Privacy Frequently Asked Questions (FAQs)
What is Personally Identifiable Information (PII)?
Personally Identifiable Information (PII) is information in an Information Technology (IT)
system or collection that directly identifies an individual (e.g., name, address, social security
number or other identifying number or code, telephone number, email address, etc.). In addition,
PII may be comprised of information by which an agency intends to identify specific individuals
in conjunction with other data elements. These data elements may also include gender, race, birth
date, geographic indicator and other descriptors.
The Office of Management and Budget (OMB) defines PII as: “Any information about an
individual maintained by an agency, including but not limited to, education, financial
transactions, medical history, and criminal or employment history and information that can be
used to distinguish or trace an individual's identity, such as his or her name, SSN, date and place
of birth, mother's maiden name, biometric records, etc., including any other personal information
that is linked or linkable to an individual.” – OMB 07-16
PII should not be confused with “private” information. Private information is information that an
individual prefers not to make publicly known, e.g., because of the information’s sensitive
nature. Personally identifiable information is much broader in scope and includes all information
that can be used to directly or indirectly identify individuals.
The Federal government has been trying for years to solidify a definition to use, but the closest
we can come is the subtext used in OMB-07-16. The most simplistic definition is to consider PII
to be information that can be linked or linkable to a specific individual.
Regardless of whether it is publicly available or not, it is still “identifying information”, or PII.
However, what federal employees must be wary of is Personally Sensitive PII.
Not all PII is sensitive. For example, information on a business card or in a public phone
directory is considered identifying information. But, in most cases it is not sensitive PII, because
it is usually widely available information. PII that is releasable to the public in accordance with
the Freedom of Information Act (FOIA) or is commonly used in the work environment is not
considered to be of risk to an individual (or to the agency). PII of this nature is not “sensitive”.
However, it is PII nevertheless; and it needs to be protected.
The data or identifiable factor must be examined in its context of use. Context of use can make
personal information be regarded as sensitive if the list is contextually associated with sensitive
information. For example, a list of names and addresses of people subscribing to a government
newsletter is PII, but it is not sensitive PII. Change the title of the top of the page to a list of
people receiving treatment for substance abuse and it becomes sensitive information. As well as
context, the association of two or more non-sensitive PII elements may result in sensitive PII. A
social security list on a sheet of paper is not dangerous until paired with a name or other
individualizing factor.
The definition of PII is very broad and makes no distinction between “sensitive” and “non-sensitive” information. If an individual can be identified, it is PII. Sensitive PII is defined as
personally identifiable information which, if lost, compromised, or disclosed without
authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to
an individual. This is the information that we should be especially looking to safeguard at all
times. Still, even if information is not sensitive (even if publicly available), the U.S. Forest
Service cannot release that PII without consent. Therefore, any and all personally identifying
information collected, stored and used by the Federal government needs to be protected.
What is Personally Sensitive Information?
Personally Sensitive Information (PSI) is an official U.S. Forest Service record that is Personally
Identifiable Information (PII) or non-public information, which if lost, compromised, or
disclosed without authorization could result in substantial harm, embarrassment, inconvenience,
or unfairness to an individual. Information classified as PSI therefore requires stricter handling
guidelines to protect against any anticipated threats or hazards to security or integrity because of
the increased risk to an individual. PSI should only be used if a need for the information relates
to the official duties of the U.S. Forest Service.
PII is considered private if it is associated with an individual. A person's SSN or TIN, credit card
numbers, and other financial information may be considered PSI if their disclosure might lead to
crimes such as identity theft or fraud. Some types of PSI information, including records of a
person's health care, education, and employment may be protected by privacy laws.
The data or identifiable factor must be examined in its context of use. Context of use can make
personal information be regarded as PSI if the list is contextually associated with sensitive
information. For example, a list of names and addresses of people subscribing to a government
newsletter is PII, but it is not sensitive PII. Change the title of the top of the page to a list of
people receiving treatment for substance abuse or a communicable disease and it becomes
sensitive information. As well as context, the association of two or more non-sensitive PII
elements may result in PSI. A social security list on a sheet of paper is not dangerous until paired
with a name or other individualizing factor.
The PSI label (coupled with the designation of Controlled Unclassified Information) is intended
for the control of access to information or knowledge that might result in loss of an advantage or
level of security if disclosed to others. Unauthorized disclosure of PSI can make the perpetrator
liable for civil remedies and may in some cases be subject to criminal penalties. Loss, misuse,
modification or unauthorized access to sensitive information can adversely affect the privacy or
welfare of an individual, trade secrets of a business or even the security, internal and foreign
affairs of a nation depending on the level of sensitivity and nature of the information.
Note: Nonpublic information is information that the employee gains by reason of Federal
employment and that he or she knows or reasonably should know has not been made available to
the general public.
Nonpublic Government information includes, but is not limited to:
• information that is exempt from disclosure under the Freedom of Information Act,
• information that the agency has designated as confidential, or
• information that has not actually been disseminated to the general public and is not
authorized to be made available to the public upon request
Executive branch employees may not use or allow the use of sensitive or nonpublic government
information to further their own private interests or the private interests of others. In addition to
violating the Standards of Conduct, the actions may also violate Federal statutes prohibiting the
use and disclosure of confidential and inside information.
What are the Fair Information Privacy Principles (FIPPs)?
In order to assure that any personal information submitted to the U.S. Forest Service (FS) is
properly protected, the agency has devised principles to be applied when handling personal
information. This is referred to as the “Code of Fair Information Privacy Principles (FIPPs)”.
Principle 1 – Accountability
An organization is responsible for personal information under its control and shall designate an
individual or individuals who are accountable for the organization’s compliance with the
following principles.
Principle 2 – Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization
at or before the time the information is collected.
Principle 3 – Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of
personal information, except where inappropriate.
Principle 4 – Limiting Collection
The collection of personal information shall be limited to that which is necessary for the
purposes identified by the organization. Information shall be collected by fair and lawful means.
Principle 5 – Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was
collected, except with the consent of the individual or as required by law. Personal information
shall be retained only as long as necessary for the fulfillment of those purposes.
Principle 6 – Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the
purposes for which it is to be used.
Principle 7 – Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of
the information.
Principle 8 – Openness
An organization shall make readily available to individuals specific information about its policies
and practices relating to the management of personal information.
Principle 9 – Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her
personal information and shall be given access to that information. An individual shall be able to
challenge the accuracy and completeness of the information and have it amended as appropriate.
Principle 10 – Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above
principles to the designated individual or individuals accountable for the organization’s
compliance.
The FIPPs are set forth in policies that U.S. Forest Service employees will follow when handling
personal information. Any U.S. Forest Service employee or contractor who handles the personal
information of others must abide by the principles set forth by the following Codes:
1) When the U.S. Forest Service collects personal data, we will inform the public of the
intended uses of the data, the disclosures that will be made, the authorities for the
collection, and whether the collection is mandatory or voluntary. We will collect no data
subject to the Privacy Act unless a Privacy Act System of Record Notice has been
published in the Federal Register.
2) Unless the U.S. Forest Service has claimed an exemption from the Privacy Act, we will,
upon request, grant an individual access to records; provide the individual a list of
disclosures made outside the Agency; and make corrections to the individual’s file, once
shown to be in error.
3) The U.S. Forest Service will collect only those personal data elements required to fulfill
an official function or mission grounded in law. Those collections are conducted by
lawful and fair means.
4) The U.S. Forest Service will retain an individual’s personal information only as long as
necessary to fulfill the purposes for which it is collected. Records will be destroyed in
accordance with established U.S. Forest Service records management schedules.
5) The U.S. Forest Service will maintain only accurate, relevant, timely, and complete data
about the public.
6) The U.S. Forest Service will use an individual’s personal data only for lawful purposes.
Access to the individual’s data will be limited to U.S. Forest Service employees and
contractors with an official need for access.
7) U.S. Forest Service employees and contractors will safeguard the public’s personal data
to ensure that all disclosures are made with an individual’s written permission or are
made in strict accordance with the Privacy Act.
8) The public’s personal data is protected by appropriate safeguards to ensure security and
confidentiality. Electronic systems will be periodically reviewed for compliance with the
security principles of the Privacy Act, the Computer Security Act, and related statutes.
Electronic collections will be accomplished in a safe and secure manner.
9) U.S. Forest Service employees and contractors are subject to civil and criminal penalties
for certain breaches of Privacy. The U.S. Forest Service is diligent in sanctioning
individuals who violate Privacy rules.
10) The public may challenge the U.S. Forest Service if an individual believes the agency has
failed to comply with these principles, the Privacy Act, or the rules of a system of records
notice. Challenges may be addressed to the person accountable for compliance with this
Code, to the U.S. Forest Service Privacy Act Officer, or the U.S. Forest Service Freedom
of Information Act (FOIA) Officer at:
Mailing Address:
USDA FS, FOIA Service Center
1400 Independence Avenue, SW
Mail Stop: 1143
Washington, DC 20250-1143
FEDEX Address
USDA Forest Service FOIA Service Center
ORMS/RIS
201 14th Street, SW
1st Floor, SW Wing
Washington, DC 20250
Your correspondence may also be sent via fax or email:
Fax your request to: (202) 260-3245
Email your correspondence to: wo_foia@fs.fed.us
Main Number: (202) 205-1542
What are U.S. Forest Service employees and contractors required to do?
The U.S. Forest Service work force is required to:
• Ensure that personal information contained in a system of records, to which they have
access to or are using incident to the conduct of official business, shall be protected so
that the security and confidentiality of the information shall be preserved.
• Not disclose any personal information contained in any system of records except as
authorized. Personnel willfully making such a disclosure when knowing that disclosure is
prohibited are subject to possible criminal penalties and/or administrative sanctions.
• Report any unauthorized disclosures of personal information from a system of records or
the maintenance of any system of records that are not authorized to your local Privacy
Act Officer or to their supervisor.
• Ensure that all personnel who either shall have access to the system of records or who
shall develop or supervise procedures for handling records in the system of records shall
be aware of their responsibilities for protecting personal information being collected and
maintained under the Privacy Program.
• Prepare promptly any required new, amended, or altered systems notices for the system
of records and submit them through the Washington Office Privacy Officer for
publication in the Federal Register.
• Not maintain any official files on individuals that are retrieved by name or other personal
identifier without first ensuring that a Privacy Act system of records notice has been
published in the Federal Register. Any official who willfully maintains a system of
records without meeting the publication requirements of the Privacy Act is subject to
possible criminal penalties and/or administrative sanctions.
The U.S. Forest Service work force is instructed in and made aware of the following:
• Ask, “If I do this, will I increase the risk of unauthorized access?”
• Do not share it with anyone outside of the U.S. Forest Service unless:
  o The recipient is listed in Section (b) of the Privacy Act or
  o The record’s subject has given you written permission to disclose it.
• Make sure that access controls are in place to limit access to files/folders that contain PII
to those with a “need to know.”
  o Password-protect and encrypt personal data placed on shared drives, the Internet
  or the Intranet.
  o Issue passwords only to those with a clear need for access.
• Remove it once it no longer needs to be posted.
• Never post privacy data to E-Workplace, SharePoint or Outlook.
• Never leave your laptop unattended.
  o Keep your laptop in a secure government space or secured under lock and key
  when not in use.
  o Laptops and mobile electronic equipment must have full disk encryption.
• Mark all external drives or mobile media as “Property of USDA/USFS”
• If encryption is not available, do not create, store, or transmit PII on Information
Technology (IT) equipment.
• Ensure PII resides only on government furnished IT equipment. Never store PII on
personal devices.
• Do not maintain PII on a public web site or electronic bulletin board.
• Verify the printer’s location prior to sending a document containing PII to the printer, and
promptly pick up all copies of the documents as soon as they are printed.
• Double check the fax number prior to transmitting documents with PII, and ensure
someone is standing by on the receiving end of the fax. Do not fax PII to unattended fax
machines.
• Ensure all printed documents with PII are properly marked with “CUI–Privacy
Sensitive.”
• Do not discard documents with PII in trash or recycle bins.
  o Destroy U.S. Forest Service records in accordance with the U.S. Forest Service
  Records Schedule.
  o Dispose of documents containing PII by making them unrecognizable by
  shredding, pulping, or burning.
  o Disposal methods are considered adequate if the personal data is rendered
  unrecognizable or beyond reconstruction.
  o Documents containing PII may also be placed in a burn bag for destruction.
• Ensure all hard drives are degaussed, properly marked, and accounted for prior to turn in.
• Limit storage of PII on shared drives and folders whenever possible.
What are the privacy laws, regulations, rules and mandates?
Privacy law in the United States
In the United States, unlike most developed countries, there is no overarching and
comprehensive federal-level law protecting against personal information being collected and
stored. Instead, the U.S. has a patchwork of laws covering different types of data protection, with separate laws for medical record privacy, financial privacy, telemarketing, credit reporting
and even video rentals. Like any patchwork system, there are a lot of holes. With technology
constantly and quickly evolving, our patchwork system of laws and policies is often lagging
behind industry innovations.
The "right to privacy" is something many of us take for granted - but it's not mentioned in the
Bill of Rights or the Constitution. Reflecting this, the Privacy Act of 1974 does not actually
cover privacy in the traditional way that it is thought of in regard to secrecy, being left alone, or
requiring a quiet space. The Privacy Act of 1974 is primarily about governmental procedure
when it comes to the collection and use of personal information.
Regulations and Mandates
As an agency in the Federal government, the U.S. Forest Service is required to comply with all
current applicable Federal privacy laws, regulations and guidance, and must establish and apply
data safeguards. Protecting Personally Identifiable Information (PII) is the primary focus.
However, the following tasks are also priorities:
• Support mechanisms that allow individuals to review records about themselves and
amend their personal records if there is erroneous information;
• Keep a record of disclosures made outside of the U.S. Forest Service to authorized
routine uses described in the Privacy Act system notice;
• Maintain only accurate, timely, and complete information;
• Follow the Privacy Act and other regulations regarding the release and/or withholding of
information;
• Ensure contracts involving Privacy Act data contain the appropriate Federal Acquisition
Regulation (FAR) privacy clauses;
• Factor Privacy into the workplace; and
• Develop best practices.
Federal Mandates
The Privacy Act of 1974 protects an individual's privacy from unwarranted invasion by requiring
that personal information in possession of Federal agencies is properly used, and that agencies
institute measures to prevent any potential misuse of information in their possession. The
Privacy Act of 1974:
• Controls the use of personal information by restricting Federal agencies' collection,
maintenance, use, and dissemination of personal information.
• Allows individuals to access information about themselves that agencies maintain.
• Allows individuals to correct their records when the information is not accurate, relevant,
timely, or complete.
• Controls the disclosure of personal information in possession of a Federal agency.
• Requires that agencies follow mandated policies and procedures.
The Computer Matching and Privacy Protection Act of 1988, and the Computer Matching and
Privacy Protection Amendments of 1990 concern the electronic sharing of information. These
laws:
• Apply to automated systems of records when the information in the systems is shared
between Federal or non-Federal agencies.
• Spell out the procedural requirements that agencies must follow when performing
computer-matching activities.
• Require agencies to provide to individuals whose records are in matching systems the
opportunity to receive notice and to refute adverse information before having a benefit
denied or terminated.
• Require agencies which are engaged in matching activities to establish Data Integrity
Boards to oversee computer-matching activities.
The E-Government Act of 2002 aims to ensure privacy in the conduct of Federal information
activities. Title III of the E-Government Act, Federal Information Security Management Act of
2002 establishes computer security requirements for Federal automated information
resources. Among its other system security provisions, this Act requires agencies to:
• Conduct a periodic assessment of the risk and magnitude of the harm that could result
from the unauthorized access, use, disclosure, disruption, modification, or destruction of
information and information systems that support the operations and assets of the agency;
• Address information security throughout the life cycle of each agency information
system.
The Office of Management and Budget (OMB) oversees, establishes rules and procedures,
and provides guidance to agencies on the implementation of the Privacy Act and on information
security. OMB's guidance is found in:
• OMB Circular No. A-130, Appendix I, Federal Agency Responsibilities for Maintaining
Records About Individuals, which establishes Privacy Act requirements and procedures;
• OMB Circular No. A-130, Appendix III, Management of Federal Information
Resources, which establishes guidelines for Federal agencies on complying with the fair
information practices and security requirements for operating automated information
systems.
• (M-03-22) Memorandum for Heads of Executive Departments and Agencies, OMB
Guidance for Implementing the Privacy Provisions of E-Government Act of 2002.
• Title III of the E-Government Act, Federal Information Security Management Act of 2002
U.S. Forest Service privacy requirements
The U.S. Forest Service Privacy Office is currently complying with applicable laws and
regulations such as (but not limited to):
• Privacy Act of 1974
• E-Government Act of 2002
• Paperwork Reduction Act of 1995
• NARA Code of Federal Regulations
• Other laws and regulations
And following OMB requirements such as (but not limited to):
• OMB Circular A-130, Appendix I
• FISMA Reporting Instructions for Agency Privacy Management
• OMB Memo M-05-08, Designation of Senior Agency Officials for Privacy (SAOP)
• OMB Memo M-07-16, Safeguarding Against and Responding to Breach of Personally
Identifiable Information
• OMB Instructions for Complying with the President’s Memorandum of May 14, 1998,
Privacy and Personal Information in Federal Records
Can I see what privacy-related information the government has?
Under the Privacy Act, you may request copies of any U.S. Forest Service records that:
• are about you and
• are filed and can be retrieved by your name or a personal identifier (such as your Social
Security number).
You can also ask the Agency to correct records that are inaccurate, incomplete, untimely, or
irrelevant.
In some cases, the Privacy Act may not allow release of your personal records.
If you have any questions about records, please see the Freedom of Information Web Page at
http://www.fs.fed.us/im/foia/makearequest.htm.
Requests for information about you contained in a U.S. Forest Service Privacy Act system of
records must:
• Be in writing and signed.
• Be addressed to the appropriate U.S. Forest Service activity you believe is maintaining
the information about you.
• Identify the applicable U.S. Forest Service Privacy Act system of records notice that
might contain the information you are seeking, and your relationship with U.S. Forest
Service and the time period of that relationship. Privacy Act systems of records notices
are found at http://www.fs.fed.us/im/foia/pasystems.htm.
• Provide any other documentation as listed under the Notification or Access elements
within the Privacy Act system of records notice.
When in doubt, contact the U.S. Forest Service Privacy Officer.
Note: An employee’s browsing or reading of information that he or she does not have a “need-to-know” reason to see is a violation of the privacy of the person whom the data is about. It
is punishable with criminal or civil penalties for violating the Privacy Act.
How do I submit a Freedom of Information Act (FOIA) request?
For information about submitting a FOIA request, visit the U.S. Forest Service FOIA website at
http://www.fs.fed.us/im/foia/makearequest.htm.