DOE Requirements for Protecting Personally Identifiable Information (PII)
Loss, theft, or misdirection of personally identifiable information violates existing regulations and can harm the individuals concerned if the information is disclosed. One common avenue of disclosure is loss of the information while it is in transit from one location to another.
DOE Requirements for Protecting Personally Identifiable Information
- DOE Memorandum to Former Worker Medical Screening Program Points of Contact
Subject: Transmittal of Personal Identifiable Information
March 20, 2009
- DOE Manual: Security Controls for Unclassified Information Systems Manual
DOE M 205.1-7, Admin Chg 2: 12-22-09
- DOE Manual: Cyber Security Incident Management Manual
DOE M 205.1-8, Admin Chg 2: 12-22-09
- DOE Order: Department of Energy Privacy Program
DOE O 206.1, Approved: 01-16-09
- DOE Manual: Manual for Identifying and Protecting Official Use Only Information
DOE M 471.3-1, Approved 04-09-03
- Security Requirements for Cryptographic Modules
FIPS Pub 140-2, 12-03-2002
Requirements for Protecting PII of Human Research Subjects
- The Federal human subjects protection regulations (45 CFR 46), administered by the HHS Office for Human Research Protections (OHRP), require prompt reporting of any unanticipated problem (such as loss of data) to the IRB, to appropriate institutional and agency officials, and to OHRP. OHRP guidance recommends that the PI report an unanticipated problem to the IRB(s) within 2 weeks and that the PI or the PI’s organization report it to OHRP within 6 weeks (or within 1 month of notifying the IRB(s)).
- DOE Order 443.1B also requires prompt reporting to the DOE Human Subjects Research Program Manager, SC-23 (and, for NNSA sites, the NNSA Human Subjects Research Program Manager), and coordination with and approval from the appropriate Human Subjects Research (HSR) Program Manager on plans to correct any noncompliance or to deal with the unanticipated problem. DOE Order 443.1B does not specify how quickly the HSR Program Manager must be notified; for any unanticipated problem that does not involve PII, it is recommended that you do so within 48 hours of learning of it.
- The definition of “prompt reporting” is different when PII is involved. Federal and DOE requirements (see DOE Order 206.1) require that any incident involving the potential loss or compromise of PII be reported immediately (as soon as you learn of it) through your Departmental Element and to the DOE Cyber Incident Response Capability (DOE-CIRC) at 866-941-2472. Coordinate with your site cybersecurity office to report the incident to DOE-CIRC, and also report any such incident immediately to the HSR Program Manager(s).
- Additionally, in accordance with Federal and DOE requirements, PII transferred from one organization to another as part of a human research project (when and as authorized by the approving IRBs, the responsible DOE Program Office, and the research or screening participant) must first be encrypted, consistent with the PII protection requirements in DOE M 205.1-7, using a program such as Entrust.
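The transfer requirement above, shown as an added example that is not the page’s or DOE’s own procedure and does not use the Entrust product the page names: the sending site encrypts the extract with the OpenSSL command line (AES-256-CBC, a FIPS 140-2 approved algorithm, with a PBKDF2-derived key) and attaches an HMAC so the receiving site can reject a ciphertext altered or corrupted in transit before decrypting it. The file names, the hex passphrase, and the constructed sample record are assumptions made for the example; the passphrase is assumed to reach the receiver out of band, never alongside the ciphertext.

```shell
#!/bin/sh
# Added example (not DOE or Entrust tooling): encrypt a PII extract before it leaves
# the site, using OpenSSL's AES-256-CBC (a FIPS 140-2 approved algorithm) with a
# PBKDF2-derived key, and attach an HMAC so the receiving site can detect any
# tampering or corruption in transit before decrypting. File names are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
umask 077   # key material and plaintext are readable only by the owner

# Constructed sample record (fictitious data, not a real participant).
printf 'participant_id,name,dob\n1001,Jane Doe,1960-01-15\n' > "$WORK/roster.csv"

# Random 256-bit passphrase, hex-encoded. It is conveyed to the receiver out of band
# (for example by phone), never in the same e-mail or share as the ciphertext.
head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$WORK/passphrase"

# MAC key derived from the passphrase with a fixed label (hash of passphrase:label),
# so the key used for the HMAC differs from the one PBKDF2 derives for encryption.
mac_key() { printf '%s:mac' "$(cat "$1")" | openssl dgst -sha256 | awk '{print $NF}'; }

encrypt_pii() {   # encrypt_pii <plaintext> <passfile> <ciphertext-out>
  openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 -pass file:"$2" -in "$1" -out "$3"
  openssl dgst -sha256 -hmac "$(mac_key "$2")" "$3" | awk '{print $NF}' > "$3.hmac"
}

verify_and_decrypt() {   # verify_and_decrypt <ciphertext> <passfile> <plaintext-out>
  expected="$(cat "$1.hmac")"
  actual="$(openssl dgst -sha256 -hmac "$(mac_key "$2")" "$1" | awk '{print $NF}')"
  if [ "$expected" != "$actual" ]; then
    echo "HMAC mismatch on $1: ciphertext altered, refusing to decrypt" >&2
    return 1
  fi
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass file:"$2" -in "$1" -out "$3"
}

# Sender side, then receiver side on an intact transfer.
encrypt_pii "$WORK/roster.csv" "$WORK/passphrase" "$WORK/roster.csv.enc"
verify_and_decrypt "$WORK/roster.csv.enc" "$WORK/passphrase" "$WORK/roster.dec"
if cmp -s "$WORK/roster.csv" "$WORK/roster.dec"; then
  echo "intact transfer: decrypted copy matches original"
fi

# Receiver side on a transfer altered in transit (one byte appended to the ciphertext).
cp "$WORK/roster.csv.enc" "$WORK/tampered.enc"
cp "$WORK/roster.csv.enc.hmac" "$WORK/tampered.enc.hmac"
printf 'X' >> "$WORK/tampered.enc"
if verify_and_decrypt "$WORK/tampered.enc" "$WORK/passphrase" "$WORK/tampered.dec" 2>/dev/null; then
  echo "ERROR: tampered ciphertext was accepted" >&2
  exit 1
else
  echo "tampered transfer: rejected before decryption"
fi
```

Two caveats a practitioner would add: `openssl enc` offers no authenticated mode, which is why the separate HMAC is required and checked before any decryption is attempted; and passing the MAC key on the `-hmac` command line exposes it in the process list on a shared host, so on multi-user systems read it from a protected file instead.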
For protocols to be approved by DOE site IRBs and the Central DOE IRB, they must include clear and detailed plans for protecting PII in accordance with Federal and DOE requirements, including encryption of any data to be transferred and immediate notification of any incident involving the potential compromise or loss of PII. Likewise, any human subjects research funded by DOE or using DOE data that is reviewed by another institution’s IRB must comply with DOE requirements for protecting PII.
Content reviewed: November 7, 2012