Frequently Asked Questions (FAQs)

What is Personally Identifiable Information (PII)?

Personally Identifiable Information (PII) is information in an Information Technology (IT) system or collection that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.). In addition, PII may be comprised of information by which an agency intends to identify specific individuals in conjunction with other data elements. These data elements may also include gender, race, birth date, geographic indicator and other descriptors.

The Office of Management and Budget (OMB) defines PII as: “Any information about an individual maintained by an agency, including but not limited to, education, financial transactions, medical history, and criminal or employment history and information that can be used to distinguish or trace an individual's identity, such as his or her name, SSN, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information that is linked or linkable to an individual.” – OMB 07-16

PII should not be confused with “private” information. Private information is information that an individual prefers not to make publicly known, e.g., because of the information’s sensitive nature. Personally identifiable information is much broader in scope and includes all information that can be used to directly or indirectly identify individuals.

The Federal government has been trying for years to solidify a definition to use, but the closest we can come is the subtext used in OMB-07-16. The most simplistic definition is to consider PII to be information that can be linked or linkable to a specific individual.

Regardless of whether it is publically available or not, it is still “identifying information”, or PII. However, what federal employees must be wary of is Personally Sensitive PII. Not all PII is sensitive. For example, information on a business card or in a public phone directory is considered identifying information. But, in most cases it is not sensitive PII, because it is usually widely available information. PII that is releasable to the public in accordance with the Freedom of Information Act (FOIA) or is commonly used in the work environment is not considered to be of risk to an individual (or to the agency). PII of this nature is not “sensitive”. However, it is PII nevertheless; and it needs to be protected.

The data or identifiable factor must be examined in its context of use. Context of use can make personal information be regarded as sensitive if the list is contextually associated with sensitive information. For example, a list of names and addresses of people subscribing to a government newsletter is PII, but it is not sensitive PII. Change the title of the top of the page to a list of people receiving treatment for substance abuse and it becomes sensitive information. As well as context, the association of two or more non-sensitive PII elements may result in sensitive PII. A

1 social security list on a sheet of paper is not dangerous until paired with a name or other individualizing factor.

The definition of PII is very broad and makes no distinction between “sensitive” and “non- sensitive” information. If an individual can be identified, it is PII. Sensitive PII is defined personally identifiable information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. This is the information that we should be especially looking to safeguard at all times. Still, even if information is not sensitive (even if publically available), the U.S. Forest Service cannot release that PII without consent. Therefore, any and all personally identifying information collected, stored and used by the Federal government needs to be protected.

What is Personally Sensitive Information?

Personally Sensitive Information (PSI) is an official U.S. Forest Service record that is Personally Identifiable Information (PII) or non-public information, which if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Information classified as PSI therefore requires stricter handling guidelines to protect against any anticipated threats or hazards to security or integrity because of the increased risk to an individual. PSI should only be used if a need for the information relates to the official duties of the U.S. Forest Service.

PII is considered private if it is associated with an individual. A person's SSN or TIN, credit card numbers, and other financial information may be considered PSI if their disclosure might lead to crimes such as or fraud. Some types of PSI information, including records of a person's health care, education, and employment may be protected by privacy laws. The data or identifiable factor must be examined in its context of use. Context of use can make personal information be regarded as PSI if the list is contextually associated with sensitive information. For example, a list of names and addresses of people subscribing to a government newsletter is PII, but it is not sensitive PII. Change the title of the top of the page to a list of people receiving treatment for substance abuse or a communicable disease and it becomes sensitive information. As well as context, the association of two or more non-sensitive PII elements may result in PSI. A social security list on a sheet of paper is not dangerous until paired with a name or other individualizing factor.

The PSI label (coupled with the designation of Controlled Unclassified Information) is intended for the control of access to information or knowledge that might result in loss of an advantage or level of security if disclosed to others. Unauthorized disclosure of PSI can make the perpetrator liable for civil remedies and may in some cases be subject to criminal penalties. Loss, misuse, modification or unauthorized access to sensitive information can adversely affect the privacy or welfare of an individual, trade secrets of a business or even the security, internal and foreign affairs of a nation depending on the level of sensitivity and nature of the information. Note: Nonpublic information is information that the employee gains by reason of Federal employment and that he or she knows or reasonably should know has not been made available to the general public.

Nonpublic Government information includes, but is not limited to:

2

 information that is exempt from disclosure under the Freedom of Information Act,  information that the agency has designated as confidential, or  information that has not actually been disseminated to the general public and is not authorized to be made available to the public upon request

Executive branch employees may not use or allow the use of sensitive or nonpublic government information to further their own private interests or the private interests of others. In addition to violating the Standards of Conduct, the actions may also violate Federal statutes prohibiting the use and disclosure of confidential and inside information.

What are the Fair Principles (FIPPS)? In order to assure that any personal information submitted to the U.S. Forest Service (FS) is properly protected, the agency has devised principles to be applied when handling personal information. This is referred to as the “Code of Fair Information Privacy Principles (FIPPs)".

Principle 1 – Accountability An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.

Principle 2 – Identifying Purposes The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Principle 3 – Consent The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Principle 4 – Limiting Collection The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Principle 5 – Limiting Use, Disclosure, and Retention Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

Principle 6 – Accuracy Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Principle 7 – Safeguards Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Principle 8 – Openness

3

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Principle 9 – Individual Access Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Principle 10 – Challenging Compliance An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

The FIPPs are set forth in policies that U.S. Forest Service employees will follow when handling personal information. Any U.S. Forest Service employee or contractor who handles the personal information of others must abide by the principles set forth by the following Codes:

1) When the U.S. Forest Service collects , we will inform the public of the intended uses of the data, the disclosures that will be made, the authorities for the collection, and whether the collection is mandatory or voluntary. We will collect no data subject to the unless a Privacy Act System of Record Notice has been published in the Federal Register. 2) Unless the U.S. Forest Service has claimed an exemption from the Privacy Act, we will, upon request, grant an individual access to records; provide the individual a list of disclosures made outside the Agency; and make corrections to the individual’s file, once shown to be in error. 3) The U.S. Forest Service will collect only those personal data elements required to fulfill an official function or mission grounded in law. Those collections are conducted by lawful and fair means. 4) The U.S. Forest Service will retain an individual’s personal information only as long as necessary to fulfill the purposes for which it is collected. Records will be destroyed in accordance with established U.S. Forest Service records management schedules. 5) The U.S. Forest Service will maintain only accurate, relevant, timely, and complete data about the public. 6) The U.S. Forest Service will use an individual’s personal data only for lawful purposes. Access to the individual’s data will be limited to U.S. Forest Service employees and contractors with an official need for access. 7) U.S. Forest Service employees and contractors will safeguard the public’s personal data to ensure that all disclosures are made with an individual’s written permission or are made in strict accordance with the Privacy Act. 8) The public’s personal data is protected by appropriate safeguards to ensure security and confidentiality. Electronic systems will be periodically reviewed for compliance with the security principles of the Privacy Act, the Computer Security Act, and related statutes. Electronic collections will be accomplished in a safe and secure manner.

4

9) U.S. Forest Service employees and contractors are subject to civil and criminal penalties for certain breaches of Privacy. The U.S. Forest Service is diligent in sanctioning individuals who violate Privacy rules. 10) The public may challenge the U.S. Forest Service if an individual believes the agency has failed to comply with these principles, the Privacy Act, or the rules of a system of records notice. Challenges may be addressed to the person accountable for compliance with this Code, to the U.S. Forest Service Privacy Act Officer, or the U.S. Forest Service Freedom of Information Act (FOIA) Officer at: Mailing Address: USDA FS, FOIA Service Center 1400 Independence Avenue, SW Mail Stop: 1143 Washington, DC 20250-1143

FEDEX Address USDA Forest Service FOIA Service Center ORMS/RIS 201 14th Street, SW 1st Floor, SW Wing Washington, DC 20250

Your correspondence may also be sent via fax or email: Fax your request to: (202) 260-3245 Email your correspondence to: [email protected]

Main Number: (202) 205-1542

What are U.S. Forest Service employees and contractors required to do?

The U.S. Forest Service work force is required to:

 Ensure that personal information contained in a system of records, to which they have access to or are using incident to the conduct of official business, shall be protected so that the security and confidentiality of the information shall be preserved.  Not disclose any personal information contained in any system of records except as authorized. Personnel willfully making such a disclosure when knowing that disclosure is prohibited are subject to possible criminal penalties and/or administrative sanctions.  Report any unauthorized disclosures of personal information from a system of records or the maintenance of any system of records that are not authorized to your local Privacy Act Officer or to their supervisor.  Ensure that all personnel who either shall have access to the system of records or who shall develop or supervise procedures for handling records in the system of records shall be aware of their responsibilities for protecting personal information being collected and maintained under the Privacy Program.

5

 Prepare promptly any required new, amended, or altered systems notices for the system of records and submit them through the Washington Office Privacy Officer for publication in the Federal Register.  Not maintain any official files on individuals that are retrieved by name or other personal identifier without first ensuring that a Privacy Act system of records notice has been published in the Federal Register. Any official who willfully maintains a system of records without meeting the publication requirements of the Privacy Act is subject to possible criminal penalties and/or administrative sanctions.

The U.S. Forest Service work force are instructed of and made aware of the following:

 Ask, “If I do this, will I increase the risk of unauthorized access?”  Do not share it with anyone outside of the U.S. Forest Service unless: o The recipient is listed in Section (b) of the Privacy Act or o The record’s subject has given you written permission to disclose it.  Make sure that access controls are in place to limit access to files/folders that contain PII to those with a “need to know.” o Password-protect and encrypt personal data placed on shared drives, the Internet or the Intranet. o Issue passwords only to those with a clear need for access.  Remove it once it no longer needs to be posted.  Never post privacy data to E-Workplace, SharePoint or Outlook.  Never leave your laptop unattended. o Keep your laptop in a secure government space or secured under lock and key when not in use. o Laptops and mobile electronic equipment must have full disk encryption.  Mark all external drives or mobile media as “Property of USDA/USFS”  If encryption is not available, do not create, store, or transmit PII on Information Technology (IT) equipment.  Ensure PII resides only on government furnished IT equipment. Never store PII on personal devices.  Do not maintain PII on a public web site or electronic bulletin board.  Verify the printer’s location prior to sending a document containing PII to the printer, and promptly pick up all copies of the documents as soon as they are printed.  Double check the fax number prior to transmitting documents with PII, and ensure someone is standing by on the receiving end of the fax. Do not fax PII to unattended fax machines.  Ensure all printed documents with PII are properly marked with “CUI–Privacy Sensitive.”  Do not discard documents with PII in trash or recycle bins. o Destroy U.S. Forest Service records in accordance with the U.S. Forest Service Records Schedule. o Dispose of documents containing PII by making them unrecognizable by shredding, pulping, or burning. o Disposal methods are considered adequate if the personal data is rendered unrecognizable or beyond reconstruction.

6

o Documents containing PII may also be placed in a burn bag for destruction.  Ensure all hard drives are degaussed, properly marked, and accounted for prior to turn in.  Limit storage of PII on shared drives and folders whenever possible.

What are the privacy laws, regulations, rules and mandates?

Privacy law in the United States

In the United States, unlike most developed countries, there is no overarching and comprehensive federal-level law protecting against personal information being collected and stored. Instead, the U.S. has a patchwork of laws covering different types of data protection - with separate laws for medical record privacy, financial privacy, telemarketing, credit reporting and even video rentals. Like any patchwork system, there are a lot of holes. With technology constantly and quickly evolving, our patchwork system of laws and policies are often lagging behind industry innovations.

The "" is something many of us take for granted - but it's not mentioned in the Bill of Rights or the Constitution. Reflecting this, the Privacy Act of 1974 does not actually cover privacy in the traditional way that it is thought of in regard to secrecy, being left alone, or requiring a quiet space. The Privacy Act of 1974 is primarily about governmental procedure when it comes to the collection and use of personal information.

Regulations and Mandates

As an agency in the Federal government, the U.S. Forest Service is required to comply with all current applicable Federal privacy laws, regulations and guidance, and must establish and apply data safeguards. Protecting Personally Identifiable Information (PII) is the primary focus. However the following tasks are also priorities:  Support mechanisms that allow individuals to review records about themselves and amend their personal records if there is erroneous information;  Keep a record of disclosures made outside of the U.S. Forest Service to authorized routine uses described in the Privacy Act system notice;  Maintain only accurate, timely, and complete information;  Follow the Privacy Act and other regulations regarding the release and/or withholding of information;  Ensure contracts involving Privacy Act data contain the appropriate Federal Acquisition Regulation (FAR) privacy clauses;  Factor Privacy into the workplace; and  Develop best practices.

Federal Mandates

The Privacy Act of 1974 protects an individual's privacy from unwarranted invasion by requiring that personal information in possession of Federal agencies is properly used, and that agencies institute measures to prevent any potential misuse of information in their possession. The Privacy Act of 1974:

7

 Controls the use of personal information by restricting Federal agencies' collection, maintenance, use, and dissemination of personal information.  Allows individuals to access information about themselves that agencies maintain.  Allows individuals to correct their records when the information is not accurate, relevant, timely, or complete.  Controls the disclosure of personal information in possession of a Federal agency.  Requires that agencies follow mandated policies and procedures.

The Computer Matching and Privacy Protection Act of 1988, and the Computer Matching and Privacy Protection Amendments of 1990 concern the electronic sharing of information. These laws:

 Apply to automated systems of records when the information in the systems is shared between Federal or non-Federal agencies.  Spell out the procedural requirements that agencies must follow when performing computer-matching activities.  Require agencies to provide to individuals whose records are in matching systems the opportunity to receive notice and to refute adverse information before having a benefit denied or terminated.  Require agencies which are engaged in matching activities to establish Data Integrity Boards to oversee computer-matching activities.

The E-Government Act of 2002 aims to ensure privacy in the conduct of Federal information activities. Title III of the E-Government Act, Federal Information Security Management Act of 2002 establishes computer security requirements for Federal automated information resources. Among its other system security provisions, this Act requires agencies to:

 Conduct a periodic assessment of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency;  Address information security throughout the life cycle of each agency information system.

Office of Management and Budget (OMB) Guidance oversees, establishes rules and procedures, and provides guidance to agencies on the implementation of the Privacy Act and on information security. OMB's guidance is found in:

 OMB Circular No. A-130, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals, which establishes Privacy Act requirements and procedures;  OMB Circular No. A-130, Appendix III, Management of Federal Information Resources, which establishes guidelines for Federal agencies on complying with the fair information practices and security requirements for operating automated information systems.  (M-03-22) Memorandum for Heads of Executive Departments and Agencies, OMB Guidance for Implementing the Privacy Provisions of E-Government Act of 2002.  Title III of the E-Govt Act, Federal Information Security Management Act of 2002

8

U.S. Forest Service privacy requirements

The U.S. Forest Service Privacy Office is currently complying with applicable laws and regulations such as (but not limited to):

 Privacy Act of 1974  E-Government Act of 2002  Paper Reduction Act of 1995  NARA Code of Federal Regulations  Other laws and regulations

And following OMB requirements such as (but not limited to):

 OMB Circular A-130, Appendix I  FISMA Reporting Instructions for Agency Privacy Management  OMB Memo M-05-08, Designation Senior Agency Officials for Privacy (SAOP)  OMB Memo M-07-16, Safeguarding Against and Responding to Breach of Personally Identifiable Information  OMB Instructions for Complying with the President’s Memorandum of May 14, 1998, Privacy and Personal Information in Federal Records

Can I see what privacy-related information the government has?

Under the Privacy Act, you may request copies of any U.S. Forest Service records that:  are about you and  are filed and can be retrieved by your name or a personal identifier (such as your Social Security number). You can also ask the Agency to correct records that are inaccurate, incomplete, untimely, or irrelevant. In some cases, the Privacy Act may not allow release of your personal records. If you have any questions about records, please see the Freedom of Information Web Page at http://www.fs.fed.us/im/foia/makearequest.htm.

Requests for information about you contained in a U.S. Forest Service Privacy Act system of records must:

 Be in writing and signed.  Be addressed to the appropriate U.S. Forest Service activity you believe is maintaining the information about you.  Identify the applicable U.S. Forest Service Privacy Act system of records notice that might contain the information you are seeking, and your relationship with U.S. Forest Service and the time period of that relationship. Privacy Act systems of records notices are found at http://www.fs.fed.us/im/foia/pasystems.htm.  Provide any other documentation as listed under the Notification or Access elements within the Privacy Act system of records notice.  When in doubt, contact the U.S. Forest Service Privacy Officer.

9

Note: An employee’s browsing or reading information that he or she does not have a “need-to- know” reason to see the data is a violation of privacy of the person for whom the data is about. It is punishable with criminal or civil penalties for violating the Privacy Act.

How do I submit a Freedom of Information Act (FOIA) request?

For information about submitting a FOIA request, visit the U.S. Forest Service FOIA website http://www.fs.fed.us/im/foia/makearequest.htm

10