Parent Policy: Controlled and Prohibited Information Categories
Document#: 10.08.001.001

If you're involved in the collection, use, and management of Protected Information (i.e. PII), you must follow these requirements.

What is Protected Information?

Protected Information includes Personally Identifiable Information (PII). Berkeley Lab defines the following information, alone or in combination, as Protected Information:

  • Social security numbers
  • Financial account information
  • Driver's license numbers
  • California state ID number
  • Health information with personal identifiers, for example:
    • Name plus insurance number
    • Employee ID plus treatment information
    • Any unique ID plus any medical information
Why are we so careful about Protected Information?

A loss of Protected Information not only affects people’s privacy, but could hurt Berkeley Lab's reputation and affect our open computing environment.

This also means that our employees are our first line of defense. Always ask yourself - do we really need to use Protected Information? Could something else, like employee ID, work just as well? If you do need to use Protected Information, read the sections below to learn how to protect it.

1. Baseline Requirement

Protected Information can only be stored in Institutional Business Systems:

  • Human Resources Information System (HRIS)
  • Financial Management System (FMS)
  • Taleo
  • REMS
  • CHESS
  • OHM (being replaced by CHESS)
  • RADAR

If you find Protected Information outside of these systems, immediately contact Cyber Security Operations at security@lbl.gov.

2. End User Requirements

Do you use or access Protected Information in the course of your work? If so, you must follow the requirements below to protect this information. If you need help or are confused about any requirements, contact security@lbl.gov.

2.1 How should I send or receive Protected Information?

Permitted Methods

You may send Protected Information (for approved business needs) by paper mail, fax, or phone. If none of these methods is sufficient, contact security@lbl.gov for approval of another method.

Permitted method: Paper Mail
Quick tips:
  • Onsite - single instances: Use the Berkeley Lab mail services.
  • Onsite - collections: Hand deliver.
  • Offsite: Use a service with delivery confirmation.
  • Instance versus collection: Instances of Protected Information are single items, for example, one or two social security numbers. Collections contain the PII of multiple people. If it involves a spreadsheet, it's probably a collection.

Permitted method: Fax
Quick tips:
  • We permit fax machines because they typically use phone lines, not the Internet.
  • Electronic fax software does have some risks. Please contact security@lbl.gov if you have questions about desktop electronic fax software.

Permitted method: Phone
Quick tips:
  • You may give information verbally over the phone.

Prohibited Methods

If it is not on the list of permitted methods, it is prohibited. However, we’ve had specific questions about the following methods and why we prohibit them.

Prohibited method: Email
Why we prohibit it: Email is sent in the "clear". Anyone who can see the network traffic can potentially see the contents of the email.

Prohibited method: External media (USB stick, SD card, external drive, DVD, etc.)
Why we prohibit it: It's too easy to lose a USB stick or SD card. Most stories about loss of Protected Information involve external media. Help us stay out of the news.

Prohibited method: Password protected files
Why we prohibit it: Password protecting a Word document or zip file doesn't protect it at all. Free tools allow an attacker to trivially break your password.

Prohibited method: Anything else electronic
Why we prohibit it: Any other electronic method is prohibited. If you know of one, drop us an email at security@lbl.gov and we'll add it to this list.

Receiving Protected Information via Prohibited Methods

If you receive an instance of PII via a prohibited method:

  1. Ask the sender to only share Protected Information using an approved method (if you’re responding to an email, delete the Protected Information in your reply message).
  2. Record the information, if needed, in the approved system.
  3. Delete the information.

If you receive a collection (versus one or two pieces) of Protected Information:

  1. Contact security@lbl.gov so we can work with you to identify any new work processes or approaches that can limit this in the future.
  2. Delete the information as soon as possible (we're happy to help if necessary; contact security@lbl.gov).

2.2 How should I store Protected Information?

Permitted Method: Paper

If you need to store paper collections (for approved business needs), use physical protections such as locked cabinets and/or offices. If possible, store only one copy.

Prohibited Method: Electronic

You should never store electronic Protected Information. For example, you may not store Protected Information on your laptop, desktop, smartphone, thumb-drive, etc. Protected Information is only allowed in Institutional Business Systems (e.g. HRIS and FMS).

If you come across Protected Information outside of Institutional Business Systems, you must report it immediately to security@lbl.gov.

2.3 How do I remove Protected Information?

Electronic

If you accidentally accumulate collections or instances of Protected Information on your computer, you must delete it as soon as possible.

Paper

Shred paper collections when they are no longer needed (use cross-cut shredders or a secure shredding service); when appropriate, archive collections per procedures from the Archives and Records Office.

2.4 I received a request to share Protected Information. What should I do?

You may not share Protected Information outside of existing operational needs. If you receive a request to share Protected Information, contact security@lbl.gov and your line management.

2.5 How do I report concerns or problems with Protected Information?

If you found a collection of Protected Information or you’re worried that these requirements are not being met, contact security@lbl.gov. We’ll work with you to troubleshoot the problem.

3. Functional (Business) Owner Requirements

If you are responsible for a business process that uses Protected Information, you must follow these requirements to protect this information. If you need help or are confused about any requirements, contact security@lbl.gov.

3.1 Business Case Approval

You must have an approved business need for the use of Protected Information. The business need must demonstrate that Protected Information is necessary versus some other identifier such as employee ID. Required approvals:

Research Purposes

The Human Subjects Committee must approve the use or collection of Protected Information and related protocols. The Human Subjects Committee must ensure that the use or collection of Protected Information is necessary for the purposes of research and that the researcher has adequately considered other methods.

De-identification. Researchers must de-identify Protected Information unless approved by the Human Subjects Committee. If information is not de-identified, the researcher must follow the requirements under Required Protections for Approved Business Cases.

Operational Purposes

The appropriate Operations Division Director and the IT Division’s Privacy Coordinator must approve the collection of Protected Information for an identified business need.

3.2 Required Protections for Approved Business Cases

  1. Business Process and Security Design. You must involve Computer Security Operations and the IT Division Privacy Coordinator early and throughout the design of your business process. This will help limit the amount of Protected Information to the minimum amount possible. Contact security@lbl.gov.
  2. Data Collection. Design data collection to obtain only the minimum amount of Protected Information to meet the approved need. For example, do not collect both social security numbers and driver's license numbers unless you need both; also limit the number of individuals about whom information is collected, e.g. only current employees versus both current and former employees.
  3. Storage
    1. Electronic Collections.
      1. Approved Systems. Only Institutional Business Systems (e.g. HRIS and FMS) may store Protected Information. If a business need exists to store this information outside of approved systems, you must develop an information security plan that is approved by your line management and Cyber Security Operations.
      2. Prohibited Systems. You may not store Protected Information outside of approved systems, including file shares or laptops and other portable devices.
      3. Transient storage. If required by the business process, you may authorize employees to process transient instances (not collections) of Protected Information (e.g. to confirm an upload to an Institutional System) on workstations (not portable devices). However, you must ensure that processes exist to delete the information as soon as possible and to prevent multiple copies of the information from being generated.
    2. Paper Collections. Use physical protections such as locked cabinets and offices to store paper collections. If possible, store only one copy.
  4. User Access, Roles, and Privileges.
    1. Access procedures and roles. Access to Protected Information may only be granted based on a business need and should be limited to the minimum level necessary. Functional owners must establish a process to identify what roles are necessary for accessing the Protected Information, how access is granted, when it is revoked, and any differences in access based on roles.
    2. Review of Access. Functional owners must regularly review who has access to Protected Information. Two separate people should review access so that no one person can overlook their own access rights. The review of roles and access should:
      1. Ensure access is limited to individuals with a business need,
      2. Ensure access rights are appropriate for the job and no broader than necessary,
      3. Validate high levels of privilege, including administrative or system access, and
      4. Ensure adequate separation of duties for each individual.
  5. Sharing or Disclosing Protected Information
    1. Approval. You must obtain approval for sharing Protected Information that exceeds existing operational needs and for disclosure outside of the UC system. Laboratory Counsel must approve data sharing requests, which includes sharing Protected Information with the DOE.
      1. Existing approvals include the NRDC Dosimeter metric system (SSN plus dose), FACTS, and I-9 verification e-verify.
    2. Criteria for Sharing or Disclosing Protected Information. Requests for sharing UC-owned Protected Information must have as their basis a legal requirement, contract clause, or business agreement.
  6. Disposal. When the business case no longer requires Protected Information, it must be disposed of using Berkeley Lab procedures. Securely shred paper collections. For electronic collections, work with your IT Division liaisons to ensure that they are properly removed from existing data systems.
  7. Third Party Providers. If Berkeley Lab contracts with another party to process, manage, or store Protected Information, Cyber Security Operations and the Privacy Coordinator must review and approve the information security protections. Business owners are responsible for obtaining the approvals and involving relevant parties early in the provider evaluation and selection process.

Policy Implementing Document

This document helps implement a Laboratory policy in the Requirements and Policies Manual.

Feedback

Send feedback to ITpolicy@lbl.gov.
