Handling Sensitive Information

From Colettapedia
Jump to navigation Jump to search


Personally Identifiable Information (PII)

  • According to OMB Circular No. A-130, Personally Identifiable Information (PII) is any information that can be used to distinguish or trace an individual’s identity. It can be a name or other personal identifier that alone or when combined with other personal information, can be linked or is linkable to a specific individual, such as date and place of birth, citizenship, race, gender, photo, home address, personal e-mail address, cell phone number, etc. PII is considered sensitive if the loss of confidentiality, integrity, or availability of the data could be expected to have a serious, severe or catastrophic adverse effect on the affected individual(s) or NIH operations or assets.
PII is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

It is important to recognize that information that is not PII can become PII whenever additional information becomes available (in any medium and from any source) that would make it possible to identify an individual.

Examples of PII:

    Name for purposes other than contacting federal employees
    Photographic identifiers
    Biometric Identifiers
    Driver’s license number
    Vehicle identifiers
    Personal mailing/phone/email address
    Medical records number
    Medical notes
    Computer User ID

    Certificates, legal documents
    Device identifiers
    IP address (when collected with regard to a particular transaction)
    Military status
    Foreign activities
    Identifier that identifies, locates or contacts an individual
    Identifier that reveals activities, characteristics or details about a person
    Financial account information

Sensitive Information (SI)

  • Information is considered “sensitive” if the loss of confidentiality, integrity, or availability could be expected to have a serious, severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Protected Health Information (PHI)

Protected Health Information or PHI is a Health Insurance Portability and Accountability Act (HIPAA) term. PHI is any "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. NIH is not a covered entity or business associate and is not subject to HIPAA. HIPAA is pervasive in health care today. Clinicians and researchers outside of NIH may use the term when communicating about the sensitive PII that includes health history and medical notes.


    All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
        The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
        The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000 Elements or Dates (except year)
    All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
    Phone & Fax Numbers
    Email Addresses
    SSNs (full number and/or last 4 digits)
    Medical Record Numbers
    Health Plan Beneficiary Numbers
    Account Numbers
    Certificate/License Numbers
    Device Identifiers/Serial Numbers
    Vehicle identifiers and serial numbers, including license plate numbers
    Web URLs
    IP Address Numbers
    Biometric identifiers (including finger and voice prints)
    Full Face Photographic and Comparable Images
    Other unique identifying number, characteristic, or code (except the unique code assigned by a Principal Investigator to code data)

Privacy Laws

The Privacy Act was enacted in 1974. The Electronic Government (E-Gov) Act was enacted in 2002 as was the Federal Information Security Modernization Act (Title III of the E-Gov Act.)

In addition to these statutes, NIH must also comply with various Office of Management & Budget (OMB) Memoranda, Circulars, and HHS and NIH Privacy Policies.

The Fair Information Practice Principles (FIPPs), rooted in a 1973 Federal Government report from the Department of Health, Education, and Welfare Advisory Committee, “Records, Computers and the Rights of Citizens,” have informed Federal statute and the laws of many U.S. states and foreign nations, and have been incorporated in the policies of many organizations around the world.

In part, the Privacy Act requires agencies to:

    Limit the collection of personal information to what is necessary
    Publish a System of Records Notice prior to storing information in a record system designed to be retrieved by a personal identifier
    Comply with the law or face civil remedies and criminal penalties

The E-Gov Act requires agencies to:

    Conduct Privacy Impact Assessments for NIH entities
    Translate privacy policies into standardized machine-readable format;
    Post privacy notices on public-facing agency websites.

FISMA requires agencies to:

    Provide a comprehensive framework for IT standards and programs;
    Ensure integrity, confidentiality and availability of personal information;
    Perform program management, evaluation, and OMB reporting activities.

Contract Clauses

When the Privacy Act (PA) applies to contracts to design, develop, manage, or operate paper and electronic systems of records (SOR), the Contracting Officer must ensure the contract solicitation and award:

    State that the PA applies
    Cite the applicable Federal Acquisition Regulation (FAR) privacy clause(s)
    Identify the federal employee who will serve as the Government monitor of the contract
    Include a copy of the applicable Privacy Act SOR Notice published in the Federal Register

When a contractor is asked to develop, access, host and/or maintain a Federal IT system, the technical proposal must include a completed Security Assessment and System Security Plan. When Federal Information System Management Act (FISMA) security requirements need to be included in the contract solicitation, the IC Project Officer, ISSO and Privacy Coordinator can assist in selecting the appropriate language pertaining to the access or use of PII.

OMB Clearance/Approval

The NIH Project Clearance Branch is the control point for the OMB clearance functions under the Paperwork Reduction Act (PRA).

OMB clearance is required for a standardized data collection from 10 or more members of the public. The OMB proposal and supporting documents must be reviewed by the NIH Privacy Act Officer to determine if the Privacy Act applies to the information collection.

Section 2035 of the 21st Century Cures Act (P.L. 114-255) exempts research conducted by NIH from PRA requirements. Materials that are being considered solely for administrative or operational purposes may still be subject to PRA requirements.

For more information, contact the Office of Policy for Extramural Research Administration, Project Clearance Branch: https://grants.nih.gov/aboutoer/oer_offices/opera.htm.

Privacy Policy

The Privacy Policy is a single, centrally located statement that is accessible from an IC’s official homepage, application or paper form used to collect information from members of the public. It should be a consolidated explanation of the IC’s general privacy-related practices.

It should specify how the IC will use PII made available to NIH, who will have access to it, with whom it will be shared outside of NIH, whether and how long NIH intends to maintain the PII, how NIH will secure the PII it uses or maintains, what other privacy risks may exist and how NIH will mitigate them.

Privacy Notices

The Privacy Notice is a brief description of how the IC’s Privacy Policy will apply in a specific situation. It should serve to notify individuals before they engage with NIH and should be provided on the specific webpage, application or paper form where individuals have the opportunity to make PII available to NIH.

The phrase “make PII available” includes any NIH action that causes PII to become available or accessible to NIH, whether or not NIH solicits or collects it. In general, an individual can make PII available to us when s/he provides, submits, communicates, links, posts or associates PII while using our websites, applications or paper forms. “Associate” can include activities commonly referred to as “friending,” “following,” “liking,” “joining a group,” becoming a “fan,” and comparable functions.

Record Retention Schedules

  • When creating a new or modifying an existing System of Records, the IC Privacy Coordinator and Records Liaison should work with the Office of the Senior Official for Privacy to ensure the appropriate records retention schedule is documented in the SORN.

Policy Documents

Social Networking

Web sites (e.g., Facebook, Twitter, YouTube, LinkedIn), web tools (e.g., Google Analytics, Project Implicit) and web-based surveys (e.g., SurveyMonkey, SurveyGizmo) are easy to use and available at little or no cost. However, they continue to raise privacy, security and legal concerns.

Federal agencies have no control over the information third-party providers collect. Before the products can be purchased or used for Federal use, they must be configured to meet government standards.

Check with your IC Communications Director before using any social media tool to communicate a message to the public on behalf of your IC. Check with your ISSO if you need, as part of your job, to access a blocked social media website. Work with the  Office of General Counsel (OGC) to determine if your IC can agree to the legal provisions of the respective “federally friendly” Terms of Service (TOS) agreement negotiated by GSA for use by agencies. Coordinate with other key stakeholders within your IC as necessary to determine how your IC can participate in the use of social media.

Cloud Computing

Cloud computing involves the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer. Examples include: data storage sites, video sites, tax preparation sites, personal health record websites, photography websites, social networking sites, etc.

NIH staff must weigh the risks, benefits and legal liabilities for exposure of agency data and analyze both the provider being used and the information being put in the cloud.

    Warning: Gmail, Yahoo! and other free email services use cloud services!
    Do the data protections meet the requirements of FISMA?
    Could information in the owner’s cloud fall into the hands of a third party? If so, could the information be released without the owner’s knowledge?
    Is the cloud provider located in another state or the European Union (EU)? If so, the data could be permanently subject to state or EU privacy laws.
    What are the cloud service provider’s Terms of Service?
    What sort of security, privacy, and data protection assurances can they provide?

Health Information Exchanges

HIE is the mobilization of healthcare information electronically across organizations within a region, community or hospital system.

HIE provides the capability to electronically move clinical information among disparate health care information systems while maintaining the meaning of the information being exchanged. The goal of HIE is to facilitate access to and retrieval of clinical data to provide safer and more timely, efficient, effective, and equitable patient-centered care. HIE is also useful to public health authorities to assist in analyses of the health of the population.

HIE systems facilitate the efforts of physicians and clinicians to meet high standards of patient care through electronic participation in a patient's continuity of care with multiple providers.

Open government

OMB M-10-06, Open Government Directive directs agencies to implement the principles of transparency, participation, and collaboration to form the cornerstone of an open government and implement solutions that actively support privacy protections.

Transparency — provides the public with information about what NIH is doing by making it available online in a format that can be retrieved, downloaded, indexed, and searched by commonly used applications.

Participation — encourages the public to contribute ideas and expertise so NIH can make policies with the benefit of information that is widely dispersed in society.

Collaboration — encourages partnerships and cooperation with other federal and non-federal governmental agencies, the public, and non-profit and private entities in order to fulfill NIH core mission activities.

3rd Party Websites/Apps/add-ons

If NIH incorporates or embeds a TPWA on an official agency Web site, the agency must:

    Take the necessary steps to disclose the involvement of the third-party;
    Provide an alert that explains to visitors they are being directed to a non-government Web site that may have a different privacy policy;
    Apply appropriate branding to distinguish TPWAs from those of the agency;
    Limit to what is necessary, the amount of information collected through the use of a TPWA;
    Allow people to opt out from using the TPWA; and
    Ensure records are preserved properly.

NIH is prohibited from using Web technologies to:

    Track user individual-level activity on the Internet outside of the website or application from which the technology originates;
    Share with other agencies, the data obtained through technologies, without the user’s explicit consent;
    Cross-reference without the user’s explicit consent, any data gathered from Web measurement and customization technologies against PII to determine the individual-level online activity; and
    Collect PII without the user’s explicit consent.


  • LinkedIn is a treasure trove of easily accessible personal information and data about company/government staff that may disclose their role in IT system management. You may not be aware that hackers who want access to highly sensitive NIH data can find their point of entry using the LinkedIn networking forum. Conducting a search for NIH will turn up any number of professional profiles, some of which will include a business e-mail address. Once hackers have seen a few e-mail addresses, they learn the NIH e-mail address structure and can build an e-mail list of employees to target. Next, they will create a phishing e-mail, send out the bait and hook you as a target! Once they are able to compromise accounts and devices on the NIH network, SSNs or other sensitive data can be stolen.

Outward-facing website considerations

  • At a minimum, you need to consult with your IC Privacy Coordinator, Information Systems Security Officer, Paperwork Reduction Act Liaison, and Contracting Officer. The name and description of the database will need to be entered in the NIH Security Authorization Tool (NSAT) and a Privacy Impact Assessment will need to be completed. The Contracting Officer will need to ensure the contract award includes language that requires the firm to comply with Federal law. If the data you intend to store in the database will be solicited from members of the public, you may need to obtain OMB clearance of your information collection. These are just a few considerations to help you proceed with your initiative, all of which will help reduce risk to you and the agency.

Is it a federal record?

  • Is it an original document that does not exist elsewhere?
  • Is it needed to conduct or facilitate agency business or does it document a business decision, transaction, function, activity, organization, policy or procedure?
  • Does is contain information that is needed or useful to NIH in carrying out its mission, such as biomedical data or research protocols?
  • Is the material included in an NIH Records Control Schedule?