What does the Department of Homeland Security tell its staff about protecting personally identifiable information (PII) in the agency's employee handbook?
The section on PII for DHS employees is three pages long and gives this definition for sensitive personally identifiable information:
"Social Security numbers, Alien Registration Numbers (A-number), financial account numbers, biometric identifiers (e.g., fingerprint, iris scan), citizenship or immigration status, account passwords, and medical information. The context of the PII may also determine its sensitivity, such as a list of employees with poor performance ratings."
7 privacy guidelines around PII
Here are the bullet points DHS gives its employees for protecting PII:
Before collecting or maintaining Sensitive PII, be sure that:
• you have the authority to do so;
• the data collection is consistent with the terms of a Privacy Act System of Records Notice (SORN); and
• your database or information-technology system has an approved Privacy Impact Assessment.
Access to Sensitive PII is based on having an official need to know. Limit your access to only the Sensitive PII needed to do your job.
• Ensure that casual visitors, passersby, and other individuals without an official need to know cannot access or view documents containing Sensitive PII. If you leave your work area for any reason, activate your computer's screen saver.
• Ensure privacy while having conversation or making a telephone call regarding Sensitive PII.
• Do not post sensitive PII online. This includes the DHS intranet, social networking sites, shared drives, SharePoint, or multi-access calendars accessible to individuals without an official need to know or proper authorization.
The document also says PII and data can only be stored on approved devices (which includes USB drives) and must be encrypted. You can see the complete DHS Executive Correspondence Handbook, here.
