The Equal Employment Opportunity Commission (EEOC) is responsible for enforcing Title VII of the Civil Rights Act (Title VII) of 1964, as amended, the Age Discrimination in Employment Act (ADEA) of 1967, the Equal Pay Act (EPA) of 1963, Title I and Title V of the Americans with Disabilities Act (ADA) of 1990, Sections 501 and 505 of the Rehabilitation Act of 1973, and the Civil Rights Act of 1991. The mission of the EEOC is to ensure equality of opportunity in the workplace by vigorously enforcing these federal laws. To support the mission of the agency, various systems of records have been devised and maintained on EEOC computer systems, some of which may contain personally identifiable data.
The protection of the systems and their data is required by Office of Management and Budget (OMB) Circular A-130; the Federal Information Security Management Act of 2002 (FISMA); the Privacy Act of 1974; Title VII; and the EEOC Information Security Program Directive. National Institute of Standards and Technology guides provide the minimum security requirements for agency systems and major applications.
The OMB has recently issued Memorandum M-06-16, which indicates that extracts from databases that contain personally identifiable information (PII) may need further protection if the extracts are removed from EEOC premises.
For purposes of this policy, a data extract is defined as multiple records of information that are downloaded or copied from an EEOC database system (such as the Integrated Mission System, Federal Personnel and Payroll System, or Integrated Financial Management System) and maintained in electronic format outside of the originating system. This policy is limited to data extracts that contain personally identifiable information (PII) that is considered to be very sensitive in nature, such as Social Security Numbers, medical information, and certain information from charges, complaints, or cases that are not yet filed in court. This policy is additionally limited to data extracts that are physically removed from EEOC premises via electronic transmission, laptop, file, CD, diskette, memory key, or any other portable storage device. It additionally includes data extracts downloaded via EEOC’s virtual private network (VPN) to any external device. Using the VPN to access files and data (without download to an external device) is NOT subject to this policy.
The risks from extracted personal data can be reduced in several ways:
An example of what is NOT considered a data extract under this policy is the download of name and address information for correspondence purposes. In addition, accessing and working with files and information across the EEOC VPN is NOT considered a data extract. However, if you physically download (transfer) multiple records from an internal EEOC database system to a remote laptop or storage device through the VPN, this is considered a data extract.
Individual electronic documents that are not created through a database extract process (as defined above) are not considered a “data extract” for purposes of this policy and do not require the logging procedures outlined below in section III. This includes working files maintained on your office desktop computer. However, if the individual files contain sensitive PII, the files should be protected prior to removal from an EEOC facility. Download and storage within the \myfiles directory on a properly configured EEOC laptop, or to an encrypted and password-protected portable device, fulfills the security requirement for these files. Encrypting and password-protecting the file(s) prior to download/removal also fulfills the requirement. If you have any questions on how to encrypt an individual file or group of files, please contact the OIT Help Desk.
In order to remove data extracts containing sensitive PII from EEOC premises, users must:
The automatic on-line remote back-up of field network servers is excluded from the extract logging requirement, as the Office of Information Technology will note these recurring extracts in an overall system administration log.
Non-compliance may result in revocation of system access, disciplinary action, or both. Breaches that violate other legal provisions (e.g., Title VII, Privacy Act) may also be subject to the respective penalties of such laws.
This page was last modified on April 24, 2007.