ML16218A418

From kanterella
YA-16-0076: Clarification of the U.S. Nuclear Regulatory Commission's Policy for Protecting and Handling Personally Identifiable Information
ML16218A418
Issue date: 08/05/2016
From: Frederick Brown, NRC/OCIO
To: Kimyata Morgan Butler, (301) 415-0733
References: YA-16-0076

UNITED STATES NUCLEAR REGULATORY COMMISSION

Yellow Announcement: YA-16-0076
Date: August 5, 2016
Expiration Date: July 10, 2019

TO: All NRC Employees

SUBJECT: CLARIFICATION OF THE U.S. NUCLEAR REGULATORY COMMISSION'S POLICY FOR PROTECTING AND HANDLING PERSONALLY IDENTIFIABLE INFORMATION

The purpose of this Yellow Announcement is to clarify the U.S. Nuclear Regulatory Commission's (NRC's) policy on emergency contact lists, duty rosters, and other low-risk personally identifiable information (PII). Specifically, this Yellow Announcement clarifies the exceptions available to NRC employees regarding the removal or use of emergency contact lists, duty rosters, and other low-risk PII.

Background

The NRC has implemented a policy regarding the protection of personally identifiable information (PII) in the workplace. Yellow Announcement No. 2006-0069, Protection of Personally Identifiable Information, dated September 19, 2006, announced the policy that prohibits staff from removing paper documents that contain PII of others from NRC-controlled space, unless the PII has been redacted from the documents or an exception has been granted.

Yellow Announcement No. 2006-0069 states the general exception that is related to removal or use of emergency contact information outside NRC-controlled space and provides that office directors, regional administrators, and their designees may issue specific exceptions in writing.

These written exceptions must describe (a) why unredacted documents are necessary and (b) how the documents will be protected while outside NRC-controlled space. However, Yellow Announcement No. 2007-0071, Privacy at the NRC, dated July 18, 2007, provided links to the PII Project Web page (http://www.internal.nrc.gov/PII/index.html) that did not cite the exceptions to the NRC PII policy. The omission of these exceptions on the PII Project Web page at that time, and in other guidance documents, led some NRC employees to incorrectly conclude that emergency contact lists and duty rosters may not be taken offsite.

What is PII?

PII is information that can be used to identify or contact a person uniquely and reliably, or can be traced back to a specific individual. The NRC defines PII as a person's name in combination with any of the following information:

- Relatives' names
- Home postal address
- Personal e-mail address
- Home or cellular telephone number
- Personal characteristics
- Social Security number
- Date or place of birth
- Mother's maiden name
- Driver's license number
- Bank account information
- Credit card information
- Other information that would make the individual's personal identity easily traceable and useable for unauthorized or criminal purposes

PII may be used by NRC employees when needed for performing business and mission critical functions. However, the use of PII must be limited to use by authorized employees for bona fide business needs. To appropriately protect the confidentiality of PII and ensure its proper handling, the NRC has implemented a risk-based PII policy. The policy considers the risk of improper release and the severity of the potential harm to individuals posed by unauthorized disclosure of PII.

Barring the exceptions stated below, the following controls apply to PII:

Paper copies of PII must not be removed from NRC-controlled space or electronic systems unless the PII has been redacted.

PII transmitted outside the agency network can only be transmitted to authorized recipients and must be encrypted using agency approved encryption techniques.

The following are examples of types of PII that are excepted from the general provisions of the NRC policy based on the risk presented by the potential release:

General Exception: NRC Emergency Contact Listings/Duty Rosters - Those with an official need-to-know may keep employee emergency contact lists of names, home and cellular phone numbers, and home e-mail addresses, in paper form or stored in personal electronic devices, outside of NRC-controlled space.

Specific Exceptions - Office directors, regional administrators, and their designees may issue specific exceptions. However, the exceptions must be in writing and describe why unredacted documents are necessary and how the documents will be protected while outside NRC-controlled space. These specific exceptions shall be granted infrequently and a copy of the written exception must be provided to the Chief Information Officer (CIO).

Personal Exception - Individuals may control the release, transport, and transmission of their own PII in conducting personal business or as necessary for agency use, such as for payroll or travel records. Using un-encrypted electronic or voice communications or carrying un-redacted hard copies of one's own PII represents a degree of risk for the loss of that information.

The following are examples of information that are not covered by the PII policy because they do not constitute PII as submitted or used:

Adjudicatory Filings, Documents Associated with Agency Rulemakings, and Correspondence Received from the Public on Regulatory Matters - Home addresses, home phone numbers, or home e-mail addresses that individuals choose to include in these submissions are not considered PII because they are voluntarily submitted as part of a public process.

NRC Employee's Name, Title, Work Telephone Number, Official Work Address, and Work E-Mail Address - The NRC does not consider these to be PII, since they are not personal information subject to misuse and reflect the employee's professional identity rather than his or her private information.

OCIO's Privacy Team staff has identified several agency guidance documents that fail to clearly articulate the exceptions above and is in the process of reviewing and updating all PII-related guidance documents.

How is PII Properly Protected and Handled?

As a reminder, to properly protect PII, all NRC employees must:

- Ensure that PII is stored only when it is necessary and is accessible only to those NRC employees who have a need to know the information to perform their official duties.
- Identify files that contain PII and delete those files no longer required to conduct official agency business.
- Automatically lock out after 15 minutes (or less) of user inactivity on all laptops or mobile devices on which PII is stored.
- Maintain PII in a manner that will ensure no inadvertent or unauthorized disclosures:
  - Do not leave PII in open view of others; secure paper records in a locked drawer when away from your desk; and always store electronic PII in a restricted access file.
  - Do not place PII on a SharePoint or other shared network drive unless it is under appropriate access controls.
  - Dispose of paper containing PII in burn boxes.

If you have any questions regarding PII, please contact the NRC Acting Privacy Officer, Sally Hardy, 301-415-5607.

/RA/

Frederick D. Brown, Acting Chief Information Officer
Office of the Chief Information Officer

Management Directive Reference:

MD 3.2, "Privacy Act," Section V, Responsibilities of NRC Employees who work with Records Containing Information about Individuals


* Concurrence via e-mail

OFFICE   OCIO/CSD   OCIO/CSD         OCIO/CSD    OCIO/CSD                  OGC (NLO)     OCIO
NAME     SHardy*    KMorganButler*   AImboden*   PHirsch* (AImboden for)   NNoelliste*   FBrown*
DATE     08/05/16   08/05/16         08/05/16    08/05/16                  08/04/16      08/05/16