Purpose

As part of your employment with MetaTech Consulting, Inc. (MTC) and your contract activities, you may have access to Personally Identifiable Information (PII). This information is generally found in personnel files, contract files, systems of records used by government agencies, or other sources. Federal law and federal policies require that PII and other sensitive information be secured and protected at all times.

Affected Parties

MetaTech Consulting employees accessing, handling, or using MetaTech information Management systems containing PII must receive initial training on protecting and safeguarding the information, and must continue thereafter to train their employees annually.  MetaTech Consulting maintains records of the privacy training provided to employees.

References

Privacy Act of 1974, as amended, 5 U.S.C. § 552a establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies. A system of records is a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier assigned to the individual.

Definition of Key Terms

“Personally Identifiable Information” (PII) is defined as information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.
“Sensitive Information”: Any unclassified information whose loss, misuse, or unauthorized access to or modification of could adversely affect the interest or the conduct of Federal programs or the privacy to which individuals are entitled under the Privacy Act.
The Department of Labor has defined two types of PII, “protected PII” and “non-sensitive PII.” The differences between protected PII and non-sensitive PII are primarily based on an analysis regarding the “risk of harm” that could result from the release of the PII.

1. “Protected PII” is information that if disclosed could result in harm to the individual whose name or identity is linked to that information. Examples of protected PII include, but are not limited to, social security numbers (SSNs), credit card numbers, driver’s license number, passport number, bank account numbers, home telephone numbers, ages, birthdates, marital status, spouse names, educational history, biometric identifiers (fingerprints, voiceprints, iris scans, etc.), medical history, financial information, and computer passwords.
    
2. “Non-sensitive PII” is information that if disclosed, by itself, could not reasonably be expected to result in personal harm. It is standalone information that is not linked or closely associated with any protected or unprotected PII. Examples of non-sensitive PII include information such as first and last names, e-mail addresses, business addresses, business telephone numbers, general education credentials, gender, or race. However, depending on the circumstances, a combination of these items could potentially be categorized as protected or sensitive PII.

---

The PII elements below are not necessarily considered private, but combining these elements with other PII may have privacy implications. Examples of Other PII that may be misused if combined with other PII or aggregated:

1. Address
2. Phone number
3. Email address
4. Employee ID
5. Employee directory information in which the employee has not opted out (like that above, but also dates and photos)

---

To illustrate the connection between non-sensitive PII and protected PII, the disclosure of a name, business e-mail address, or business address most likely will not result in a high degree of harm to an individual. However, a name linked to a social security number, a date of birth, and mother’s maiden name could result in identity theft. This demonstrates why protecting PII is so important.

Eligibility Requirements

PII from all individuals must be protected at all times. There is no eligibility requirement.

Policy

All MetaTech employees must ensure the privacy of all PII obtained from other individuals and protect such information from unauthorized disclosure. All employees must ensure that PII used during their employment has been obtained in conformity with applicable Federal and state laws and policies governing the confidentiality of information.
All PII transmitted via e-mail or stored on external drives must be encrypted. All PII stored onsite must be kept safe from unauthorized individuals at all times and must be managed with appropriate information technology (IT) services. Accessing, processing, and storing of PII data on personally owned equipment at off-site locations (e.g. employee’s home, and non-grantee managed IT services, e.g. Yahoo mail, Gmail, etc.) is strictly prohibited.
All employees who will have access to sensitive/confidential/proprietary/private data must be advised of the confidential nature of the information, the safeguards with which they must comply to protect the information, and that they may be liable to civil and criminal sanctions for improper disclosure.
Access to any PII obtained through employment with MetaTech must be restricted to only those employees who need it in their official capacity to perform duties in connection with the scope of work in the company or on the contract to which they are assigned.
All PII data must be processed in a manner that will protect the confidentiality of the records/documents and must be designed to prevent unauthorized persons from retrieving such records by computer, remote terminal, or any other means.
MetaTech employees must retain PII data received only for the period of time required to use it for assessment and other purposes, or to satisfy applicable Federal and record retention requirements, if any. Thereafter, the employee agrees that all data will be destroyed, including deletion of electronic data.

Protection and Handling of PII

The following requirements apply to PII in paper records, electronic records, and in oral communications, as well as any aggregation of PII in an electronic format (e.g., databases, webpages, e-mail, spreadsheets, tables, and file-sharing services such as OneDrive).

Disposal: PII must be destroyed and rendered unreadable before disposal. For example, this may include shredding paper or wiping electronic files

General: In addition to complying with all applicable legal requirements, MTC further limits the collection, use, disclosure, transmission, storage and/or disposal of PII to that which fulfills the MTC mission.

Safeguards: To protect PII against inappropriate access, use, disclosure, or transmission, MTC requires appropriate administrative, technical, and physical safeguards. Divisional leadership is responsible for documenting security controls and safeguards and risk management consistent with the Information Technology Security policy. Examples of physical safeguards include storing documents containing PII in secured cabinets or rooms and ensuring that documents containing PII are not left on desks or in other locations that may be visible to individuals not authorized to access the PII.

Collection –Collected data should be appropriate for the intended authorized use, and collection should be conducted according to best practice and legal requirements for the type and purpose of data collected. Since the collection process itself can potentially lead to unintended PII disclosure, considerations of confidentiality in collection and recording should be explicitly addressed.

Minimization: All members of the MTC staff are responsible for minimizing the use of PII (including redaction of financial account information, use of less sensitive substitutes such as partial SSN) and minimizing aggregations of PII. The risk of unauthorized disclosure or access to PII increases with the amount of data. All MTC staff are responsible for ensuring that the number and scope of physical and electronic copies and repositories of PII are kept to the minimum necessary and only for the period that a valid business need for the information exists.

Permitted Use within MTC: Only individuals within MTC who are permitted under law, regulation and MTC policies and have a legitimate “need to know” are authorized to access, use, transmit, handle or receive PII, and that authorization only extends to the specific PII for which the relevant individual has a legitimate “need to know” to perform his or her job duties.

Permitted Disclosure to Third Parties: MTC may release PII to third parties only as permitted by law/regulation and under the MTC policy. Third-party contractors to whom MTC is disclosing PII must be bound by agreements with appropriate PII safeguarding and use provisions.

Oral Communications: Only authorized individuals may engage in oral communications involving PII. Caution is required in all oral communications involving PII, and oral communications involving PII may not take place in any location where the communication may be overheard by an individual not authorized to access the PII.

Storage of PII: PII may be stored only as necessary for the MTC mission and permitted under the MTC Records and Retention policy. Divisional leadership is responsible for providing guidelines around where information can be scanned/stored (e.g. in hardcopy, on shared drives, on other media/devices) and how long information may be retained before requiring deletion or destruction). In addition, divisional and entity leadership is responsible for maintaining an up-to-date inventory of stored or maintained documents, files, databases and data sets containing PII, and their contents, and requiring encryption of PII stored on mobile devices, media, or other at-risk devices such as public workstations.

Transmission of PII: PII may not be transmitted to external parties outside the MTC (e.g. via mail, fax, e-mail, instant messaging) without appropriate security controls. Generally, such controls include encryption and authentication of recipients (e.g., password protection of files; verifying fax numbers; cover sheets; marking documents as confidential). Great care is to be taken to ensure that e-mails are sent only to intended recipients.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

Mobile Information: Mobile information will not be shared with third parties/affiliates for marketing/promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

“Opting Out” of Mobile Messaging Campaigns: If you wish to be removed from receiving future communications, you can opt out by texting STOP in response to any text message received. 

Reporting a Privacy Incident

All MetaTech employees must report all privacy incidents, whether suspected or confirmed, immediately to the Facility Security Officer (FSO) or Human Resources (HR).

Document or maintain records of information and actions relevant to the privacy incident, as they may be required to investigate and remediate the incident.
Any alleged violations that may constitute criminal misconduct or identity theft will be reported to law enforcement as part of the privacy incident reporting and investigation process.

Respond promptly to any requests about a privacy incident.

Additional Requirements

1. Use appropriate methods for destroying sensitive PII in paper files (i.e. shredding) and securely deleting sensitive electronic PII.
2. Do not leave records containing PII open and unattended.
3. Store documents containing PII in locked cabinets when not in use.
4. Immediately report any breach or suspected breach of PII.

Training

All MetaTech employees must be trained during the onboarding process and then annually.  Key elements that are covered include:

1. The Privacy Act of 1974, including penalties for violation of the Act;
2. The appropriate way to handle and safeguard PII;
3. The authorized and official use of a system of records or any other PII;
4. Restrictions on the use of unauthorized equipment to create, collect, use, process, store, maintain, disseminate, disclose, dispose of, or otherwise access PII;
5. Prohibitions against unauthorized use of a system of records or the unauthorized disclosure, access, handling or use of PII; and
6. Procedures in the event of a suspected or confirmed breach of a system of records or unauthorized disclosure, access, handling or use of PII.

A one-hour training course entitled Identifying and Safeguarding Personally Identifiable Information (PII), DS-IF101.06 is available online through the Security Training, Education and Professionalization Portal (STEPP) at: https://www.cdse.edu/Training/eLearning/DS-IF101/

Upon completion of the course, employees are to send a copy of the training certificate to the FSO.