In another victory for AFGE’s National VA Council (NVAC) and Department of Veterans Affairs employees, the VA has agreed to comply with privacy laws and its own regulations after the council filed a national grievance against the agency for disclosing more than 500,000 employees’ records of COVID-19 vaccination status without employees’ permission.
In October last year, the agency disclosed a list of all employees who had certified their COVID-19 vaccination status in accordance with the VA’s Covid vaccination mandate policy. The list, which included employee names and positions, was sent to a number of people in senior leadership positions, including their executive assistants and support staff.
The VA violated the Privacy Act by disclosing personally identifiable information to individuals within the department without the express, written consent of employees or under any routine use or exception in Title 5. The Privacy Act also requires agencies to establish safeguards that ensure the security and confidentiality of records, but the department failed to do so.
On Oct. 31, 2022, the VA agreed to provide remedial training on the Privacy Act within 90 days to Healthcare Operation Center employees. Additionally, the VA will be sending a notice that an unauthorized transmission or disclosure of personal information has occurred, and that the VA will conduct any additional investigations as necessary.
“Disclosing the personal information of more than a half a million employees is unacceptable and irresponsible,” said AFGE NVAC President Alma Lee. “While we are glad that the VA has admitted to this wrongdoing and has notified our bargaining unit employees of the violation of their rights, we hope that a breach of this magnitude never happens again.”