Parent Policy: Controlled and Prohibited Information Categories
Document#: 10.08.001.001
If you're involved in the collection, use, and management of Personal Information rated "Controlled," you must follow the requirements in this document.
1. Baseline Requirement
Controlled Personal Information can only be stored in Institutional Business Systems:
- Human Resources Information System (HRIS)
- UCPath (not an LBL system, but approved for PII)
- Financial Management System (FMS) (Limited to a subset of financial account information for certain non-routine scenarios)
- Taleo
- REMS
- CHESS
- OHM (being replaced by CHESS)
- RADAR
- Clinic.lbl.gov (Occupational Health Record)
If you find Controlled Personal Information outside of these systems, immediately contact Cyber Security Operations at [email protected].
2. End-User Requirements
Do you use or access Controlled Information in the course of your work? If so, you must follow the requirements below to protect this information. If you need help or are confused about any requirements, contact [email protected].
2.1 How should I send or receive Controlled Information?
Permitted Methods
You may send Controlled Information (for approved business needs) by paper mail, fax, or phone. If none of these methods is sufficient, contact [email protected] for approval of another method.
| Permitted Method | Quick Tips |
|---|---|
| Paper Mail | Onsite - single instances: Use Berkeley Lab mail services. |
| Fax | We permit fax machines because they typically use phone lines - not the Internet. |
| Phone | You may give information verbally over the phone. |
Prohibited Methods
If it is not on the list of permitted methods, it is prohibited. However, we’ve had specific questions about the following methods and why we prohibit them.
| Prohibited Method | Why we prohibit it |
|---|---|
| Email | Email is sent in the “clear”. Anyone who can see the network traffic can potentially see the contents of the email. |
| External media (USB stick, SD card, external drive, DVD, etc.) | It's too easy to lose a USB stick or SD card. Most stories about loss of Controlled Information involve external media. Help us stay out of the news. |
| Password-controlled files | Password protecting a Word document or zip file doesn’t protect it at all. Free tools allow an attacker to trivially break your password. |
| Anything else electronic | If you know of other electronic methods, we prohibit them too. Drop us an email at [email protected], and we’ll add them to this list. |
Receiving Controlled Information via Prohibited Methods
If you receive an instance of Protected Personal Information via a prohibited method:
- Ask the sender to only share Controlled Information using an approved method (if you’re responding to an email, delete the Controlled Information in your reply message).
- Record the information, if needed, in the approved system.
- Delete the information.
If you receive a collection (versus one or two pieces) of Controlled Information:
- Contact [email protected] so we can work with you to identify any new work processes or approaches that can limit this in the future.
- Delete the information as soon as possible (we're happy to help if necessary; contact [email protected]).
2.2 How should I store Controlled Information?
Permitted Method: Paper
If you need to store paper collections (for approved business needs), use physical protections such as locked cabinets and/or offices. If possible, store only one copy.
Prohibited Method: Electronic
You should never store electronic Controlled Information. For example, you may not store Controlled Information on your laptop, desktop, smartphone, thumb-drive, etc. Controlled Information is only allowed in Institutional Business Systems (e.g. HRIS and FMS).
If you come across Controlled Information outside of Institutional Business Systems, you must report it immediately to [email protected].
2.3 How do I remove Controlled Information?
Electronic
If you accidentally accumulate collections or instances of Controlled Information on your computer, you must delete it as soon as possible.
- Use Spirion to find and delete Controlled Information. Instructions for Spirion on Windows.
- Contact us at [email protected] if you need additional help.
Paper
Shred paper collections when they are no longer needed (use cross-cut shredders or a secure shredding service); when appropriate, archive collections per procedures from the Archives and Records Office.
2.4 I received a request to share Controlled Information. What should I do?
You may not share Controlled Information outside of existing operational needs. If you receive a request to share Controlled Information, contact [email protected] and your line management.
2.5 How do I report concerns or problems with Controlled Information?
If you found a collection of Controlled Information or you’re worried that these requirements are not being met, contact [email protected]. We’ll work with you to troubleshoot the problem.
3. Functional (Business) Owner Requirements
If you are responsible for a business process that uses Controlled Information, you must follow the requirements below to protect this information. If you need help or are confused about any requirements, contact [email protected].
3.1 Business Case Approval
You must have an approved business need for the use of Controlled Information. The business need must demonstrate that Controlled Information is necessary versus some other identifier such as employee ID. Required approvals:
Research Purposes
The Human Subjects Committee must approve the use or collection of Controlled Information and related protocols. The Human Subjects Committee must ensure that the use or collection of Controlled Information is necessary for the purposes of research and that the researcher has adequately considered other methods.
De-identification. Researchers must de-identify Controlled Information unless approved by the Human Subjects Committee. If information is not de-identified, the researcher must follow the requirements under Required Protections for Approved Business Cases.
Operational Purposes
The appropriate Operations Division Director and the IT Division’s Privacy Coordinator must approve the collection of Controlled Information for an identified business need.
3.2 Required Protections for Approved Business Cases
- Business Process and Security Design. You must involve Computer Security Operations and the IT Division Privacy Coordinator early and throughout the design of your business process. This will help limit the amount of Controlled Information to the minimum amount possible. Contact [email protected].
- Data Collection. Design data collection to obtain only the minimum amount of Controlled Information needed to meet the approved need. For example, do not collect both social security numbers and driver's license numbers unless you need both; also limit the number of individuals about whom information is collected, e.g. only current employees versus both current and former employees.
- Storage
- Electronic Collections.
- Approved Systems. Only Institutional Business Systems (e.g. HRIS and FMS) may store Controlled Information. If a business need exists to store this information outside of approved systems, you must develop an information security plan that is approved by your line management and Cyber Security Operations.
- Prohibited Systems. You may not store Controlled Information outside of approved systems, including file shares or laptops and other portable devices.
- Transient storage. If required by the business process, you may authorize employees to process transient instances (not collections) of Controlled Information (e.g. to confirm an upload to an Institutional System) on workstations (not portable devices). However, you must ensure that processes exist to delete the information as soon as possible and to prevent multiple instances of the information from being generated.
- Paper Collections. Use physical protections such as locked cabinets and offices to store paper collections. If possible, store only one copy.
- User Access, Roles, and Privileges.
- Access procedures and roles. Access to Controlled Information may only be granted based on a business need and should be limited to the minimum level necessary. Functional owners must establish a process to identify what roles are necessary for accessing the Controlled Information, how access is granted, when it is revoked, and any differences in access based on roles.
- Review of Access. Functional owners must regularly review who has access to Controlled Information. Two separate people should review access so that no one person can overlook their own access rights. The review of roles and access should:
- Ensure access is limited to individuals with a business need,
- Ensure access rights are appropriate for the job and no broader than necessary,
- Validate high levels of privilege, including administrative or system access, and
- Ensure adequate separation of duties for each individual.
- Sharing or Disclosing Controlled Information
- Approval. You must obtain approval for sharing Controlled Information that exceeds existing operational needs and for disclosure outside of the UC system. Laboratory Counsel must approve data sharing requests, which includes sharing Controlled Information with the DOE.
- Existing approvals include the NRDC Dosimeter metric system (SSN plus dose), FACTS, and I-9 verification e-verify.
- Criteria for Sharing or Disclosing Controlled Information. Requests for sharing UC-owned Controlled Information must have as their basis a legal requirement, contract clause, or business agreement.
- Disposal. When the business case no longer requires Controlled Information, it must be disposed of using Berkeley Lab procedures. Securely shred paper collections. For electronic collections, work with your IT Division liaisons to ensure that they are properly removed from existing data systems.
- Third Party Providers. If Berkeley Lab contracts with another party to process, manage, or store Controlled Information, Cyber Security Operations and the Privacy Coordinator must review and approve the information security protections. Business owners are responsible for obtaining the approvals and involving relevant parties early in the provider evaluation and selection process.
This document helps implement a Laboratory policy in the Requirements and Policies Manual.
Send feedback to [email protected].