working knowledge of how to implement the new procedures.

These enhancements could further reduce the risk of future unauthorized releases of personnel information and violations of the Privacy Act.

What the OIG Recommended

We recommend management:

  • Require the Privacy and Records Management Office staff to handle all OPFs when responding to requests for personnel information until the Postal Service Standard Operating Procedures HR-HQ Requests for Personnel Records are fully implemented and Human Resources Headquarters staff are fully trained on the Freedom of Information Act and Privacy Act.
  • Establish a process that requires the Director of National Human Resources to conduct a monthly supervisory review of personnel information requests that ensures the requests are properly documented and their dispositions are accurate.
  • Develop an annual training plan, which includes Freedom of Information Act and Privacy Act training, and Postal Service Standard Operating Procedures HR-HQ Requests for Personnel Records guidance for staff handling requests for personnel records.
  • Evaluate the effectiveness of the new procedures three months after they are fully operational, and annually thereafter, to identify and implement any needed changes.

Comments (4)

  • anon

    Do you know if the postal service has a policy that covers employee information given out to specifically CitiBank for cards CitiBank issues to EAS employees known as their travel card? I was also not able to determine who is responsible for issuing these cards, in other words, cards are issued by CitiBank but who from the postal service tells them to do this? If there is a problem with the "travel Card" getting paid what procedure does CitiBank use to notify the person that the card was assigned to and what procedure is followed if the "travel card" is not paid, who does CitiBank contact at the Postal Service? What happens if the person the postal service has apparently asked CitiBank to send a card to doesn't know the card supposedly was issued, never received the card, and then someone commits fraud by using the card. What happens if that person is ordered to attend a PDI from their manager and learns this and informs their manager they know nothing about the card and fraudulent transactions and their manager tells them they would look into the matter and then never does. What then happens if a year and a half later the employee finds that CitiBank sent the account to collections and when that employee tried to find information out about the account was misinformed by the collection agency and told that the account was not a government account it was that employee's personal account and then refused to take it off the employee's credit report, even after the employee pleaded that the account was not theirs and then to make matters worse the employee out of desperation pays the account to get this off their credit report and then learns that they did not remove it anyway. Then when that employee tries to get management officials to look into the events they retaliate and make all kinds of excuses to avoid looking into the issue because they state that they don't even know how it all works.
    I am just curious, how these basic things are supposed to be overseen by the Postal Service and looked into by the OIG but yet I still cannot get this looked into, how do I get this corrected?

    Jul 21, 2019
  • anon

    Hello. Thanks for your comment. If you have suffered retaliation for reporting workplace violations, we recommend filing an online Whistleblower Complaint. You can access the online complaint form at www.uspsoig.gov/form/whistleblower-complaint-form.

    Jul 23, 2019
  • anon

    My bank statements, which contain a lot of my personal info, name, account number, balance and address, have not made it from the bank to my home for the last three months. I have gone to the local post office in Sand Springs, OK, and asked them about it and they just inform me that they don't have it and don't know where it is. I need help to find out what the problem is. I have addressed this with the bank and not only do they have my proper address but I have been banking with them for over 20 years and this just started around the first of this year 2019. Help me?

    Mar 15, 2019
  • anon

    My info was released in that event. How do I get help?

    Dec 22, 2018