EEOICPA BULLETIN NO. 08-39
Issue Date: July 16, 2008
Effective Date: July 16, 2008
Expiration Date: July 16, 2009
Subject: Privacy Act - Personally Identifiable Information (PII)
Background: The release of information by any governmental agency, including the Division of Energy Employees Occupational Illness Compensation (DEEOIC), is subject to two federal laws: the Freedom of Information Act (FOIA) and the Privacy Act of 1974.
The Privacy Act of 1974 applies to an individual seeking information about him/herself. The law provides an individual the right to access records that are maintained in federal “systems of records” and that are retrievable by his/her name or other personal identifier. This applies to most of the requests received by DEEOIC for information.
The amount of data collected, maintained and shared in the management of workers’ compensation files creates certain vulnerabilities in the integrity of the privacy of records maintained by DEEOIC. As a result, procedures must be put in place to mitigate the risk of improper disclosure.
The claim files maintained by DEEOIC constitute a “system of records” under the Privacy Act of 1974 and must be treated accordingly. These records contain personally identifiable information (PII).
“PII” is defined as information that can be used to distinguish or trace an individual's identity, such as their name, Social Security number, or biometric records, alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
The Department of Labor defines “Protected PII” as PII, which when disclosed, could result in harm to the individual whose name or identity is linked to that information. This is distinguished from “Non-sensitive PII”, the disclosure of which cannot reasonably be expected to result in personal harm.
Protected PII includes, but is not limited to:
· Social Security number
· Credit card number
· Bank account number
· Residential address
· Residential or personal telephone number
· Biometric identifier (image, fingerprint, iris, etc.)
· Date of birth
· Place of birth
· Mother’s maiden name
· Criminal records
· Medical records
· Financial records.
Non-sensitive PII that can become protected if linked with other Protected PII includes:
· First/last name
· E-mail address
· Business address
· Business telephone
· General education credentials.
Categories of PII that indirectly identify an individual:
A deceased person’s name, address or Social Security number is not PII; however, a document referring to a deceased person may also contain PII regarding living relatives, authorized representatives, or associates.
Safeguarding the sensitive data that includes personally identifiable information (PII) is of utmost importance. Care and vigilance must be exercised in daily operations when accessing, processing, transporting, or storing the sensitive data on end-user computing devices and portable media.
The Privacy Act of 1974 provides for criminal penalties against individuals for willful disclosure of PII in a manner that is prohibited by the Act and civil penalties against agencies for willful or intentional failure to comply with the provisions of the Act.
References: Privacy Act of 1974, 5 U.S.C. § 552a; OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, July 12, 2006; OWCP Bulletin No. 08-01, Privacy Act – Personally Identifiable Information (PII), January 23, 2008; OWCP Bulletin No. 08-02, Case-specific email transactions, May 9, 2008; DLMS 9, Chapter 1200 - DOL Safeguarding Sensitive Data Including Personally Identifiable Information, January 8, 2008; DLMS 5, Chapter 200 - The Privacy Act of 1974 and Invasion of Privacy, November 17, 2004.
Purpose: To provide guidance on how to protect personally identifiable information on DEEOIC claimants.
Applicability: All Staff
1. The CE must prevent the unauthorized release of CDs, paper records, or any other material that contains PII for any living individual. This includes materials received from NIOSH, DOE (DAR records), unions, corporate verifiers, resource centers, or any other source.
2. CDs from NIOSH and DOE (DAR records) often contain PII of individuals other than the employee/subject of the information request. The CE must thoroughly review all documents before copying the information for a claimant. If a document requested by a claimant contains the PII of an individual other than the claimant, the CE must print the record and physically redact the other individuals’ PII from the document by totally concealing the information with a black marker, opaque tape, or other method that completely removes the PII. A copy of the newly redacted record must be made to ensure that no information can be detected from materials sent to the requesting claimant. The CE must then ensure that the unredacted file is not saved on a copy of any CD to be sent to the claimant.
The CE must mark CDs that contain PII on other individuals in the case file as follows:
This CD and/or printed documents from the CD, includes confidential information on workers other than this employee. This information must be carefully reviewed and redacted before any release of the information from the CD, whether by electronic or printed version, pursuant to the Privacy Act. Monetary fines may be imposed on an individual government employee for release of confidential information or personally identifiable information.
The CE must take care to ensure that any CD containing PII is not separated from the case file.
3. The CE must comply with all proscribed OWCP directives concerning the use of e-mail containing PII. E-mail sent from one DEEOIC employee to another DOL employee through the ESA wide-area network (WAN) is considered secure. E-mail to and from contractors who use the ESA network (ESA owned and properly configured equipment, including remote laptops that access the ESA WAN) is also considered secure. As such, reference to the employee’s name and case number may be used in the body of the message. However, no reference to the employee’s name or Protected PII (see definition above) should be made in the subject portion of the e-mail. Central Bill Process (CBP) “threads”, provided through the bill processing agent’s secured website conform to this policy, as they are secured within an accredited network.
Any e-mail originating within the DOL network that is forwarded to outside parties becomes non-secure, and PII must be deleted as explained below.
4. E-mail between DEEOIC employees and outside parties is outside the ESA network, and therefore does not guarantee security. As such, the CE must not disclose any Protected PII in any part of the e-mail message.
• The last four digits of a person’s SSN may be referenced in the body of the message along with the last name only, as long as the remainder of the SSN, full name, or other PII is not used anywhere in the e-mail message or in attachments that are not password protected or encrypted.
• Attachments that are encrypted with Point Sec may contain the full SSN and name. (See instructions for sending encrypted documents to non-Point Sec users: http://omap/Pointsec%20Encryption/Quick_Reference_Guide.pdf)
In accordance with the above directive, the CE must not send information requests to the resource centers, corporate verifiers, NIOSH, or the Department of Energy via unencrypted e-mail, if the request contains Protected PII for an individual. Development letters to corporate verifiers should be faxed or mailed; or the CE can contact the corporate verifier by telephone. E-mails to the resource centers, NIOSH, and DOE Operations Centers may contain the last name and last four digits of a person’s SSN, as described above.
5. CEs may receive e-mail messages from sources outside of DOL that contain PII in the text. The CE is reminded that substantive e-mail responses to outside parties who are not a party to the case are strictly prohibited. An acknowledgement e-mail may be sent, but reference to any personal identifiers must be removed, and the CE must never confirm the existence of cases for specific claimants to members of the public who are not a party to the case.
6. When DEEOIC employees exchange e-mail messages with the bill processing agent concerning claimants, the communications should reference the claimant’s CBP Member ID (from the CBP claimant eligibility file). Claimant names should not be included in the same e-mail message as these Member IDs unless they are provided in an encrypted attachment.
The CE must review attachments and e-mail message chains, and if necessary, alter them to remove reference to the claimant’s name, SSN or other Protected PII if that e-mail trail is being forwarded outside of DOL. If it is not possible to alter or redact the document or e-mail, or if it is important that the attachment or e-mail include both the claimant’s name and case number or SSN, the CE must fax or send the document via mail or courier to the appropriate party. Packages containing extracts of multiple Protected PII records sent via mail or courier must be tracked (e.g. Registered Mail, Return Receipt, Fed Ex, etc.).
If a case-specific e-mail message is received from an outside party containing Protected PII, the message should be printed for inclusion in the case file.
If a DEEOIC response containing Protected PII is required, the CE should respond in accordance with the above guidance. If a CE’s response does not require Protected PII, the response may be made via a reply e-mail message, but the Protected PII from the originating e-mail request must be deleted or redacted. The response should also include a statement encouraging the party to write or call with future requests that include Protected PII. The CE must adhere to this procedure when communicating with any source, including, for example, claimants, physicians, and Congressional offices.
DEEOIC does not handle claims communications with claimants or physicians over e-mail. The CE should always encourage claimants and physicians to communicate with DEEOIC via telephone or letter if they have specific questions regarding individual claims, as e-mail cannot be considered secure.
7. The CE may respond to inquiries and communications regarding deceased claimants without protecting the decedent’s information, as the right to privacy ends upon death. CEs are cautioned, however, that living beneficiaries' information must continue to be protected.
8. Upon receiving a written and signed request from a claimant or the authorized representative of a claimant for a copy of the claim, the CE handling the case can arrange for the case file to be photocopied and sent to the claimant, or authorized representative.
9. The CE must follow the same procedure that is provided above for paper records before releasing any records in an electronic format:
10. The CE must only store Protected PII or other sensitive data on portable media when absolutely necessary, as determined by DEEOIC.
Protected PII and other sensitive data on portable media devices including laptops issued by DOL must be protected with encryption. All removable storage media, such as flash drives, CDs, DVDs, writable optical media, and external hard drives that will store Protected PII or other sensitive data, must be encrypted. DOE and NIOSH submit CDs containing claimant PII to DEEOIC in accordance with Department of Energy and Department of Health and Human Services policy. Both DOE and NIOSH have assured DEEOIC that these policies address the sensitivity of the materials, and provide adequate protection of claimant PII.
All reasonable measures will be taken to ensure that portable media containing Protected PII and other sensitive data are stored inside a safe or in a secured, locked cabinet, room, or area during periods when the media is not in transit or in active use.
11. Portable media containing Protected PII or other sensitive data including CDs, DVDs, or other writable media may be transmitted by the United States Postal Service or another DOL-authorized delivery service if media is encrypted to DOL standards and double-wrapped in an opaque package or container that is sufficiently sealed to prevent inadvertent opening and to show signs of tampering. The decryption key must not be included in the same package, but transmitted via a separate or alternate channel. The package must be sent via certified carrier with an ability to track pickup, receipt, transfer, and delivery.
12. Documents and electronic media containing PII must never be discarded in wastebaskets or recycle bins, but must be shredded or burned. Documents containing PII must be boxed in containers marked as “Sensitive Information – Burn Box” and burned if volumes are large. CDs containing PII must be disposed of via shredding.
13. If Protected PII is improperly released as a result of the inadvertent mailing of a case record copy to an incorrect individual, or a release pursuant to a Privacy Act request of a case record that contains incorrectly filed documents or documents with other individuals’ Protected PII that has not been redacted, the CE takes the following actions:
(a) The CE begins the document recapture process by asking the individual to return the document (either via telephone or registered mail) and offering a self-addressed, stamped envelope for return of the material directly to the district office for re-filing or destruction.
(b) The CE immediately notifies the District Director who in turn notifies the Regional Director, who complies with established Departmental reporting requirements documenting the type of PII disclosure, the circumstances surrounding the disclosure and how it was discovered, the appropriate actions taken to recover the PII documents in question and the disposition of that recovery effort.
(c) The CE must track each PII recapture request within the regional or FAB office. If the recapture of the PII document(s) is successful, the incident will be closed with the incident record filed and maintained in OWCP.
(d) If the third party in possession of errant PII document(s) refuses to return the document(s), the CE must report the situation to the National Office, through the Regional Director, who will provide guidance on determining what actions should be taken.
Disposition: Retain until incorporated in the Federal (EEOICPA) Procedure Manual.
PETER M. TURCIC
Director, Division of Energy Employees
Occupational Illness Compensation
Distribution List No. 1: Claims Examiners, Supervisory Claims Examiners, Technical Assistants, Customer Service Representatives, Fiscal Officers,
FAB District Managers,Operation Chiefs, Hearing Representatives, District Office Mail & File Section