Now the press is finally reporting what is in a passport file. Not much it turns out (as I suspected):
The State Department said the only document kept in an individual's passport file is the application package. The application form includes information such as place of birth and Social Security number. The passport system has between 180 million and 200 million applications in its database.
"Passport files do not contain travel information, such as visa and entry stamps, from previous passports,'' State Department spokesman Sean McCormack said. "Almost all passport files contain only a passport application form as submitted by the applicant.''
"Passport files do not contain travel information, such as visa and entry stamps, from previous passports,'' State Department spokesman Sean McCormack said. "Almost all passport files contain only a passport application form as submitted by the applicant.''
Come to think of it, anyone who has a passport would know what is in an application. Presumably this also includes a fair number of reporters. Funny how this question wasn't asked earlier.
Another interesting factoid is that some 200 million applications are in the database. I thought that only something like 25% of US Citizens had passports (75 million or so). But I suppose the number would increase considering passport renewals and the sudden increase in applications due to new requirements for travel to Canada, Mexico, and the Caribbean.
We also learn that there are 2600 contractors and 1800 employees. 4400 total staff seems like a lot, but perhaps not unreasonable given the volume of work. I wonder how it compares to other countries or for processing other kinds of documents. . .
All in all, it is a fact that when you submit a passport application, you are providing certain personal information to the State Department. It is exactly the same kind of information you provide the IRS, a bank, and all manner of public and private entities. Lots of people see this information in the course of their work. In some small percentage of cases, your information may be looked at without good reason, but so long as the data is not leaked outside, or used for illicit purposes, the issue is minor. As a practical matter we accept this level of access to our personal information because of the convenience it provides.
Nevertheless, there does appear to be room for improvement:
1) sensitive data such as social security number or address could be masked in the system and made available only when it is really needed.
2) sensitive persons should have their data blocked from general access, such that only specially authorized staff can view it.
3) the reporting system for breaches must be strengthened so that issues are reported faster.
4) training should not use live data. . .dummy data, and test systems should be used for training. only after the training is completed should staff be given access to the live system.
These types of controls are no different from what regulators require of the private sector, with the FDA and financial regulators being two that come to mind.