Berkeley Lab

PII & Information Security Training (SEC 0220)


Information to Protect

The Laboratory Processes personal information in several contexts. "Process" in this context means any operation, including collecting, retaining, logging, generating, transforming, using, disclosing, transferring, and disposing of personal information. In most cases, personal information Processed by Berkeley Lab is owned by the University of California and must be protected according to UC Policy and California State law. This includes, for example, records related to employment. In a minority of cases, personal information is contained in DOE-owned records and must be protected consistent with DOE policy and Federal Law. 

  1. Personally Identifiable Information (PII)
  2. Prudent to Protect Information

In addition, some kinds of information are never permitted at Berkeley Lab.

    Personally Identifiable Information

    The Laboratory takes the privacy and security of personally identifiable information seriously and implements a risk-based approach to protecting it consistent with California Law and the Prime Contract. When handling certain kinds of personal information, additional precautions must be taken to ensure only those authorized employees who have a legitimate and documented need-to-know have access to that information. PII is never permitted on laptops, smartphones, tablets, desktop computers, or any portable device and must never be transmitted in email or stored on file shares.

    Any suspected or actual unauthorized access (including downloading, uploading, transferring, copying, or other like activities) to these kinds of information must be immediately reported as a potential breach. Personal information becomes PII when an individual's first name (or first initial) and last name appear in combination with any of the data elements detailed below.

    • Government-Issued identifiers, including:
      • Social Security Numbers,
      • Driver's license numbers and state ID numbers issued by any state,
      • Tax ID numbers,
      • Military ID numbers,
      • Passport Numbers, and
      • Any other unique number issued on a government document commonly used to verify the identity of a specific individual (e.g., Green Card numbers).

    • Personal Financial Account Number (e.g. credit card and direct deposit information) in combination with any required security code, access code, or password that would permit access to an individual's financial account.
    • Health Information including:
      • an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
      • health insurance information, including an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.
    • Information or data collected through the use or operation of an automated license plate recognition system.
    • Unique biometric data generated from measurements or technical analysis of human body characteristics, such as fingerprint, retina, or iris image, used to authenticate a specific individual.

    *The summary above should be sufficient for most Berkeley Lab community members; however, if you’d like to know more about the specifics of these definitions, there will be a link at the end of this training.

    Prudent to Protect

    The following categories of information are not PII as defined above, but they still require special handling. They may not be covered by State or Federal law, but they should be appropriately protected, and a subset of the protections applied to PII is usually sufficient. Consult your management or the "owner" of the information to confirm which protections apply.

    Examples of Prudent to Protect

    • Citizenship information
    • Place and/or date of birth
    • Information released to Berkeley Lab under an approved Non-Disclosure Agreement (NDA) or Cooperative Research and Development Agreement (CRADA)
    • Non-public information related to University procurement
    • Some categories of pre-publication research results

    Public Personal Information

    Information that identifies a person is not necessarily PII as defined above.

    For example, individual employee ID numbers, Berkeley Lab telephone numbers, salary information, job titles, job history, and many other kinds of information are not protected.

    Summary

    While most personal information managed at the Laboratory is owned by the University, there are a few areas where the Laboratory manages or accesses this information on behalf of the Department of Energy.

    These areas can become very complicated where DOE and UC records overlap; employees should use extra caution when working with identifiable information in these contractually mandated areas:

    • Dates of Birth stored in DOE-owned records

    • Personnel Medical Records of non-staff 

    • Personnel Radiation Exposure Records

    • Personnel Security Clearance Files

    • Occupational and Industrial Accident Records

    • Employee and Visitor Access Control Records

    • Access Control Records of International Visits, Assignments, and Employment

    If you do not work with any of these records, please skip to the next tab.  Otherwise, read on.

    The Basics:

    DOE requirements state that the Laboratory must specifically train people who work with Privacy Act data on the requirements of the Privacy Act. The information below supplements overall privacy training with these requirements:

    Records in these categories may be subject to additional protections and rules. The protections required for PII are sufficient to protect these records, and following “need to know” and data minimization as used for Prudent to Protect information also meets Privacy Act requirements, subject to the additional requirements below. Employees should be especially careful about disclosing any of these records outside of their approved routine uses.

    The Privacy Act works towards five basic policy objectives:

    1. It restricts Agencies (and their contractors, in our case) from disclosing the identifiable information they collect.

    2. It grants individuals the right to access records kept by the government.

    3. It grants individuals the right to correct incorrect or incomplete information held by the government.

    4. It requires Agencies to disclose their information gathering practices and adhere to specific statutory requirements to manage information.

    5. It requires that any collection of federal PII made on behalf of and at the direction of the government, and retrieved by name or personal identifier, have an associated Privacy Act System of Records Notice (SORN) published before the collection begins.

    Requirements:

    In non-Laboratory systems:

    Many of the records in these categories are managed in DOE systems such as FACTS (for foreign visits information) and REMS (for radiation exposure information).  For these kinds of systems:

    • Observe requirements identified in the contractor requirements document under DOE Order 206.1

    • Follow the system’s own guidelines for compliance with the Privacy Act.  Contact the system owner if you have questions.

    • Do not remove records from these systems except for those records created by the Laboratory and then only to accomplish approved and required functions.

    • Do not upload personal information of Laboratory staff to these systems without approval from Laboratory Counsel.


    In Laboratory Systems:

    • Only manage these records in approved systems.

    • Do not disclose information in these areas to those without a need to know.

    • Treat information as Prudent to Protect or PII depending on whether it contains PII as described in this training.


    In All Cases:

    • Follow all LBL policies about managing Privacy Information

    • Never store or manage Privacy Act covered information on a personally owned device or a personal account.

    • Only use approved systems for managing and storing this information.

    • Never share passwords or other credentials that would give access to Privacy Act covered information.

    • Keep paper records in locked drawers or secure offices - minimize paper record keeping wherever possible.

    • Minimize electronic collections of Privacy Act information and ensure that sharing rules are clear and provide for transparent access and enforce “need to know.”

    • Only Laboratory Counsel may approve disclosure of Records outside of LBL’s internal uses.   If you receive a request from DOE or a member of the public about identifiable records in any of these categories, immediately inform Laboratory Counsel and do not fulfill the request until you have received direction.

    • When in doubt, consult with the Laboratory Privacy Officer to confirm whether any given data collection is subject to Privacy Act requirements.


    Reporting:

    Any breach, unintentional disclosure, or non-approved disclosure of Privacy Act covered information must be immediately reported to [email protected]. Security will coordinate required reporting with the responsible parties.

    Penalties:

    Knowing and willful disclosure of records in violation of the Privacy Act is a criminal misdemeanor subject to fines up to $5000.   The Privacy Act also imposes civil penalties on violators who unlawfully refuse to amend records, grant first-party access to records, fail to maintain accurate records, fail to comply with notice requirements (including the commencement of collection of federal PII retrieved by name or personal identifier without a SORN published in the federal register), or otherwise fail to comply with the Act’s provisions.

    Questions:

    Direct questions about Privacy Act Records to [email protected]

    Prohibited

    Unclassified Controlled Nuclear Information (UCNI), Classified Information, Formerly Restricted Data (FRD), and almost all other kinds of protected or sensitive DOE information are not permitted at Berkeley Lab.

    In most cases export-controlled information is also prohibited on systems at Berkeley Lab; however, there are some limited exceptions with appropriate risk mitigation which may be approved by the Export Control Officer in consultation with Cyber Security Operations. More information is available at the end of this training.

    Reasoning

    Why does Berkeley Lab need to avoid non-fundamental research information?

    As contrasted with some of the DOE Labs which do classified and unclassified work (e.g., PNNL and ORNL), Berkeley Lab has lighter information protection and foreign national processing requirements because it stays clear of potentially sensitive information.

    Exceptions to this rule, even small ones, make this distinction less clear, and thus can have significant impacts on the open character of our institution.

    Additional

    Skip Prompt: Do you work with student information?

    • Yes. Continue reading
    • No. Skip to the next section below.

    Working with Student Information

    If you Process campus information, you should be aware of additional regulations which cover student information in the context of the educational setting.

    In particular, the Family Educational Rights and Privacy Act (FERPA) places restrictions on the release of student information, including identifiers and grades. FERPA doesn't apply to Berkeley Lab directly, but it does apply to information you may work with or encounter if you are working with a campus.

    For more information about FERPA, consult UC Berkeley policies, or those of your home institution. There is more information after this training on when FERPA applies.


    Skip Prompt: Do you utilize personally identifiable medical information including insurance information?

    • Yes. Continue reading
    • No. Click on the "Next Topic" button to continue.

    Researchers and others who utilize personally identifiable medical information including insurance information.

    Prior to 2008, personally identifiable medical information was only protected at this level if it was utilized or acquired in the context of treatment and thus covered by HIPAA. However, changes to California State Law mean that all personally identifiable medical information is now covered by California disclosure law.

    In addition, information covered by HIPAA, which includes certain categories of health information acquired in a treatment setting or in the context of an insurance relationship, is also protected – though it would normally be a subset of “medical information.”

    If you conduct medical research in collaboration with another University, note that you are covered by the rules of the institution which approved the research. However, no matter what protections are associated with the information, Personally Identifiable Medical Information, even that associated with research, must never be stored on Berkeley Lab systems without approval from both the LBNL Human Subjects Committee and Cyber Security Operations.

    Activity

    1. Can Personally Identifiable Information (PII) be sent in email?

    a. Yes, all PII can be transmitted through email
    b. Yes, PII can only be sent through email if encryption is used
    c. No, it is prohibited to share any form of PII through email


    2. What must you do if you receive PII via email?

    a. Delete the email from your inbox
    b. Empty your trash to ensure the email is completely removed
    c. Notify the sender not to send PII in email
    d. Contact [email protected]
    e. All of the above


    3. Which of these services are approved by IT to transfer PII?

    a. Google Drive
    b. Adobe Cloud
    c. HelloSign
    d. None of the above