General Privacy FAQs
Published, September 11, 2018
The following is a list of general frequently asked questions of the Office of the Chief Information Officer (OCIO) Privacy Team.
What is PII?
PII stands for personally identifiable information. The definition of PII used throughout the federal government, including the Department of the Navy (DON), comes from the Office of Management and Budget (OMB) Circular A-130, Managing Information as a Strategic Resource: "Personally identifiable information means information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. Because there are many different types of information that can be used to distinguish or trace an individual's identity, the term PII is necessarily broad." Your name and other elements such as date of birth (DOB), Social Security number (SSN), passport number, fingerprints, etc. fall under the definition of PII.
What is a PII Breach?
The Office of Management and Budget (OMB) defines a breach in its memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, as "The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose."
What PII can be Shared Without Causing a Breach?
DON uses the Office of Management and Budget (OMB) Circular A-130 definition of PII, which is the standard throughout the federal government. In many cases, when someone asks whether an identifying element is PII, what is really being asked is "is the release of this PII element a PII breach?" More broadly: what PII is it okay to share without causing a breach? In the DON, there are two blanket cases where disclosure of PII is not a reportable breach.
First, if it is your PII, or that of your dependents, you are free to share it with anyone you like, without taking any precautions to prevent further dissemination. This is fraught with risk, however, and the DON privacy office neither recommends nor encourages it; in fact, it is strongly discouraged. Properly protecting your own PII, and the PII of those who rely on you to protect it, is critical to thwarting identity theft.
Second, there are PII elements which are generally releasable to members of the public under the Freedom of Information Act (FOIA), or whose release is authorized by DoD policy. These PII elements are typically referred to as "rolodex PII, business PII, office PII or internal government operations related PII." They include full name, DoD ID, DoD benefits number, pay grade or rank, office phone number, office address, and office email address. Considering the above, a digital signature, which includes your name and DoD ID, is PII by definition, but its release does not constitute a breach; nor does the typical email signature block. The information contained in the Global Address List (GAL) is another example: rolodex PII there is accessible to anyone with a common access card (CAC), and that access is not considered a breach.
The release of rolodex PII can of course become a breach; it depends upon the circumstances and context of the release.
If in doubt as to whether or not the release of any PII elements alone or in combination is a breach, report it.
How Do I Report a Breach?
All members of the DON have a responsibility to report a breach, actual or suspected, when discovered. If you discover a breach, notify your supervisor or command privacy officer.
Within one hour of discovery, commands should report breaches to the Department of the Navy (DON) Office of the Chief Information Officer (OCIO) using the Secretary of the Navy (SECNAV) 5211/1 breach reporting form. It is important to report within the one-hour window even when all the details are not yet known, so that actions to mitigate the breach can be initiated. Supplemental reports using SECNAV 5211/1 can be submitted as appropriate.
See the PII Breach Reporting Resources page for access to the breach reporting forms, a convenient breach reporting desktop guide and other information on breaches within the DON.
What Happens After a Breach is Reported?
Within 24 hours of the OCIO privacy team receiving a breach report, the following action will occur:
- OCIO assigns a breach report tracking number.
- If necessary, OCIO will contact the reporting command for additional information. OCIO will also determine the command that is accountable for breach mitigation actions (normally the reporting command is accountable for the breach).
- OCIO will conduct a risk analysis to determine if written notification to affected individuals is required.
- OCIO will inform the accountable command if written notification to affected individuals is required.
- Should notification be directed, accountable commands have 10 days to notify impacted individuals. Note: notification may be delayed if law enforcement or computer forensics require additional time for investigation and/or testing.
- Within 30 days of being notified of the risk analysis and notification determination, accountable commands will submit the SECNAV 5211/2 after action report to close the breach.
In rare instances, the magnitude of a breach, either because of the high number of impacted individuals or because of the severity of the compromise, will require the Senior Component Official for Privacy (SCOP) for the Navy, the Under Secretary/CIO, to convene the DON breach response team (BRT). The BRT will manage the response for the DON, including notifying DoD. Typically, the BRT will coordinate with the reporting command via the OCIO privacy staff.
See the PII Breach Reporting Resources page for access to the breach reporting form and other information on breaches within the DON.
What is the Difference Between a Breach and a Spillage?
Breach is the term used to identify the compromise or suspected compromise of PII. Spillage is the term used when discussing a compromise of classified information.
Is My Name or the DoD ID Number PII?
Yes, your name and your DoD Identification (ID) Number are PII. They fit the OMB definition in that they can be used to distinguish or trace your identity.
What many people really want to know when they ask this question is: is the release of my DoD ID or name, such as in my digital signature or email signature block, a breach? In general, no. The DoD ID number, by itself or with an associated name, shall be considered internal government operations-related PII, and exposure of the DoD ID number shall not be considered a breach when it is exposed as part of a DoD business function.
See the DoD information paper: "The DoD Identification (ID) Number as PII".
Can I FAX PII?
DON policy prohibits the use of a FAX machine to send the SSN or other PII except under the following circumstances:
- When another more secure means of transmitting PII is not practical.
- When a process outside of DON control requires FAXing to activities such as the Defense Finance and Accounting Service (DFAS), TRICARE, Defense Manpower Data Center (DMDC), etc.
- In cases where operational necessity requires expeditious handling.
- When the PII being FAXed is internal government operations related PII only, e.g. office phone number, rank, job title, etc.
When sending a FAX, use a Privacy Act Data Cover Sheet (DD FORM 2923) and verify receipt by the correct addressee.
See DON CIO Washington DC 081745Z NOV 12.
Do files containing PII on a shared network drive need to be labeled FOUO/PII?
According to DoDM 5200.01-V4, Enclosure 3, Paragraph 2.C.(3)(g) (page 14):
"When FOUO information is contained in media or material (including hardware and equipment) not commonly thought of as documents (e.g., computer files and other electronic media, audiovisual media, chart, maps, films, sound recordings), the requirement remains to identify, as clearly as possible, the information that requires protection. The main concern is that holders and users of the material are clearly notified of the presence of FOUO information. The markings required by this enclosure shall be applied either on the item or the documentation that accompanies it."
The file name itself does not necessarily need to contain the PII/FOUO marking, as long as the people accessing the file know that it contains PII/FOUO and the file's permissions restrict access to only those individuals with a need to know.
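The "restricted permissions" condition above is the part a command can actually verify. The following PowerShell snippet is an added example, not part of the DON FAQ or any DON tool: it walks a share and flags files whose NTFS ACL grants access to broad principals (everyone, all authenticated users, all domain users), which is the opposite of need-to-know. The share path, the domain name CONTOSO, and the list of broad principals are assumptions to adjust for your environment.

```powershell
# Added example (not DON-provided): audit a share for PII files whose ACLs are
# not restricted to a need-to-know group.
# The share path below is hypothetical.
$SharePath = '\\fileserver\dept\PII'

# Principals that effectively mean "everyone" on a domain-joined file server.
# Assumption: CONTOSO is a placeholder for your domain; extend the list with any
# other catch-all groups your organization uses.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'CONTOSO\Domain Users'
)

Get-ChildItem -Path $SharePath -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $acl  = Get-Acl -Path $file.FullName

        # Keep only Allow entries granted to one of the broad principals.
        $broad = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $_.IdentityReference.Value
        }

        if ($broad) {
            # One row per offending file; Inherited tells you whether the fix
            # belongs on the file or on a parent folder.
            [PSCustomObject]@{
                File      = $file.FullName
                Inherited = ($broad.IsInherited -contains $true)
                GrantedTo = ($broad.IdentityReference.Value | Sort-Object -Unique) -join '; '
                Rights    = ($broad.FileSystemRights | Sort-Object -Unique) -join '; '
            }
        }
    } | Format-Table -AutoSize
```

Run it from an account that can read the ACLs on the share. A file that appears in the output fails the need-to-know condition regardless of how it is named, so labeling it FOUO/PII in the file name would not by itself satisfy the guidance quoted above; the permissions have to be tightened.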