Policy K6

Policy Name: Federal Project Handling and Protection of Personally Identifiable Information (PII)

Responsibility for Maintenance: Institutional Planning, Assessment & Research (IPAR); Grants; Administration & Compliance; Information Technology

I. Policy Statement

Federal award recipients are required to take aggressive measures to mitigate the risks associated with the collection, storage, and dissemination of sensitive data, including Personally Identifiable Information (PII). Recipients of federal awards must protect PII in accordance with the standard required by the federal agency granting the award. Employees, staff, and sub-recipients must be made aware of their duty to report any suspected issue of non-compliance affecting programs supported by a federal award, as well as the correct procedure for filing such a report. Federal law, OMB guidance, and Federal department policies require that PII and other sensitive information be protected. Grantees, as stewards of Federal funds, must ensure compliance with the requirements of the Federal department sponsoring the award and with Federal law and regulations. Grantees must secure the transmission and storage of PII and sensitive data developed, obtained, or otherwise associated with federally funded grants. To ensure that such PII is not transmitted to unauthorized users, all PII and other sensitive data transmitted via e-mail or stored on CDs, DVDs, thumb drives, etc., must be encrypted using a Federal Information Processing Standards (FIPS) 140-2 compliant and National Institute of Standards and Technology (NIST) validated cryptographic module. Grantees must not e-mail unencrypted sensitive PII to any entity, including their Federal sponsor or contractors. Grantees must take the steps necessary to ensure the privacy of all PII obtained from participants and/or other individuals and to protect such information from unauthorized disclosure. Grantees must maintain such PII in accordance with the standards for information security described in TEGL 39-11 and any updates to such standards provided to the grantee by their sponsoring Federal agency.
Grantees shall ensure that any PII used during the performance of their grant has been obtained in conformity with applicable Federal and state laws governing the confidentiality of information. Grantees further acknowledge that all PII data obtained through their grant shall be stored in an area that is physically safe from access by unauthorized persons at all times and that the data will be processed using grantee-issued equipment. Accessing, processing, and storing grant PII data on personally owned equipment, at off-site locations (e.g., an employee’s home), or on non-grantee-managed IT services (e.g., Yahoo mail) is strictly prohibited unless approved by the sponsoring agency. Grantee employees and other personnel who will have access to sensitive/confidential/proprietary/private data must be advised of the confidential nature of the information, the safeguards required to protect the information, and the civil and criminal sanctions for noncompliance with such safeguards that are contained in Federal and state laws. Grantees must have policies and procedures in place under which grantee employees and other personnel, before being granted access to PII, acknowledge their understanding of the confidential nature of the data and the safeguards with which they must comply in their handling of such data, as well as the fact that they may be liable to civil and criminal sanctions for improper disclosure. Grantees must not extract information from data supplied by the sponsoring agency for any purpose not stated in the grant agreement. Access to any PII created by the grant must be restricted to only those employees of the grant recipient who need it in their official capacity to perform duties in connection with the scope of work in the grant agreement, which includes IT staff, subcontractors, and sub-recipients.
All PII data must be processed in a manner that will protect the confidentiality of the records/documents and is designed to prevent unauthorized persons from retrieving such records by computer, remote terminal or any other means. Data may be downloaded to, or maintained on, mobile or portable devices only if the data are encrypted using NIST validated software products based on FIPS 140-2 encryption. In addition, wage data may only be accessed from secure locations. PII data obtained by the grantee through a request from the federal sponsor must not be disclosed to anyone but the individual requestor except as permitted by the Grant Officer. Grantees must permit the federal sponsor to make onsite inspections during regular business hours for the purpose of conducting audits and/or conducting other investigations to assure that the grantee is complying with the confidentiality requirements described above. In accordance with this responsibility, grantees must make records applicable to this policy available to authorized persons for the purpose of inspection, review, and/or audit. Grantees must retain data received only for the period of time required to use it for assessment and other purposes, or to satisfy applicable Federal records retention requirements, if any. Thereafter, the grantee agrees that all data will be destroyed, including the degaussing of magnetic tape files and deletion of electronic data. 

Employees, staff and sub-recipients of federal awards

Employees, staff, and sub-recipients must be made aware, at least annually, of their duty to safeguard PII in the manner described in this policy, of their duty to report any suspected compliance issues involving the protection of PII, and of the correct procedure for filing such a report.

Vendors and subcontractors supported by federal awards

Vendors and subcontractors must be made aware of their duty to safeguard PII in the manner described in this policy and of their duty to report suspected non-compliance with this policy. Additionally, they will be made aware of the correct procedure for filing such a report as part of their contractual obligations with the College.

College reporting policy

While internal reporting of such issues is highly encouraged, the College may not make it a condition of reporting suspected issues to a federal agency. Note that the claimant is not expected to be able to determine whether the allegations or suspicions are true before reporting them to the OIG. In fact, there must not be any delay in reporting such allegations or suspicions while the claimant conducts their own “investigation.” Also note that a report must be filed based merely on suspicion of such wrongdoing. The responsibility is to report these events, not to determine whether they are true.

II. Reason for Policy

As part of their grant activities, grantees may have in their possession large quantities of PII relating to their organization and staff; sub-grantee and partner organizations and staff; and individual program participants. This information is generally found in personnel files, participant data sets, performance reports, program evaluations, grant and contract files and other sources. Federal agencies have attempted to standardize this requirement across agencies as part of the Office of Management and Budget's (OMB) Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards.

The Office of Management and Budget's (OMB) Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards (commonly called "Uniform Guidance") was officially implemented in December 2014.  The Uniform Guidance – a "government-wide framework for grants management" – is an authoritative set of rules and requirements for Federal awards that synthesizes and supersedes guidance from earlier OMB circulars. Uniform Guidance became effective December 26, 2014, affecting all federal award applications submitted prior to but awarded after the effective date. The reforms that comprise the Uniform Guidance aim to reduce the administrative burden on award recipients and, at the same time, guard against the risk of waste and misuse of Federal funds. Among other things, the OMB's Uniform Guidance does the following: removes previous guidance that is conflicting and establishes standard language; directs the focus of audits on areas that have been identified as at risk for waste, fraud and abuse; lays the groundwork for Federal agencies to standardize the processing of data; clarifies and updates cost reporting guidelines for award recipients.

III. Applicability of the Policy

This policy applies to all employees, vendors, subcontractors, and sub-recipients who interact with, access, collect, or store Personally Identifiable Information for grant supported projects. This policy applies to projects, employees, vendors, and sub-recipients supported directly or indirectly by federal funds.  Federal awards never lose their identity; no matter how many agencies, states, and local programs federal awards pass through, the Uniform Guidance standard still applies.

IV. Related Documents

  • 2 CFR 200 § 200.113, Mandatory disclosures
  • OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments. In this memorandum, OMB provided updated guidance for reporting security incidents involving PII.
  • OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information. In this memorandum, OMB required federal agencies and federal projects to implement a PII breach notification policy within 120 days.
  • Training and Employment Guidance Letter (TEGL) 39-11
  • Uniform Guidance, found at 2 CFR 200 and 2 CFR 2900 (DOL exceptions)

V. Contacts

Office                  | Name | Title or Position                               | Telephone Number | Email/URL
------------------------|------|-------------------------------------------------|------------------|------------------------
Financial Services      |      | Senior Vice President & Chief Financial Officer | (315) 498-2268   | m.r.manning@sunyocc.edu
IPAR                    |      | Associate Vice President                        | (315) 498-2742   | tarbyw@sunyocc.edu
Governance & Compliance |      | Vice President                                  | (315) 498-2962   | urtza@sunyocc.edu

VI. Definitions

Sensitive Information: Any unclassified information whose loss, misuse, or unauthorized access to or modification of could adversely affect the interest or the conduct of Federal programs, or the privacy to which individuals are entitled under the Privacy Act.

PII: OMB defines PII as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.

Protected PII: Information that, if disclosed, could result in harm to the individual whose name or identity is linked to that information. Examples of protected PII include, but are not limited to, social security numbers (SSNs), credit card numbers, bank account numbers, home telephone numbers, ages, birth dates, marital status, spouse names, educational history, biometric identifiers (fingerprints, voice prints, iris scans, etc.), medical history, financial information, and computer passwords.

Non-sensitive PII: Information that, if disclosed by itself, could not reasonably be expected to result in personal harm. Essentially, it is stand-alone information that is not linked or closely associated with any protected or unprotected PII. Examples of non-sensitive PII include information such as first and last names, e-mail addresses, business addresses, business telephone numbers, general education credentials, gender, or race. However, depending on the circumstances, a combination of these items could potentially be categorized as protected or sensitive PII. To illustrate the connection between non-sensitive PII and protected PII, the disclosure of a name, business e-mail address, or business address most likely will not result in a high degree of harm to an individual. However, a name linked to a social security number, a date of birth, and mother’s maiden name could result in identity theft.

Incident Report (IR) (OIG 1-156): This is the primary form for reporting instances of fraud, misapplication of funds, gross mismanagement, and any other incidents of known or suspected criminal or other serious activities. The OIG 1-156 may also be used to provide interim and final reports. *Note: this form is used for reporting issues for USDOL-supported projects.


VII. Procedure

The process of reporting differs across federal agencies and awards.  Select the appropriate process below to report allegations, suspicions, and complaints of PII non-compliance.

USDOL ETA Awards

  • The Department of Labor's Incident Reporting System uses the DOL Incident Report Form DL 1-156, which is available online at the dol.gov website. The form and its instructions can also be found in TEGL 2-12.
  • Submit copies to OIG and ETA: documenting and reporting these incidents consists of recording them on form DL 1-156 and submitting the form to both OIG and ETA.
  • If there are imminent health or safety concerns, or an imminent loss of funds exceeding $50,000:
    • When the threat is imminent or involves sensitive PII, you must report it to OIG even more quickly. These incidents must be reported to the OIG and ETA immediately by telephone, followed by a written Incident Report (IR) no later than one working day afterward.
  • Recipients and subrecipients are also required to report fraud and other criminal acts to ETA or the pass-through entity, as appropriate, in accordance with the Uniform Guidance requirement on mandatory disclosure at 2 CFR 200.113.
  • The ETA OIG operates a hotline where anyone can report anything they find suspicious. The numbers are: DOL Hotline - Office of Inspector General 1-800-347-3756 or (202) 693-6999.
  • If mailing the report, send the DL 1-156 to the following address: Complaints Analysis Office, DOL Office of Inspector General, Room S5506, 200 Constitution Avenue NW, Washington, DC 20210, or to the corresponding Regional Inspector General for Investigations, with a copy simultaneously provided to ETA.
  • Incidents can be reported and channeled through a state or local system first, before the report is sent to OIG, if procedures are set up to do so and the incident does not pose an immediate or substantial threat. In all cases, however, DOL must be notified at the same time.

VIII. Responsibilities

Compliance, monitoring and review

Responsibilities for actions under this procedure are detailed throughout this document.

Reporting

Failure to make required disclosures can result in any of the remedies described in § 200.338 Remedies for noncompliance, including suspension or debarment. (See also 2 CFR part 180 and 31 U.S.C. 3321).

Records Management

Staff must maintain all records relevant to administering this policy and procedure in the master compliance log and share drive, or in a recognized College record-keeping system. The record should include the date of training and a list of attendees.


Approved by the Board of Trustees January 23, 2018