Ames Laboratory Privacy and Personally Identifiable Information (PII) Training

Upload: flora-johnson

Post on 29-Dec-2015

Page 1: Ames Laboratory Privacy and Personally Identifiable Information (PII) Training

Ames Laboratory Privacy and Personally Identifiable Information (PII) Training

Page 2: The Privacy Act

• Allows the Laboratory to maintain information about an individual that is relevant and necessary.
• All DOE employees and contractors are subject to the Privacy Act and must comply with it.
• Complying with the Privacy Act
  - Governs the ability to maintain, collect, use, or disseminate a record about an individual
• Safeguarding PII
  - Define and protect

Page 3: System of Records

• Information collected must be stored in a System of Records (SOR).
• SORs at the Ames Laboratory include:
  – Foreign Visits and Assignments.
  – Access Control (photographs).
  – Personnel Radiation.

Page 4: Potential Privacy Violations

• Evaluate your day-to-day activities
• Phone Calls
  – Ensure that shared data meets the need-to-know requirement.
  – Be conscious of your surroundings.
  – Do not use wireless or cordless phones when discussing PII.
• Common Information Handling Errors
  – Unauthorized information sharing
  – Browsing or using personal information

Page 5: Penalties

• Criminal misdemeanor for each offense
• Fines up to $5,000
• Civil penalties

Page 6: Privacy Principles

It is each employee’s responsibility to:
• Assess and determine whether or not the information used is considered Protected PII.
• Protect the privacy of the individuals who entrust us with their information.
• Only share Protected PII with others for authorized purposes. Check with HR before sharing Protected PII information with a third party.
• Limit the exposure of Protected PII data and disclose the information on a “need to know” basis.
• Think Twice Rule:
  • Is it reasonable?
  • Is it necessary?

Page 7: Recognizing PII Systems and Data

• DOE defines two classes of PII data:
  – Public PII data is available in public sources such as phone books, public web pages, business cards, etc.
  – Protected PII data is not available in public sources, and, if compromised, can cause serious or severe harm to an individual (e.g., identity theft).
• PII systems are used to store and process Protected PII data for multiple individuals.

Page 8: Protected PII Examples

– Social Security Numbers (SSN)
– When associated with an individual (SSN + any of the following):
  – Place of Birth
  – Date of Birth
  – Mother’s maiden name
  – Biometric data
  – Medical information
  – Criminal history
  – Financial information
  – Employment history
  – Ratings
  – Disciplinary actions

Page 9: Public PII Examples

– Individual’s name or other identifier
– Phone numbers
– Email addresses
– Digital pictures
– Medical information pertaining to work status (X is out sick today)
– Medical information included in a health or safety report
– Personal information stored by individuals about themselves on their assigned workstation or laptop
– Birthday cards
– Birthday emails
– Resumes, unless they include a Social Security Number
– Present and past position titles and occupational series
– Present and past grades
– Written biographies
– Academic credentials
– Present and past annual salary rates
  • Performance awards and bonuses
  • Incentive awards
  • Merit pay
  • Meritorious or Distinguished Executive Ranks
  • Allowance and differentials

Page 10: PII Protection Standards

Public PII
• Requires NIST Low Baseline controls (see NIST document 800-53 for more details)
• Protect to the same level as other program / department data

Protected PII
• Requires NIST Moderate Baseline controls (see References for more details)
• Any suspected compromise of Protected PII data MUST be reported to Cyber Security staff within 45 minutes.
• May not be stored on portable media (e.g., CDs, USB keys, or backup media) without FIPS 140-2 compliant encryption (see the IS office for details).
  – Files stored on portable media must be deleted within 90 days, or approval for continued use must be documented.
• May not be stored on portable computing devices (e.g., laptops or PDAs) without a waiver from DOE.
• Any system used to store this data must reside within a moderate network enclave.
  – No Internet access except by request.
  – Any remote access requires 2-factor authentication.
  – Users may not have administrative privileges.
• Workstations used to access PII data must implement 10 minute screen locks, and must only be used by users authorized to access PII data.

Page 11: Ames Laboratory PII Reporting Process

• A device designated as a PII system must be reported to the HR office.
  – Be alert for systems not previously designated as a PII System.
• The system will be located in the Moderate Enclave and moderate security controls will be applied (details available in the references).
• Annual training will be required for all users of the system.
• An annual review of the system will be conducted to ensure controls are in place.

Page 12: Recommendations

• Limit the number of systems storing PII data.
  – A central system is available to provide storage of PII data and controlled data access via Microsoft file shares. Encrypted backups are performed on a daily basis. This system is covered by appropriate moderate controls. Use this system for storing PII data instead of a desktop device. Contact the IS Office at 4-8348 or [email protected] for more information.
• Data retention and disposal.
  – PII should be limited to only that information which is specifically needed to carry out duties.
  – PII data should only be retained for as long as is necessary to fulfill its intended purpose.
  – Appropriately dispose of PII when it is no longer necessary to retain it.
  – Contact the HR Office with questions.
• Know the flow of PII data.
  – Where does the data come from?
  – How is it backed up?
  – Which users and which computers need access to the data?

Page 13: PII Incident Reporting

• Protected PII, regardless of whether it is in paper or electronic form, must be protected from unauthorized access or disclosure throughout its lifecycle.
• [PII, DOE O 206.1] Any known or suspected loss of control or unauthorized disclosure of Protected PII must be reported.
• [Privacy Act] Any unauthorized disclosure of Protected PII contained in any System of Records (SOR) must be reported.
• Suspected or confirmed incidents involving the breach of Protected PII or an SOR must be reported to the IS Office (4-8348 or [email protected]) within 45 minutes of discovery.

Page 14: Summary

It is your responsibility to safeguard PII.

Loss of PII:
– Can lead to identity theft (which is costly to the individual and the government)
– Can result in adverse actions being taken against the employee who loses PII
– Can erode confidence in the Government’s ability to protect personal information

Page 15: References

• Policy, Procedures, Guides and Forms for Ames Laboratory:
  - https://www.ameslab.gov. Select Forms & Documents (lower left).
  - The Policy section details the controls required in the 800-53 Moderate baselines, and the Moderate CSPP.
• DOE Order 206.1 Department of Energy Privacy Program:
  - https://www.directives.doe.gov/directives/current-directives/206.1-BOrder/view
• NIST Special Publications for protecting Moderate data:
  - http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
  - http://csrc.nist.gov/publications/drafts/800-53-Appdendix-J/IPDraft_800-53-privacy-appendix-J.pdf

Page 16: Confidentiality Agreement

• Please print and sign the Ames Laboratory Confidentiality Agreement (you must be logged into the Ames Laboratory website to access the document) and return it to Human Resources in 105 TASF.

Page 17: Assessment Tool

• Please return to Cyber Train:
  – Click on “My Record,” and “Classes”
  – Click on the course test icon
• You must achieve 80% on the test, and you can only attempt it once.