
LBNL Implementation

Each CRD clause below is presented with four fields, matching the columns of the implementation table: CRD Clause/Language, Implementation, Assurance Systems, and Status.

1(a)

CRD Clause/Language: Ensure compliance with privacy requirements, specifically those provided in the Privacy Act of 1974, as amended at Title 5 United States Code (U.S.C.) 552a, and take appropriate actions to assist DOE in complying with Section 208 of the E-Government Act of 2002, and associated Office of Management and Budget (OMB) directives.

Implementation: This has been implemented. LBL's Privacy Program addresses the handling of both UC-owned Personal Information and DOE-owned PII. Compliance with the Privacy Act is established as to DOE-owned PII. Otherwise, LBL manages UC-owned personal information in accordance with UC policy and California law. Although the ownership status of a record set determines which requirements apply to its processing, some requirements apply equally to the handling of both UC- and DOE-proprietary records.

Assurance Systems: The Privacy Program oversees compliance with these requirements. Privacy-by-design assessments are specifically tailored to evaluating which, if any, Privacy Act and/or E-Government Act requirements apply to a specific personal information collection. Where those requirements are triggered, the Privacy Officer ensures that they are addressed.

Status: In compliance.

1(b)

CRD Clause/Language: Ensure that contractor employees are aware of their responsibility for:

(1) safeguarding Personally Identifiable Information (PII);

(2) reporting suspected or confirmed breach of PII; and

(3) complying with the Privacy Act, when required.

Implementation: This requirement is implemented through training and awareness, including Berkeley Lab's RPM. See Security for Information Technology and PII & Information Security Training.

Assurance Systems: Training materials are reviewed periodically by the Privacy Officer in response to changes in the regulatory environment, end-user feedback, and stakeholder [SOMETHING].

Status: In compliance. Privacy training modules are under review and will be updated during FY 2021-22.

2(a)

CRD Clause/Language: Ensure contractor employees are made aware of their roles and responsibilities for reporting suspected or confirmed breach of PII.

Implementation: This requirement is implemented through training and awareness, including Berkeley Lab's RPM. See Security for Information Technology and PII & Information Security Training. Note that Privacy training modules are under review and will be updated during FY 2021-22.

Assurance Systems: Berkeley Lab's training system tracks end-user completion of training modules.

Status: In compliance.

2(b)

CRD Clause/Language: Ensure contractor employees are cognizant of the following DOE Privacy Rules of Conduct. At a minimum, ensure contractor employees:

(1) Are trained in their responsibilities regarding the safeguarding of PII.

(2) Do not disclose any PII contained in any SOR except as authorized.

(3) Report any suspected or confirmed breach of PII involving Federal information, without unreasonable delay, consistent with the agency's breach response procedures outlined in DOE O 206.1 and US-CERT notification guidelines.

(4) Assist with the investigation and mitigation of harm (including necessary PII removal or encryption within the IT system, notifications, credit monitoring, and other appropriate measures) following a breach of PII involving Federal information under the custody of the contractor.

(5) Observe the requirements of DOE directives concerning marking and safeguarding sensitive information, including, when applicable, DOE O 471.3, Identifying and Protecting Official Use Only Information, current version.

(6) Collect only the minimum PII necessary for the proper performance of a documented agency function.

(7) Do not place PII on shared drives, intranets or websites without permission of the System Owner.

(8) Challenge anyone who asks to see the PII for which they are responsible.

Implementation: This requirement is implemented through training and awareness, including Berkeley Lab's RPM. See Security for Information Technology and PII & Information Security Training. Note that Privacy training modules are under review and will be updated during FY 2021-22.

Assurance Systems: See above.

Status: In compliance.

2(c)

CRD Clause/Language: Ensure that contractor employees complete an Annual Privacy Awareness Training that includes the requirements of DOE O 206.1 and sign the completion certificate acknowledging their responsibility for maintaining and protecting Privacy Act information prior to being authorized access to all information systems.

Implementation: We track training completion of our annual privacy and security training (SEC201) and of the Protected Information Training modules.

Assurance Systems: See above. Employee training completion records are tied and timestamped to employee IDs.

Status: In compliance.

2(d)

CRD Clause/Language: Ensure contractor employees are cognizant of the fact that PII subject to the requirements of the Privacy Act must be maintained in a Privacy Act SOR.

Implementation: This is incorporated into Berkeley Lab's role-based training modules.

Assurance Systems: See above.

Status: In compliance.

2(e)

CRD Clause/Language: Ensure that contractor employees recognize differences between PII and the Privacy Act and the different obligations created by both authorities. Most personal information about an individual will fall under both the Privacy Act and OMB directives governing the safeguarding of PII. However, contractors must be cognizant that these are two separate authorities that impose different responsibilities on federal and contractor employees for safeguarding information. PII that is in a SOR is subject to the restrictions and penalties of the Privacy Act. PII not maintained in a Privacy Act SOR should be protected and only disclosed for authorized purposes.

Implementation: This is incorporated into Berkeley Lab's role-based training modules.

Assurance Systems: See above.

Status: In compliance.

2(f)

CRD Clause/Language: Ensure contractor employees are cognizant of the fact that non-compliance with the Privacy Act carries criminal and civil penalties.

Implementation: This is incorporated into Berkeley Lab's role-based training modules.

Assurance Systems: See above.

Status: In compliance.

2(g)

CRD Clause/Language: Allow and cooperate with inspection or investigation to determine compliance with this CRD.

Implementation: Berkeley Lab cooperates with DOE on any inspection or investigation initiated by DOE as needed.

Assurance Systems: N/A

Status: In compliance.
