| Card |
|---|
default |
|---|
| , Monitoring, and Access without Consent362017242014 BRIEFPolicy SummaryTo further the secure and acceptable use of Laboratory Information Technology (IT) and Information at Berkeley Lab, this policy: - Defines no expectation of privacy in use
- Establishes authority to monitor and consent to monitoring
- Establishes policies and procedures for Access without Consent
This policy describes Lawrence Berkeley National Laboratory's (Berkeley Lab's) approach to managing privacy risks. Who Should Read This Policy- Employees and affiliates
- Other users of Laboratory Berkeley Lab IT, including collaborators and visitors
To Read the Full Policy, Go To:The POLICY tab on this wiki page Laboratory Privacy OfficerInformation Technology Policy Manager
Information Technology Division
itpolicy@lblprivacy@lbl.gov |
| Card |
|---|
| | Title:Privacy, Monitoring, and Access without Consent | 362017242014 POLICYA. PurposeTo further the secure and acceptable use of Laboratory IT and Information at Lawrence Berkeley National Laboratory (Berkeley Lab) , this policy: - Defines no expectation of privacy in use
- Establishes authority to monitor and consent to monitoring
- Establishes policies and procedures for Access without Consent
- Seeks to ensure that Access without Consent is consistent with the value of privacy in individual activity and behavior that is consistent with the scientific mission of the Laboratory
B. Persons AffectedThis policy applies to employees and affiliates as well as casual users of Laboratory IT and resources, including collaborators and visitors. C. ExceptionsNot applicable D. Policy Statement- Expectation of Privacy
- No Expectation of Privacy: Users have no expectation of privacy when they use Laboratory IT, subject to applicable state, federal, Department of Energy (DOE), and University laws and regulations.
- Authority to Monitor
- Authority: System administrators have limited authority to monitor systems for availability and security; however, only the Chief Information Officer, Laboratory Director, or Deputy Director for Operations may grant broad authority to monitor content and transactions on Laboratory IT for security purposes and acceptable use.
- Minimal Access: Employees engaged in monitoring must access the minimum amount of information necessary to accomplish any monitoring task and must treat information in a confidential manner as appropriate.
- Notice of Monitoring: This policy serves as Notice of Monitoring. Systems with external users must provide notice to these users. Acceptable ways of providing notice include but are not limited to requiring users to sign an agreement or linking to the LBNL Privacy and Security Notice.
- Exceptions: The monitoring or recording of telephone conversations is illegal without the consent of all parties.
- Consent to Monitoring
- Consent: Use of Laboratory IT constitutes consent to monitoring. Any or all uses of Laboratory IT may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized University, DOE, and law-enforcement personnel. Some Berkeley Lab services are provided by third-party providers or monitored by external parties. Where applicable, employees and affiliates acknowledge monitoring by Berkeley Lab, the third-party provider, or external party. Authorized investigative agencies may access any DOE computer used during the period of access to information on a DOE computer, and for a period of three years thereafter.
- Written Consent: Use of Laboratory IT serves as written consent to the requirements and policies of the LBNL Privacy and Security Notice for that system and all other DOE systems. In addition, SEC 0203 Notice of External Monitoring serves as written consent of external monitoring by third-party providers or external parties.
- Access without Consent
- Individual Access. Individual Access without Consent is access, without a user's permission, to Laboratory Information that is normally available to only that user. This access occurs for either investigations or operational necessity and exceeds normal monitoring activities.
- Data Access. Data Access without Consent is access to Laboratory Information, which is not normally available to the requestor, which provides individually identifiable information or recordings regarding the activities, actions, or behaviors of employees, affiliates, and other users of Laboratory IT or resources.
- Authorizations for Access without Consent
- Investigation of Wrongdoing: The Laboratory Deputy Director for Operations or Laboratory Counsel must authorize access for purposes of investigation of wrongdoing.
- Legal Requests: Laboratory Counsel must authorize access for legal requests, including requests from law enforcement.
Individual Access: The table below defines the authorization required for individual access for operational access and changes. The Access without Consent Procedurecontains the list of privacy implicating services. Employee or Affiliate Status | Operational Access | | Operational Changes | | Non-privacy implicating | Privacy implicating | | Active or On Leave | Supervisor or equivalent | Division director or designee | Supervisor or equivalent if the individual is unavailable | Terminated | Supervisor or equivalent | Division director or designee | Supervisor or equivalent |
- Data Access: The System Owner may authorize access to information for the purposes of operational access or changes.
- Fair and Reasonable Access: Employees responsible for authorizing Access without Consent must ensure that requests for access are fair and reasonable, given the potential for abuse inherent in Access without Consent and despite no expectation of privacy in the use of Laboratory IT.
- Least Intrusive Means Possible: Methods of access for operational purposes must be limited to the least-intrusive means possible. For example, it is less intrusive to set a vacation message (an operational change) than to give access to e-mail (operational access). Read the service provider guides at this page for help on providing least intrusive means possible.
- Minimal Involvement: To maximize confidentiality, the number of persons involved must be limited to only those required to initiate and conduct access.
- eDiscovery: The IT Division must provide a point of contact to provide and/or coordinate the provision of access for investigation of wrongdoing and legal requests and to advise on operational access and changes.
E. Roles and ResponsibilitiesEmployees engaged in monitoring or Access without Consent must adhere to the provisions of this policy. This policy also emphasizes the following roles and responsibilities: Role | Responsibility | Deputy Director for Operations | Approves requests for Access without Consent for purposes of investigating wrongdoing; ensures that requests are fair and reasonable | Laboratory Counsel | Approves requests for Access without Consent for legal purposes and to investigate wrongdoing; ensures that requests are fair and reasonable; ensures that requests adhere to applicable laws and policies | eDiscovery | Provides and/or coordinates the provision of Access without Consent for investigation of wrongdoing or legal requests; assists with identifying the least-intrusive means possible, including advising service providers, for operational access or changes; coordinates Laboratory approach to e-Discovery at the direction of Laboratory Counsel | IT Policy Manager | Helps to ensure that the provision of Access without Consent is fair and reasonable and supports autonomy privacy despite no expectation of privacy in the use of Laboratory IT; determines the list of privacy implicating services | Division directors | Ensure that operational access is not for investigatory purposes and that requested access is necessary to accomplish the function; assess if a request for Access without Consent may lead to an investigation and routes the request to the appropriate authorizer | Supervisors, system owners, other authorizers, or other requestors for Operational Access without Consent | Ensures that a good-faith effort is made to obtain consent from the individual before requesting operational access or changes; ensures that operational access or changes are not for investigatory purposes and that requested access is necessary to accomplish the function |
F. Definitions/AcronymsTerm | Definition | Laboratory IT | Berkeley Lab-managed IT, including computing devices, networks, services, and accounts | Access without Consent | Individual Access without Consent is access, without a user's permission, to Laboratory Information that is normally available to only that user. This access occurs for either investigations or operational necessity and exceeds normal monitoring activities; Data Access without Consent is access to Laboratory Information, which is not normally available to the requestor, which provides individually identifiable information or recordings regarding the activities, actions, or behaviors of employees, affiliates, and other users of Laboratory IT or resources | Investigation of wrongdoing | Access to identify or detect suspected wrongdoing; examples include examining an employee's e-mail for indication of violations of policy, searching through network-level records for indications of "time wasting," or to access data from card reader systems to investigate an incident | Legal requests | Legally enforceable requests, such as a subpoena, search warrant, court order, national security letter, or public records request, and requests for voluntary disclosure of information | Operational access | Access to gather operational information or provide continuity of service; for example, a work document in an individual account | Operational changes | Access required to modify an operational feature; examples include changing/activating a vacation message for an employee, or changing outgoing voice mail |
G. Recordkeeping RequirementsNone H. Implementing DocumentsInformation Technology Policy Manager
Information Technology Division
[email protected] J. Revision HistoryDate | Revision | By whom | Revision Description | Section(s) affected | Change Type | 1/2/2012 | 1 | J. Bonaguro | Rewrite for wiki | All | Minor | 2/4/2014 | 2 | J. Bonaguro | Edit | All | Major | | 3/6/2017 | 2.1 | M. Stoufer | "Chief Operating Officer" position title updated to "Deputy Director for Operations" | All | Editorial |
has an interest in ensuring the privacy of its workforce members, research subjects, and visitors is respected consistent with University of California and Department of Energy (DOE) policy, the California Constitution, and state and federal privacy laws and regulations. This policy articulates Berkeley Lab's policy position on privacy and how workforce members must handle personal information gathered and used in furtherance of the Laboratory's mission. It also serves to ensure that Berkeley Lab complies with applicable data protection laws, regulations, and contractual obligations, and adequately protects the information of staff, customers, and research and business partners. B. Persons AffectedThis policy applies to employees, affiliates, and casual users of Berkeley Lab IT and resources, including collaborators and visitors as to processing of personal information. C. ExceptionsNot applicable. D. Policy Statement- Risk-Based Approach. All personal information is not created equal and therefore should not all be protected the same way. This policy requires the Privacy Officer to develop processes and controls for identifying, assessing, and managing privacy risks proactively. The Privacy Officer shall work cross-functionally with Laboratory Management to coordinate implementation of these controls consistently and commensurably with the risks certain business processes pose to individual autonomy or information privacy. To the greatest extent possible, controls shall be built into business processes by design.
- Individual Autonomy and Expectations of Privacy by Berkeley Lab Workforce. The Privacy Officer shall coordinate the implementation of controls addressing end users' expectations of privacy, monitoring, and/or surveillance of Berkeley Lab staff activities and use of Laboratory IT, and limitations on access to Laboratory IT consistent with the following:
- Expectations of Privacy. Users have no expectation of privacy when using Laboratory IT, subject to limitations set by law and regulations, University Policy, and Department of Energy Orders as implemented into the Prime Contract.
- Acceptable Use. Subject to limitations set by Berkeley Lab policy, end users are permitted to make incidental personal use of Laboratory IT. However, incidental personal use of Laboratory IT is not subject to greater privacy protection than that of routine business use of Laboratory IT.
- Monitoring, Surveillance, and Access to Information About or Held by Berkeley Lab staff. The unauthorized monitoring and surveillance of Berkeley Lab staff is strictly prohibited. Authorization will be granted by Laboratory Management in consultation with Laboratory Counsel only where necessary to carry out a legitimate Laboratory function, be subject to appropriate oversight, be appropriately limited in time, place, manner, and scope, and be documented in writing.
- The Privacy Officer shall coordinate the implementation of controls addressing end users' expectations of privacy, monitoring, and/or surveillance of Berkeley Lab staff activities and use of Laboratory IT, and limitations on access to Laboratory IT consistent with the following:
- Information Privacy. The Privacy Officer shall coordinate the implementation of controls addressing the appropriate processing of personal information in connection with furthering the Laboratory's mission consistent with the following:
- Governance. Berkeley Lab's Privacy Program is supported by the following:
- Laboratory Privacy Officer. The Deputy Director of Operations shall appoint a Laboratory Privacy Officer to work cross-functionally with Laboratory Management on carrying out the intent of this policy. The Privacy Officer shall be a subject-matter expert capable of exercising independent and sound judgment, represent the Laboratory in internal and external fora, champion cross-functional projects, and conduct duties as assigned to ensure the Laboratory remains in compliance with applicable laws, regulations, policies, and contractual requirements.
- Privacy Committee. The Laboratory Privacy Officer may chair a Privacy Committee charged with coordinating activities related to advancing Berkeley Lab's Privacy Program objectives consistent with this policy. The Laboratory Privacy Officer may also lead specialized and cross-functional working groups composed of subject-matter experts in specific areas. Additional standards, implementation specifications, and guidance issued by these groups shall serve as extensions of this policy.
- Program Documentation, Review, and Authorization. The Laboratory Privacy Officer shall document the Privacy Program consistent with applicable requirements and periodically revise the documentation to ensure it remains current and in compliance with Berkeley Lab's legal, regulatory, contractual, and policy obligations.
- Minimization. Berkeley Lab Workforce must limit the collection, use, disclosure, or storage of personal information to that which is relevant and necessary to accomplish the Laboratory's mission and as required or authorized by the California Constitution or statute, or mandated by the federal government.
- Proper Basis for Processing of Personal Information. Berkeley Lab Management must process personal information only where the processing is supported by a proper basis. Proper basis includes:
- Consent. Where practicable or legally required, Berkeley Lab Workforce may process personal information pursuant to the appropriate consent given by the relevant data subject. Appropriate consent is that which is reasonable under the specific circumstances of the information processing and, where applicable, complies with applicable laws and regulations. Examples of appropriate consent include implied and express (in writing or electronically signed).
- Contract Performance. Berkeley Lab Workforce may process personal information to the extent necessary to perform a contract to which the individual is a party.
- Where Legally Permitted or Required. Berkeley Lab Management and workforce members may process personal information to the extent necessary to comply with legal or regulatory obligations, as required under the DOE Prime Contract, or as permitted under California or federal law. This includes processing personal information in the course of internal investigations, in connection with lawsuits or as directed by a tribunal with appropriate jurisdiction, for the proper functioning of the Laboratory, to protect the safety and well-being of individuals or the Laboratory community, and as otherwise permitted or required by law, University Policy, or Department of Energy directive.
- Specific Prohibitions on Processing of Personal Information. The following uses of personal information are prohibited without approval by the Privacy Officer.
- Use of Protected Personal Information as a personal identifier;
- Transmission or storage of Protected Personal Information (including DOE-owned personally identifiable information (PII)) via email, cloud storage, or other unsecure means;
- Sale or transfer of ownership rights of records containing personal information for any consideration.
- Notice. Berkeley Lab Management and workforce members must give appropriate notice to individuals regarding personal information about them which Berkeley Lab collects, permitted uses and disclosures of personal information, and guidance on how individuals may contact Berkeley Lab to make specific requests related to that information. The notice must be approved by the Privacy Officer and comply with requirements arising under applicable laws, regulations, or contract. The processing of personal information contrary to or in excess of what is disclosed via the notice is prohibited.
- Training and Awareness. The Privacy Officer shall maintain an education, training, and awareness program designed to inform employees of the requirements identified under this policy, build knowledge and skills to enable staff to protect personal information, and change behaviors towards focusing attention on the protection of personal information. To the greatest extent possible, this program should be tailored for roles based on the degree to which the individual is expected to process personal information in connection with Berkeley Lab business processes. Laboratory Management remains responsible for ensuring that all members of the laboratory workforce receive appropriate training to the extent necessary and appropriate for them to carry out their required job functions.
- Third-Party Risk Management. Where a third party is to process personal information on behalf of the Laboratory, Laboratory Management shall ensure that the third party will agree in writing to comply with the requirements under this policy. This may be accomplished through implementation of standard contractual clauses approved by the Privacy Officer and/or the Office of the Laboratory Counsel.
- Information Security. The Privacy Officer shall coordinate with the Chief Information Security Officer to ensure that physical, technical, and administrative controls adequately ensure that personal information remains appropriately protected throughout its lifecycle.
- Privacy Incident Management. The Privacy Officer shall maintain procedures to ensure the adequate management of privacy incidents resulting in unauthorized disclosure of, or access to, personal information according to contractual, legal, and regulatory obligations.
- Compliance. The Privacy Officer shall coordinate and collaborate with Berkeley Lab Management and workforce members to ensure compliance with applicable laws and regulations, University of California policies, and Department of Energy directives related to Privacy with Laboratory Management.
- Review and Assessment. The Privacy Officer shall coordinate assessments of the effectiveness of controls implemented pursuant to this policy. This assessment may be conducted by internal or external parties and will serve to guide the organization on the effectiveness of the overall program.
E. Roles and ResponsibilitiesAll members of the Laboratory community have responsibilities and remain accountable for complying with this policy. This section outlines specific responsibilities that attach to members of the Laboratory community based on their role and/or job duties. Role | Responsibilities | Berkeley Lab Workforce: all employees, affiliates, trainees, volunteers, and other entities or persons who perform work for the Laboratory or use Laboratory IT or resources. This includes other roles identified under this policy. | - Comply with this policy and implementation procedures (including the Privacy Program Manual, where applicable);
- Process personal information only to fulfill authorized job duties or activities for the Laboratory;
- Consult with the Laboratory Privacy Officer to address novel or ambiguous privacy issues;
- Avoid actions or inactions that could result in unauthorized disclosure or access to any form of personal information;
- Report any suspected or confirmed privacy incidents, policy violations, or other concerns through appropriate channels (i.e., [email protected]);
- Timely complete all required training modules.
| Laboratory Privacy Officer: individual appointed to oversee the Privacy Program | - Interpret and implement policies and procedures to supplement this policy;
- Provide advice with a view of encouraging compliance with applicable laws and regulations, improving privacy practices, and resolving problems;
- Chair the Privacy Steering Committee.
| Laboratory Management: division directors or delegates authorized pursuant to Laboratory Policy to accept risks associated with processing personal information on behalf of the Laboratory. | - Ensure all Berkeley Lab Workforce operating under their oversight and authority comply with this policy and address violations consistent with the RPM;
- Own risks associated with processing personal information.
|
F. Definitions/AcronymsTerm | Definition | De-identified personal information | Information related to individuals but from which all personally identifiable information (PII) has been removed and which cannot trivially be attributed to specific individuals through inference or aggregation of other publicly available information | Federally-Owned Personally Identifiable Information (PII) | Federally-owned information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. | Monitoring and Surveillance
| Terms generally used to describe a variety of activities intended to track, survey, observe, record, or otherwise monitor activities of specific individuals. Monitoring and surveillance can occur for a variety of reasons and to different extents, such as to protect confidential information from unauthorized disclosure or in connection with an internal investigation. | Personal Information | Any information that is maintained by the Laboratory in furtherance of Laboratory business that identifies or describes an individual, including, but not limited to, his or her name, Social Security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history. This includes: - Federally-owned personally identifiable information (PII);
- UC-owned Personal Information and Protected Personal Information;
- Publicly available personal information.
This term does not include de-identified information.
| Processing | Any activity performed by Berkeley Lab as to personal information throughout its life cycle, including creating, copying, transmitting, destroying, and providing access | Protected Personal Information | A highly sensitive subset of personal information that is subject to legal, regulatory, or contractual requirements, or which, if accessed or acquired without authorization, could cause harm to data subjects. This designation applies to UC-owned records containing any of the below: - Data breach-notice triggering elements identified under California law, consisting of a combination of first name or first initial and last name and any of the below:
- Social Security numbers, drivers license numbers, passport numbers, green card numbers, and any other government-issued identifiers commonly used to identify an individual;
- Employee health information, including records originating from a healthcare provider containing descriptions of conditions, diagnosis, prescriptions, referrals, visits, and other health information, insurance and/or claims-related information;
- Biometric information;
- License plate recognition system information; and/or
- Financial account information (such as debit and credit account information), including PINs or other authentication information.
- Usernames and passwords that would permit someone to access an online account.
- Certain sensitive personal data of EU residents contained in records subject to the General Data Protection Regulation;
- Certain datasets determined to be protected pursuant to a documented risk assessment by the Privacy Officer.
| Prudent to Protect Personal Information | UC-owned information that can be used to identify or describe an individual, but which is not identified as Protected Personal Information or Public Personal Information or which has not been de-identified | Public Personal Information | Information processed by Berkeley Lab staff in support of official Laboratory business which relates to or describes an identifiable individual, but that is lawfully publicly available or about which individuals do not have objectively reasonable expectations of privacy |
G. Recordkeeping RequirementsNone H. Implementing DocumentsLaboratory Privacy Officer
Information Technology Division
[email protected] J. Revision History
Date | Revision | By Whom | Revision Description | Section(s) Affected |
| 1/2/2012 | 1 | J. Bonaguro | Rewrite for wiki | All | Minor | 2/4/2014 | 2 | J. Bonaguro | Edit | All | Major | 3/6/2017 | 2.1 | M. Stoufer | "Chief Operating Officer" position title updated to "Deputy Director for Operations" | All | Editorial | 3/30/2017 | 2.2 | S. Lau | Minor editorial edits | All | Minor | 12/17/2020 |
| D. Soustin | Updated Contract 31 I clause numbers as per mod 1105 | Source Requirement Documents | Editorial | 6/15/2021 | 2.2 | A. Sultan | Periodic review. Minor formatting. No changes. | All | Editorial | 11/1/2021 | 3 | R. Elias | Major rewrite: changes reflect best practices in privacy program management that have become prevalent since the previous policy's initial drafting, reflecting current program management practices, such as those around implementing standard contractual clauses into procurement agreements. The policy also implements privacy by design by being crossfunctional, impacting virtually every function and requiring privacy risks to be managed throughout the data lifecycle. Title changed from Privacy, Monitoring and Access without Consent to Privacy. | All | Major | 12/2/2024 | 3.1 | A. Sultan | Periodic review: editorial clarification | D | Editorial |
|
| Card |
|---|
| label | Document Information |
|---|
| | | Card |
|---|
| label | Document Information |
|---|
| title | Document Information |
|---|
| DOCUMENT INFORMATION Title: | Privacy, Monitoring, and Access without Consent | Document number | 10.01.005.000 | Revision number |
23620172420142420152027 | Policy Area: | Information Technology | RPM Section (home) | Information Management |
RPM Section (cross-reference) | Section 9.01 | Functional Division | Information Technology | Prior reference information (optional) | RPM, Chapter 9, Section 9.01 | Source Requirements Documents | Functional Division | Information Technology |
Source Requirements DocumentsUC-DOE Prime Contract No. DE-AC02-05CH11231 (Contract 31), Clause H-7, Privacy Act Records Contract 31, Clause I.67 – FAR 52.224-1, Privacy Act Notification (APR 1984) Contract 31, Clause I.68 – FAR 52.224-2, Privacy Act (APR 1984) Contract 31, Clause I.69 – FAR 52.224-3, Privacy Training (JAN 2017) Contract 31, - DOE Office of Science Program Cyber Security Plan, June 2010
- DOE O 205.1B, Department of Energy Cyber Security Program, CRD Section 6
- DOE O 1450.4, Consensual Listening-In to or Recording Telephone/Radio Conversations
Clause I.124 – DEAR 952.204–77 Computer Security (AUG 2006), as modified by Contract No. DE-AC02-05CH11231, Appendix P, Section 2
Implementing DocumentsImplementing Documents |
| Show Ifbuilder-show |
|---|
| | Card |
|---|
| label | Additional Information | title | Additional Additiional Information |
|---|
| , Monitoring, and Access without ConsentPolicy | Document number | 10.01.005.000 | Revision number |
23620172420142420152027 | Policy Area: | Information Technology | RPM Section (home) | Information Management | RPM Section (cross-reference) |
Section 9.01none | Functional Division | Information Technology | Author name/contact info | Rainier Elias |
J Bonaguro | Revision 0 publication date |
320200711 | Retirement date | n/a | Prior reference information (optional) |
RPM, Chapter 9, Section 9.01 | |
|
|
| Inputs from more than one Functional Area? | No | List additional Functional Areas & contacts |
| | |
|
|
| Inputs from more than one Policy Area? | No | List additional Policy Areas & contacts |
| | |
|
|
| 30-day notification needed? | No | 30-day start date | n/a | 30-day end date | n/a |
| | |
|
| Need TABL reminders? | No | Frequency | n/a | Brief reminder text: | n/ |
a | a |
|
| Approval Sheet for this revision received (date)
[Note: author is responsible |
] - Information Technology,Information Management(Policy Area 1), (Policy Area 2), (Section)
New terms that need to be added to Glossary/Acronym list:- (list items not found and context (Policy Area name) – full definition would be included in Policy)
Implementing Documents restricted to department/functional use(optional – these will be used for tracing between requirements and associated documents)
Side bars:
Side bar 1 location (cite by Policy Section # - for example: Section D.2.a)
Sidebar 1 text:
Sidebar 2 location
Sidebar 2 text:
Sidebar 3 location Sidebar 3 text:
|
|
|
