Current through October 31, 2024
Section 105-64.107 - What standards of conduct apply to employees with privacy-related responsibilities?

(a) Employees who design, develop, operate, or maintain Privacy Act record systems will protect system security, avoid unauthorized disclosure of information, both verbal and written, and ensure that no system of records is maintained without public notice. All such employees will follow the standards of conduct in 5 CFR part 2635, 5 CFR part 6701, 5 CFR part 735, and 5 CFR part 2634 to protect personal information.

(b) Employees who have access to privacy act records will avoid unauthorized disclosure of personal information, both written and verbal, and ensure they have met privacy training requirements. All such employees will follow GSA orders HCO 9297.1 GSA Data Release Policy, HCO 9297.2A GSA Information Breach Notification Policy, HCO 2180.1 GSA Rules of Behavior for Handling Personally Identifiable Information (PII), CIO P 2100.1E CIO P GSA Information Technology (IT) Security Policy, and CIO 2104.1 GSA Information Technology (IT) General Rules of Behavior.

(c)(1) The following conditions must be met for the inclusion of an unredacted (full) SSN or partially redacted (truncated) SSN on any document sent by mail on behalf of the agency:

(i) The inclusion of the full SSN or truncated SSN of an individual must be required or authorized by law; and

(ii) The document must be listed on the USMDL.

(2) Even when the conditions set forth in paragraph (c)(1) are met, employees shall redact SSNs in all documents sent by mail where feasible. Where full redaction is not possible due to agency requirements, partial redaction to create a truncated SSN shall be preferred to no redaction.

(3) In no case shall any complete or partial SSN be visible on the outside of any envelope or package sent by mail or displayed on correspondence that is visible through the window of an envelope or package.

74 FR 66246, Dec. 15, 2009, as amended at 88 FR 32140, May 19, 2023