Found via PogoWasRight.org.
The Department of Homeland Security has released guidelines (pdf) for safeguarding “sensitive personally identifiable information” that it retains or uses. There are definitions for personally identifiable information (PII) and sensitive PII:
DHS defines PII as any information that permits the identity of an individual to be directly or indirectly inferred, including any information which is linked or linkable to that individual regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department.
Some PII is not sensitive, such as the PII on a business card. Other PII is Sensitive Personally Identifiable Information (Sensitive PII), such as a Social Security number or alien number (A-number), and requires stricter handling guidelines because of the increased risk to an individual if compromised.
DHS defines Sensitive PII as personally identifiable information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
- Due care should be taken when handling sensitive PII;
- such data should be collected “only as authorized,” meaning that the employee should be sure he or she “[has] the legal authority to do so”;
- use of sensitive PII should be limited to official purposes;
- “Do not access or share Sensitive PII for entertainment or any other purpose unless it is related to your mission need to know” and “protect against ‘shoulder surfing,’ eavesdropping, or overhearing by anyone without a need to know the Sensitive PII” (this might be in response to the numerous problems that federal, state and local government agencies had with employees misusing their authority to access sensitive data);
- “Do not create unnecessary or duplicative collections of Sensitive PII, such as duplicate, ancillary, ‘shadow,’ or ‘under the radar’ files. Minimizing proliferation of Sensitive PII helps to keep it more secure and reduces the risk of a data breach”;
- data retention and destruction schedules should be followed; and,
- “Do not take Sensitive PII home or to any non-DHS approved worksite, in either paper or electronic format, unless appropriately secured. Sensitive PII in electronic form must be encrypted. Paper documents must be under the control of the employee or locked in a container” (this brings to mind the 2006 security breach where an unencrypted laptop and hard drive containing sensitive data on 26.5 million current military personnel, veterans, and their spouses were stolen from a Veterans Affairs’ employee’s home and a July report (pdf) from the GAO that found more than 70 percent of the federal government’s mobile devices were unencrypted at the time of the review).
There are more instructions for identifying and safeguarding sensitive PII, and the protocols to follow should an employee suspect sensitive PII has been mishandled or wrongly disseminated.