IES shall ensure that all personally identifiable information remains confidential, in accordance with the Privacy Act of 1974.
Restricted-use data licenses are used to make sensitive federal information sources available to qualified research organizations. Strict security procedures are required to protect the data on individuals who responded to these surveys; i.e., who provided individually identifiable information.
The Licensees are governed by the terms of the license and these security procedures, which are the minimum requirements for protecting the individually identifiable information (referred to as "subject data" in the license) while in the custody of the Licensee. The protection requirements for individually identifiable information are based on three statutes.
Anyone who violates the confidentiality provisions of this Act shall be found guilty of a class E felony and imprisoned up to five years, and/or fined up to $250,000.
Other statutes may apply under certain circumstances, such as the Computer Fraud and Abuse Act of 1986, which makes it a felony to gain unauthorized access to a computer system containing Federal data, or to exceed the access one has been granted, with the intent of causing malicious destruction or damage.
Individually identifiable information is highly sensitive and requires high levels of confidentiality and integrity protection to prevent unauthorized disclosure or modification. The integrity of information produced from these data relies on the integrity of the source data.
Licensees shall ensure that adequate security measures are continuously in place so that the subject data are SAFE at all times. SAFE means that the subject data are secure from unauthorized disclosure, use, or modification.
The Summary of Minimum Security Requirements below provides an overview of the protection measures. Note: IES may inspect Licensee facilities (see chapter 4) and the questions that will be asked are based on these minimum security requirements. Appendix K contains a list of the questions.
Summary of Minimum Security Requirements
General Security (Section 3.3)
Physical Handling, Storing, & Transporting Data (Section 3.4)
Licensees (i.e., Principal Project Officers) shall assess the security of the environment in which the data will be accessed, handled, and stored to determine if the minimum security procedures, described herein, are adequate for their environment. Since facilities and computer capabilities vary considerably, there may be onsite conditions that necessitate additional protections. If so, Licensees shall increase protections to make their environment SAFE.
Licensees must meet the spirit and intent of these protection requirements to ensure a SAFE environment 24 hours a day for the period of the license.
The Senior Official (SO), who signed the license document/contract, has overall responsibility for the security of the subject data.
The Principal Project Officer (PPO):
The SO or PPO shall assign a System Security Officer (SSO) (or assume the duties). The SSO shall be responsible for maintaining the day-to-day security of the licensed data.
The SSO's assigned duties shall include the implementation, maintenance, and periodic update of the security plan to protect the data in strict compliance with statutory and regulatory requirements.
Licensees shall complete the Restricted-Use Data Security Plan Form before permitting any access to the subject data. Federal agencies do not need to submit the Security Plan Form; Federal agencies must instead adhere to the security requirements set forth in the MOU.
The SO, PPO, and SSO shall sign the implemented security plan and provide a copy to IES.
Access control is the process of determining WHO will have WHAT type of access to WHICH subject databases.
Licensee shall retain the original version of the subject data and all copies or extracts at a single location (i.e., the licensed site) and shall make no copy or extract of the subject data available to anyone except an authorized staff member as necessary for the purpose of the statistical research for which the subject data were made available to the Licensee.
Licensee shall not permit removal of any subject data from the licensed site (i.e., limited access space protected under the provisions of this license) without first notifying, and obtaining written approval from the IES Data Security Program. This includes using data at home or providing it to a sub-contractor to use off-site.
Any researcher who requests access to subject data must sign an Affidavit of Nondisclosure under the procedures in Section IV of the license.
Licensee agrees to notify IES immediately when it receives any legal, investigatory, or other demand for disclosure of subject data, including any request or requirement to provide subject data to any State agency or State contractor under conditions that are inconsistent with any requirement of this license. Time is of the essence in notifying IES of any such request or requirement. Licensee must also immediately inform the requestor or enforcer of the request or requirement that subject data are protected under the law of the United States, as specified in section 3.1. Licensee authorizes IES to revoke this License and, pending the outcome of the penalty procedures under Section VI of this license, to take possession of or secure the subject data, or take any other action necessary to protect the absolute confidentiality of the subject data.
Licensee shall return to the IES Data Security Program the original subject data when the research that is the subject of the agreement has been completed or the license terminates, whichever occurs first. All other individually identifiable information (e.g., the one backup copy, working notes) shall be destroyed under IES supervision or by approved IES procedures.
Machine-readable media storage from IES will be CD-ROMs or floppy diskettes.
Note: Data stored on fixed hard disks are addressed in section 3.5 in Standalone Computers.
Lock Up Media. Subject data on machine-readable media shall always be secured from unauthorized access (e.g., locked in a secure cabinet when not in use, only necessary copies made).
Label/Catalog/Track Media. To ensure that license dates are not exceeded, all portable media from NCES have been labeled with the expiration date of the license. If the user changes the media, or develops subsets, new labels with the expiration date must be affixed. Additionally, use a simple, effective cataloging/tracking system so that it is known at all times who has possession of, and responsibility for, each piece of media. Anyone having possession of the data must hold an affidavit, including computer personnel who load data on the system. Data shall not be kept in a computer facility library unless everyone who has access to the library media holds an affidavit.
Lock Up Printed Material. Printed material containing individually identifiable information shall always be secured from unauthorized access (e.g., locked in a secure cabinet when not in use).
Edit for Disclosures. Licensee shall ensure that all printouts, tabulations, and reports are edited for any possible disclosures of subject data. In planning and producing analyses and tabulations, the general rule is not to publish a cell in which there are fewer than three (3) respondents or where the cell information could be obtained by subtraction. In addition, care must be taken not to disclose information through subsequent use of the same data with variables from other databases.
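The cell-suppression rule above, carried through on a small constructed table, as an added example that is not part of the original chapter. Primary suppression hides every cell with one or two respondents; the subtraction check then looks for any row or column whose published total leaves exactly one hidden cell, and complementary suppression hides a second cell on that line. Assumptions of this example: empty cells stay published (a zero identifies no respondent), the complement chosen is the smallest published nonzero cell on the line, and only recovery by subtraction from the marginals is checked, not the tighter interval bounds a full linear-programming audit would find.

```python
from copy import deepcopy

MIN_COUNT = 3  # the chapter's rule: do not publish a cell with fewer than three respondents

# Constructed sample: respondents by school type (rows) and outcome (columns).
TABLE = [
    [12, 7, 1],
    [9, 2, 5],
    [4, 0, 11],
    [6, 8, 3],
]


def _lines(rows, cols):
    """Every row and every column as a list of (r, c) cells."""
    lines = [[(r, c) for c in range(cols)] for r in range(rows)]
    lines += [[(r, c) for r in range(rows)] for c in range(cols)]
    return lines


def primary_suppress(table, min_count=MIN_COUNT):
    """Mask (True = suppressed) for every cell with 1..min_count-1 respondents.
    Assumption of this example: empty cells stay published, since a zero
    identifies no respondent."""
    return [[0 < v < min_count for v in row] for row in table]


def recoverable_by_subtraction(table, mask):
    """Cells an attacker can recover from published row and column totals.
    A line with exactly one suppressed cell gives that cell away; once it is
    known it may expose another line, so peel until nothing changes.
    This is the subtraction check only, not a full linear-programming audit."""
    rows, cols = len(table), len(table[0])
    hidden = {(r, c) for r in range(rows) for c in range(cols) if mask[r][c]}
    recovered = set()
    changed = True
    while changed:
        changed = False
        for line in _lines(rows, cols):
            unknown = [rc for rc in line if rc in hidden]
            if len(unknown) == 1:
                hidden.discard(unknown[0])
                recovered.add(unknown[0])
                changed = True
    return recovered


def _cheapest_published(line, table, mask):
    """Pick the complement that loses the least information: the smallest
    published nonzero cell on the line (a zero cell only if nothing else is left)."""
    published = [(r, c) for r, c in line if not mask[r][c]]
    if not published:
        raise ValueError("no published cell left on this line to use as a complement")
    nonzero = [rc for rc in published if table[rc[0]][rc[1]] > 0] or published
    return min(nonzero, key=lambda rc: table[rc[0]][rc[1]])


def complementary_suppress(table, mask):
    """Add secondary suppressions until no row or column has exactly one
    hidden cell, i.e. until nothing is recoverable by subtraction."""
    mask = deepcopy(mask)
    rows, cols = len(table), len(table[0])
    while True:
        changed = False
        for line in _lines(rows, cols):
            if sum(mask[r][c] for r, c in line) == 1:
                r, c = _cheapest_published(line, table, mask)
                mask[r][c] = True
                changed = True
        if not changed:
            return mask


def render(table, mask, symbol="*"):
    """Publishable view: suppressed cells replaced by `symbol`, row totals kept."""
    return [[symbol if mask[r][c] else str(v) for c, v in enumerate(row)] + [str(sum(row))]
            for r, row in enumerate(table)]


if __name__ == "__main__":
    primary = primary_suppress(TABLE)
    print("exposed after primary suppression only:",
          sorted(recoverable_by_subtraction(TABLE, primary)))
    final = complementary_suppress(TABLE, primary)
    for row in render(TABLE, final):
        print("  ".join(f"{cell:>3}" for cell in row))
```

On the sample table, primary suppression alone hides (0,2) and (1,1), and both are immediately recoverable because each sits alone in its row with the row total published. Complementary suppression hides (0,1) and (1,2) as well, leaving a 2x2 block of unknowns that the marginals cannot resolve. The same peeling check should be run again after any later release that uses the same data with variables from other databases, since a new table can supply the marginal that closes the gap.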
Copying Restrictions. The Licensee is accountable for any copies of the subject data, or subsets, that are made. If the data are copied, the Licensee shall ensure that each copy is:
Only One Backup Copy. The Licensee is permitted to make ONLY ONE BACKUP COPY OF THE ENTIRE DATABASE at the beginning of the loan period. Protect this backup copy under the same Security Procedures as the original database.
If the Licensee plans to make a backup copy of the restricted-use data, the Licensee must state in their SECURITY PLAN: (1) THAT A BACKUP COPY OF THE ENTIRE DATABASE WILL BE MADE, AND (2) WHAT SECURITY PROCEDURES WILL PROTECT THE NCES RESTRICTED-USE DATA FROM DISCLOSURE.
Restricted-use data are licensed for one site only (see section 3.3), and only the following methods shall be used for transporting the data within that site, to a new license site as approved by IES, or to and from IES:
If prospective Licensees cannot meet the security requirements, then they will not be granted a license.
A standalone computer is any single-user PC (e.g., one running a DOS or Windows operating system). Laptop computers are strictly prohibited. See "No Connections to Another Computer" for further information.
Limit room/area access. The data must always be secured from unauthorized access. Computer rooms/areas that process individually identifiable data must be secure during business hours and locked after close of business.
Standalone Computer
If security measures are adequately implemented, follow the Minimum Security Requirements below.
If security measures cannot be adequately implemented, do not use this model for individually identifiable information.
Passwords. When passwords are used, they shall be unique, 6-8 characters in length, contain at least one non-alphanumeric character (e.g., ?, &, +), and be changed at least every three months. See subparagraphs "Lock Computer and/or Room" and "Automatic 'Shutdown' of Inactive Computer" for other password requirements. (For additional details on passwords, see FIPS PUB 112, Password Usage, Section 4.3, "Password System for High Protection Requirements.")
In the absence of an automated password generator, user-selected passwords should be unique, memorable, and NOT dictionary words. One good way to select a password is to make up an easy-to-remember phrase, such as "My Favorite Lake Is Superior", and use the first letter of each word plus a non-alphanumeric character (e.g., ?, +, *) as your password. The result is MFL?IS.
Notification (warning screen). During the log-in or boot-up process, a warning statement should appear on the screen before access is permitted. This statement should stay on the screen for at least ten seconds to ensure that it is readable. The statement should be worded to ensure that the intent of the following is conveyed.
Unauthorized Access to Licensed Individually Identifiable Information is a Violation of Federal Law and Will Result in Prosecution.
If it is not feasible to have this statement appear on the screen of the computer, it should be typed and attached to the monitor in a prominent location. The following is an example of the warning screen:
WARNING
FEDERAL RESTRICTED-USE DATA
UNAUTHORIZED ACCESS TO LICENSED INDIVIDUALLY IDENTIFIABLE INFORMATION IS A VIOLATION OF FEDERAL LAW AND WILL RESULT IN PROSECUTION.
DO YOU WISH TO CONTINUE? (Y)es ___ or (N)o ___
Read-only Access. User access authorization to the original data shall be Read-Only. Restricted-use survey databases are not to be modified or changed in any way. Only reading the original data, and producing extracts and analyses from it, are permitted.
No Connections to Another Computer. When processing individually identifiable information on a standalone computer, shut down any connections to another computer (e.g., via modem, LAN, cable, wireless). For modems, use one of the following methods to prevent unauthorized dial-in access:
The standalone computer cannot be connected to the LAN while subject data are on the system.
Lock Computer and/or Room. When the authorized user is away from the computer, protect the subject data by locking the computer and/or the room. For example, physically lock the computer with its exterior keylock, shutdown the computer and enable its power-on password, or lock the room to prevent an unauthorized individual from gaining access to the computer.
Automatic "Shutdown" of Inactive Computer. Some computers can automatically shutdown, logout, or lockup (e.g., password-protected screen-savers) when a period of defined inactivity is detected. If available, this feature may be used in place of or in addition to locking the computer and/or room. When used, the defined period of inactivity shall be three to five minutes.
Do Not Backup Restricted-Use Data. Licensees shall not make routine or system backups (e.g., daily, weekly, incremental, partial, full) of restricted-use data except for the one backup copy of the entire restricted-use database. (Also see section 3.4.) This restriction does not apply to information extrapolated from the restricted-use data.
Staff Changes. Change passwords accordingly when staff changes are made.
Overwrite Hard Disk Data. Even after files are deleted from computer systems, the information remains in a form that can be recovered by various relatively simple techniques. Active steps must be taken to prevent this possibility. Overwriting writes new data into the file's storage locations, making the previous data unreadable. For example, under DOS, utilities such as WIPEINFO (Norton Utilities' Wipe Information) have an option that overwrites the selected files or disk areas with 0s. Overwriting is necessary when a computer containing restricted-use data is no longer used for an NCES project (e.g., reallocated to other projects) or when the computer needs to be repaired (e.g., hard disk crashes). Note that overwriting a file in place is only reliable where the file system rewrites the same physical sectors: on solid-state drives (which remap blocks for wear leveling) and on journaling or copy-on-write file systems, the old contents may survive elsewhere on the device, so whole-device sanitization or physical destruction of the media is the safer course there.
Note: The DOS "delete" and "erase" commands remove the data's directory entry, but not the data, which remains on the hard disk until the computer needs the space for new data. On hard disks, most versions of the DOS FORMAT command reinitialize the system area but do not overwrite the data area; the disk appears to be empty, but the data are usually recoverable.
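The overwrite step described above, as an added example that is not part of the original chapter and not the WIPEINFO utility it mentions: the file is opened for in-place writing, every byte is replaced with the chosen pattern, the write is forced through to the device with fsync, and only then is the file unlinked. The sample record set is constructed for the demonstration; the three-pass pattern sequence in sanitize_file is an assumption of this example, and the single zero pass the chapter describes is the default of overwrite_file.

```python
import os
import tempfile

# Constructed sample record; stands in for one line of a subject-data extract.
SAMPLE_RECORD = b"respondent_id=000123;grade=8;income=54000\n"


def overwrite_file(path, pattern=b"\x00", chunk_size=64 * 1024):
    """Overwrite every byte of `path` in place with `pattern` (a single byte),
    then force the write through to the device. Returns bytes overwritten.
    Opening with r+b rewrites the existing file rather than creating a new
    one; whether the same physical blocks are reused is up to the file system."""
    if len(pattern) != 1:
        raise ValueError("pattern must be a single byte")
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        remaining = size
        while remaining > 0:
            n = min(chunk_size, remaining)
            fh.write(pattern * n)
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())
    return size


def sanitize_file(path, passes=(b"\x00", b"\xff", b"\x00")):
    """Overwrite with each pattern in turn (zeros, ones, zeros by default,
    an assumption of this example), then unlink. Returns total bytes written."""
    total = 0
    for pattern in passes:
        total += overwrite_file(path, pattern)
    os.remove(path)
    return total


def demo():
    """Write a constructed record set to a temporary file, zero it, and check
    that nothing of the original survives in the file before it is unlinked.
    Returns (bytes_written, fully_zeroed, exists_after_sanitize)."""
    data = SAMPLE_RECORD * 200
    fd, path = tempfile.mkstemp(prefix="rud_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    n = overwrite_file(path)  # single zero pass, as the chapter describes
    with open(path, "rb") as fh:
        after = fh.read()
    zeroed = after == b"\x00" * len(data) and SAMPLE_RECORD not in after
    sanitize_file(path)
    return n, zeroed, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

Overwriting the licensed file itself is only part of the job: statistical packages, editors and the operating system leave copies in temporary files, swap space and crash dumps, so the sanitization plan for a standalone computer should cover those locations (or the whole disk) rather than the data file alone.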