Postal Service records management is based on best practices, business needs, and legal requirements. When considering whether to release records publicly, the Postal Service balances the confidentiality and privacy of the records with the public’s right to access those records to the maximum extent possible. These considerations are in accordance with Handbook AS-353, Guide to Privacy, the Freedom of Information Act and Records Management, and 39 CFR 265, which implements the FOIA (5 U.S.C. 552) and the Privacy Act (5 U.S.C. 552a).
Protecting Postal Service information resources and sensitive information (including customer and employee PII) is an essential element of privacy considerations, and can be particularly important when the Postal Service purchases IT or other information processing and information gathering services or when we make purchases that involve the collection and generation of PII. In such cases, coordination with the CISO is necessary, as discussed in Section 8-4, Information Technology. Additional information on the security aspects of IT purchases or other information processing and information gathering services is found in Section 8-4, Information Technology.
Suppliers that have access to customer or employee data, or operate a customer Web site, may be subject to the Postal Service’s privacy requirements implementing the Privacy Act and its privacy policy posted on http://About.usps.com/who-we-are/privacy-policy/welcome.htm. Clause 1-1: Privacy Protection is incorporated by reference in Clause 4-2: Contract Terms and Conditions Required to Implement Policies, Statutes or Executive Orders when checked off by the CO. The clause must be included in:
- Contracts in which a supplier or subcontractor operates a Privacy Act system of records on the Postal Service’s behalf;
- Contracts in which a supplier or subcontractor will have access to any Postal Service customer or employee information, including address information;
- Contracts in which a supplier or subcontractor assists the Postal Service in establishing or administering a customer Web site or places links or ad banners on a Postal Service Web site or any Web site on the Postal Service’s behalf; or
- Contracts in which a supplier or subcontractor assists the Postal Service to conduct a marketing e-mail campaign.
In most cases, suppliers must turn over all customer or employee information in its possession to the Postal Service upon completion of the contract. Under certain circumstances, suppliers will retain the information, and in these cases the CO must work with the Privacy Office and Assigned counsel to ensure that all interests are protected. In all cases, purchase/SCM teams should work with the CPO and Assigned counsel to ensure that the Postal Service’s privacy commitments are upheld.