Parent Policy: Controlled and Prohibited Information Categories
Document#: 10.08.001.001

If you're involved in the collection, use, and management of Personal Information rated "Controlled," you must follow the requirements in this document.

Generally, personal information is any information that is maintained by the Laboratory in furtherance of Laboratory business that identifies or describes an individual, including, but not limited to, his or her name, Social Security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history.

Personal information rated "Controlled" is a highly sensitive subset of personal information that is subject to legal, regulatory, or contractual requirements, or which, if accessed or acquired without authorization, could cause harm to data subjects.

This designation applies to UC-owned records containing any of the below:

  • Data breach notice-triggering elements identified under California law, consisting of a first name or first initial and last name in combination with any of the below:
    • Social Security numbers, driver's license numbers, passport numbers, green card numbers, and any other government-issued identifiers commonly used to identify an individual;
    • Employee health information, including records originating from a healthcare provider containing descriptions of conditions, diagnoses, prescriptions, referrals, visits, and other health information, and insurance and/or claims-related information;
    • Biometric information;
    • License plate recognition system information; and/or
    • Financial account information (such as debit and credit account information), including PINs or other authentication information.
  • Usernames (or email addresses) in combination with passwords or security questions and answers that would permit access to an online account.
  • Certain sensitive personal data of EU residents contained in records subject to the General Data Protection Regulation.
  • Certain datasets determined to be Controlled pursuant to a documented risk assessment by the Privacy Officer.

Berkeley Lab respects the privacy of individuals whose information it processes to accomplish its mission. If personal information is accessed without authorization, individuals can suffer significant consequences, such as a higher likelihood of identity theft and fraud scams. This would not only harm those individuals but could also damage Berkeley Lab's reputation and affect our open computing environment. While all personal information processing is subject to control, Berkeley Lab takes additional protective measures for this subset of information to avoid and mitigate the harms that can follow a breach involving highly sensitive personal information.

1. Baseline Requirement

Controlled Personal Information can only be stored in Institutional Business Systems:

  • Human Resources Information System (HRIS)
  • UCPath (not an LBL system, but approved for PII)
  • Financial Management System (FMS) (Limited to a subset of financial account information for certain non-routine scenarios)
  • Taleo
  • REMS
  • CHESS
  • OHM (being replaced by CHESS)
  • RADAR
  • Clinic.lbl.gov (Occupational Health Record)

If you find Controlled Personal Information outside of these systems, immediately contact Cyber Security Operations at [email protected].

2. End-User Requirements

Do you use or access Controlled Information in the course of your work? If so, you must follow the requirements below to protect this information. If you need help or are confused about any requirements, contact [email protected].

2.1 How should I send or receive Controlled Information?

Permitted Methods

You may send Controlled Information (for approved business needs) by paper mail, fax, or phone. If none of these methods is sufficient, contact [email protected] for approval of another method.

Permitted Method: Paper Mail

Quick Tips
  • Onsite, single instances: Use Berkeley Lab mail services.
  • Onsite, collections: Hand deliver.
  • Offsite: Use a service with delivery confirmation.
  • Instance versus collection: An instance of Controlled Information is a single item, for example one individual's Social Security number. A collection contains the Controlled Information of multiple people. If it involves a spreadsheet, it is probably a collection.

Permitted Method: Fax

Quick Tips
  • We permit fax machines because they typically use phone lines rather than the Internet.
  • Electronic (desktop or Internet) fax software does carry some risk, since the document typically crosses the Internet and may be stored as a file or email along the way. Contact [email protected] if you have questions about electronic fax software.

Permitted Method: Phone

Quick Tips
  • You may give information verbally over the phone.

Prohibited Methods

If a method is not on the list of permitted methods, it is prohibited. We have had specific questions about the following methods and why we prohibit them.

Prohibited Method: Email

Why we prohibit it: Email has no end-to-end protection. Encryption between mail servers is opportunistic rather than guaranteed, so anyone who can see the network traffic or who operates a server along the path can potentially read the contents, and copies persist in the sender's and recipient's mailboxes and backups.

Prohibited Method: External media (USB stick, SD card, external drive, DVD, etc.)

Why we prohibit it: It is too easy to lose a USB stick or SD card. Most stories about loss of Controlled Information involve external media. Help us stay out of the news.

Prohibited Method: Password-protected files

Why we prohibit it: Password protecting a Word document or zip file does not meet the requirement. Legacy zip encryption is cryptographically weak, and even where a file format's encryption is sound, free tools can test large numbers of password guesses offline, so a weak password falls quickly. The password also has to reach the recipient somehow, usually over the same email channel as the file.

Prohibited Method: Anything else electronic

Why we prohibit it: Any electronic method not listed above is prohibited. If you have a specific method in mind, email [email protected] and we will add it to this list.

Receiving Controlled Information via Prohibited Methods

If you receive an instance of Controlled Information via a prohibited method:

  1. Ask the sender to only share Controlled Information using an approved method (if you’re responding to an email, delete the Controlled Information in your reply message).
  2. Record the information, if needed, in the approved system.
  3. Delete the information.

If you receive a collection (versus one or two pieces) of Controlled Information:

  1. Contact [email protected] so we can work with you to identify any new work processes or approaches that can limit this in the future.
  2. Delete the information as soon as possible (we're happy to help if necessary, contact [email protected])

2.2 How should I store Controlled Information?

Permitted Method: Paper

If you need to store paper collections (for approved business needs), use physical protections such as locked cabinets and/or offices. If possible, store only one copy.

Prohibited Method: Electronic

You may not store Controlled Information electronically anywhere other than an Institutional Business System. For example, you may not store it on your laptop, desktop, smartphone, thumb drive, or a file share. Controlled Information is only allowed in Institutional Business Systems (e.g. HRIS and FMS).

If you come across Controlled Information outside of Institutional Business Systems, you must report it immediately to [email protected].

2.3 How do I remove Controlled Information?

Electronic

If you accidentally accumulate collections or instances of Controlled Information on your computer, you must delete it as soon as possible.
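The instruction above, and the reporting rule in section 1, assume you can actually find stray Controlled Information on a workstation. The following Python script is an added example, not part of the original policy and not a Berkeley Lab tool: it scans a set of constructed sample files for two of the breach-notice elements listed in this document, Social Security numbers and payment card numbers, and filters the obvious false positives (SSN ranges the Social Security Administration never issues, card-like digit runs that fail the Luhn check). The file names and contents are invented for the demonstration; a real run would walk a directory with the `scan_directory` helper instead.

```python
import re
import sys
from pathlib import Path
from typing import Dict, Iterator, List, NamedTuple

# Constructed sample files standing in for a workstation or file share.
# None of this content comes from the original page; the numbers are test values.
SAMPLE_FILES: Dict[str, str] = {
    "notes.txt": "Call Jane Doe re: onboarding. SSN 123-45-6789 confirmed in HRIS.",
    "expenses.csv": "name,card\nJohn Smith,4111 1111 1111 1111\nMary Major,4111 1111 1111 1112\n",
    "readme.md": "Build 987-65-4321 is not a person. Front desk: 510-486-4000.",
}

# Hyphenated SSN layout: area-group-serial.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits with optional single spaces or dashes, the usual card layout.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    value: str


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(path: str, text: str) -> Iterator[Finding]:
    """Yield candidate breach-notice elements found in one file's text."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if ssn_is_plausible(*m.groups()):
                yield Finding(path, line_no, "ssn", m.group(0))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                yield Finding(path, line_no, "card", m.group(0))


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory mapping of path -> text (used for the constructed samples)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_directory(root: str) -> List[Finding]:
    """Walk a directory tree and scan every readable file as text."""
    findings: List[Finding] = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            text = p.read_text(errors="ignore")
        except OSError:
            continue
        findings.extend(scan_text(str(p), text))
    return findings


if __name__ == "__main__":
    # With no argument, scan the constructed samples; with one, scan that directory.
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no} {f.kind} {f.value}")
```

Run as-is it reports two hits (the SSN in notes.txt and the first card number in expenses.csv) and correctly ignores the 9xx "SSN" and the phone number in readme.md and the card number that fails Luhn. A hit is only a breach-notice element when it is paired with a name, so treat the output as a worklist for review and deletion, not as a verdict, and extend the patterns (driver's license formats vary by state) as your business process requires.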

Paper

Shred paper collections when they are no longer needed (use cross-cut shredders or a secure shredding service); when appropriate, archive collections per procedures from the Archives and Records Office.

2.4 I received a request to share Controlled Information. What should I do?

You may not share Controlled Information outside of existing operational needs. If you receive a request to share Controlled Information, contact [email protected] and your line management.

2.5 How do I report concerns or problems with Controlled Information?

If you found a collection of Controlled Information or you’re worried that these requirements are not being met, contact [email protected]. We’ll work with you to troubleshoot the problem.

3. Functional (Business) Owner Requirements

If you are responsible for a business process that uses Controlled Information, you must follow the following requirements to protect this information. If you need help or are confused about any requirements, contact [email protected].

3.1 Business Case Approval

You must have an approved business need for the use of Controlled Information. The business need must demonstrate that Controlled Information is necessary versus some other identifier such as employee ID. Required approvals:

Research Purposes

The Human Subjects Committee must approve the use or collection of Controlled Information and related protocols. The Human Subjects Committee must ensure that the use or collection of Controlled Information is necessary for the purposes of research and that the researcher has adequately considered other methods.

De-identification. Researchers must de-identify Controlled Information unless approved by the Human Subjects Committee. If information is not de-identified, the researcher must follow the requirements under Required Protections for Approved Business Cases.

Operational Purposes

The appropriate Operations Division Director and the IT Division’s Privacy Coordinator must approve the collection of Controlled Information for an identified business need.

3.2 Required Protections for Approved Business Cases

  1. Business Process and Security Design. You must involve Cyber Security Operations and the IT Division Privacy Coordinator early and throughout the design of your business process. This helps limit the amount of Controlled Information to the minimum possible. Contact [email protected].
  2. Data Collection. Design data collection to obtain only the minimum amount of Controlled Information needed to meet the approved need. For example, do not collect both Social Security numbers and driver's license numbers unless you need both; also limit the number of individuals about whom information is collected, e.g. only current employees rather than both current and former employees.
  3. Storage
    1. Electronic Collections.
      1. Approved Systems. Only Institutional Business Systems (e.g. HRIS and FMS) may store Controlled Information. If a business need exists to store this information outside of approved systems, you must develop an information security plan that is approved by your line management and Cyber Security Operations.
      2. Prohibited Systems. You may not store Controlled Information outside of approved systems, including file shares or laptops and other portable devices.
      3. Transient storage. If required by the business process, you may authorize employees to process transient instances (not collections) of Controlled Information (e.g. to confirm an upload to an Institutional System) on workstations (not on portable devices). You must ensure that a process exists to delete the information as soon as possible and that the workflow does not generate multiple copies of it (for example in downloads folders, email attachments, or backups).
    2. Paper Collections. Use physical protections such as locked cabinets and offices to store paper collections. If possible, store only one copy.
  4. User Access, Roles, and Privileges.
    1. Access procedures and roles. Access to Controlled Information may only be granted based on a business need and should be limited to the minimum level necessary. Functional owners must establish a process to identify what roles are necessary for accessing the Controlled Information, how access is granted, when it is revoked, and any differences in access based on roles.
    2. Review of Access. Functional owners must regularly review who has access to Controlled Information. Two separate people should perform the review so that no one reviews their own access rights. The review of roles and access should:
      1. Ensure access is limited to individuals with a business need,
      2. Ensure access rights are appropriate for the job and no broader than necessary,
      3. Validate high levels of privilege, including administrative or system access, and
      4. Ensure adequate separation of duties for each individual.
  5. Sharing or Disclosing Controlled Information
    1. Approval. You must obtain approval for sharing Controlled Information that exceeds existing operational needs and for disclosure outside of the UC system. Laboratory Counsel must approve data sharing requests, which includes sharing Controlled Information with the DOE.
      1. Existing approvals include the NRDC dosimeter metric system (SSN plus dose), FACTS, and I-9 verification (E-Verify).
    2. Criteria for Sharing or Disclosing Controlled Information. Requests for sharing UC-owned Controlled Information must have as their basis a legal requirement, contract clause, or business agreement.
  6. Disposal. When the business case no longer requires Controlled Information, it must be disposed of using Berkeley Lab procedures. Securely shred paper collections. For electronic collections, work with your IT Division liaisons to ensure that they are properly removed from existing data systems.
  7. Third Party Providers. If Berkeley Lab contracts with another party to process, manage, or store Controlled Information, Cyber Security Operations and the Privacy Coordinator must review and approve the information security protections. Business owners are responsible for obtaining the approvals and involving relevant parties early in the provider evaluation and selection process.

Policy Implementing Document

This document helps implement a Laboratory policy in the Requirements and Policies Manual.

Feedback

Send feedback to [email protected].