Properly safeguarding personally identifiable information (PII) and business identifiable information (BII).
The term personally identifiable information refers to information that can be used to distinguish or trace an individual's identity (such as their name, Social Security Number, or biometric records), either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (such as date and place of birth or mother's maiden name).
Sensitive PII is PII which if lost, compromised, or disclosed without authorization, could result in harm, embarrassment, inconvenience, or unfairness to an individual. The following types of PII are considered sensitive when associated with an individual: Social Security Number (including truncated form), place of birth, date of birth, mother’s maiden name, biometric information, medical information (excluding brief references to absences from work), personal financial information, credit card or purchase card account numbers, passport numbers, potentially sensitive employment information (e.g., performance ratings, disciplinary actions, and results of background investigations), criminal history, and any information that may stigmatize or adversely affect an individual.
Context of information is important. The same types of information can be sensitive or non-sensitive depending upon the context. For example, a list of names and phone numbers for the Department’s softball roster is very different from a list of names and phone numbers for individuals being treated for an infectious disease.
If sensitive PII is electronically transmitted, it must be protected by secure methodologies, such as encryption, Public Key Infrastructure, or secure sockets layer. When in doubt, treat PII as sensitive.
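The sensitive-PII categories above are what a data-handling control has to recognize before a record is logged, emailed, or transmitted. The following is an added example, not part of this Department guidance and not a Department tool: a small scanner that flags full and truncated Social Security Numbers, credit or purchase card numbers (confirmed with the Luhn check so that arbitrary digit runs are not flagged), and date-of-birth patterns, and a companion function that redacts them before the text leaves a controlled system. The pattern set, the function names, and the sample records are all constructed for illustration; the roster line shows the context point made above, since a name and phone number alone produce no hit.

```python
import re

# Detection patterns (constructed for this example; extend per your own data inventory).
# Order matters for redaction: longer card numbers are handled before SSN-shaped runs.
PATTERNS = [
    ("credit_card", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),          # 13-19 digits, optional separators
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),                      # full SSN
    ("ssn_truncated", re.compile(r"\b(?:XXX|\*\*\*)-(?:XX|\*\*)-\d{4}\b", re.IGNORECASE)),  # masked SSN, still sensitive
    ("date_of_birth", re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")),
]

def luhn_ok(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def _is_real_hit(kind: str, value: str) -> bool:
    """Card candidates must pass Luhn; every other pattern is taken at face value."""
    if kind == "credit_card":
        return luhn_ok(re.sub(r"[ -]", "", value))
    return True

def scan(text: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every sensitive-PII element found in text."""
    hits = []
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(text):
            if _is_real_hit(kind, m.group(0)):
                hits.append((kind, m.group(0)))
    return hits

def redact(text: str) -> str:
    """Replace each detected element with a labelled placeholder, leaving the rest intact."""
    for kind, pattern in PATTERNS:
        def _sub(m, kind=kind):
            value = m.group(0)
            return f"[{kind.upper()} REDACTED]" if _is_real_hit(kind, value) else value
        text = pattern.sub(_sub, text)
    return text

# Constructed sample records; the SSNs use the 900 range, which is never issued.
SAMPLE_RECORDS = [
    "Softball roster: J. Doe, ext. 555-0142",                       # name + phone only: no hit
    "Patient J. Doe, DOB 03/14/1979, SSN 900-12-3456",              # medical context: two hits
    "Card on file: 4111 1111 1111 1111, last4 SSN XXX-XX-3456",     # card (Luhn-valid) + truncated SSN
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(scan(record))
        print(redact(record))
```

Run it on a file of outbound records before transmission, or wire `scan` into a log handler so that a hit blocks or alerts; the roster line is the reminder that a clean scan does not by itself make a record non-sensitive, since the surrounding context (a disease registry, a disciplinary file) can make an otherwise ordinary list sensitive.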
Business Identifiable Information is either (a) information that is defined in the Freedom of Information Act (FOIA) as "trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential" (5 U.S.C. 552(b)(4)), which is exempt from automatic release under the (b)(4) FOIA exemption, where "commercial" is not confined to records that reveal "basic commercial operations" but includes any records [or information] in which the submitter has a "commercial interest" and can include information submitted by a nonprofit entity; or (b) commercial or other information that, although it may not be exempt from release under FOIA, is exempt from disclosure by law (e.g., 13 U.S.C. 9).
Commercial or financial information is considered confidential if disclosure is likely to cause substantial harm to the competitive position of the person from whom the information was obtained. Examples of BII include financial information provided in response to requests for economic census data, business plans and marketing data provided to participate in trade development events, commercial and financial information collected as part of export enforcement actions, proprietary information provided in support of a grant application or related to a federal acquisition action, and financial records collected as part of an investigation.
BII received by the Department must be protected in the same manner as PII, in accordance with applicable laws.
A Department of Commerce employee/contractor is responsible and accountable for:
- Knowing what constitutes PII and BII
- Handling and protecting PII and BII
- Recognizing a PII breach incident and immediately reporting it upon discovery/detection.
- Successfully completing training relative to safeguarding PII.
- Use secure methodologies, such as encryption, to electronically transmit sensitive PII.
- Encrypt sensitive PII on mobile computers, media and other devices.
- Lock or log off of unattended computer systems.
- Destroy sensitive paper PII by shredding or using burn bags.
- Delete sensitive PII by emptying the electronic "recycle bin".
- Store sensitive PII on Federal Government systems only.
- Secure PII data properly while away from your desk or at the end of the day.
- Upon discovery/detection, immediately report a suspected or confirmed PII breach incident to your supervisor/Contracting Officer's Representative (COR) and Bureau/Operating Unit (BOU) Computer Incident Response Team (CIRT).
- Provide details of the PII breach incident.
- Maintain or document information and/or actions relevant to the PII breach incident.
- Complete corrective/remedial actions, if appropriate.