SBA stumbles on e-mail privacy

Agency addresses a policy loophole that posed a threat to whistle-blowers

The Small Business Administration has issued a temporary directive to prevent officials from accessing employees’ e-mail inboxes without prior approval from the chief privacy officer. SBA published the directive after officials discovered the agency had no e-mail policy to protect whistle-blowers.

SBA officials, with help from the agency’s general counsel and inspector general, also are drafting an agencywide policy that would establish rules for conducting an administrative review of an employee’s e-mail messages and the authorization required for such a review.

The new directive, published Oct. 17, and the policy review follow an incident earlier this year in which an SBA manager retrieved a whistle-blower’s e-mail messages without notifying or getting approval from the agency’s chief privacy officer.

The manager, who worked at a processing and distribution center in SBA’s Office of Disaster Assistance, accessed the employee’s e-mail inbox after a congressional committee hearing at which the employee had submitted a statement and asked to remain anonymous. While working with the committee, the whistle-blower also was a confidential source for SBA’s IG, according to the IG’s account of the incident.

The IG concluded that the manager’s actions were inappropriate but did not violate rules because the agency had no clear policy or procedures governing managers’ access to employees’ e-mail. Herbert Mitchell, SBA’s associate administrator for disaster assistance, wrote to the IG that the manager involved in the incident had no intention of retaliating against the whistle-blower.

However, the incident prompted the IG to notify SBA’s chief privacy officer. “Management’s ability to intercept confidential [e-mail messages between employees and the Office of Inspector General] raises troubling questions about whether agency employees can confidently and securely bring confidential complaints to the OIG’s attention,” Debra Ritt, assistant IG for auditing, wrote in an Oct. 19 letter to Christine Liu, SBA’s chief information officer and chief privacy officer.

The IG would not comment on the incident.

Rep. Henry Waxman (D-Calif.), chairman of the Oversight and Government Reform Committee, said Oct. 31 that agencies must maintain a proper balance between enforcing employees’ proper use of e-mail and preventing managers from misusing e-mail to obstruct an investigation. The House, with broad support, passed Waxman’s Whistleblower Protection Enhancement Act in March.

Ritt wrote to Liu that employees who bring complaints to the IG about their agency must, by law, remain confidential and be protected from retaliation. However, in practice, and in the absence of clear policies, managers often can easily find out who whistle-blowers are.

Ritt said SBA lacked a clear policy on e-mail when the incident occurred. An SBA policy document, “Appropriate Use of SBA’s Automated Information Systems,” provides no guidelines on when officials could authorize a review of employee e-mail messages, when such a review would require approval, and who would review the messages.

7 guidelines for writing privacy policies

Policy experts say a good privacy policy allows agency managers to enforce the proper use of e-mail and prevents managers from unauthorized snooping.

The Office of Management and Budget issued a memo in 2005 that directs agencies to designate a privacy officer and create policies to protect personal information. The memo leaves the details of those policies to each department’s discretion. However, Karen Evans, OMB’s administrator for e-government and information technology, offered several policy guidelines.

  • Talk to the inspector general before writing privacy policies.

  • Make sure policies fit the agency’s mission and match the agency’s needs.

  • Maintain a balance between enforcing the proper use of e-mail and protecting employees’ privacy.

  • Write policies that are clear to employees.

  • Inform managers, supervisors and employees of their responsibility for protecting employees’ privacy rights and the consequences of violating those rights.

  • Keep the policies current.

  • Review the policies when deploying new information systems or making major changes to existing systems.


— Matthew Weigelt