United States Department of the Interior
OFFICE OF THE SECRETARY
Washington, D.C. 20240
Memorandum
NOV–8 2001
To: Solicitor
Inspector General
Assistant Secretaries
Heads of Bureaus and Offices
From: P.Lynn Scarlett
Assistant Secretary for Policy, Management, and Budget
Subject: Protection of Sensitive Information
The events of September 11 and the weeks that have followed should leave no doubts that we are living and working in a greatly changed world. Prominent American icons have been attacked and it is prudent to anticipate that further attacks are entirely probable. Clearly, we must make every reasonable effort to prevent unauthorized or inadvertent disclosure of particularly sensitive information that could aid in planning or executing future attacks.
The current situation requires that we reassess whether certain kinds of information, which may have been available to the public on websites, reading rooms, libraries and similar venues should continue to be available in these ways. It also requires us to reassess the extent to which other information, on internal computer systems and at other locations such as offices, needs to be made inaccessible to the public and even to employees who do not have a legitimate “need to know.” The determination of whether information is particularly sensitive requires thoughtful, rational decisions on the part of all senior managers, program managers, and information owners. To determine if certain information is particularly sensitive, at a minimum the following questions should be asked:
-
Would the decision to protect or not protect the information be in compliance with public laws, Executive Branch directions, Federal standards, and DOI’s own policies? Further, in the absence of precise guidance, would the decision to protect or not protect be considered reasonable and prudent?
-
Could a compromise of the information reasonably be expected to directly or indirectly lead to a loss of life, property, money, or public confidence?
-
Could the compromise of the information reasonably be expected to prevent or severely hamper DOI’s ability to conduct its primary missions or respond to a future attack?
Once a determination is made that the information is particularly sensitive, physical and electronic access should be restricted to only those employees or other authorized individuals with a legitimate need to know the information. At the same time we must recognize that any actions to restrict public and other access to information must be undertaken in accordance with legal requirements. Also, where an individual requests information in accordance with the requirements of the Freedom of Information Act (FOIA) or the Privacy Act, release of the information is required unless protected from release by the applicable statute.
Questions concerning the protection of information should be directed to the Deputy Chief Information Officer on (202) 208–6194. Questions concerning FOIA or Privacy Act should be directed to appropriate bureau FOIA or Privacy Act officers.