{
    "version" : "https://jsonfeed.org/version/1",
    "content" : "news",
    "type" : "single",
    "title" : "Tackling PII in Electronic Data | Digital.gov",
    "description": "Tackling PII in Electronic Data",
    "home_page_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/","feed_url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/2013/09/23/tackling-pii-in-electronic-data/index.json","item" : [
    {"title" :"Tackling PII in Electronic Data","summary" : "As non-lawyers peering into the legal world, be advised this post is not official legal advice from the Office of General Counsel. These are our impressions and what we took away from the Legal Learning Series session Social Media – Privacy, Records and Litigation.","date" : "2013-09-23T18:11:36-04:00","date_modified" : "2025-01-27T19:42:55-05:00","authors" : {"tlowden" : "Tim Lowden"},"topics" : {
        
            "content-strategy" : "Content strategy",
            "privacy" : "Privacy",
            "social-media" : "Social media"
            },"branch" : "bc-archive-content-3",
      "filename" :"2013-09-23-tackling-pii-in-electronic-data.md",
      
      "filepath" :"news/2013/09/2013-09-23-tackling-pii-in-electronic-data.md",
      "filepathURL" :"https://github.com/GSA/digitalgov.gov/blob/bc-archive-content-3/content/news/2013/09/2013-09-23-tackling-pii-in-electronic-data.md",
      "editpathURL" :"https://github.com/GSA/digitalgov.gov/edit/bc-archive-content-3/content/news/2013/09/2013-09-23-tackling-pii-in-electronic-data.md","slug" : "tackling-pii-in-electronic-data","url" : "/preview/gsa/digitalgov.gov/bc-archive-content-3/2013/09/23/tackling-pii-in-electronic-data/","content" :"\u003cp\u003e\n  \u003ca href=\"https://s3.amazonaws.com/digitalgov/_legacy-img/2013/09/person-holding-hand-up-in-front-of-camera.jpg\"\u003e\u003cdiv class=\"image\"\u003e\n  \u003cimg\n    src=\"https://s3.amazonaws.com/digitalgov/_legacy-img/2013/09/person-holding-hand-up-in-front-of-camera.jpg\"\n    alt=\"person holding hand up in front of camera\"/\u003e\u003c/div\u003e\n\n\u003c/a\u003eAs non-lawyers peering into the legal world, be advised this post is not official legal advice from the Office of General Counsel. These are our impressions and what we took away from the Legal Learning Series session Social Media \u0026#8211; Privacy, Records and Litigation.\n\u003c/p\u003e\n\u003cp\u003e\n  Do you collect comments and post photos on your agency social media accounts and websites? If so, are you aware that much of that content could possibly be considered personally identifiable information (PII)?\n\u003c/p\u003e\n\u003cp\u003e\n  PII is, at times, a clever disguise artist. Although something may not seem like PII on the surface, you need to dig deeper to better understand the nuances.  
At GSA’s fourth installment of the “Legal Learning Series,” federal employees learned the different forms that electronic data can take and what their agencies need to do to ensure we can collect important data while still protecting people’s privacy.\n\u003c/p\u003e\n\u003cp\u003e\n  Some 80 participants gathered to hear from two distinguished speakers\u0026#8211;Kathy Harman-Stokes, Chief Privacy Officer at the CFTC and Alex Tang, Attorney in the Office of General Counsel at the FTC\u0026#8211;detail the ins and outs of electronic PII acquisition and performing the requisite privacy impact assessments (PIAs). Here are some key takeaways from the presentation:\n\u003c/p\u003e\n\u003cp\u003e\n  \u003cstrong\u003ePII is nearly ubiquitous in social media and on the web\u003c/strong\u003e\n\u003c/p\u003e\n\u003cp\u003e\n  The term “PII,” as defined in \u003ca href=\"http://www.whitehouse.gov/sites/default/files/omb/memoranda/fy2007/m07-16.pdf\"\u003eOMB Memorandum M-07-16\u003c/a\u003e refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Social media and the web happen to be chock full of PII, but it’s not always immediately evident. It’s important to find any PII collected in electronic data, as well as follow the regulations regarding it.\n\u003c/p\u003e\n\u003cp\u003e\n  Examples of information your agency might be collecting that probably has PII include:\n\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eComments (on Facebook, blogs, etc)\u003c/li\u003e\n\u003cli\u003ePhotos of people\u003c/li\u003e\n\u003cli\u003eVideo/Audio (including live cams)\u003c/li\u003e\n\u003cli\u003eGeolocation or mapping data\u003c/li\u003e\n\u003cli\u003eMobile app user data\u003c/li\u003e\n\u003cli\u003eWeb tracking, user preference and experience cookies, logs (i.e. 
IP addresses, analytics, etc)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\n  \u003cstrong\u003eMy agency is collecting PII, what next?\u003c/strong\u003e\n\u003c/p\u003e\n\u003cp\u003e\n  Good question. \u003ca href=\"http://www.whitehouse.gov/omb/memoranda_m03-22#b\"\u003eSection 208 of the E-Government Act\u003c/a\u003e requires that a privacy impact assessment (PIA) be conducted when developing or acquiring electronic IT that will “collect, maintain, or disseminate” PII. Of note, OMB requires PIAs \u003cem\u003e\u003cstrong\u003ebefore\u003c/strong\u003e\u003c/em\u003e using third-party sites and applications whenever PII will be made available to your agency. A PIA is a documentation of the analysis of privacy risks and steps taken to mitigate them, and must be \u003ca href=\"http://www.gsa.gov/portal/content/102237\"\u003epublicly posted\u003c/a\u003e after approval by your agency’s CIO or other official designated by the department/agency head.\n\u003c/p\u003e\n\u003cp\u003e\n  Required contents of a PIA (this list is not exhaustive; refer to the \u003ca href=\"http://www.whitehouse.gov/omb/memoranda_m03-22#b\"\u003eact\u003c/a\u003e for more information) :\n\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003ePurpose: why does the agency need the PII? Is it absolutely necessary?\u003c/li\u003e\n\u003cli\u003eAuthority: are there laws/regulations against the collection of specific PII (e.g. SSN information, \u003ca href=\"http://www.ftc.gov/ogc/coppa1.htm\"\u003eCOPPA\u003c/a\u003e data about kids 13 and under, etc.)?\u003c/li\u003e\n\u003cli\u003eSources: what PII will be available and where is it coming from? 
What will be collected, maintained, and/or disseminated?\u003c/li\u003e\n\u003cli\u003eUsage: what are the intended uses of the PII both now and in the future?\u003c/li\u003e\n\u003cli\u003eAccess: who will have access to the information and how will you prevent unauthorized use?\u003c/li\u003e\n\u003cli\u003eSharing: with whom outside your agency will the information be shared?\u003c/li\u003e\n\u003cli\u003eNotice: how will the public be notified? The privacy policy must disclose third party sites and apps as well as be publicly posted, as does the PIA.\u003c/li\u003e\n\u003cli\u003eChoice \u0026amp; Consent: will the public have an option not to share PII? Will they have a choice to opt-in or opt-out of their PII being shared?\u003c/li\u003e\n\u003cli\u003eSecurity: how will the information be protected, and what are the risks involved? How will the agency address those risks? A breach response plan is required.\u003c/li\u003e\n\u003cli\u003eRetention/Disposal: how will the PII be stored and for how long? What are the methods of disposal?\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\n  For more information contact Kathy Harman-Stokes at \u003ca href=\"mailto:kharman-stokes@cftc.gov\"\u003ekharman-stokes@cftc.gov\u003c/a\u003e or Alex Tang at \u003ca href=\"mailto:atang@ftc.gov\"\u003eatang@ftc.gov\u003c/a\u003e.\n\u003c/p\u003e"}
  ]
}
