
1 Ames Laboratory Privacy and Personally Identifiable Information (PII) Training
Welcome to the Ames Laboratory’s training on Personally Identifiable Information. The Department of Energy (DOE) requires all employees of the Ames Laboratory to complete Privacy and Personally Identifiable Information (PII) Training annually.

2 The Privacy Act
- Allows the Laboratory to maintain information about an individual that is relevant and necessary.
- All DOE employees and contractors are subject to the Act and must comply.
- Complying with the Privacy Act: governs the ability to maintain, collect, use, or disseminate a record about an individual.
- Safeguarding PII: define it and protect it.

The Privacy Act of 1974 is a law enacted to balance the government's need to maintain information about individuals against unwarranted invasion of the individual's privacy. All DOE employees and contractors are subject to the Privacy Act and must comply with its provisions. DOE Order 206.1, Department of Energy Privacy Program, ensures compliance with the privacy requirements set forth in the Privacy Act of 1974 and establishes a training and awareness program for all DOE federal and contractor employees to ensure all personnel are cognizant of their responsibilities. Privacy is comprised of two main components: compliance with the Privacy Act and safeguarding PII. Compliance governs the Laboratory's responsibility for who can maintain, collect, use, or disseminate a record about an individual. Safeguarding PII includes how to define it and how to protect it.

3 System of Records
Information collected must be stored in a System of Records (SOR). SORs at the Ames Laboratory include:
- Foreign Visits and Assignments
- Access Control (photographs)
- Personnel Radiation

The Ames Laboratory collects and maintains PII necessary for business functions and stores the information in an electronic System of Records. This SOR is located in the moderate enclave, which protects it using various levels of security. Employees are granted access to PII and Privacy Act covered information only on a "need to know" basis in order to discharge the duties of the job for which they were hired.

4 Potential Privacy Violations
- Evaluate your day-to-day activities.
- Phone calls: ensure that shared data meets the need-to-know requirement. Be conscious of your surroundings. Do not use wireless or cordless phones when discussing PII.
- Common information handling errors: unauthorized information sharing; browsing or using personal information.

As an employee of the Ames Laboratory, you should evaluate day-to-day work activities to determine if you may be violating the privacy of another individual. Some common work practices can pose risks to the privacy of the information you handle on a daily basis. For example, leaving someone's personal information unattended on a printer or fax would be considered a violation.

Telephone conversations with clients, vendors, co-workers, etc., are an integral part of our day-to-day activities. Assess the situation carefully and determine if the information the caller is requesting or you are sharing meets the "need to know" criteria. Ask questions and make sure the caller is authorized to receive the information they are requesting. Be conscious of who may be able to overhear your conversation, especially if you are discussing PII. Wireless and cordless phone transmissions are not secure, and your conversations may be picked up by other electronic equipment.

Communication is a key component of the business world, but not every part of your workday can be shared. Before you share or send information, think carefully about the situation. You might think that sending or sharing another employee's personal information to or with another employee is acceptable, but you could be violating privacy guidelines. What type of information are you sharing? Is the receiving party authorized, or does it have a "need to know"?

Computer access is a wonderful tool and a necessity in the workplace today, but looking up information on another individual, if it is not necessary to do your job, is inappropriate and a violation of privacy guidelines.

5 Penalties
- Criminal misdemeanor for each offense
- Fines up to $5,000
- Civil penalties

Violation of the Privacy Act is a serious legal matter. Each violation can be accompanied by a misdemeanor criminal charge and a fine of up to $5,000 for each offense, as well as administrative sanctions. The court system may also award civil penalties. You may be liable if you knowingly and willfully obtain or request records under false pretenses or disclose Privacy Act protected information to any person not entitled to access it. Not only is the Ames Laboratory liable for your actions and subject to fines and negative publicity, but you personally may be held liable for damages as well as face criminal and/or civil penalties.

6 Privacy Principles
It is each employee's responsibility to:
- Assess and determine whether or not the information used is considered Protected PII.
- Protect the privacy of the individuals who entrust us with their information.
- Only share Protected PII with others for authorized purposes.
- Check with HR before sharing Protected PII with a third party.
- Limit the exposure of Protected PII and disclose the information on a "need to know" basis.
- Think Twice Rule: Is it reasonable? Is it necessary?

Every employee at the Ames Laboratory is required to be knowledgeable about their individual responsibilities; specifically, each employee must follow the principles listed above. If you aren't sure whether you should be releasing particular information, check with HR. Apply the "Think Twice Rule" before you share information about individuals, in every instance.

7 Recognizing PII Systems and Data
DOE defines two classes of PII data:
- Public PII data is available in public sources such as phone books, public web pages, business cards, etc.
- Protected PII data is not available in public sources and, if compromised, can cause serious or severe harm to an individual (i.e., identity theft).
PII systems are used to store and process Protected PII data for multiple individuals.

DOE defines two classes of PII. Public PII is information that is readily available to the public and, if disclosed, normally causes no harm to the individual. Protected PII is not available from public sources and can be used for identity theft or to cause other harm. All PII data at the Ames Laboratory is stored on protected systems. Specific systems must be utilized to store and process PII data on employees.

8 Protected PII Examples
- Social Security Numbers (SSN)
- When associated with an individual (SSN + any of the following):
  - Place of birth
  - Date of birth
  - Mother's maiden name
  - Biometric data
  - Medical information
  - Criminal history
  - Financial information
  - Employment history
  - Ratings
  - Disciplinary actions

Protected PII is comprised of data elements about individuals that are in identifiable form. This means any representation of information that permits the identity of the individual to whom the information applies to be reasonably inferred by either direct or indirect means. It is the responsibility of the Ames Laboratory to protect that information from loss and misuse. Security incidents involving personally identifiable information can result in considerable harm, embarrassment, and inconvenience to an individual, and may lead to identity theft or other fraudulent use of the information. The Ames Laboratory and US DOE can experience a loss of public trust, legal liability, or remediation costs.

9 Public PII Examples
- Individual's name or other identifier
- Phone numbers, e-mail addresses
- Digital pictures
- Medical information pertaining to work status (X is out sick today)
- Medical information included in a health or safety report
- Personal information stored by individuals about themselves on their assigned workstation or laptop
- Birthday cards
- Birthday e-mails
- Resumes, unless they include a Social Security Number
- Present and past position titles and occupational series
- Present and past grades
- Written biographies
- Academic credentials
- Present and past annual salary rates
- Performance awards and bonuses
- Incentive awards
- Merit pay
- Meritorious or Distinguished Executive Ranks
- Allowances and differentials

Public PII examples are numerous. These items may be readily available on public media, the internet, or social networking sites. Individuals should be cognizant of all of the types of information out on public sources. Ames Laboratory employees will treat Public PII in the same manner as departmental/laboratory information.

10 PII Protection Standards
Public PII
- Requires NIST Low Baseline controls (see the NIST document for more details).
- Protect to the same level as other program / department data.

Protected PII
- Requires NIST Moderate Baseline controls (see References for more details).
- Any suspected compromise of Protected PII data MUST be reported to Cyber Security staff within 45 minutes.
- May not be stored on portable media (i.e., CDs, USB keys, or backup media) without FIPS compliant encryption (see the IS office for details). Files stored on portable media must be deleted within 90 days, or approval for continued use must be documented.
- May not be stored on portable computing devices (i.e., laptops or PDAs) without a waiver from DOE.
- Any system used to store this data must reside within a moderate network enclave: no Internet access except by request; any remote access requires 2-factor authentication; users may not have administrative privileges.
- Workstations used to access PII data must implement 10 minute screen locks, and must only be used by users authorized to access PII data.

NIST (the National Institute of Standards and Technology) dictates baseline controls for any SOR containing PII. The Ames Laboratory SOR resides in the moderate network enclave. Access is restricted based on job duties, and users must adhere to strict login and password requirements. PII data workstations may only be used by PII authorized users and must employ screen locks when not attended. Report any breach or disclosure of PII to Cyber Security staff within 45 minutes of discovery. Absolutely no PII may be stored on a portable computing device (any exception requires a waiver from DOE).

11 Ames Laboratory PII Reporting Process
- A device designated as a PII system must be reported to the HR office.
- Be alert for systems not previously designated as a PII system.
- The system will be located in the Moderate Enclave and moderate security controls will be applied (details available in the references).
- Annual training will be required for all users of the system.
- An annual review of the system will be conducted to ensure controls are in place.

Any computer that contains PII or accesses PII must be designated as such. HR must be aware of any system containing PII. If you see or find PII on a system that is not in the Moderate Enclave, report your findings to HR immediately. Annual and periodic system reviews are conducted by IS to search for PII and to ensure compliance.
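The periodic reviews described above rely on being able to find Protected PII on systems that were never designated as PII systems. The following is an added example of such a discovery scan, written for this page and not the Laboratory's own tooling: it looks for Social Security Numbers (the first Protected PII example on slide 8), discards values the SSA never issues to cut false positives, and reports only masked values and counts so that the scan report does not itself become a new PII spill. The file suffixes, the temporary-directory layout, and the sample records are constructed for the demo and are not real data.

```python
"""Discover likely Protected PII (SSNs) in text and files, reporting only
masked values so the scan report does not itself become a PII spill.
Added example for this page; not the Laboratory's own code."""
import re
import tempfile
from pathlib import Path

# Candidate SSN: AAA-GG-SSSS with a '-' or ' ' separator used consistently,
# or nine bare digits, in either case not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000. This removes most badge/ticket look-alikes."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(serial: str) -> str:
    """Keep only the last four digits in any report output."""
    return f"***-**-{serial}"


def find_ssns(text: str) -> list[dict]:
    """Return one finding per distinct plausible SSN in `text`.
    Bare nine-digit runs are kept but flagged as lower confidence."""
    findings, seen = [], set()
    for m in SSN_RE.finditer(text):
        area, sep, group, serial = m.group(1), m.group(2), m.group(3), m.group(4)
        if not is_plausible_ssn(area, group, serial):
            continue
        key = area + group + serial
        if key in seen:          # same number written twice counts once
            continue
        seen.add(key)
        findings.append({
            "masked": mask(serial),
            "separated": sep != "",
            "offset": m.start(),
        })
    return findings


def scan_file(path: Path, max_bytes: int = 1_000_000) -> list[dict]:
    """Scan the first `max_bytes` of a file, tolerating non-UTF-8 content."""
    text = path.read_bytes()[:max_bytes].decode("utf-8", errors="replace")
    return find_ssns(text)


def scan_tree(root: Path, suffixes=(".txt", ".csv", ".log")) -> dict[str, int]:
    """Map each text-like file under `root` that contains SSNs to its count.
    Only paths and counts are returned; the numbers themselves never leave."""
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            n = len(scan_file(p))
            if n:
                report[p.relative_to(root).as_posix()] = n
    return report


def demo() -> dict[str, int]:
    """Constructed sample files (not real data) in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "hr").mkdir()
        # Same SSN written with two separator styles: one finding, not two.
        (root / "hr" / "roster.csv").write_text(
            "name,ssn\nJane Doe,123-45-6789\nJohn Roe,123 45 6789\n")
        # Phone extension, badge and ticket numbers must not be reported.
        (root / "notes.txt").write_text(
            "call ext 515-294-1234; badge 987-65-4321; ticket 000-12-3456\n")
        (root / "image.png").write_bytes(b"\x89PNG\r\n\x1a\n")  # skipped by suffix
        return scan_tree(root)


if __name__ == "__main__":
    for path, count in demo().items():
        print(f"{path}: {count} SSN(s) found")
```

Run it against a share or home directory by replacing `demo()` with `scan_tree(Path("/path/to/share"))`. The deliberate choice is that `scan_tree` returns only file paths and counts: an investigator can then move or delete the offending file inside the moderate enclave, while the scan log itself never contains a full SSN.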

12 Recommendations
- Limit the number of systems storing PII data. A central system is available to provide storage of PII data and controlled data access via Microsoft file shares. Encrypted backups are performed on a daily basis. This system is covered by appropriate moderate controls. Use this system for storing PII data instead of a desktop device. Contact the IS Office for more information.
- Data retention and disposal. PII should be limited to only that information which is specifically needed to carry out duties. PII data should only be retained for as long as is necessary to fulfill its intended purpose. Appropriately dispose of PII when it is no longer necessary to retain it. Contact the HR Office with questions.
- Know the flow of PII data. Where does the data come from? How is it backed up? Which users and which computers need access to the data?

The Ames Laboratory utilizes a central file server system to store PII data and control access, thereby reducing the risk of accidental disclosure. No PII should be saved to a desktop device. Review of retention policies and disposal of those records exceeding their lifecycle reduces the risk of disclosure. If you have questions, contact HR.

13 PII Incident Reporting
- Protected PII, regardless of whether it is in paper or electronic form, must be protected from unauthorized access or disclosure throughout its lifecycle. [PII, DOE O 206.1]
- Any known or suspected loss of control or unauthorized disclosure of Protected PII must be reported. [Privacy Act]
- Any unauthorized disclosure of Protected PII contained in any System of Records (SOR) must be reported.
- Suspected or confirmed incidents involving the breach of Protected PII or an SOR must be reported to the IS Office within 45 minutes of discovery.

If you are involved in or suspect a disclosure of Protected PII, you must report the disclosure to the IS Office within 45 minutes of discovery. If you have questions or are unsure, contact the IS Office for assistance.

14 Summary
It is your responsibility to safeguard PII. Loss of PII:
- Can lead to identity theft (which is costly to the individual and the government)
- Can result in adverse actions being taken against the employee who loses PII
- Can erode confidence in the Government's ability to protect personal information

Safeguarding PII is EVERYONE'S responsibility. Loss of PII creates an adverse chain of events.

15 References
- Policy, Procedures, Guides and Forms for Ames Laboratory: select Forms & Documents (lower left). The Policy section details the controls required in the Moderate baselines, and the Moderate CSPP.
- DOE Order 206.1, Department of Energy Privacy Program.
- NIST Special Publications for protecting Moderate data.

For further information on anything discussed in the PII training, please refer to the reference documents listed.

16 Confidentiality Agreement
Please print and sign the Ames Laboratory Confidentiality Agreement (you must be logged into the Ames Laboratory website to access the document) and return to Human Resources in 105 TASF. All employees are required to sign the Confidentiality Agreement each year. You will need to return your signed document to Human Resources after completing this training.

17 Assessment Tool
Please return to Cyber Train:
- Click on "My Record," and "Classes."
- Click on the course test icon.
You must achieve 80% on the test, and you can only attempt it once.

