Idaho Bulletin 270-8-1

September 25, 2008

SUBJECT:  IRM - Importance of Safeguarding Personally Identified Information (PII)

TO:   All Employees, NRCS, Idaho

Purpose.  To remind employees of the importance of safeguarding PII information and to transmit information on the incident reporting process for lost or stolen equipment or paper-based data

Expiration Date.  September 30, 2009

Attached is a memo from Chief Lancaster describing the importance of ensuring that PII information is properly managed and that equipment and PII must be secured. It is the responsibility of each and every one of us to take the necessary precautions to ensure the security of personally identifiable information and to make certain that partners and contractors are also aware of their responsibility in this regard.  Supervisors are to ensure that employees, partners and contractors receive, read and understand the information contained in this memo.

Also attached is an Incident Reporting Process for all NRCS Employees. Review this process with employees, contractors and partners in your office and display where it can be easily found in the event of stolen or lost equipment or paper-based data.

Private and sensitive information must be requested and used only when the transaction cannot be completed without it; it must be entered for that one transaction and not stored for any future use unless it is absolutely necessary. When private and sensitive information must be stored, it must be secured. If this information is on paper, it must be secured in a locked file cabinet or drawer where only authorized employees have access to it. If this information is in electronic form, the computer system, including laptops, tablets, and desktops; USB drives; external hard drives; and similar devices, whether they are encrypted or not, must be secured in a way that prevents the information from being lost or stolen. If the electronic files cannot be secured, the information must not be stored on that computer. The information may be best secured in an access-controlled, shared-drive folder on a physically secure server that is accessed over the network.

Examples of Private Data: social security number (SSN); tax ID; employee NFC ID; account numbers; and farm, tract, or common land unit (CLU) numbers.

The following information will assist you with compliance to secure electronic files:

• H:drive is a secure site

• C:drive is only secure if documents are filed in either the home directory or documents and settings directory.

• S:drive is secure from outside sources, but any sensitive information should be protected by permissions for internal use.

• Thumb drives are only secure if they are encrypted.

• Do not save government information on home computers

All employees will assure that “hard copy” files or documents containing private and/or sensitive information are secured from access by non authorized persons. The most common cause of lost or unintentional release of private and/or secure information is carelessness. Treat this information as if it contained your family’s most personal secrets.

The following information will assist you with compliance to secure hard copy files:

• Do not leave files with private or sensitive information unsecured over night or when away from your workstation for an extended period.
• Files that contain sensitive information are to be stored in locked cabinets when not in use.
• Documents that contain large amounts of private information, such as lists with large numbers of names, addresses and/or telephone numbers should be secured.
• Materials may be considered secure if in a locked office whose access is limited to NRCS staff
• Private and or sensitive information needs to be shredded not thrown in garbage cans or recycle barrels.

/s/
JEFF BURWELL
STATE CONSERVATIONIST             

Attachments:

1. Chief Lancaster memo dated 9/19/2008
2. Incident Reporting Process

< Back to 260 Bulletins