ML21287A171

YA-21-0085: Reminder to NRC Employees and Contractors of Their Responsibilities for Protecting and Handling Privacy and Personally Identifiable Information
Person / Time
Issue date: 10/25/2021
From: David Nelson, NRC/OCIO
To: Hardy S
References: YA-21-0085


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
Yellow Announcement: YA-21-0085
Date: October 21, 2021
Expiration Date: October 21, 2026

TO:

All NRC Employees and Contractors

SUBJECT:

REMINDER TO NRC EMPLOYEES AND CONTRACTORS OF THEIR RESPONSIBILITIES FOR PROTECTING AND HANDLING PRIVACY AND PERSONALLY IDENTIFIABLE INFORMATION

This Yellow Announcement reminds staff of their responsibilities for protecting and handling privacy and personally identifiable information (PII). PII may be used by U.S. Nuclear Regulatory Commission (NRC) staff when needed for performing business and mission critical functions. However, the use of PII must be limited to use by authorized employees for business needs. Please review the information below.

What is PII?

PII is information that can be used to identify or contact a person uniquely and reliably, or can be traced back to a specific individual. The NRC defines PII as a person's name in combination with any of the following information:

  • Relatives' names
  • Home postal address
  • Personal e-mail address
  • Home or cellular telephone number
  • Personal characteristics
  • Social Security number
  • Date or place of birth
  • Mother's maiden name
  • Driver's license number
  • Bank account information
  • Credit card information
  • Medical or disability information
  • Biometric record, or
  • Other information that would make the individual's personal identity easily traceable and useable for unauthorized or criminal purposes.

Storing PII:

Access to PII should always be restricted to only those who have a need to know, regardless of where the information is maintained.

Shared Drives: Store PII on shared access computer network drives (shared drives) ONLY if access is restricted to those with a need to know by permissions settings or passwords.

SharePoint or ADAMS: Store PII on SharePoint or ADAMS ONLY if access is restricted to those with a need to know by permissions settings or passwords.

Paper/Hard Copy PII in the Workplace:

Never leave PII in hard copy unattended or unsecured. Physically secure PII (e.g., in a locked drawer, cabinet, desk, or safe) when not in use or not otherwise under the control of a person with a need to know.

Paper copies of PII must not be removed from NRC-controlled space or electronic systems unless the PII has been redacted.

Emailing PII:

PII transmitted outside the agency network can only be transmitted to authorized recipients and must be encrypted using agency-approved encryption techniques.

Before emailing PII, confirm that you have the correct email address.

Never email PII information to a personal email account.

Collect PII Only as Authorized:

Before collecting or maintaining PII information, be sure that:

1. You have the legal authority to do so;
2. The data collection is consistent with the terms of a Privacy Act System of Records Notice (SORN), whenever applicable (see https://www.nrc.gov/reading-rm/foia/privacy-systems.html);
3. If you are collecting or maintaining PII information, be sure to check with the Privacy Officer to determine if your collection, database, or system requires a Privacy Impact Assessment (PIA), Privacy Threshold Analysis and/or compliance with the Federal Information System Management Act (FISMA), and
4. When collecting PII from members of the public, ensure that all paper or electronic forms or processes are reviewed and approved by the NRC Forms Manager before collection.

Collecting personal information from members of the public may trigger additional requirements under the Paperwork Reduction Act (PRA), and may also require a Privacy Act Statement.

Limit Sharing of PII:

Internally: You are authorized to share PII with another NRC employee or contractor only if the recipient's need for the information is related to their official duties.

Externally: PII that is contained within a Privacy Act System of Records may only be shared outside the NRC with the written consent of the individual or in accordance with one of the statutory exceptions in the Privacy Act, including in furtherance of a published routine use in the applicable SORN. PII that is not maintained within a Privacy Act System of Records is to be treated in accordance with applicable agency policy for the handling of sensitive internal information.

PII in Electronic Form:

PII should only be accessed using NRC-approved electronic devices and should always be protected; access should be restricted to only those who have a need to know.

Personally owned computers should not be used to access, save, or store PII unless you log in through the NRC via CITRIX. This applies to all individuals on an approved telework program.

Reporting Privacy Incidents:

You must report immediately all suspected or confirmed privacy incidents involving the loss or compromise of PII to CSIRT@nrc.gov.

If you have questions regarding PII, please contact the NRC Privacy Officer, Sally Hardy, 301-415-5607.

/RA/

Scott C. Flanders
Office of the Chief Information Officer

Management Directive Reference:

MD 3.2, "Privacy Act," Section V, Responsibilities of NRC Employees who work with Records Containing Information about Individuals.


Concur via e-Concurrence

OFFICE   OCIO/GEMSD      OCIO/GEMSD/D    OCIO/ITSDOD     OCIO/DD
NAME     GNalabandian*   JMoses*         AGlazer*        SFlanders*
DATE     10/19/2021      10/20/2021      10/20/2021      10/21/2021