Interface Online Center for Information Technology (CIT)

Summer 2008 [Number 241]


Using the NIH Guide for Identifying Sensitive Information

In the wake of a recent breach of NIH Personally Identifiable Information (PII)—the theft of an employee’s unencrypted laptop containing patient data and social security numbers—the NIH Guide for Identifying Sensitive Information at the NIH was published (April 2008). A cascade of OMB, HHS and NIH controls continues to be mandated in an attempt to close the security gaps where sensitive data is at risk. At the crux of this effort is educating users on how to determine whether data is sensitive.

What is sensitive information and how do I identify it?

Information is considered sensitive if the loss of confidentiality, integrity, or availability could be expected to have a serious, severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals (definition from the Guide).

To recognize whether unclassified information is sensitive and requires special precautions, users must take into account not only the face value of data and its context but must consider whether improper disclosure, modification or deletion of the data could be expected to have a serious, severe or catastrophic adverse effect on the NIH mission and operations, organizational assets or individuals.

It is not always easy or straightforward to recognize information as sensitive or to categorize data as Personally Identifiable Information (PII). Thus, the Guide for Identifying Sensitive Information at the NIH is intended to provide useful guidance on how to effectively identify sensitive information (including PII) and Privacy Act records. The publication offers some insight into the complexity of identifying this type of data. While it’s not an exact science and requires some thinking on the part of the user, context is often a determining factor.

For example, a picture of an employee along with their name placed in a newsletter article recognizing their achievements is not sensitive. However, that same picture and name contained in a file named “Genetic screening results” or “Staff placed on probation” would be considered very sensitive. The same information in different contexts can make a tremendous difference in how the information needs to be protected.

Personally Identifiable Information (PII)

The Guide for Identifying Sensitive Information at the NIH identifies PII as any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, SSN, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information that is linked or linkable to an individual.

In general, PII is an individual identifier (like a name or driver’s license number) along with data that can be used to cause harm to the individual (like a bank account number or medical record). PII can be an individual field, such as an SSN. PII does NOT include publicly obtainable information that is lawfully made available to the general public from federal, state, or local government records.

Examples of identifying pieces of information can include:

    Personal characteristics (such as height, weight, gender, sexual orientation, date of birth, age, hair color, eye color, race, ethnicity, scars, tattoos, gang affiliation, religious affiliation, place of birth, mother’s maiden name, distinguishing features and biometrics information, such as fingerprints, DNA and retinal scans).

    A unique set of numbers or characters assigned to a specific individual, including name, address, phone number, SSN, e-mail address, driver’s license number, financial account or credit card number, and Automated Integrated Fingerprint Identification System (AIFIS) identifier, booking, or detention system number.

    Descriptions of event(s) or points in time (for example, information in documents such as police reports, arrest reports and medical records).

    Descriptions of location(s) or place(s), including geographic information system (GIS) locations, electronic bracelet monitoring information, etc.

Pieces of information that can cause harm to an individual include the following types of records:

    Financial records

    Criminal records

    Health/Patient records

    Personnel/HR records

However, context, good judgment and risk assessment should always be taken into consideration when evaluating data’s potential for harm.

The Privacy Act

PII may be contained in a Privacy Act system of records. The Privacy Act applies when you have a group of records (more than one) that contains information about an individual and is designed so that data is retrieved using the individual’s name or another personal identifier assigned to that individual. If you have a single record, or publicly available information, it is not subject to the Privacy Act although it may still be sensitive. See the Guide for Identifying Sensitive Information at the NIH for more information about the Privacy Act.

Why Social Security numbers are a privacy risk

The Social Security number (SSN) has a unique status as a privacy risk because no other form of personal identification plays such a significant role in linking records that contain sensitive information. Identity theft and other forms of credit fraud are associated with the widespread overuse and public exposure of SSNs as unique identifiers.

NIH staff and contractors should not:

    Collect SSNs unnecessarily,

    Post or publicly display SSNs,

    Print SSNs on identification cards or badges,

    Transmit SSNs over the Internet or in email unless the connection is secure or the number is encrypted,

    Require people to transmit an SSN over the Internet or in email unless the connection is secure or the number is encrypted,

    Require people to log onto a website using an SSN as a username or password, or

    Print SSNs on anything mailed to a customer unless required by law or the document is a form or application.

Please see the Guide for Identifying Sensitive Information at the NIH for important tips on keeping the SSN private and safe.

How the Guide can help you

The NIH Guide for Identifying Sensitive Information at the NIH contains working definitions and examples that help users distinguish whether data (electronic and hard copy) is sensitive information, PII or can be publicly available without causing harm. The Guide also qualifies what data falls under Privacy Act protections.

In addition to guidance about adherence to security controls including encryption, more stringent authentication and time-out requirements for remote access, etc., the Guide for Identifying Sensitive Information at the NIH educates users about minimizing the risk of sensitive information exposure by reducing its use. This publication addresses de-identification of patient data and devotes an entire section to understanding the unique status of the Social Security number (SSN) as a privacy risk. Users will develop a full appreciation of how the use of the SSN can be reduced, and if required, how to securely manage and protect this form of identity.

Be aware that this publication is a living document and may be expanded. A newly established trans-NIH work group is being convened to determine if there are additional types of information that should be labeled as sensitive. The work group will analyze what policies and protections currently apply to sensitive information, and if gaps in coverage are identified, supplementary policy protections may be implemented.

Remember your role in safeguarding sensitive information

We exist in a world where personal privacy erodes daily, identity theft and credit fraud are rampant and the confidentiality, integrity and availability of organizational assets and operations are exposed to overt and stealth attacks. This underscores the need for every individual using NIH information and information systems to take their role of information stewardship seriously. Beyond practicing common sense behaviors, the protection of sensitive NIH information will be best served when users supplement their knowledge with the valuable guidance contained in this Guide for Identifying Sensitive Information at the NIH.

Have questions?

For questions concerning the NIH Guide for Identifying Sensitive Information at the NIH, please contact Brent Kopp (koppb@mail.nih.gov). Additional information about privacy and the Privacy Act can be found at the Office of the Senior Official for Privacy website or by contacting your IC Privacy Coordinator (http://oma.od.nih.gov/about/contact/browse.asp?fa_id=3).

The NIH Guide for Identifying Sensitive Information at the NIH (April 2008) is available at http://irm.cit.nih.gov/security/NIH_Sensitive_Info_Guide.doc

 
Published by Center for Information Technology, National Institutes of Health