Privacy and Sensitive Information Protection
It’s easy to see the importance of protecting Sensitive but Unclassified Information (SBU). Personally Identifiable Information (PII) (or Privacy Information) is considered SBU, but warrants the higher degree of protection within the SBU category due to its potential for damage in the area of Identity Theft. This is why there are so many policies and procedures with specific focus on the protection of PII.
What is NASA PII?
PII is any information about an individual which can be used to distinguish or trace an individual's identity. Some information that is considered to be PII is available in public sources such as telephone books, public Web sites, university listings, etc. This type of information is considered to be Public PII and includes, for example, first and last name, address, work telephone number, e-mail address, home telephone number, and general educational credentials.
In contrast, Protected PII is defined as a social security number standing alone, or an individual's first name or first initial and last name in combination with any one or more of the following types of information, including, but not limited to, social security number, passport number, credit card numbers, clearances, bank numbers, biometrics, date and place of birth, mother's maiden name, criminal, medical and financial records, etc. This information may be in the form of paper, electronic or any other media format.
PII is thus broken down into two categories at NASA: Protected PII and Public PII. When Protected PII is breached or otherwise compromised, the loss of control over it carries the requirement to report it to the NASA Security Operation Center (SOC) within 1 hour. You are asked to make your report immediately upon discovery. It should be noted that PII collected by NASA employees for official purposes that constitutes NASA employee protected privacy information is reportable immediately upon discovery as an incident. Privacy information collected by NASA employees that belongs to individuals other than NASA employees (for example, friends' or relatives' personal information stored in your handheld device), though it should be protected, is not reportable as a NASA data breach.
For more information including break-down descriptions and other frequently asked questions, please visit the NASA Agency Privacy Web Frequently Asked Questions.
NASA Provided Tools
IF IN DOUBT - ENCRYPT
Data encryption software has been deployed to all NASA HQ desktop and laptop computers as an initial step in improving the protection of sensitive information. This provides the ability to encrypt information prior to transport, transmission, or storage, and to decrypt information upon receipt. NASA HQ also offers briefings and training for all employees upon request through the Computer Training Center. The training provides insight on identifying and safeguarding sensitive information, governing NASA and Federal policy, incident reporting procedures, and penalties for the mishandling or wrongful disclosure of sensitive information. Other options are available for those who cannot fully meet their needs through the use of PKI and Entrust. Contact your HQ Privacy Manager for further information.
The Overarching Message
We all have the responsibility to ensure the protection of sensitive information. We should treat all privacy information as if it were our own and apply appropriate safeguards to protect it on our own behalf, as well as on behalf of our colleagues. This applies to information stored and/or processed on computer systems, handheld devices, and removable media of any kind, and to information in any format, including graphic images and printed documents. Hard copy images and files should be locked up and securely stored, never left lying around, and always kept with an SBU cover sheet attached. Individuals who are authorized to remotely access, collect, or process sensitive information, and those who telecommute, need to be especially vigilant in safeguarding and protecting this information.
If you believe you handle sensitive information and have not yet received encryption software, you may submit an NHQ Form 261, Request for Entrust Certificate, to receive the Entrust software and a digital certificate. For more information on Entrust PKI, visit the Entrust PKI Web page.
Questions should be directed to the HQ Privacy Manager, Bryan D. McCall, at 202-358-1767.