This report responds to two congressional requests. One request came from Sen. Thomas Carper and another was a joint request from Reps. Elijah E. Cummings and Gerald E. Connolly, Ranking Member and Vice Ranking Member of the Committee on Oversight and Government Reform, respectively. Their requests asked for an investigation into the Postal Service’s release of former U.S. Postal Inspection Service employee Abigail Spanberger’s Standard Form 86, Questionnaire for National Security Positions, and any other related personnel information. Ms. Spanberger was the Democratic candidate (now Representative-elect) for Virginia’s 7th Congressional District.
On July 9, 2018, America Rising Political Action Committee (America Rising) submitted a Freedom of Information Act (FOIA) request to the National Archives and Records Administration (NARA) seeking Ms. Spanberger’s employment information. Specifically, America Rising requested dates, annual salaries, titles, and position descriptions contained in Ms. Spanberger’s official civilian personnel file.
After receiving the request, NARA sent Ms. Spanberger’s complete official personnel file (OPF) to the Postal Service’s Human Resources Headquarters (HR-HQ) office for review, per its agreement with the Postal Service. The agreement specifies NARA will retain hard copy OPFs for the Postal Service, while the Postal Service maintains responsibility for deciding what information from those files can be released. NARA’s only role in this process was to provide Ms. Spanberger’s OPF to the Postal Service.
Upon receiving the America Rising request and OPF from NARA, an HR-HQ administrative assistant forwarded a complete copy of Ms. Spanberger’s OPF to America Rising without authorization. The administrative assistant should have forwarded the information to the HR-HQ FOIA coordinator to determine what could be released per FOIA regulations.
Prior to our audit, the Postal Service determined that the same HR-HQ administrative assistant had previously released the OPFs of three other former employees without their authorizations.
Based on the congressional requests, our objective was to evaluate the Postal Service’s past and current processes for disseminating employee information in response to FOIA requests and how planned enhancements may prevent future unauthorized disclosures.
What the OIG Found
The Postal Service did not have adequate controls in place to ensure proper release of employee information in response to FOIA requests. As a result, the Postal Service released Ms. Spanberger’s OPF and the OPFs of six other former employees without authorization – three OPFs the Postal Service identified itself and three additional OPFs we identified during our audit. According to the Postal Service Law Department’s Privacy and Records Management Office, the unauthorized release of the seven OPFs constituted a violation of federal law and Postal Service policy governing the release of personnel information. The release of this information puts these former employees at risk of identity theft and becoming a victim of financial fraud.
This occurred because HR-HQ management did not have written procedures identifying staff responsible for reviewing personnel information requests, determining what could be released under the FOIA and Privacy Act, and sending the response to the requester. HR-HQ management also did not oversee the disposition of requests and a formal, centralized list of requests was not maintained. Finally, HR-HQ staff responsible for handling requests for personnel information did not receive specific instructions for processing personnel information requests or FOIA and Privacy Act training.
The Postal Service has taken initial corrective action, such as changing and documenting procedures for handling personnel information requests, establishing a correspondence log to track personnel information requests and responses, and providing FOIA and privacy training to HR-HQ staff.
While these steps address internal control weaknesses that led to the unauthorized disclosure of OPFs, there are opportunities for Postal Service management to more effectively reduce the risk of future unauthorized releases of personnel information requests. The new procedures, Postal Service Standard Operating Procedures HR-HQ Requests for Personnel Records, were finalized on October 18, 2018, so they are not yet fully operational. Further action is required to operationalize the procedures, including effectively communicating them to and ensuring they are understood by responsible individuals. Additionally, the procedures lack a requirement for management to use the correspondence log to oversee requests and their dispositions. HR-HQ staff responsible for processing requests need to have substantive knowledge on the FOIA and Privacy Act and a working knowledge of how to implement the new procedures.
These enhancements could further reduce the risk of unauthorized releases of personnel information and violations of the Privacy Act from occurring in the future.
What the OIG Recommended
We recommend management:
- Require the Privacy and Records Management Office staff to handle all OPFs when responding to requests for personnel information until the Postal Service Standard Operating Procedures HR-HQ Requests for Personnel Records are fully implemented and Human Resources Headquarters staff are fully trained on the Freedom of Information Act and Privacy Act.
- Establish a process that requires the Director of National Human Resources to conduct a monthly supervisory review of personnel information requests that ensures the requests are properly documented and their dispositions are accurate.
- Develop an annual training plan, which includes Freedom of Information Act and Privacy Act training, and Postal Service Standard Operating Procedures HR-HQ Requests for Personnel Records guidance for staff handling requests for personnel records.
- Evaluate the effectiveness of the new procedures three months after they are fully operational, and annually thereafter, to identify and implement any needed changes.