Berkeley Lab

Computer Security Annual Training (SEC 0201)

Loss of PII or PHI

    Throughout this course, we'll often start by asking you a question and then provide an answer and discussion. Our first topic starts with the question below.

    Question

    A manager in Human Resources is working on a report to submit to DOE on new hires. As part of this work, a colleague emails him a list of Berkeley Lab employees that includes their names and social security numbers.

    What should the manager do?

    1. Keep the data encrypted on his hard drive and send an encrypted version to DOE
    2. Delete the information and report it to security@lbl.gov
    3. Remove the social security numbers before sharing with DOE
    4. Work with the sender to determine a way to share a paper version of the data.

    Need help?

    Use these links:
    Policy and guidance on Protected Information

    Berkeley Lab prohibits sending Personally Identifiable Information (PII) via email. In this scenario, an employee emails a form of PII - social security number plus name.

    Since PII should not be sent via email, the correct response was #2 - Delete the information and report it to security@lbl.gov. PII should never be shared via email unless the use has been approved by Cyber Security Operations and appropriate protections are put in place.

    Why not #1: Keep the data encrypted on his hard drive and send an encrypted version to DOE?
    PII should never be stored outside of the Human Resources Information System (HRIS) and the Financial Management System (FMS), which in this case rules out the manager's hard drive. Cyber Security Operations will help you identify how to share the data with DOE.

    Why not #3 or #4: Remove the social security numbers or find a way to share a paper version?
    Removing the social security numbers or sharing a paper version doesn't change the fact that the data was already emailed and is outside of HRIS or FMS.

    Question

    Researchers in the Life Sciences Division are studying the long-term effects of radiation exposure. They have access to radiation exposure records for individuals working at the Lab in the 1970s. They plan to follow up with these individuals and assess their health.

    How should the researchers address any potential privacy issues?

    1. De-identify this information.
    2. Contact security@lbl.gov to help assess security controls for this information.
    3. Request review from the Human Subjects Committee.
    4. Lock up the original information.

    Need help?

    Use these links:
    Policy and guidance on Protected Information

    This example involves work-related health information since it is health information plus a personal identifier. In this case, the health information is the individual's radiation exposure. By law, we must report breaches of health information, which would probably end up making news (we prefer being on the front page for Nobel prizes!).

    The correct response was both 2 and 3. The researchers should:

    • #2: Contact security@lbl.gov to help assess information security controls for this information. Cyber Security Operations must approve information security controls for the use of health information outside of business systems. Controls will depend on each case.
    • #3: Request review from the Human Subjects Committee. Any research involving human data requires approval from the Human Subjects Committee.

    Why not #1: De-identify this information?
    This is also usually required. However, there may be cases where the research requires identified information. The Human Subjects Committee decides what is appropriate.

    Why not #4: Lock up the original information?
    If it is a paper collection of PII, Cyber Security Operations will probably require that you lock up the information. But this is determined on a case-by-case basis.

    The previous examples illustrated Personally Identifiable Information (PII) that is considered Protected Information and is protected by State and Federal Law.

    To avoid loss or breaches of PII, the following data is prohibited outside of HRIS or FMS (our Institutional Business Systems):

    • Social security numbers
    • Financial account information
    • Driver's license numbers
    • Health information with personal identifiers, for example:
      • Name plus insurance number
      • Employee ID plus treatment information
      • Any unique ID plus any medical information

    If you don't know what HRIS or FMS is, that's a good sign you should not have PII!

    Researchers, work through the Human Subjects Committee in coordination with the cyber security team.

    The following examples are NOT PII:

    • Employee ID alone
    • De-identified health information
    • Phone numbers

    Take Home

    The top threat to Berkeley Lab is the loss of Personally Identifiable Information (PII). Not only could this harm our reputation, it would likely result in controls and restrictions that would damage our open computing environment and, as a result, damage science.

    Do

    • If you see PII anywhere it does not belong, report it to security@lbl.gov. If you prefer, we can keep your report anonymous.
    • If you are involved in any process that may involve PII, contact security@lbl.gov and we'll help you develop the best information security controls for your process.

    Do not

    • Do not store PII on your computer, smartphones, external hard drives, or network-mounted/mapped drives, usually indicated by drive letters such as H:, T:, or V:.
    • Do not email PII.
    • Do not store PII outside of HRIS or FMS, the institutional systems for human resources and financial information.
    • Do not store paper collections of PII unless approved by Cyber Security Operations.