Title:

Controlled and Prohibited Information Categories

Publication date:

8/9/2024

Effective date:

8/9/2024

BRIEF

Policy Summary

The general expectation is that Berkeley Lab information can be shared without restriction. However, some categories of information may affect the legal or security status of the Laboratory and require additional controls. These categories include:

  • Protected Information, including Personally Identifiable Information (PII) and Protected Health Information (PHI)
  • Official Use Only (OUO), Controlled Unclassified Information (CUI), and Sensitive but Unclassified (SBU) Information
  • Proprietary Information (e.g., information under a Cooperative Research and Development Agreement [CRADA] or a Nondisclosure Agreement [NDA])
  • Export-controlled information
  • Information with foreign national restrictions (e.g., No Foreign National Access [NOFORN])
  • Prudent to Protect information

This policy prohibits the following information:

  • Classified information
  • Unclassified Controlled Nuclear Information (UCNI)
  • Naval Nuclear Propulsion Information (NNPI)

Who Should Read This Policy

Employees and affiliates

To Read the Full Policy, Go To:

The POLICY tab on this wiki page

Contact Information

Information Technology Policy Manager
Information Technology Division
itpolicy@lbl.gov

POLICY

A. Purpose

This policy describes information controls to help maintain the legal and security status of Lawrence Berkeley National Laboratory (Berkeley Lab), while facilitating its scientific mission.

B. Persons Affected

This policy applies to employees and affiliates.

C. Exceptions

Not applicable.

D. Policy Statement

Employees and affiliates must adhere to policies, approvals, and controls for prohibited and controlled information categories. Policies and controls apply to both electronic and physical collections of information and may differ depending on whether the use is for research or operations.

D.1 Prohibited Information Categories

Employees and affiliates may not create, access, or store information that is prohibited at Berkeley Lab. The presence of prohibited information at Berkeley Lab, whether physical or electronic, alters the fundamental security posture of the Laboratory. Employees or affiliates who encounter prohibited information must stop work immediately and contact Blackberry Gate at (510) 486-6999, which will enact the Classified and Sensitive Information Protocol.

Berkeley Lab prohibits the following information categories:

  • Classified Information, including but not limited to Secret (S), Top Secret (TS), National Security Information (NSI), Secret Restricted Data (SRD), and Special Access Required (SAR) material. This includes information that is classified but has entered the public domain; public availability does not declassify it.
  • Unclassified Controlled Nuclear Information (UCNI)
  • Naval Nuclear Propulsion Information (NNPI)

D.2 Controlled Information Categories

Berkeley Lab is an unclassified, open research environment. The Laboratory's work is such that it can be freely communicated to the scientific and technical community. The Laboratory's computing environment supports research work intended for publication. Additional steps must be taken to secure information not intended for publication when it resides on Laboratory systems.

  1. Protected Information (i.e., Personally Identifiable Information [PII] and Protected Health Information [PHI])
    1. Policy. By law, Berkeley Lab must protect the privacy and security of personal information. The collection or use of Protected Information is prohibited unless approved and, even when approved, should occur only under limited circumstances.
    2. Protected Information Requirements. Individuals involved in the collection, use, and management of collections of Protected Information must comply with the Protected Information Requirements, which address approvals and required protections throughout the lifecycle of the data.
    3. Reporting Unapproved Use and Other Violations. Employees and affiliates must report any unapproved use or disclosure of Protected Information and, for approved uses, any violation of the Protected Information Requirements.
  2. Official Use Only (OUO), Controlled Unclassified Information (CUI), and Sensitive But Unclassified (SBU)
    1. Policy. Berkeley Lab does not use the OUO, CUI, or SBU designations. If required, and under limited circumstances, employees in Operations may receive documents carrying these designations (for example, DOE materials that reflect pre-decisional program or planning information). Employees should encourage collaborators at other institutions not to use these designations for collaborative research projects or operational purposes.
    2. Approvals. Operations employees may receive limited amounts of OUO or SBU material during the course of their work; no additional approval is required for this limited use. Researchers who receive material marked OUO or SBU must seek guidance from the Export Control Officer at (510) 486-7096. Employees who intend or expect to receive CUI must follow the processes detailed on the Lab's CUI Commons page.
    3. Requirements
      1. Creation. Do not create CUI, OUO, or SBU Information at Berkeley Lab. Use "UC Confidential" when generating University of California records that are not publicly releasable. If under a CRADA, use "Protected CRADA Information."
      2. Management and Storage. Follow the OUO Management and Storage Requirements.
  3. Proprietary Information (e.g., Information under a CRADA or NDA)
    1. Policy. Berkeley Lab permits the use of proprietary information for both research and operations.
    2. Approvals. Technology Transfer and Intellectual Property Management (TTIPM) or the Office of Sponsored Projects and Industry Partnerships (OSPIP) must approve agreements governing the use of proprietary information and should consult physical and cyber security as necessary. The data-protection level an agreement requires must not exceed the Laboratory's approved data-protection level for unclassified research, which is Low for confidentiality, integrity, and availability as defined in FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems; agreements that would require a higher level must not be approved.
    3. Controls
      1. Creation. Do not create proprietary information at Berkeley Lab unless approved by the Laboratory Director. Work with TTIPM or OSPIP to obtain approval.
      2. Management and Storage. Adhere to any disclosure requirements specified in signed agreements.
      3. Additional. OSPIP must approve proprietary use of Berkeley Lab resources, such as user facilities. The agreement language must limit Berkeley Lab commitments to protecting information or knowledge acquired from proprietary use of Laboratory resources.
    4. Other Applicable Policies
      1. Cooperative Research & Development Agreements (CRADAs)
      2. Material Transfer Agreements
      3. Nondisclosure Agreements
      4. Designated User Facility Agreements
      5. Strategic Partnership Projects (SPP)
  4. Export Controlled
    1. Policy. Berkeley Lab creates export-controlled information only in rare circumstances and only with approval. In the course of research or operations, access to export-controlled information may be necessary as background information. Employees may not access or use export-controlled information unless approved. Employees who take on the obligation of protecting export-controlled information expose themselves to personal civil and criminal liability for export-control violations.
    2. Approvals. The Export Control Officer must approve the creation of export-controlled information. The Export Control Officer or TTIPM (for NDAs and MTAs) must approve the use of export-controlled information and ensure that its use is commensurate with Berkeley Lab requirements, including the development of a Technology Control Plan as necessary.
    3. Controls
      1. Creation. Do not create export-controlled information at Berkeley Lab unless approved by the Export Control Officer who will require a plan to ensure that the creation of export-controlled information complies with applicable laws and regulations.
      2. Management and Storage. Develop a plan to appropriately manage and store export-controlled information to ensure compliance with applicable laws and regulations. Coordinate with the Export Control Officer who will consult with physical or cyber security, as appropriate.
  5. Foreign National Access Restrictions (e.g., NOFORN Marking)
    1. Policy. Berkeley Lab operates under the University of California nondiscrimination policy, which prohibits discrimination based on nationality in the conduct of fundamental research; therefore, the Laboratory prohibits information with foreign national access restrictions unless approved.
    2. Approvals. Senior Laboratory Management and the cyber and physical security groups may receive and store this information when necessary. The Export Control Officer, with input from cyber security and physical security as needed, must approve additional exceptions.
    3. Controls
      1. Creation. Do not create materials with foreign national access restrictions at Berkeley Lab.
      2. Management and Storage. Coordinate with the Export Control Officer who will consult with physical or cyber security, as appropriate.
    4. Additional. Employees may not attend meetings from which foreign nationals are excluded unless the Export Control Officer has approved their attendance in advance.

D.3 Prudent to Protect Information

During the course of research or for operational purposes, employees and affiliates may generate, use, or encounter information that is Prudent to Protect: information that should not be publicly available but does not rise to the level of requiring the specific controls described above. Prudent to Protect information may include materials from ethics investigations, material under attorney-client privilege, animal welfare protocols, passport numbers, and similar material, as well as Privileged Information.

Prudent to Protect Information is not public and may not be shared or published. Precautions must be taken to limit public exposure of this information.

Refer to Use of Privileged Information for additional policies regarding conflict of interest.

E. Roles and Responsibilities

Employees and affiliates are responsible for adhering to this policy.

F. Definitions/Acronyms

Protected Information

Protected Information includes Personally Identifiable Information (PII) and Protected Health Information (PHI). Berkeley Lab defines the following data, alone or in combination, as Protected Information:

  • Social Security numbers
  • Personal financial account information
  • Driver's license numbers
  • Health information with personal identifiers, for example:
    • Name plus insurance number
    • Employee ID plus treatment information
    • Any unique ID plus any medical information

Protected Health Information (PHI)

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), information, including demographic data, that relates to:

  • The individual's past, present, or future physical or mental health or condition,
  • The provision of health care to the individual, or
  • The past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security number).

Personally Identifiable Information (PII)

An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social Security number; (2) driver's license number or California identification card number; (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; (4) medical information; (5) health insurance information. See California Civil Code Section 1798.29 for additional information.

G. Recordkeeping Requirements

None

H. Implementing Documents

Document number | Title | Type
10.08.001.001 | Protected Information Requirements | Standard
10.08.001.002 | OUO Management and Storage Requirements | Standard

I. Contact Information

Information Technology Policy Manager
Information Technology Division
itpolicy@lbl.gov

J. Revision History

Date | Revision | By whom | Revision Description | Section(s) affected | Change Type
1/2/2012 | 0 | J. Bonaguro | Rewrite for wiki (brief) | All | Minor
11/28/2012 | 1 | J. Bonaguro | Rewrite for wiki (policy) | All | Minor
12/17/2020 | 1 | D. Soustin | Updated Contract 31 I clause numbers as per mod 1105 | Source Requirements Documents | Editorial
6/15/2021 | 1.1 | A. Sultan | Periodic review. Several link fixes. No policy changes. | All | Editorial
8/9/2024 | 1.2 | A. Sultan | Periodic review. Updated to include CUI Commons page link. | D.2 | Minor

DOCUMENT INFORMATION

Title: Controlled and Prohibited Information Categories
Document number: 10.08.001.000
Revision number: 1.2
Publication date: 8/9/2024
Effective date: 8/9/2024
Next review date: 8/8/2027
Policy Area: Information Categories and Controls
RPM Section (home): Information Management
RPM Section (cross-reference): none
Functional Division: Information Technology

Source Requirements Documents

  • Contract 31, Clause I.106, DEAR 952.204-72, Disclosure of Information (APR 1994) (prev. I.063)
  • DOE O 471.3, Identifying and Protecting Official Use Only Information
  • DOE M 471.3-1 Manual for Identifying and Protecting Official Use Only Information
  • DOE O 205.1C, Department of Energy Cybersecurity Management, CRD
  • DOE P 205.1, Departmental Cyber Security Management Policy
  • UCOP IS-3, Electronic Information Security


ADDITIONAL INFORMATION

Author name/contact info: J. Bonaguro
Revision 0 publication date: 1/2/2012
Retirement date: n/a
Inputs from more than one Functional Area? Yes
Additional Functional Areas & contacts: Export Control Officer (Legal), Technology Transfer and Intellectual Property Management, Office of Sponsored Projects and Industry Partnerships (OSPIP)
Inputs from more than one Policy Area? No
30-day notification needed? No (30-day start date: n/a; 30-day end date: n/a)
LDAP protected? No
Need TABL reminders? No (frequency: n/a; brief reminder text: n/a)


