Safeguarding Personally Identifiable Information (PII): Protective Measures

Types of Safeguards

  • Administrative Safeguards: Procedures implemented at the administrative level to protect private information, such as training personnel on information handling best practices.
  • Physical Safeguards: Physical protections implemented for protecting private information, such as ensuring paper records and servers are secured and access-controlled.
  • Technical Safeguards: Technology-based instruments and procedures used to protect private information, such as requiring Common Access Cards for system access and encrypting computers and emails.

Working with PII

  • Be aware of local physical and technical procedures for safeguarding PII.
  • Cover or place PII documents in an out-of-sight location when those without an official need to know enter the work space.
  • Remove DoD Common Access Cards (CAC) from your computer before stepping away from the work area, even for brief periods, to ensure protection of PII.
  • Store PII to ensure no unauthorized access during duty and non-duty hours.
  • PII should be stored in a locked desk, file cabinet, office, or other location not accessible to unauthorized personnel.
  • Password protect electronic files containing PII when maintained within the boundaries of the agency network.
  • Report any suspicious activity to your Information Assurance Security Officer (IASO).

Social Security Number (SSN) Use

SSN Reduction (DoD 1000.30, 1 August 2012, Reduction of Social Security Number (SSN) Use within DoD): Limit the use of the SSN, in any form (including the last four digits), substituting the DoD ID number or other unique identifier whenever possible. Continued collection of the SSN must meet one of the acceptable use criteria and be formally justified in writing.

  • Never include the SSN in a personnel roster.
  • Use only officially issued forms. Those that collect PII should also have a Privacy Act Statement (PAS).
  • The SSN must not be posted on any public websites.

IT Equipment

  • Do not create, store or transmit PII on IT equipment unless the material is encrypted.
  • Encrypt all data on mobile computers/devices, in accordance with the requirements established in OMB Memorandum M-06-16.
  • Mark all Government-furnished external drives or mobile media containing PII with “FOUO-Privacy Sensitive.”
  • Keep your laptop in a secure government space or secured under lock and key when not in use.
  • Never store Government PII on personally-owned notebooks, desktops, flash drives, etc.
  • Do not maintain PII on a public website or electronic bulletin board.

Traveling/Transporting

When traveling with or transporting employee information technology (IT) devices (such as laptops, cellular phones, smart phones, or tablet computers):

  • Do not leave an employee IT device, such as a laptop, unattended in a car. If you must leave an employee IT device in a car, lock it in the trunk so that it is out of sight.
  • Do not leave an employee IT device in a car overnight.
  • Do not store an employee IT device in an airport, on a train, at a bus station, or in any public locker.
  • Avoid leaving employee IT devices in a hotel room. If you must leave it in a hotel room, lock it inside an in-room safe or a piece of luggage.
  • Never place an employee IT device in checked luggage.
  • At airport security, place your employee IT device(s) on the conveyor belt only after the belongings of the person ahead of you have cleared the scanner. If you are delayed, keep your eye on it until you can pick it up.

Email

  • Consider the sensitivity of the information before choosing to send PII via email.
  • As a best practice, ensure the email subject line contains “FOUO” if the email contains PII.
  • The subject line of an email should never contain PII because only the body of an email is encrypted when sent.
  • Ensure the body of the email containing PII includes the following warning: “FOR OFFICIAL USE ONLY. Any misuse or unauthorized disclosure may result in both civil and criminal penalties.”
  • Email containing sensitive information must be encrypted and digitally signed. Such emails include but are not limited to those containing:
    • PII or other personal information as defined by the Privacy Act of 1974
    • Health Insurance Portability and Accountability Act (HIPAA) information
    • Information identified as FOUO
    • Proprietary contract information
  • Under no circumstance should PII be transmitted from a government server to a private server (e.g., .mil to a .com email address).
  • Ensure you are sending the email to the correct recipients and all have an official need to know. Check to ensure that each email address is correct before sending the email.
  • Ensure you know whether your attachment contains PII prior to sending. Do not forget to check all tabs if the attachment is an Excel spreadsheet.
  • Phishing continues to be on the rise. Ensure you only open and respond to legitimate emails.
  • Provide a point of contact should the email or fax be received by someone other than an authorized recipient. Sample instructions such as “If you have received this email or fax in error, please notify the sender immediately by replying to the email or fax and permanently delete the email or destroy the fax and any attachments without reading, forwarding, saving or disclosing them” must be prominent in the document.
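The email rules above lend themselves to an automated pre-send check. The following Python function is an added example (not part of the original guidance) that lints a draft against the listed rules: it rejects an SSN in the subject line (the subject is sent in the clear), and, when the message carries PII, requires the FOUO marker in the subject, the FOUO warning in the body, encryption plus a digital signature, and only .mil recipients. The SSN patterns, the Draft structure, and the sample message are constructed assumptions; SSN detection here is a simple proxy for "contains PII".

```python
import re
from dataclasses import dataclass

# Constructed patterns (assumption): a full nine-digit SSN with or without
# separators, and a "last four" reference, which the guidance treats as SSN use.
# They may also match phone or other numbers; that is acceptable for a pre-send gate.
FULL_SSN = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")
LAST_FOUR = re.compile(r"\b(?:last\s*(?:4|four)|ssn)\D{0,12}\d{4}\b", re.IGNORECASE)
FOUO_WARNING = ("FOR OFFICIAL USE ONLY. Any misuse or unauthorized disclosure "
                "may result in both civil and criminal penalties.")


@dataclass
class Draft:
    """Hypothetical outgoing-message structure (assumption)."""
    sender: str
    recipients: list
    subject: str
    body: str
    encrypted: bool = False
    signed: bool = False


def contains_ssn(text: str) -> bool:
    """True if the text contains an SSN in any form the guidance covers."""
    return bool(FULL_SSN.search(text) or LAST_FOUR.search(text))


def lint_pii_email(draft: Draft) -> list:
    """Return the list of rule violations; an empty list means the draft passes."""
    findings = []
    # Subject lines are never encrypted, so PII there always travels in the clear.
    if contains_ssn(draft.subject):
        findings.append("subject line contains an SSN")
    if not (contains_ssn(draft.body) or contains_ssn(draft.subject)):
        return findings  # remaining rules apply only to email carrying PII
    if "FOUO" not in draft.subject.upper():
        findings.append("subject line lacks FOUO marking")
    if FOUO_WARNING not in draft.body:
        findings.append("body lacks the FOUO warning")
    if not (draft.encrypted and draft.signed):
        findings.append("message must be encrypted and digitally signed")
    # PII must never leave a government server for a private (.com) address.
    for rcpt in draft.recipients:
        if not rcpt.lower().endswith(".mil"):
            findings.append(f"recipient outside .mil: {rcpt}")
    return findings


# Constructed sample draft for demonstration; violates five of the rules.
SAMPLE = Draft(sender="analyst@example.mil",
               recipients=["reviewer@example.mil", "friend@example.com"],
               subject="Roster update for SSN ending 1234",
               body="Please see the attached roster. Last four: 5678.")
```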

Printed Material

  • Verify the printer location prior to printing a document containing PII.
  • Ensure all printed documents with PII are properly marked with “FOR OFFICIAL USE ONLY.”
  • As a best practice, use a “Privacy Act Data Cover Sheet” (DD Form 2923) as a cover when handling PII.
  • Safeguard all documents when not in your direct possession by prohibiting access by those without an official need to know.
  • Documents or other materials containing PII or Personal Health Information (PHI) should not be printed, copied indiscriminately, left unattended, or open to compromise.
  • Printed or copied documents containing PII and/or PHI should be locked away or otherwise maintained in an area not accessible by unauthorized personnel or members of the public when such documents are not required for use, especially when the office is vacated.

Faxing

  • Facsimile transmission of PII is prohibited except:
    • When another more secure means is not practical.
    • When a non-Army process requires faxing.
    • When required by operational necessity.
    • When faxing internal Government operations PII (e.g., office rosters, and emails).
  • Use a “Privacy Act Data Cover Sheet” (DD Form 2923) as a cover.
  • Verify receipt by the correct recipient.
  • External customers should be encouraged to use the US Postal Service or transmission by another secure means. (See Mailing Recommendations below).

Scanning

  • Scanned documents containing PII shall be transmitted using a secure means.
  • Network-attached Multi-Functional Devices (MFDs) and scanners that employ a "scan to email" function may be used only if the sender can verify that the intended recipients are authorized to access the scanned file (i.e., have an official need to know). The MFD or scanner must also encrypt the email message containing the scanned file.
  • The network-attached MFD “scan to file” or “scan to network share” functionality may be used only if the sender can verify that all users are authorized to have access to the scanned file or network share location.

Electronic Storage Media

All internal and removable electronic storage media must be properly marked and secured. The devices include, but are not limited to: laptops, printers, copiers, scanners, multi-function devices, hand held devices, CDs/DVDs, removable and external hard drives, and flash-based storage media. Classified electronic storage devices must be physically destroyed. (See AR 380-5, Department of the Army Information Security Program).

Network Shared Drives

(AR 25-1, Army Information Technology; AR 25-2, Information Assurance)

  • For files/folders containing PII, ensure that controls are in place restricting access to only those with an official need to know.
  • Limit storage of PII on shared drives whenever possible.
  • Delete files containing PII in accordance with AR 380-5, Department of the Army Information Security Program.
  • Verify that access controls/permissions are properly restored following maintenance.

Disposal

  • Disposal methods are those approved by the Army or the National Institute of Standards and Technology (NIST) IAW AR 380-5, Department of the Army Information Security Program.
  • Disposal methods are considered adequate if the records are rendered unrecognizable or beyond reconstruction. Destruction should be tailored to the type of media involved. For paper records, disposal methods, such as tearing, burning, melting, chemical decomposition, pulping, pulverizing, shredding, or mutilation are acceptable. For electronic records and media, disposal methods, such as overwriting, degaussing, disintegration, pulverization, burning, melting, incineration, shredding or sanding are acceptable.
  • It is highly recommended and considered a best practice to use a cross-cut shredder.
  • For shredder residue size as a best practice, refer to NIST Special Publication 800-88 Revision 1.
  • An alternative to purchasing a shredder is to contract with a GSA approved shredder service.
  • Burn bags are the alternate option in lieu of shredding.
  • Do not discard documents containing PII in trash or recycle bins.

Training and Compliance

  • All new employees are required to take Cyber Awareness Challenge (formerly Information Assurance (IA) Training) PII training before being allowed access to networks.
  • All Army personnel, including contractors, should complete annual PII training, such as the Safeguarding Personally Identifiable Information (PII) Training and the Privacy Act Overview Training. Local Privacy Officers must maintain a record of completion by any method, e.g., a spreadsheet log.
  • Army personnel who mishandle PII are required to take remedial training.

Social Media

  • Assume all information shared on social media sites can be made public.
  • Do not post or discuss work related information, especially sensitive/classified information.
  • Use privacy settings and controls to limit access to all PII (e.g., creating a folder on AKO that stores PII).

Mailing (Recommendations)

  • When serviced by a military postal facility (e.g., Army Post Office/Fleet Post Office), send Sensitive PII materials directly via the U.S. Postal Service’s First Class Mail.
  • Make sure it is necessary before shipping documents that contain PII. Ship the files via U.S. Postal Service or other courier services so that the files can be tracked (“certified, return receipt”). Note: Tracked service does not reduce the number of individuals involved in the handling of the package and does not provide any extra type of security during the process. But it does provide information about the date and time of delivery and the signature of the person who actually receives the package. That information can be used to investigate lost, damaged, or compromised packages.
  • When mailing material containing PII or preparing it for courier delivery, securely seal the envelope/box and take care to ensure that it is addressed to the appropriate recipient.
  • Do not mark the outside of the package with any special warning, such as “confidential,” because that just brings unwanted attention to the box.
  • Keep an inventory of the documents you are shipping or a duplicate set so you can identify what documents are in the package in the event it is lost or stolen.

Reporting PII Incidents

  • Report the incident immediately to your first line supervisor and your Privacy Official and, if cyber related, to your Information Technology Division as well.
  • Report all cyber related incidents involving the actual or suspected breach/compromise of PII within one hour of discovery to the United States Computer Emergency Readiness Team (US-CERT).
  • Report all actual or suspected cyber and non-cyber incidents within 24 hours of discovery to the Army Privacy Office via the Privacy Act Tracking System (PATS).
  • Consult with your Privacy Officer and follow your Activity’s guidance for additional reporting requirements.
  • Submit updates to US-CERT, APO, your Privacy Official and appropriate individual(s) within your Activity as information becomes available.
  • For detailed information, see Report a PII Incident.