U.S. Department of Commerce
Office of the Chief Information Officer
Electronic Transmission of
Personally Identifiable Information
What is the Commerce policy on electronic transmission of personally identifiable information (PII)?
This policy provides guidance to help Commerce employees distinguish between sensitive and non-sensitive PII and determine which PII may be transmitted electronically. The Commerce policy is that if sensitive PII must be electronically transmitted, then it shall not be sent unless it is specifically protected by secure methodologies such as encryption, Public Key Infrastructure (PKI), secure sockets layer (SSL). Federal Information Processing Standards (FIPS) Publication 140-2, Security Requirements for Cryptographic Modules, provides the standard to which encryption methodologies must conform. Non-sensitive PII may be transmitted in an unprotected form. The transmission of sensitive PII, even if it is protected by secure means, must be kept to a minimum.
This policy applies to Commerce employees, contractors, interns, guest researchers, foreign nationals, and others who are authorized to use Commerce resources.
The term personally identifiable information refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
(OMB Memorandum M-07-16, Note 1). Examples include direct references such as name, address, social security number, and e-mail address. PII also includes any information that could be used to reference other data elements that are used for identification, such as gender, race, and date of birth.
Sensitive PII is defined as PII which, when disclosed, could result in harm to the individual whose name or identity is linked to the information. Further, in determining what PII is sensitive, the context in which the PII is used must be considered. For example, a list of people subscribing to a government newsletter is not sensitive PII; a list of people receiving treatment for substance abuse is sensitive PII. As well as context, the association of two or more non-sensitive PII elements may result in sensitive PII. For instance, the name of an individual would be sensitive when grouped with place and date of birth and/or mother’s maiden name, but each of these elements would not be sensitive independent of one another.
For the purpose of determining which PII may be electronically transmitted, the following types of PII are considered sensitive when they are associated with an individual. Secure methods must be employed in transmitting this data when associated with an individual:
- Place of birth
- Date of birth
- Mother’s maiden name
- Biometric information
- Medical information, except brief references to absences from work
- Personal financial information
- Credit card or purchase card account numbers
- Passport numbers
- Potentially sensitive employment information, e.g., personnel ratings, disciplinary actions, and result of background investigations
- Criminal history
- Any information that may stigmatize or adversely affect an individual.
This list is not exhaustive, and other data may be sensitive depending on specific circumstances.
Social Security Numbers (SSNs), including truncated SSNs that include only the last four digits, are sensitive regardless of whether they are associated with an individual. If it is determined that such transmission is required, then secure methods must be employed.
The following additional types of PII may be transmitted electronically without protection because they are not considered sufficiently sensitive to require protection.
- Work, home and cell phone numbers
- Work and home addresses
- Work and personal e-mail addresses
- Resumes that do not include an SSN or where the SSN is redacted
- General background information about individuals found in resumes and biographies
- Position descriptions and performance plans without ratings
The determination that certain PII is non-sensitive does not mean that it is publicly releasable.. The determination to publicly release any information can only be made by the official authorized to make such determinations. The electronic transmission of non-sensitive PII is equivalent to transmitting the same information by the U.S. mail, a private delivery service, courier, facsimile, or voice. Although each of these methods has vulnerabilities, the transmitted information can only be compromised as a result of theft, fraud, or other illegal activity.
Other than the non-sensitive information identified above, individual employees, including contract employees, should not electronically transmit personal information solely about themselves unless it is encrypted or handled by a secure method. This is to ensure that the personal information is protected from possible breach and identity theft.
Examples of electronic transmission of PII, include, but are not limited to:
- E-mail, text, and instant messages
- Document (s) attached to an e-mail message
- File Transfer Protocol (FTP)
- Secure Sockets Layer (SSL)
- Transport Layer Security (TLS)
- General Web Services
- File Sharing Services
- Electronic Data Interchange (EDI)
Who should employees contact if they have questions about which PII may be transmitted electronically?
If there is any question concerning the sensitive or non-sensitive nature of the PII, they should contact their supervisor who should consult Commerce privacy officials if doubts remain.
There are several methods operating units can use to transmit sensitive PII. These include:
- Installing encryption software on a select number of desktops and designating those computers for the transmission of sensitive PII. The encryption methodology that is installed must conform to the standard for cryptographic-based security systems in Federal Information Processing Standards (FIPS) Publication 140-2, Security Requirements for Cryptographic Modules.
- Using encryption software to encrypt the sensitive PII before sending it electronically, e.g., as an e-mail attachment. The password key should be forwarded to the recipient in a separate e-mail from the attached file.
- Using an application designed to protect the transmission of sensitive PII, e.g., Web-based applications that use TLS1.0, secure file share, or secure file transfer applications such as Secure Shell File Transport Protocol (SFTP).
- Sending documents with sensitive PII by facsimile is permissible if the sender alerts the designated recipient that sensitive PII is being sent. The recipient must then verify by phone or e-mail that the information has been received.
Other references regarding sensitive PII include:
For information about IT security, contact Tim Hurr (THurr@doc.gov), the Commerce IT Security Officer.
For information on provisions of the Privacy Act, contact Brenda Dolan (firstname.lastname@example.org), the Department’s Privacy Act Officer.
Date of policy superseded: None
Revision status: Revision 1
Approved by Earl Neal, Acting Chief Information Officer, 07/30/2009
- Questions regarding this section may be directed to the IT Policy, Guidance & Legislation Administrator