Report 2018-129 Recommendation 3 Responses

Report 2018-129: Employment Development Department: Its Practice of Mailing Documents Containing Social Security Numbers Puts Californians at Risk of Identity Theft (Release Date: March 2019)

Recommendation #3 To: Employment Development Department

To ensure that it eliminates any unnecessary uses of personal information in its external communications and to ensure that it fully protects its claimants' privacy, EDD should, by May 2019, implement its recently developed plan for reviewing new, revised, and existing documents. EDD should provide documents to us indicating the progress it has made to implement this recommendation at 60 days, six months, and one year following the release of this report. Finally, it should, by December 2021, complete its full review of existing documents and remove any unnecessary instances of personal information.

Annual Follow-Up Agency Response From October 2022

As recommended by the CSA, the EDD completed its full review of Unemployment Insurance (UI) and Disability Insurance (DI) programs' external forms to remove unnecessary personally identifiable information (PII) as of December 31, 2021. Subsequently, the EDD completed its full review of remaining Department forms for PII on June 30, 2022.

As of June 30, 2022, a total of 3,150 forms have been reviewed and the following are the outcomes of the reviews:

- 1,200 - Contained no PII

- 877 - Deemed obsolete

- 84 - Removed all PII

- 989 - Retained some element of PII. These forms went through the Forms Governance Committee (FGC) for review and approval.

The enclosures included in Recommendation Three are as follows:

- Enclosure 1 provides more details related to the above numbers and provides a high-level summary of all forms reviewed for PII by program. It includes a summary of AB 499 (Chapter 155, Statutes of 2020) and highest volume mailed (also known as Claimant's Privacy Measures [CPM]) forms.

- Enclosure 2 provides a detailed list of AB 499 in scope forms mitigated as of June 30, 2022. (UI and DI program forms.)

- Enclosure 3 provides a detailed list of CPM in scope forms mitigated as of June 30, 2022. (UI and DI program forms.)

- Enclosure 4 provides a detailed list of remaining forms reviewed for PII as of June 30, 2022. (Remaining UI and DI forms; and other EDD program and administrative forms.)

California State Auditor's Assessment of Annual Follow-Up Status: Fully Implemented

EDD provided documentation showing that it completed its review and noted whether it removed PII. EDD should continue to evaluate and eliminate any unnecessary use of PII to continue implementing our recommendation.


Annual Follow-Up Agency Response From October 2021

In 2019, EDD established a Forms Governance Committee (FGC) which has authority over all EDD forms. In 4/2019, EDD formalized an EDD-wide standardized Forms Governance Policy & Process (FGPP) which limits the display of SSN & other PII. In 5/2019, the FGC outlined the FGPP & a schedule to review all EDD forms & remove unnecessary instances of PII by 12/2021. This effort continues to meet the 12/2021 timeframe. EDD also completed an EDD Forms & Publications Manual, Master Forms List, & calendaring system to track document governance clearance for any new forms created or revised. EDD is committed to review existing forms & remove any unnecessary PII in forms that are mailed to claimants with SSNs. As of 10/1/2021, a total of 2,532 forms have been reviewed: 1,175 contained no PII; 726 deemed obsolete; 64 removed all PII; 567 retained some element of PII & FGC reviewed & approved.

Enclosure 1 details a summary of all forms reviewed for PII by program. Also included is a summary of AB 499 & highest volume mailed forms. Of the 2,532 forms reviewed, 200 were mitigated to remove the full SSN. EDD is committed to comply with AB 499 provisions to remove SSNs from all external forms as soon as feasible, by 1/1/2023. In addition to the 20* highest volume forms mitigated, 20* AB 499 in scope forms were mitigated which are included in the 200 forms. Enclosures: 2 - List of AB 499 in scope Unemployment Insurance [UI] & Disability Insurance [DI] forms mitigated to date; 3 - List of CPM in scope UI & DI forms mitigated to date; 4 - List of remaining forms reviewed for PII to date (non-AB 499 & CPM forms for UI & DI; Tax; Workforce Services; other administrative forms.)

EDD is on track to complete its full review of existing external forms for PII by 12/31/2021.

*Number represents English forms reviewed & mitigated. When an English form is reviewed & mitigated, any other non-English version of the form is also reviewed & mitigated.

California State Auditor's Assessment of Annual Follow-Up Status: Pending


1-Year Agency Response

Program areas continue to assess where unnecessary Personally Identifiable Information (PII) can be eliminated, and the Forms Governance Committee (FGC) continues reviewing revisions of each form containing PII. The FGC has reviewed and approved a total of 58 forms through February 14, 2020. Please see Enclosure 2 detailing the first 23 forms that were discussed in the six-month status report, and Enclosure 3 detailing the status of the next 35 forms.

Of the 35 forms that were reviewed since the six-month status report:

- 4 forms had the SSN removed or replaced with the last four digits.

- 6 forms will have the SSN replaced (3 of these forms are referenced in the response to Recommendation One).

- 5 forms will continue to list PII for proper identification and/or proper program administration.

- 19 forms do not have PII displayed when mailed. The forms require PII when they are returned to EDD for program administration purposes.

- 1 form contained no PII when mailed to customers or returned to EDD.

The Document Governance Group (formerly the Document Governance Unit), which coordinates the FGC's review of EDD's forms containing PII, is close to being fully staffed. To ensure EDD meets its goals, staff are focusing their efforts on the Forms Publications Manual, Master Forms List, and a Master Schedule Calendar. The EDD remains on track to complete its full review of existing documents to remove unnecessary instances of PII by December 2021.

California State Auditor's Assessment of 1-Year Status: Pending


6-Month Agency Response

Programs completed reviews of their forms. They're assessing whether unnecessary PII can be eliminated. Enclosure 2 is a tool compiled by EDD's Document Management Division (DMD) in 5/2019 for the Forms Governance Committee (FGC) and EDD program areas' use to define PII. Also, as of 8/28/19, the FGC approved 23 forms' revisions. Enclosure 3 is the form list with: form number, name, utilizing program, and outcome from the review/revision of PII. Also attached are the reviewed 23 forms.

Our initial results show we were able to remove the full SSN or limit its display to the last four digits on 11 forms. We're proposing to replace the SSN on two additional forms; they're included in the 52 forms referenced in Recommendation 1's status. For the remaining 10 forms, we'll continue to display the SSN, as it was necessary for various business reasons. Moving towards BSM implementation, we'll further evaluate the necessity to keep the SSN or remove it. EDD's DMD is analyzing five additional form revisions, which will be submitted to FGC for review.

As part of the overall plan, EDD established the Document Governance Unit (DGU) in 7/2019 that's responsible for:

- creating/maintaining a publications manual to reinforce forms/publications standards;

- creating/maintaining a master Forms List and Schedule Calendar for forms design/development;

- coordinating clearance of forms containing PII through the FGC.

We anticipate a fully staffed DGU by 1/2020. EDD's on track to complete its full review of existing documents to remove unnecessary instances of PII by 12/2021.

California State Auditor's Assessment of 6-Month Status: Pending


60-Day Agency Response

The EDD established a Forms Governance Committee on November 9, 2018, which has authority over the creation, revision, and obsolescence of all EDD forms and publications. Further, to ensure that uniform design and content standards are applied to all EDD forms and publications, the Forms Governance Committee issued an Executive Notice 19-01 (Enclosure 2—sent separately) to all EDD employees on April 15, 2019, which announced a standardized Forms Governance Policy and Process. This policy addresses limiting the display of personally identifiable information to prevent unauthorized individuals from inadvertently accessing our customers' identities.

The Forms Governance Committee met with the Document Management Division, EDD Executives, and program staff on May 23, 2019. During this meeting, we discussed the new Forms Governance Policy and Process and creation of a schedule to review all existing forms. The program areas had already been assigned the task of reviewing forms based on usage during a prior meeting convened on January 29, 2019. EDD remains committed to eliminating the use of SSNs in documents mailed to claimants. We thank the CSA for its continued professionalism during this review and will provide the required six-month status by September 27, 2019.

California State Auditor's Assessment of 60-Day Status: Pending


Agency responses received are posted verbatim.