

Subcommittee Analysis

The Civil Service Commission has thirteen data banks, eight of them computerized.

I. Index

Description: (1) Purpose; (2) Contents

A. Security file (not computerized).
(1) To provide "lead information".
(2) Developed from hearings, reports of investigations, publications of subversive organizations," newspaper articles, data on all ap-

B. Security investigations index (not com-
(1) To index investigations already completed.
(2) Index only.
10,250,000.

C. Investigative files (not computerized).
(1) Security clearances
(2) Folders of investigations.
625,000 current, 2,100,000 in Washington National Record Center.

D. Executive inventory and position files (computerized).
(1) "One of the principal resources by which agency heads can draw upon government-wide executive manpower to fill key positions at the upper levels;" also statistical
(2) Identification data, employment history, education, special achievements on employees GS-15 through 18, or equivalent salary levels; and position, grade, salary, name and social security number.
36,000 executives, 6,000 positions.

E. Retirement and insurance (5 related files) (computerized).
(1) The administration of retirement, insurance and occupational health programs.
(2) Identification data, employment and contribution information, benefits on Federal em
1,809,000 records in 5 files.

F. Voting rights, list of eligibles (compu-
(1) Maintaining lists of eligibles as required by Voting Rights Act of 1965.
(2) Identification data, geographical voting information on those registered by CSC examiners.
NG.

G. Examination registers (partly computerized now, to be further, but not fully, computerized).
(1) Register of those eligible for Federal employment on the basis of having taken the civil service exam.
(2) Identification data, test score, education.
788,000 manual files; 400,000 punch cards; 12,000 magnetic tape; 1,200,000 total.

H. Civil Service Commission payroll files (4 related files) (computerized).
(1) Administration within CSC.
(2) Identification, employment, pay data on CSC employees.
No. 1, 6,000; No. 2, 6,000; No. 3, 6,000; No. 4, 3,800.

I. Civil Service Commission personnel (2 related files) (computerized).
(1) To administer reductions in force, other personnel actions.
(2) Identification data, brief employment information on CSC employees.
No. 1, 2,500; No. 2, 2,500.

J. Federal personnel statistics program (computerized).
(1) Statistical sampling of Federal workforce, for commission planning, etc.
(2) Identification, employment data on 10 percent of Federal employees.
300,000 "current status", 500,000 "history" (now merged).

K. Special employment program (com-
(1) Reports on employment of the mentally re-
(2) Data pulled from standard CSC forms; identification and employment data only.

L. Federal personnel management information system (FPMIS) (proposed).
(1) Government-wide reports and statistical ma-
(2) Identification data, educational achievement, employment and leave information on all Federal employees.
NG.

M. Minority group statistics (computerized).
(1) Implementation of equal employment opportunity program.
(2) Social Security number, minority group code of "'visually identified members of minority
NG.

II. Nature of Material Submitted

The Civil Service Commission was generally responsive, although in several categories necessary information was not provided. For example, the number of subjects was omitted from three system descriptions. The CSC's response is more than two years old, a severe limitation since the biggest system the CSC maintains (FPMIS) was at that time only in the planning stage.

The CSC was one of the first organizations polled for information on its data banks at a time when the survey had not yet been reduced to the standard three introductory questions and nineteen-question questionnaire later adopted. Consequently, the responses to the subcommittee's questions are not numbered; and the answers are somewhat scattered. However, the kinds of information provided are substantially similar to other agency answers.

The CSC's first response is divided into three sections. The first is an outline of the CSC provisions for security of information, and its procedures for releasing some of it. The second section provides detailed information about data systems that are maintained directly by the CSC. The third section describes data banks for which the CSC is primarily responsible, but direct control over which rests with other agencies. The CSC's second response describes three additional data banks (not computerized) which are the investigative files of the CSC.

All of the sample outputs which the Commission provided are omitted, since all the data elements are listed elsewhere and the format is not of particular interest.

III. Comments

A. Statutory Authority

The statutory authority cited by the CSC for its data banks is varied and difficult to classify. Because the mission with which Congress entrusted the CSC is very broad (to deal in general with federal employees, from their application through their retirement), the CSC tends to have at least the basis for a claim of implied statutory authority for virtually all of the CSC data banks.

Three of CSC's data banks and parts of two others are expressly authorized by statute. Data bank F, Voting Rights--List of Eligibles, is expressly mandated by the Voting Rights Act of 1965, 42 U.S.C. 1973. Data bank G, Examination Registers, is authorized by 5 U.S.C. 3301 et seq. Data bank H, CSC Payroll Files, is authorized by 31 U.S.C. 66a. In addition, the Position File in data bank D is expressly authorized by 5 U.S.C. 5114; and the Statistics file in data bank E, Retirement and Insurance, is expressly authorized by 5 U.S.C. 8347.

Derivative authorization for data banks which are necessary to carry out programs expressly established by Congressional enactment justifies data banks J, the Federal Personnel Statistics Program, and L, the Federal Personnel Management Information System. Both data banks contain information (all of data bank J and portions of data bank L) which the CSC is authorized to collect; but these particular information systems are not expressly mandated.

Four CSC data banks have only implied authorization. These are the three investigative data banks (A, B and C) which the CSC justifies by citing a variety of statutes, 5 U.S.C. 7532, 3304, 1301, none of which is entirely satisfactory authorization, even by implication, for all of the information contained in these files. The CSC could have cited implied authority for data bank I, the CSC Personnel files. The general housekeeping statute, 5 U.S.C. 301, affords implied statutory authority which many other agencies cited to justify similar employee records.

Only two data banks are devoid of any statutory authority. These unauthorized data banks are K, Special Employment Program, and M, Minority Group Statistics. In both cases the CSC relies on express authorization by Executive Orders; but is unable to find any real statutory foundation in Congressional enactments.

B. Subject Notification and Review

There is also considerable variation among the data banks with regard to subject notification and review. In the case of the investigative files (data banks A, B, C) the subject is told of information about him only if adverse action is taken based on that information. Three data banks (E, J and M) describe no provisions for notification or review. Most of the rest make no mention of notification but claim to allow subjects access on request, and state that corrections will be made if deemed proper. (See data banks F, G, I and K). In data banks D and H provision is made for sending periodic copies of the data to the subjects. The proposed FPMIS system (data bank L) will make similar provision and will include a specific mechanism for inserting corrections. It is not clear whether there is such a mechanism for existing data banks.

C. Access by Other Agencies

According to the CSC's response, information from seven of the data banks is available to other agencies. In six of the seven (data banks A, B, C, D, F and G) the CSC collects the information for the express purpose of sharing it with other agencies. The seventh is the Retirement and Insurance system. In three other banks (J, K and L), the information is routinely available to outsiders as statistical reports; but individual files are available only to the originating agency. The CSC internal files are kept internal; and the Minority Group Statistics files are available only to the staff directly concerned with studying them.

D. Public Access

Most of the CSC's files are treated as confidential, except for the routine statistical reports of information from data banks J, K and L, and the entirety of data bank F, Voting Rights List of Eligibles.

E. Security Precautions

The CSC's position on security of data processing systems and the information in them is discussed in Section of the CSC's first response (Attachment 1). It appears that the CSC has been somewhat more careful to protect its facilities and data than other agencies. Physical security (electronic locks and guards) is of primary importance. In addition, the Production Control Unit appears to keep logs of computer activity. These logs are not maintained in the computer itself, but reflect an outside monitoring of input, output and some computer operations. Because all CSC computer operations seem to be batch-processed, it is possible that no further security is necessary. But since the new government-wide system (data bank L) appears to be an online system, more stringent controls would be necessary, as the CSC has itself noted.

F. Sources of Information

Since the subcommittee at no time requested that the CSC describe the sources of the information in its files, there is no direct information on this subject in the CSC responses. It appears, however, that, with the exception of the investigative files (data banks A, B and C), most of the information in the CSC files comes from the subjects themselves or from other agencies.

IV. Evaluation

Considering the extent of the CSC's mandate over all federal personnel, it is significant that the number of data banks it maintains is so low, and their contents so limited. The CSC's investigative files, which are obviously dangerous, are not, and probably never will be, computerized. Some of the remaining data banks, such as the Examination Register (data bank G), the Special Employment Program (data bank K) and the Minority Group Statistics System (data bank M) contain sensitive data, but appear to be carefully protected.

The great exception is the FPMIS (data bank L). The system as currently maintained is not very dangerous; and only statistical data is available outside the agency generating the information. But indications are that the system will be expanded so that many personnel actions will be taken on a government-wide basis.

Agency Response

On March 9, 1970, the subcommittee initiated its requests for information about the data systems maintained by the Civil Service Commission, which contain information about individual citizens. The Civil Service Commission submitted its first reply on April 20, 1970. On July 10, 1970, the subcommittee requested further information, particularly in regard to investigative files. The Civil Service Commission responded to this further inquiry in its reply dated August 18, 1970. Although the subcommittee never requested that the Civil Service Commission respond to the standard introductory questions and questionnaire, the correspondence which appears below provides essentially the same information as other agency responses.

SUBCOMMITTEE ON CONSTITUTIONAL RIGHTS,
March 9, 1970.

Hon. ROBERT E. HAMPTON,
Chairman, Civil Service Commission, Washington, D.C.

DEAR MR. CHAIRMAN: In connection with our study of computers, privacy and constitutional rights, the Subcommittee is conducting a survey of federally-administered or sponsored data banks containing statistical or administrative personal information on individuals.

We are particularly interested in knowing what data banks have been and are being established by the Civil Service Commission; to what extent the total or large segments of Civil Service information about a person is physically available in one location or in one data bank such as the “Talent Bank”; and to what extent the information is decentralized in the Civil Service regions.

To assist us in our study, it would be appreciated if you would:

(1) Describe briefly the categories of data presently maintained and stored under auspices of the Civil Service Commission and the number of subject individuals covered in each category;

(2) Cite the statutory and administrative authority for each data gathering and data storing program;

(3) For each category and each conglomerate of data, indicate its present state of computerization or other mechanization for access and retrieval as well as for evaluation and analysis; and

(4) Describe plans for further computerization or mechanization. For each new data storage and processing program, please describe: (1) the advantages; and (2) the extent to which it permits correlating, common storage and multi-faceted analysis of data on a scale not hitherto available.

Has the Commission developed comprehensive guidelines governing maintenance of Commission data, access to it, review and disclosure of it, and distribution to other agencies? If so, please supply copies.

To what extent is the subject individual or his representative allowed to review the data on record about him; to supplement his file; or to explain or rebut inaccurate material? Please describe the precise limitations and the authority for each.

What aspects of the recorded data are available to other persons? Who, specifically? For what purposes? By what authority? Is a record maintained of each inspection or use of the individual's records?

For each data bank, please indicate how the information is collected, whether it is solicited from the individual, from third persons, from supervisors and fellow workers, or from existing records.

What officials in the Commission are responsible for determining the accuracy of information in the records? What provisions are made, procedurally, for deleting information found to be inaccurate or inappropriate, either on the initiative of the Commission or on motion of the individual?

What other agencies have access to information in each data bank? What agencies may utilize the data in your computerized files by coding, interfacing and other devices relating to their own computers? What security devices and procedures are utilized to prevent: (1) Unauthorized access to the data file; and (2) Improper use of the information?

To what extent is the establishment and maintenance of data banks on federal employees discussed with representatives of employee unions and organizations?

What formal or informal arrangement do you have with Congressional Committees for the authorizing and reviewing of new data banks and the clearance of new record-management techniques?

Plans for computerization of federal employee records were discussed by Commission Chairman John Macy during our hearings on S. 3779 in the last Congress. At that time, the Staff Report on Modernizing the Management Information System for Federal Civilian Manpower was in draft form. We are especially interested in the status of the various proposals outlined in that report which called for a comprehensive data gathering and storage system covering former and present civilian employees.

Has this data program or the development of other comprehensive records systems been discussed before other Congressional Committees by Commission representatives? If so, would you please supply any available testimony, or citations to such hearings?

It would be helpful if you would supply copies of any statutes and regulations cited in your report to the Subcommittee, together with sample print-outs from each of the data banks.

We plan to publish the reports received in this investigation and expect them to be used by Congress in determining the need for comprehensive new laws governing computerized data banks, as well as the need for an independent agency to regulate such systems where they affect individual rights to privacy and due process.

With deep appreciation for your assistance in our study, and with all kind wishes, I am

Sincerely yours,

SAM J. ERVIN, Jr., Chairman.
