GSA Rules of Behavior for Handling Personally Identifiable Information (PII)
Note: The information on this page is intended to inform members of the public of GSA's privacy policies and practices as they apply to GSA employees, contractors, and clients.
GSA Directive
HCO 2180.1 GSA Rules of Behavior for Handling Personally Identifiable Information (PII)
Date: 08/07/2009
Status: Validated
Outdated on: 08/07/2019
GSA Rules of Behavior for Handling Personally Identifiable Information (PII)
1. Purpose: This order provides GSA’s policy on how to properly handle PII and the consequences and corrective actions that will be taken when a breach has occurred.
2. Cancellation: HCO IL-08-1 is cancelled.
3. Background: This satisfies the requirement to develop and implement policy outlining rules of behavior and consequences included in Office of Management and Budget (OMB) Memorandum M-07-16 (May 22, 2007).
4. Applicability: This order applies to all GSA officials, employees, contractors and those whose responsibility it is to manage information technology systems that contain PII in published Systems of Records Notices (SORNs). Contractors are not subject to the provisions of internal GSA discipline, as discussed in paragraphs 13 and 14.
5. References: The following informational material is relevant to this topic.
a. Privacy Act of 1974, as amended
b. OMB Memo M-07-16 (May 22, 2007)
c. IT Security Procedural Guide: Handling IT Security Incidents CIO-IT Security-01-02 (April 22, 2008)
d. GSA Information Technology (IT) Security Policy (GSA CIO P 2100.1E, July 2, 2009)
e. GSA IT Rules of Behavior (GSA CIO 2104.1, July 3, 2003)
f. Maintaining Discipline (CPO 9751.1, May 20, 2003)
g. Federal Information Security Management Act (FISMA) (January 2003)
6. Personally Identifiable Information (PII): Personally Identifiable Information is information about a person that contains some unique identifier, including but not limited to name or Social Security Number, from which the identity of the person can be determined. In OMB M-06-19 (July 12, 2006), "the term Personally Identifiable Information means any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual."
7. Protecting PII: GSA CIO P 2100.1E lists measures that should be taken to protect PII. Chapter 4, Policy of Operational Controls, Section 22, Personally Identifiable Information, has security requirements for the protection of PII.
a. If it is a business requirement to store PII on GSA user workstations or mobile devices including, but not limited to, notebooks computers, USB drives, CD- ROMs/DVDs, personal digital assistants and Blackberries, PII must be encrypted using a FIPS 140-2 certified encryption module. An employee or contractor shall not physically take out PII from GSA facilities (including GSA-managed programs housed at contractor facilities under contract), or access remotely (i.e., from locations other than GSA facilities), without written permission from the employee’s supervisor, the data owner, and the IT system authorizing official. This applies to electronic media (e.g. laptops, Blackberries, USB drives), paper, and any other media (e.g. CDs/DVDs) that may contain PII.
b. PII shall be stored on network drives and/or in application databases with proper access controls (i.e., User IDs/password) and shall be made available only to those individuals with a valid need to know.
c. Log all computer-readable extracts from databases holding PII and verify each extract including PII has been erased within 90 days or its use is still required.
d. Creation of computer-readable data extracts that include PII shall be maintained in an official log, including reactor, date, type of information, and user.
e. If PII needs to be transmitted over the Internet, it must be sent using encryption methods defined in the GSA Information Technology (IT) Security Policy (GSA CIO P 2100.1E, Ch. 4, para. 22).
f. All incidents involving data breaches which could result in identity theft must be coordinated through the Senior Agency Information Security Officer (SAISO) and the GSA Management Incident Response Team (MIRT) using the GSA Information Breach Notification Policy (9297.2A HCO, February 26, 2009).
g. GSA-managed computers that collect and store PII must adhere to all PII requirements.
h. If PII needs to be emailed within the GSA network, at a minimum Lotus Notes encryption is required.
i. If PII needs to be sent by courier, printed, or faxed, several steps should be taken. When sending PII by courier, mark “signature required” when sending documents. This creates a paper trail in the event items are misplaced or lost. Don’t let PII documents sit on a printer where unauthorized employees or contractors can have access to the information. When faxing information, use a secure fax line. If one is not available, contact the office prior to faxing so they know information is coming, and contact them after transmission to ensure they received it. For each event the best course of action is to limit access of PII only to those individuals authorized to handle it, create a paper trail, and verify information reached its destination.
8. Privacy and Security Awareness Training and Education:
a. All employees and contractors must complete Security Awareness training and Privacy Training 101 within 30 days of employment. All GSA employees and contractors must complete Security Awareness training and Privacy Training 101 annually.
b. All GSA employees and contractors must complete Security Awareness training and Privacy Training 101 annually.All employees and contractors must complete Security Awareness training and Privacy Training 101 within 30 days of employment.
c. All employees and contractors who have information security responsibilities as defined by 5 CFR 930.301 and GSA IT Security Training Policy (April 13, 2006) must complete specialized IT security training as defined in the policy.
d. All employees and contractors who have significant privacy information responsibilities must complete specialized Privacy Training 201.
e. All GSA employees and contractors, who work with personally identifiable information or have access to other people’s information, must complete Privacy Training 201.
f. Failure to comply with annual awareness and specialized training requirements will result in termination of email privileges.
9. Information Data Breach: A data breach is when PII is viewed, leaked, or accessed by anyone who is not the individual or someone authorized to have access to this information as part of his/her official duties. In accordance with GSA IT Security Procedural Guide: Handling IT Security Incidents, a "security incident" is "[a] set of
events that have been examined and determined to indicate a violation of security policy or an adverse effect on the security status of one or more systems within the enterprise.” When it has been determined that PII has been compromised, refer to GSA Information Breach Notification Policy (see link above).
10. Corrective Action, Consequences, and Penalties:
a. Employees:
(1) Penalties for non-compliance: All users who do not comply with the IT General Rules of Behavior may incur disciplinary action and/or criminal action. GSA IT Rules of Behavior (GSA CIO 2104.1, para. 6).
(2) Compliance and deviations: Compliance is mandatory. The GSA IT Security Policy requires all GSA Services, Staff Offices, Regions (S/SO/R), Federal employees, and authorized users of GSA’s IT resources to comply with the security requirements outlined in the policy. The policy must be properly implemented, enforced, and followed to effectively protect GSA’s IT resources that store PII. Appropriate disciplinary action must be taken in a timely manner in situations where individuals and/or systems are found non-compliant. Violations of GSA IT Security Policy may result in penalties under criminal and civil statutes and laws. All deviations from the GSA IT Security Policy Order must be approved by the appropriate Authorizing Official with a copy of the approval forwarded to the GSA Senior Agency Information Security Officer (SAISO) in the Office of the Chief Information Officer (OCIO). GSA Information Technology (IT) Security (IT) Policy (GSA CIO P 2100.1E, ch. 1, par. 5).
b. Contractors:
(1) When GSA contracts for the design, operation, maintenance, or use of systems containing information covered by the Privacy Act, the contractor and its employees are considered employees of GSA for purposes of safeguarding the information and are subject to the same requirements for safeguarding the information as Federal employees. (5 U.S.C. 552a(m)).
(2) Contractors and their employees are subject to criminal sanctions under the Privacy Act for any violation that may occur due to oversight or negligence.
11. Security Violation: All breach incidents that involve PII must be reported to the Senior Agency Information Security Officer (SAISO) (IT Security Policy, Ch. 4, par. 9.e).
12. Maintaining Discipline: GSA’s Order on Maintaining Discipline (CPO 9751.1), May 20, 2003, and the Penalty Guide should be used when it is determined that disciplinary action is required for GSA employees.
a. The principles of this policy are:
(1) Primary emphasis is to be placed on positive action by supervisors to prevent situations requiring disciplinary actions.
(2) Employees are expected to adhere to high standards of conduct. When they violate the rules, regulations, or standards of conduct, they will be dealt with promptly and adequately, on a fair and equitable basis.
(3) Disciplinary actions should be consistent with the principle of like penalties for like offenses, with due consideration for the employee’s past record and any other circumstances that, in the exercise of reasonable judgment, detract from or add to the seriousness of the offense.
b. As with any disciplinary action, the particular facts and circumstances, including whether a breach was intentional, should be considered in taking appropriate action. Supervisors also should be reminded that any action taken must be consistent with law, regulation, applicable case law, and any relevant collective bargaining agreement. Supervisors should understand they may be subject to disciplinary action for failure to take appropriate action upon discovering a breach or failure to take required steps to prevent a breach from occurring. Supervisors should use their best judgment when determining if punishment is warranted. For example, discarding a document with the author’s name on the front, without any other personally identifiable information, into an office trashcan likely would not warrant punishment. However, a database containing names, Social Security numbers, and bank account information would be considered sensitive information warranting discipline for a breach. Supervisors should consult with the Office of General Counsel and Office of the Chief Human Capital Officer when they have questions or concerns.
13. Penalty Guide: Penalties for offenses not listed should be determined by reference to the penalties listed for offenses of a similar type or of comparable seriousness.
a. Types of delinquency or misconduct. Table 1 in Appendix 1, in the GSA order Maintaining Discipline, is the Penalty Guide. Paragraph 15 states, "Failure through willfulness or with reckless disregard for the regulations, to observe any security regulation or order prescribed by the competent authority. Investigations of security violations must be done initially by security managers in accordance with ADM P 1025.2C, ch-8." It continues with the following penalty guidance:
(1) Where the violation involved information classified “below” Secret (such as Personally Identifiable Information) the recommendations are:
(a) The penalty for a first-time offense is reprimand to removal.
(b) The penalty for a second offense is suspension to removal.
(c) The penalty for a third offense is removal.
(2) Where the violation involved information classified Secret or “above” (assuming that this category encompasses a moderate or high-risk data breach) the recommendations are:
(a) The penalty for a first-time offense is reprimand to removal.
(b) The penalty for a second offense is removal.
14. Criminal Penalties: The Privacy Act of 1974, as amended, lists the following criminal penalties in sub-section (i).
a. Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by the Privacy Act or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.
b. Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements of subsection (e)(4) of the Privacy Act shall be guilty of a misdemeanor and fined not more than $5,000.
c. Any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000.
