Lawrence Berkeley National Laboratory masthead LBNL Home A-Z Index U.S. Department of Energy logo Phone Book Jobs Search

RPM

REQUIREMENTS AND POLICIES MANUAL

Search the RPM
 
Home

Controlled and Prohibited Information Categories

    Title:

    Controlled and Prohibited Information Categories

    Publication date:

    11/28/2012

    Effective date:

    1/2/2012

    BRIEF

    Policy Summary

    The general expectation is that Berkeley Lab information can be shared without restriction. However, some categories of information may affect the legal or security status of the Laboratory and require additional controls. These categories include:

    • Protected Information, including Personally Identifiable Information (PII) and Personal Health Information (PHI)
    • Official Use Only (OUO), Controlled Unclassified Information (CUI), and Sensitive But Unclassified (SBU) Information
    • Proprietary Information (e.g., information under a Cooperative Research and Development Agreement [CRADA] or a Nondisclosure Agreement [NDA])
    • Export-controlled information
    • Information with foreign national restrictions (e.g., No Foreign National Access [NOFORN])
    • Prudent to Protect information

    This policy prohibits the following information:

    • Classified information
    • Unclassified Controlled Nuclear Information (UCNI)
    • Naval Nuclear Propulsion Information (NNPI)

    Who Should Read This Policy

    Employees and affiliates

    To Read the Full Policy, Go To:

    The POLICY tab on this wiki page

    Contact Information

    Information Technology Policy Manager
    Information Technology Division
    itpolicy@lbl.gov

    Title:

    Controlled and Prohibited Information Categories

    Publication date:

    11/28/2012

    Effective date:

    1/2/2012

    D. Policy Statement
    D.1 Prohibited Information Categories
    D.2 Controlled Information Categories
    D.3 Prudent to Protect Information

    POLICY

    A. Purpose

    This policy describes information controls to help maintain the legal and security status of Lawrence Berkeley National Laboratory (Berkeley Lab), while facilitating its scientific mission.

    B. Persons Affected

    This policy applies to employees and affiliates.

    C. Exceptions

    Not applicable.

    D. Policy Statement

    Employees and affiliates must adhere to policies, approvals, and controls for prohibited and controlled information categories. Policies and controls apply to both electronic and physical collections of information and may differ depending on whether the use is for research or operations.

    D.1 Prohibited Information Categories

    Employees and affiliates may not create, access, or store information that is prohibited at Berkeley Lab. The existence of prohibited information at Berkeley Lab, either physically or electronically, alters the fundamental security posture of the Laboratory. If employees or affiliates encounter prohibited information, they must stop work immediately and contact Blackberry Gate at (510) 486-6999 and they will enact the Classified and Sensitive Information Protocol.
    Berkeley Lab prohibits the following information categories:

    • Classified Information, including but not limited to: Secret (S), Top Secret (TS), National Security Information (NSI), Secret Restricted Data (SRD), Special Access Required (SAR), etc. This includes information that is classified but has entered the public domain.
    • Unclassified Controlled Nuclear Information (UCNI)
    • Naval Nuclear Propulsion Information (NNPI)

    D.2 Controlled Information Categories

    Berkeley Lab is an unclassified, open research environment. The Laboratory's work is such that it can be freely communicated to the scientific and technical community. The Laboratory's computing environment supports research work intended for publication. Additional steps must be taken to secure information not intended for publication when it resides on Laboratory systems.

    1. Protected Information (i.e., Personally Identifiable Information [PII] and Protected Health Information [PHI])
      1. Policy. By law, Berkeley Lab must protect the privacy and security of personal information. The collection or use of Protected Information is prohibited unless approved, and should occur under limited circumstances.
      2. Protected Information Requirements. Individuals involved in the collection, use, and management of collections of Protected Information must comply with the Protected Information Requirements, which address approvals and required protections throughout the lifecycle of the data.
      3. Reporting Unapproved Use and Other Violations. Employees and affiliates must report any unapproved use or disclosure of protected information, or for approved uses, violations of the Protected Information Requirements.
    2. Official Use Only (OUO), Controlled Unclassified Information (CUI), and Sensitive But Unclassified (SBU)
      1. Policy. Berkeley Lab does not use OUO, CUI, or SBU designations. If required and under limited circumstances, employees in Operations may receive documents with these designations (for example, DOE materials that reflect pre-decisional program information or planning information). Employees should encourage collaborators at other institutions not to use this designation for collaborative research projects or operational purposes.
      2. Approvals. Operations employees may receive limited amounts of OUO, CUI, or SBU materials during the course of their work. No additional approvals are required for this limited use. Researchers who receive material marked OUO, CUI, or SBU must seek guidance from the Export Control Officer at (510) 486-7096.
      3. Requirements
        1. Creation. Do not create CUI, OUO, or SBU Information at Berkeley Lab. Use "UC Confidential" when generating University of California records that are not publicly releasable. If under a CRADA, use "Protected CRADA Information."
        2. Management and Storage. Follow the OUO Management and Storage Requirements.
    3. Proprietary Information (e.g., Information under a CRADA or NDA)
      1. Policy. Berkeley Lab permits the use of proprietary information for both research and operations.
      2. Approvals. Technology Transfer and Intellectual Property Management (TTIPM) or the Office of Sponsored Projects and Industry Partnerships (OSPIP) must approve agreements regarding the use of proprietary information and should consult, if necessary, with physical and cyber security. The data-protection level for agreements must not exceed the Laboratory's approved data-protection level for unclassified research: Low for confidentiality, integrity, and availability per Federal Information Processing Standards Publication: Standards for Security Categorization of Federal Information and Information Systems, FIPS PUB 199.
      3. Controls
        1. Creation. Do not create proprietary information at Berkeley Lab unless approved by the Laboratory Director. Work with TTIPM or OSPIP to obtain approval.
        2. Management and Storage. Adhere to any disclosure requirements specified in signed agreements.
        3. Additional. OSPIP must approve proprietary use of Berkeley Lab resources, such as user facilities. The agreement language must limit Berkeley Lab commitments to protecting information or knowledge acquired from proprietary use of Laboratory resources.
      4. Other Applicable Policies
        1. Cooperative Research & Development Agreements (CRADAs)
        2. Material Transfer Agreements
        3. Nondisclosure Agreements
        4. Designated User Facility Agreements Overview
        5. Work for Others (WFO) Overview
    4. Export Controlled
      1. Policy. Berkeley Lab does not create export-controlled information unless approved and only in rare circumstances. In the course of research or operations, access to export-controlled information may be necessary to provide background information. Employees may not access or use export-controlled information unless approved. Employees who take on the obligation of protecting export-controlled information expose themselves to personal civil and criminal liability for export-control violations.
      2. Approvals. The Export Control Officer must approve the creation of export-controlled information. The Export Control Officer or TTIPM (for NDAs and MTAs) must approve the use of export-controlled information and ensure that its use is commensurate with Berkeley Lab requirements, including the development of a Technology Control Plan as necessary.
      3. Controls
        1. Creation. Do not create export-controlled information at Berkeley Lab unless approved by the Export Control Officer who will require a plan to ensure that the creation of export-controlled information complies with applicable laws and regulations.
        2. Management and Storage. Develop a plan to appropriately manage and store export-controlled information to ensure compliance with applicable laws and regulations. Coordinate with the Export Control Officer who will consult with physical or cyber security, as appropriate.
    5. Foreign National Access Restrictions (e.g., NOFORN Marking)
      1. Policy. Berkeley Lab operates under the University of California nondiscrimination policy, which prohibits discrimination based on nationality in the conduct of fundamental research; therefore, the Laboratory prohibits information with foreign national access restrictions unless approved.
      2. Approvals. Senior Laboratory Management and the cyber and physical security groups may receive and store this information when necessary. The Export Control Officer, with input from cyber security and physical security as needed, must approve additional exceptions.
      3. Controls
        1. Creation. Do not create materials with foreign national access restrictions at Berkeley Lab.
        2. Management and Storage. Coordinate with the Export Control Officer who will consult with physical or cyber security, as appropriate.
      4. Additional. Berkeley Lab prohibits employees from attending meetings where foreign nationals are prohibited without prior approval from the Export Control Officer.

    D.3 Prudent to Protect Information

    During the course of research or for operational purposes, employees and affiliates may generate, use, or encounter information that is Prudent to Protect. Prudent to Protect is information that should not be publicly available but does not rise to the level of requiring specific controls. Prudent to Protect information may include materials from ethics investigations, material under attorney-client privilege, animal welfare protocols, passport numbers, etc., as well as Privileged Information.

    Prudent to Protect Information is not public and may not be shared or published. Precautions must be taken to limit public exposure of this information.

    Refer to Use of Privileged Information for additional policies regarding conflict of interest.

    E. Roles and Responsibilities

    Employees and affiliates are responsible for adhering to this policy.

    F. Definitions/Acronyms

    Term

    Definition

    Protected Information

    Protected Information includes Personally Identifiable Information (PII) and Personal Health Information (PHI). Berkeley Lab defines the following data, alone or in combination, as Protected Information:

    • Social Security numbers
    • Personal financial account information
    • Driver's license numbers
    • Health information with personal identifiers, for example:
      • Name plus insurance number
      • Employee ID plus treatment information
      • Any unique ID plus any medical information

    Protected Health Information (PHI)

    Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), information, including demographic data, that relates to:

    • The individual's past, present, or future physical or mental health or condition
    • The provision of health care to the individual or
    • The past, present, or future payment for the provision of health care to the individual
      and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

    Personally Identifiable Information (PII)

    An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social Security number, (2) driver's license number or California identification card number (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, (4) medical information, (5) health insurance information. See California Civil Code Section 1798.29 for additional information.

    G. Recordkeeping Requirements

    None

    H. Implementing Documents

    Document number

    Title

    Type

    10.08.001.001

    Protected Information Requirements

    Standard

    10.08.001.002

    OUO Management and Storage Requirements

    Standard

    I. Contact Information

    Information Technology Policy Manager
    Information Technology Division
    itpolicy@lbl.gov

    J. Revision History

    Date

    Revision

    By whom

    Revision Description

    Section(s) affected

    Change Type

    1/2/2012

    0

    J. Bonaguro

    Rewrite for wiki (brief)

    All

    Minor

    11/28/2012

    1

    J. Bonaguro

    Rewrite for wiki (policy)

    All

    Minor

    DOCUMENT INFORMATION

    Title:

    Controlled and Prohibited Information Categories

    Document number

    10.08.001.000

    Revision number

    1

    Publication date:

    11/28/2012

    Effective date:

    1/2/2012

    Next review date:

    1/2/2015

    Policy Area:

    Information Categories and Controls

    RPM Section (home)

    Information Management

    RPM Section (cross-reference)

    none

    Functional Division

    Information Technology

    Prior reference information (optional)

     

    Source Requirements Documents

    • Clause I.63 - DEAR 952.204-72, Disclosure of Information (APR 1994) Section b.
    • DOE O 471.3, Identifying and Protecting Official Use Only Information
    • DOE M 471.3-1 Manual for Identifying and Protecting Official Use Only Information
    • DOE O 205.1B, Department of Energy Cyber Security Management, CRD
    • DOE P 205.1, Departmental Cyber Security Management Policy
    • UCOP IS-3, Electronic Information Security

    Implementing Documents

    Document number

    Title

    Type

    10.08.001.001

    Protected Information Requirements

    Standard

    10.08.001.002

    OUO Management and Storage Requirements

    Standard

    • No labels

    Adaptavist ThemeBuilder EngineAtlassian Confluence