Parent Policy: Controlled and Prohibited Information Categories
If you're involved in the collection, use, and management of Protected Information (i.e. PII), you must follow these requirements.
What is Protected Information?
Protected Information includes Personally Identifiable Information (PII). Berkeley Lab defines the following information, alone or in combination, as Protected Information:
- Social security numbers
- Financial account information
- Driver's license numbers
- California state ID number
- Health information with personal identifiers, for example:
  - Name plus insurance number
  - Employee ID plus treatment information
  - Any unique ID plus any medical information
Why are we so careful about Protected Information?
A loss of Protected Information not only affects people’s privacy, but could hurt Berkeley Lab's reputation and affect our open computing environment.
This also means that our employees are our first line of defense. Always ask yourself: do we really need to use Protected Information? Could something else, like an employee ID, work just as well? If you do need to use Protected Information, read the sections below to learn how to protect it.
1. Baseline Requirement
Protected Information can only be stored in Institutional Business Systems:
- Human Resources Information System (HRIS)
- Financial Management System (FMS)
- OHM (being replaced by CHESS)
If you find Protected Information outside of these systems, immediately contact Cyber Security Operations at firstname.lastname@example.org.
2. End User Requirements
Do you use or access Protected Information in the course of your work? If so, you must follow the requirements below to protect this information. If you need help or are confused about any requirements, contact email@example.com.
2.1 How should I send or receive Protected Information?
You may send Protected Information (for approved business needs) by paper mail, fax, or phone. If none of these methods is sufficient, contact firstname.lastname@example.org for approval of another method.
Onsite - single instances: Use the Berkeley Lab mail services.
Onsite - collections: Hand deliver.
Offsite: Use a service with delivery confirmation.
Instance versus collection: Instances of Protected Information are single items, for example, one or two social security numbers. Collections contain the PII of multiple people. If it involves a spreadsheet, it's probably a collection.
We permit fax machines because they typically use phone lines - not the Internet.
Electronic fax software does have some risks. Please contact email@example.com if you have questions about desktop electronic fax software.
You may give information verbally over the phone.
If a method is not on the list of permitted methods, it is prohibited. However, we've had specific questions about the following methods and why we prohibit them.
Email
Why we prohibit it: Email is sent in the "clear". Anyone who can see the network traffic can potentially see the contents of the email.
External media (USB stick, SD card, external drive, DVD, etc.)
Why we prohibit it: It's too easy to lose a USB stick or SD card. Most stories about loss of Protected Information involve external media. Help us stay out of the news.
Password protected files
Why we prohibit it: Password protecting a Word document or zip file doesn't protect it at all. Free tools allow an attacker to trivially break your password.
Anything else electronic
Why we prohibit it: If you know of other electronic methods, they are prohibited as well. But drop us an email at firstname.lastname@example.org, and we'll add them to this list.
Receiving Protected Information via Prohibited Methods
If you receive an instance of PII via a prohibited method:
- Ask the sender to only share Protected Information using an approved method (if you’re responding to an email, delete the Protected Information in your reply message).
- Record the information, if needed, in the approved system.
- Delete the information.
If you receive a collection (versus one or two pieces) of Protected Information:
- Contact email@example.com so we can work with you to identify any new work processes or approaches that can limit this in the future.
- Delete the information as soon as possible (we're happy to help if necessary; contact firstname.lastname@example.org).
2.2 How should I store Protected Information?
Permitted Method: Paper
If you need to store paper collections (for approved business needs), use physical protections such as locked cabinets and/or offices. If possible, store only one copy.
Prohibited Method: Electronic
You should never store electronic Protected Information. For example, you may not store Protected Information on your laptop, desktop, smartphone, thumb-drive, etc. Protected Information is only allowed in Institutional Business Systems (e.g. HRIS and FMS).
If you come across Protected Information outside of Institutional Business Systems, you must report it immediately to email@example.com.
2.3 How do I remove Protected Information?
If you accidentally accumulate collections or instances of Protected Information on your computer, you must delete them as soon as possible.
Shred paper collections when they are no longer needed (use cross-cut shredders or a secure shredding service); when appropriate, archive collections per procedures from the Archives and Records Office.
2.4 I received a request to share Protected Information. What should I do?
You may not share Protected Information outside of existing operational needs. If you receive a request to share Protected Information, contact firstname.lastname@example.org and your line management.
2.5 How do I report concerns or problems with Protected Information?
If you found a collection of Protected Information or you’re worried that these requirements are not being met, contact email@example.com. We’ll work with you to troubleshoot the problem.
3. Functional (Business) Owner Requirements
If you are responsible for a business process that uses Protected Information, you must meet the following requirements to protect this information. If you need help or are confused about any requirements, contact firstname.lastname@example.org.
3.1 Business Case Approval
You must have an approved business need for the use of Protected Information. The business need must demonstrate that Protected Information is necessary versus some other identifier such as employee ID. Required approvals:
- Research. The Human Subjects Committee must approve the use or collection of Protected Information and related protocols. The Human Subjects Committee must ensure that the use or collection of Protected Information is necessary for the purposes of research and that the researcher has adequately considered other methods.
- De-identification. Researchers must de-identify Protected Information unless approved by the Human Subjects Committee. If information is not de-identified, the researcher must follow the requirements under Required Protections for Approved Business Cases.
- Business. The appropriate Operations Division Director and the IT Division's Privacy Coordinator must approve the collection of Protected Information for an identified business need.
3.2 Required Protections for Approved Business Cases
- Business Process and Security Design. You must involve Computer Security Operations and the IT Division Privacy Coordinator early and throughout the design of your business process. This will help limit the amount of Protected Information to the minimum amount possible. Contact email@example.com.
- Data Collection. Design data collection to obtain only the minimum amount of Protected Information needed to meet the approved need. For example, do not collect both social security numbers and driver's license numbers unless you need both; also limit the number of individuals about whom information is collected, e.g. only current employees versus both current and former employees.
- Electronic Collections.
  - Approved Systems. Only Institutional Business Systems (e.g. HRIS and FMS) may store Protected Information. If a business need exists to store this information outside of approved systems, you must develop an information security plan that is approved by your line management and Cyber Security Operations.
  - Prohibited Systems. You may not store Protected Information outside of approved systems, including on file shares, laptops, and other portable devices.
  - Transient storage. If required by the business process, you may authorize employees to process transient instances (not collections) of Protected Information (e.g. to confirm an upload to an Institutional System) on workstations (not on a portable device). However, you must ensure that processes exist so that the information is deleted as soon as possible and that it does not generate multiple instances of the information.
  - Paper Collections. Use physical protections such as locked cabinets and offices to store paper collections. If possible, store only one copy.
- User Access, Roles, and Privileges.
  - Access procedures and roles. Access to Protected Information may only be granted based on a business need and should be limited to the minimum level necessary. Functional owners must establish a process to identify what roles are necessary for accessing the Protected Information, how access is granted, when it is revoked, and any differences in access based on roles.
  - Review of Access. Functional owners must regularly review who has access to Protected Information. Two separate people should review access so that no one person can overlook their own access rights. The review of roles and access should:
    - Ensure access is limited to individuals with a business need,
    - Ensure access rights are appropriate for the job and no broader than necessary,
    - Validate high levels of privilege, including administrative or system access, and
    - Ensure adequate separation of duties for each individual.
- Sharing or Disclosing Protected Information.
  - Approval. You must obtain approval for sharing Protected Information that exceeds existing operational needs and for disclosure outside of the UC system. Laboratory Counsel must approve data sharing requests, including requests to share Protected Information with the DOE.
  - Existing approvals include the NRDC Dosimeter metric system (SSN plus dose), FACTS, and I-9 verification (E-Verify).
  - Criteria for Sharing or Disclosing Protected Information. Requests for sharing UC-owned Protected Information must have as their basis a legal requirement, contract clause, or business agreement.
- Disposal. When the business case no longer requires Protected Information, it must be disposed of using Berkeley Lab procedures. Securely shred paper collections. For electronic collections, work with your IT Division liaisons to ensure that they are properly removed from existing data systems.
- Third Party Providers. If Berkeley Lab contracts with another party to process, manage, or store Protected Information, Cyber Security Operations and the Privacy Coordinator must review and approve the information security protections. Business owners are responsible for obtaining the approvals and involving relevant parties early in the provider evaluation and selection process.