RPM | REQUIREMENTS AND POLICIES MANUAL

    Title:

    Privacy Policy

    Publication date:

    10/27/2021

    Effective date:

    10/27/2021

    BRIEF

    Policy Summary

    This policy describes Lawrence Berkeley National Laboratory's (Berkeley Lab's) approach to managing privacy risks.

    Who Should Read This Policy

    • Employees and affiliates
    • Other users of Berkeley Lab IT, including collaborators and visitors

    To Read the Full Policy, Go To:

    The POLICY tab on this wiki page

    Contact Information

    Laboratory Privacy Officer
    Information Technology Division
    [email protected]

    POLICY

    A. Purpose

    Lawrence Berkeley National Laboratory (Berkeley Lab) has an interest in ensuring the privacy of its workforce members, research subjects, and visitors is respected consistent with University of California and Department of Energy (DOE) policy, the California Constitution, and state and federal privacy laws and regulations. This policy articulates Berkeley Lab's policy position on privacy and how workforce members must handle personal information gathered and used in furtherance of the Laboratory's mission. It also serves to ensure that Berkeley Lab complies with applicable data protection laws, regulations, and contractual obligations, and adequately protects the information of staff, customers, and research and business partners.

    B. Persons Affected

    This policy applies to employees, affiliates, and casual users of Berkeley Lab IT and resources, including collaborators and visitors as to processing of personal information.

    C. Exceptions

    Not applicable.

    D. Policy Statement

    1. Risk-Based Approach. All personal information is not created equal and therefore should not all be protected the same way. This policy requires the Privacy Officer to develop processes and controls for identifying, assessing, and managing privacy risks proactively. The Privacy Officer shall work cross-functionally with Laboratory Management to coordinate implementation of these controls consistently and commensurably with the risks certain business processes pose to individual autonomy or information privacy. To the greatest extent possible, controls shall be built into business processes by design.
    2. Individual Autonomy and Expectations of Privacy by Berkeley Lab Workforce. The Privacy Officer shall coordinate the implementation of controls addressing end users' expectations of privacy, monitoring, and/or surveillance of Berkeley Lab staff activities and use of Laboratory IT, and limitations on access to Laboratory IT without express consent by the end user consistent with the following:
      1. Expectations of Privacy. Users have no expectation of privacy when using Laboratory IT, subject to limitations set by law and regulations, University Policy, and Department of Energy Orders as implemented into the Prime Contract.
      2. Acceptable Use. Subject to limitations set by Berkeley Lab policy, end users are permitted to make incidental personal use of Laboratory IT. However, incidental personal use of Laboratory IT is not subject to greater privacy protection than that of routine business use of Laboratory IT.
      3. Monitoring, Surveillance, and Access to Information About or Held by Berkeley Lab staff. The unauthorized monitoring and surveillance of Berkeley Lab staff is strictly prohibited. Authorization will be granted by Laboratory Management in consultation with Laboratory Counsel only where necessary to carry out a legitimate Laboratory function, be subject to appropriate oversight, be appropriately limited in time, place, manner, and scope, and be documented in writing.
    3. Information Privacy. The Privacy Officer shall coordinate the implementation of controls addressing the appropriate processing of personal information in connection with furthering the Laboratory's mission consistent with the following:
      1. Governance. Berkeley Lab's Privacy Program is supported by the following:
        1. Laboratory Privacy Officer. The Deputy Director of Operations shall appoint a Laboratory Privacy Officer to work cross-functionally with Laboratory Management on carrying out the intent of this policy. The Privacy Officer shall be a subject-matter expert capable of exercising independent and sound judgment, represent the Laboratory in internal and external fora, champion cross-functional projects, and conduct duties as assigned to ensure the Laboratory remains in compliance with applicable laws, regulations, policies, and contractual requirements.
        2. Privacy Committee. The Laboratory Privacy Officer may chair a Privacy Committee charged with coordinating activities related to advancing Berkeley Lab's Privacy Program objectives consistent with this policy. The Laboratory Privacy Officer may also lead specialized and cross-functional working groups composed of subject-matter experts in specific areas. Additional standards, implementation specifications, and guidance issued by these groups shall serve as extensions of this policy.
        3. Program Documentation, Review, and Authorization. The Laboratory Privacy Officer shall document the Privacy Program consistent with applicable requirements and periodically revise the documentation to ensure it remains current and in compliance with Berkeley Lab's legal, regulatory, contractual, and policy obligations.
      2. Minimization. Berkeley Lab Workforce must limit the collection, use, disclosure, or storage of personal information to that which is relevant and necessary to accomplish the Laboratory's mission and as required or authorized by the California Constitution or statute, or mandated by the federal government.
      3. Proper Basis for Processing of Personal Information. Berkeley Lab Management must process personal information only where the processing is supported by a proper basis. Proper basis includes:
        1. Consent. Where practicable or legally required, Berkeley Lab Workforce may process personal information pursuant to the appropriate consent given by the relevant data subject. Appropriate consent is that which is reasonable under the specific circumstances of the information processing and, where applicable, complies with applicable laws and regulations. Examples of appropriate consent include implied and express (in writing or electronically signed).
        2. Contract Performance. Berkeley Lab Workforce may process personal information to the extent necessary to perform a contract to which the individual is a party.
        3. Where Legally Permitted or Required. Berkeley Lab Management and workforce members may process personal information to the extent necessary to comply with legal or regulatory obligations, as required under the DOE Prime Contract, or as permitted under California or federal law. This includes processing personal information in the course of internal investigations, in connection with lawsuits or as directed by a tribunal with appropriate jurisdiction, for the proper functioning of the Laboratory, to protect the safety and well-being of individuals or the Laboratory community, and as otherwise permitted or required by law, University Policy, or Department of Energy directive.
        4. Specific Prohibitions on Processing of Personal Information. The following uses of personal information are prohibited without approval by the Privacy Officer.
          1. Use of Protected Personal Information as a personal identifier;
          2. Transmission or storage of Protected Personal Information (including DOE-owned personally identifiable information (PII)) via email, cloud storage, or other unsecure means;
          3. Sale or transfer of ownership rights of records containing personal information for any consideration.
      4. Notice. Berkeley Lab Management and workforce members must give appropriate notice to individuals regarding personal information about them which Berkeley Lab collects, permitted uses and disclosures of personal information, and guidance on how individuals may contact Berkeley Lab to make specific requests related to that information. The notice must be approved by the Privacy Officer and comply with requirements arising under applicable laws, regulations, or contract. The processing of personal information contrary to or in excess of what is disclosed via the notice is prohibited.
      5. Training and Awareness. The Privacy Officer shall maintain an education, training, and awareness program designed to inform employees of the requirements identified under this policy, build knowledge and skills to enable staff to protect personal information, and change behaviors towards focusing attention on the protection of personal information. To the greatest extent possible, this program should be tailored for roles based on the degree to which the individual is expected to process personal information in connection with Berkeley Lab business processes. Laboratory Management remains responsible for ensuring that all members of the laboratory workforce receive appropriate training to the extent necessary and appropriate for them to carry out their required job functions.
      6. Third-Party Risk Management. Where a third party is to process personal information on behalf of the Laboratory, Laboratory Management shall ensure that the third party will agree in writing to comply with the requirements under this policy. This may be accomplished through implementation of standard contractual clauses approved by the Privacy Officer and/or the Office of the Laboratory Counsel.
      7. Information Security. The Privacy Officer shall coordinate with the Chief Information Security Officer to ensure that physical, technical, and administrative controls adequately ensure that personal information remains appropriately protected throughout its lifecycle.
      8. Privacy Incident Management. The Privacy Officer shall maintain procedures to ensure the adequate management of privacy incidents resulting in unauthorized disclosure of, or access to, personal information according to contractual, legal, and regulatory obligations.
      9. Compliance. The Privacy Officer shall coordinate and collaborate with Berkeley Lab Management and workforce members to ensure compliance with applicable laws and regulations, University of California policies, and Department of Energy directives related to Privacy with Laboratory Management.
      10. Review and Assessment. The Privacy Officer shall coordinate assessments of the effectiveness of controls implemented pursuant to this policy. This assessment may be conducted by internal or external parties and will serve to guide the organization on the effectiveness of the overall program.

    E. Roles and Responsibilities

    All members of the Laboratory community have responsibilities and remain accountable for complying with this policy. This section outlines specific responsibilities that attach to members of the Laboratory community based on their role and/or job duties.

    Role

    Responsibilities

    Berkeley Lab Workforce: all employees, affiliates, trainees, volunteers, and other entities or persons who perform work for the Laboratory or use Laboratory IT or resources. This includes other roles identified under this policy.

    • Comply with this policy and implementation procedures (including the Privacy Program Manual, where applicable);
    • Process personal information only to fulfill authorized job duties or activities for the Laboratory;
    • Consult with the Laboratory Privacy Officer to address novel or ambiguous privacy issues;
    • Avoid actions or inactions that could result in unauthorized disclosure or access to any form of personal information;
    • Report any suspected or confirmed privacy incidents, policy violations, or other concerns through appropriate channels (i.e., [email protected]);
    • Timely complete all required training modules.

    Laboratory Privacy Officer: individual appointed to oversee the Privacy Program

    • Interpret and implement policies and procedures to supplement this policy;
    • Provide advice with a view of encouraging compliance with applicable laws and regulations, improving privacy practices, and resolving problems;
    • Chair the Privacy Steering Committee.

    Laboratory Management: division directors or delegates authorized pursuant to Laboratory Policy to accept risks associated with processing personal information on behalf of the Laboratory.

    • Ensure all Berkeley Lab Workforce operating under their oversight and authority comply with this policy and address violations consistent with the RPM;
    • Own risks associated with processing personal information.


    F. Definitions/Acronyms

    Term

    Definition

    De-identified personal information

    Information related to individuals but from which all personally identifiable information (PII) has been removed and which cannot trivially be attributed to specific individuals through inference or aggregation of other publicly available information

    Federally-Owned Personally Identifiable Information (PII)

    Federally-owned information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified.

    Monitoring and Surveillance


    Terms generally used to describe a variety of activities intended to track, survey, observe, record, or otherwise monitor activities of specific individuals. Monitoring and surveillance can occur for a variety of reasons and to different extents, such as to protect confidential information from unauthorized disclosure or in connection with an internal investigation.

    Personal Information

    Any information that is maintained by the Laboratory in furtherance of Laboratory business that identifies or describes an individual, including, but not limited to, his or her name, Social Security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history. This includes:

    • Federally-owned personally identifiable information (PII);
    • UC-owned Personal Information and Protected Personal Information;
    • Publicly available personal information.
      This term does not include de-identified information.

    Processing

    Any activity performed by Berkeley Lab as to personal information throughout its life cycle, including creating, copying, transmitting, destroying, and providing access

    Protected Personal Information

    A highly sensitive subset of personal information that is subject to legal, regulatory, or contractual requirements, or which, if accessed or acquired without authorization, could cause harm to data subjects. This designation applies to UC-owned records containing any of the below:

    • Data breach-notice triggering elements identified under California law, consisting of a combination of first name or first initial and last name and any of the below:
      • Social Security numbers, driver's license numbers, passport numbers, green card numbers, and any other government-issued identifiers commonly used to identify an individual;
      • Employee health information, including records originating from a healthcare provider containing descriptions of conditions, diagnosis, prescriptions, referrals, visits, and other health information, insurance and/or claims-related information;
      • Biometric information;
      • License plate recognition system information; and/or
      • Financial account information (such as debit and credit account information), including PINs or other authentication information.
    • Usernames and passwords that would permit someone to access an online account.
    • Certain sensitive personal data of EU residents contained in records subject to the General Data Protection Regulation;
    • Certain datasets determined to be protected pursuant to a documented risk assessment by the Privacy Officer.

    Prudent to Protect Personal Information

    UC-owned information that can be used to identify or describe an individual, but which is not identified as Protected Personal Information or Public Personal Information or which has not been de-identified

    Public Personal Information

    Information processed by Berkeley Lab staff in support of official Laboratory business which relates to or describes an identifiable individual, but that is lawfully publicly available or about which individuals do not have objectively reasonable expectations of privacy

    G. Recordkeeping Requirements

    None

    H. Implementing Documents

    Document Number | Title | Type
    N/A | Privacy Program Manual | Manual
    N/A | Berkeley Lab Privacy Website | Website

    I. Contact Information

    Laboratory Privacy Officer
    Information Technology Division
    [email protected]

    J. Revision History


    Date | Revision | By Whom | Revision Description | Section(s) Affected |
    1/2/2012 | 1 | J. Bonaguro | Rewrite for wiki | All | Minor
    2/4/2014 | 2 | J. Bonaguro | Edit | All | Major
    3/6/2017 | 2.1 | M. Stoufer | "Chief Operating Officer" position title updated to "Deputy Director for Operations" | All | Editorial
    3/30/2017 | 2.2 | S. Lau | Minor editorial edits | All | Minor
    12/17/2020 | | D. Soustin | Updated Contract 31 I clause numbers as per mod 1105 | Source Requirement Documents | Editorial
    6/15/2021 | 2.2 | A. Sultan | Periodic review. Minor formatting. No changes. | All | Editorial
    11/1/2021 | 3 | R. Elias | Major rewrite: changes reflect best practices in privacy program management that have become prevalent since the previous policy's initial drafting, reflecting current program management practices, such as those around implementing standard contractual clauses into procurement agreements. The policy also implements privacy by design by being cross-functional, impacting virtually every function and requiring privacy risks to be managed throughout the data lifecycle. Title changed from Privacy, Monitoring and Access without Consent to Privacy. | All | Major


