Personnel Privacy, New I-9 Forms, Removal of SSN Requirements and IT Involvement

Early this year I did a data flow analysis for I-9 compliance, and I blogged a few months ago about I-9 related issues in “New Tennessee Law Prohibits Using Federal Individual Taxpayer ID as Proof of Immigration Status.”
I-9 compliance issues impact many areas of an organization. However, within most organizations many areas, such as IT and information security, are not aware of the I-9 compliance issues and unknowingly put the company at noncompliance jeopardy. Compliance with any law or regulation that involves personally identifiable information (PII) usually require the involvement of legal, IT and information security areas.


On November 7 the Homeland Security Department’s U.S. Citizenship and Immigration Services (USCIS) released a revised I-9 form (formally called the “Employment Eligibility Verification Form”). This revision makes significant changes to the kinds of documents a new employee must provide to potential employer to prove his or her identity and employment eligibility.
As opposed to the previous version of the I-9 form, this new version is in compliance with the 1997 regulation implementing the Illegal Immigration Reform and Immigrant Responsibility Act of 1996 (starting on page 547).
The revised I-9 removed five (5) of the formerly acceptable types of documents from being an acceptable proof of identity and employment eligibility to eliminate the opportunities for counterfeits and fraud.
A new document was added to the list of acceptable forms of proof of identity and employment eligibility.
The acceptable documents now include:
* The most recent version of the Employment Authorization Document (Form I-766)
* A U.S. passport
* A Permanent Resident Card (Form I-551)
* An unexpired foreign passport with a temporary I-551 stamp
* An unexpired Employment Authorization Document that contains a photograph (Form I-766, I-688, I-688A, or I-688B)
* An unexpired foreign passport with an unexpired Arrival-Departure Record (Form I-94) for nonimmigrant aliens authorized to work for a specific employer
The I-9 processing procedures were also updated to reflect not only these new lists of documents, but also to help strengthen the controls to prevent tampering, fraud and counterfeits.
And this should be of interest to those of you tracking the use of social security numbers (SSNs): Additional changes include not obligating employees to provide their Social Security number in Section 1 of the form, unless the employer participates in E-Verify, DHS’s electronic employment eligibility verification system.
So how do these changes impact IT?
Here are just a few possible ways:
* There will likely need to be changes made in the applications used to process and track I-9 forms and associated information. For instance, checks to ensure only the new list of documents are used, removing the 5 documents that are no longer acceptable and adding the new document.
* There may need to be a new check added related to no longer needing to use the SSN, along with validation of E-Verify participation.
* There may need to be changes made within the databases used for storing I-9 forms and information. A new form being accepted often results in the need to restructure databases.
So, how do these changes impact information security and privacy practitioners?
Here are just a few possible ways:
* Controls need to be in place to ensure only those with a business responsibility can access the information contained on the I-9 forms.
* Retention standards need to be reviewed to ensure they are in compliance with the most up-to-date requirements.
* They need to be able to answer questions from employees and job candidates about the security and privacy of PII.
* They need to ensure SSNs are being used only as lawfully allowed throughout the organization.
See the revised I-9 here.
See the revised handbook is here.

Tags: , , , , , , , , , , , , , ,

Leave a Reply