The New York Times this week broke the astounding story that a GOP super PAC had somehow obtained and circulated an unredacted copy of a security clearance application for Abigail Spanberger, the former CIA officer who is running for Congress as a Democrat in Virginia’s 7th Congressional District. The document was her SF-86, the extensive, intrusive form employees and contractors fill out as part of a security clearance background investigation. Over the next 24 hours, people in and out of the media slowly pieced together how this happened, revealing a long series of agency missteps that led inexorably toward this result.

Any one of the steps would have led to a different result had the responsible people had adequate training. But because of the complicated fact pattern, coupled with the accusations and counter-accusations being hurled by both sides and by observers, much of the reporting on this has been incorrect in whole or in part, sometimes even on the nature of the legal requirements. The lapses have so alarmed some working in U.S. national security fields that more than 200 former officials have signed a letter to Jeff T.H. Pon, the director of the Office of Personnel Management (OPM), and Dan Coats, the director of national intelligence, demanding “answers” about what happened and how.

In this piece, I will endeavor to explain exactly what appears to have happened (based largely on the correspondence that has been released, the follow-up investigation by Buzzfeed News, and the U.S. Postal Service’s eventual nostra culpa for the matter) and why it was different from what one should expect, and what lessons we should draw from this case.

The Relevant Facts

Prior to running for Congress, Spanberger worked both at the CIA and the Postal Inspection Service, a little-known law enforcement agency housed in the U.S. Postal Service (USPS). Since each position required a security clearance, she completed an SF-86 for each position. America Rising, a conservative super PAC, filed a Freedom of Information Act (FOIA) request with the National Personnel Records Center (NPRC) for her personnel records during her time at the Postal Inspection Service. The NPRC pulled her Official Personnel Folder, which included her SF-86, and forwarded it to the USPS corporate office.

The USPS corporate office then forwarded the file to the Human Resources Office, which then released the entire record to America Rising, which in turn handed the information to the Congressional Leadership Fund, a super PAC allied with House Speaker Paul Ryan. The information ultimately landed in the hands of news media.

The Legal Framework

Before delving into how this went wrong, it’s important to understand the legal framework. Two laws apply here: FOIA and the Privacy Act. These laws are often considered together since they overlap significantly, but for the purposes of this discussion it is important to note their differences. FOIA is a disclosure statute, meaning that its main purpose is to mandate the public disclosure of government information. However, FOIA also includes nine categories of information that are exempt from disclosure, one of which applies to information that is protected based on privacy considerations (called “Exemption (b)(6)”). Such personal information might include, for example, a social security number, a birth date, or a home address. As an exception to the exception, however, privacy-protected information can be released if there is an overriding public interest.

The Privacy Act, in contrast, is a protective statute (although it also has disclosure components), meaning that its main purpose is to protect the privacy of individuals whose information is collected and maintained by the government. In a nutshell, it states that a government agency cannot disseminate Personally Identifiable Information (PII) about someone without that person’s consent unless an exception (called a “routine use”) applies. However, release of information through the FOIA process is a recognized routine use.

Both of these statutes apply in this situation in a mostly complementary fashion. Under FOIA, the USPS should not have released Spanberger’s personnel or security records because they are exempt from disclosure under Exemption (b)(6), unless there was a finding of an overriding public interest. Under the Privacy Act, the USPS was prohibited from releasing Spanberger’s personnel or security records without her consent unless a routine use applied.

Where It All Went Wrong

As I stated above, there were numerous bad decisions that must have occurred to lead to this result, and I’ll lay them out in roughly chronological order. Surprisingly, the stage was set for this result well before America Rising even considered filing its FOIA request, back when Spanberger still worked for the Postal Inspection Service: There was no reason for her SF-86 to even be in the Official Personnel Folder stored at the NPRC.

Civilian personnel records for employees who left federal service after 1951 are stored at the NPRC, but they remain the property of OPM. Legally, this means that the NPRC, which is a component of the National Archives and Records Administration, does not have any authority to release them to third parties, and the most it can do in response to a FOIA request is pull the appropriate personnel folder and refer the records to either OPM or the agency where the former employee worked.

This means that OPM rules apply to these records. And OPM rules state unequivocally that SF-86s are not to be filed in the Official Personnel Folder. This means that when the Postal Inspection Service put a copy of Spanberger’s SF-86 in her personnel folder, it violated OPM’s rules. Likewise, the NPRC would have violated OPM’s rules if it had added an SF-86 after it took possession of the folder when she left the Postal Inspection Service, since an Official Personnel Folder covers an entire federal career. So, first things first, the SF-86 should not have been there in the first place.

Once America Rising made its request to the NPRC, the mistakes began to pile up. An NPRC employee searched for and located Spanberger’s Official Personnel Folder. That appears to be the last correct decision anyone made in this whole story. That employee then inexplicably forwarded the folder to the USPS corporate headquarters, rather than to the appropriate FOIA office, where any responses to FOIA requests should be processed by employees who are trained in FOIA and privacy.

This mistake is exacerbated because even the USPS FOIA office would not be the appropriate recipient of such a referral, since the Postal Inspection Service is a separate component of the USPS with its own FOIA office. This means that, not only did this NPRC employee send the personnel folder to the wrong office, they referred it to the wrong office in the wrong agency.

Had they referred it to the USPS FOIA office, it undoubtedly would have been processed properly. Had they referred it to the Postal Inspection Service FOIA office, it undoubtedly would have been processed properly. Had they even referred it to the Postal Inspection Service headquarters, it probably would have been redirected to the proper office, since the Postal Inspection Service is a traditional government law enforcement agency staffed by traditional government employees who are familiar with standard Executive Branch rules and regulations, as opposed to a government-owned corporation like the USPS. This NPRC employee accordingly had a 75 percent chance of referring Spanberger’s personnel file to an office which could have properly processed the records for release, and still the person failed to do so.

The same can be said for the employee at the USPS headquarters who tasked the Human Resources Office to handle this matter. In all fairness, that employee likely did not know what they were looking at when they received the package from the NPRC, since I would hope they don’t get a lot of such incorrect referrals from the NPRC (although the USPS has suggested that it has happened more than once since June). However, once again, 75 percent chance of a correct referral, and another person took Door #4.

Once the Official Personnel Folder is forwarded to the Human Resources Office, the litany of errors is almost complete. Not only does the Human Resources employee (who was identified by America Rising shortly after the accusations began to fly) not realize that this should be handled by a FOIA office — any FOIA office — but she also apparently fails to recognize the relevance of all the mandatory privacy training she almost certainly received over the years.

Government employees can be demoted, suspended, and even fired for releasing PII, and the Privacy Act even allows for criminal liability in some cases. As a Human Resources officer, who would regularly have control over probably more PII than most of the rest of the agency, she had to have been trained in its protection. And if such training is not standard at the USPS, then that fact by itself should warrant an investigation.

Despite all that training, the USPS Human Resources employee sent a totally unredacted personnel file to a third party. This also explains why Spanberger’s requests for her own records are still being processed by the USPS FOIA office, which is undoubtedly reviewing them carefully as the law requires, while America Rising’s request moved so quickly; it did so because the wrong people were handling it.

Why It’s a Problem, and Why It’s Not

This sequence of events led to the public dissemination of a public servant’s most private information. That is undeniably a lamentable result, but not for the reasons some seem to think.

In an Aug. 29 conference call with news media, a member of Spanberger’s team stated that SF-86s “are not subject to FOIA or the Privacy Act.” I’ve seen a few people repeat this claim in discussing this case, and it’s simply wrong. SF-86s are definitely subject to both FOIA and the Privacy Act. They are generally exempt under Exemption (b)(6), but that’s different from not being subject to the laws at all.

The distinction comes from the exception to the exception, in which information that may otherwise be protected by Exemption (b)(6) must be disclosed in the presence of an overriding public interest. If SF-86s were not subject to FOIA, then no amount of public interest could compel their release, but this is not the state of the law. In fact, a portion of Attorney General Jeff Sessions’ SF-86 was released last year through the course of FOIA litigation (albeit not due to an overriding public interest), and I am currently involved as plaintiff’s counsel in FOIA litigation to access the security clearance files (including SF-86s) of several senior Trump administration officials, based on the theory of overriding public interest.

However, simply saying that an overriding public interest can result in the disclosure of such records is a far cry from saying it is a foregone conclusion. In my experience, no agency has ever released an SF-86 to a third party in the absence of a privacy waiver through FOIA without a fight. The reasons for this are obvious. Not only do these forms include an almost unimaginable amount of PII about the employees, but also about their family members, friends, and co-workers. That is why this release is so bizarre.

If the USPS Human Resources officer had redacted names, social security numbers, birthdates, addresses, and similar information, but released the rest, it could be argued that a balancing test was performed and the employee just decided the public interest was greater, but that wasn’t the case. She released everything. And in doing so, she broke almost every privacy rule in the book, as well as opening herself up to possible criminal liability. Because, as I stated above, releasing this information is only allowed under the Privacy Act if it is through a routine use, like a FOIA release made by a FOIA office, and the Human Resources officer did not do that. Because she released it outside of the FOIA process, no routine use applies.

All that said, even though this case is undeniably unfortunate, it should not be taken as an example of the evils of releasing SF-86s. It is true that there is a vested national security interest in ensuring that people are candid and forthcoming when completing these forms. But I don’t believe that the prospect of them possibly being released through FOIA in an extreme situation is enough to threaten that interest.

First of all, the form warns applicants on the second page that the information might be released through FOIA by listing the routine use of “to the news media or the general public, factual information the disclosure of which would be in the public interest and which would not constitute an unwarranted invasion of personal privacy.” Second, people completing this form have the compelling interest of wanting to obtain a security clearance, which they are very likely to be denied if an agency learns that they have withheld information; in my experience as a security clearance lawyer, few things are taken more seriously by clearance adjudicators than omitting information from an SF-86.

The balancing test exists for a reason, and it is not beyond the realm of possibility that, had this been put through the FOIA process, parts of Spanberger’s SF-86 would have been properly released. She is a candidate for elected office, and a reasonable argument can be made that the voters are entitled to know, for example, some details of her work history. The problem here is that that decision was taken out of the hands of the people trained to make it by a series of mistakes and oversights that could’ve been avoided through proper training on privacy.

The Theodore Roosevelt Federal Building that houses the Office of Personnel Management headquarters in Washington, DC. (Photo by Mark Wilson/Getty Images)