Tackling PII in Electronic Data

As non-lawyers peering into the legal world, be advised this post is not official legal advice from the Office of General Counsel. These are our impressions and what we took away from the Legal Learning Series session Social Media – Privacy, Records and Litigation.

Do you collect comments and post photos on your agency social media accounts and websites? If so, are you aware that much of that content could possibly be considered personally identifiable information (PII)?

PII is, at times, a clever disguise artist. Although something may not seem like PII on the surface, you need to dig deeper to better understand the nuances. At GSA’s fourth installment of the “Legal Learning Series,” federal employees learned the different forms that electronic data can take and what their agencies need to do to ensure we can collect important data while still protecting people’s privacy.

Some 80 participants gathered to hear from two distinguished speakers–Kathy Harman-Stokes, Chief Privacy Officer at the CFTC and Alex Tang, Attorney in the Office of General Counsel at the FTC–detail the ins and outs of electronic PII acquisition and performing the requisite privacy impact assessments (PIAs). Here are some key takeaways from the presentation:

PII is nearly ubiquitous in social media and on the web

The term “PII,” as defined in OMB Memorandum M-07-16 refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Social media and the web happen to be chock full of PII, but it’s not always immediately evident. It’s important to find any PII collected in electronic data, as well as follow the regulations regarding it.

Examples of information your agency might be collecting that probably has PII include:

  • Comments (on Facebook, blogs, etc)
  • Photos of people
  • Video/Audio (including live cams)
  • Geolocation or mapping data
  • Mobile app user data
  • Web tracking, user preference and experience cookies, logs (i.e. IP addresses, analytics, etc)

My agency is collecting PII, what next?

Good question. Section 208 of the E-Government Act requires that a privacy impact assessment (PIA) be conducted when developing or acquiring electronic IT that will “collect, maintain, or disseminate” PII. Of note, OMB requires PIAs before using third-party sites and applications whenever PII will be made available to your agency. A PIA is a documentation of the analysis of privacy risks and steps taken to mitigate them, and must be publicly posted after approval by your agency’s CIO or other official designated by the department/agency head.

Required contents of a PIA (this list is not exhaustive; refer to the act for more information) :

  • Purpose: why does the agency need the PII? Is it absolutely necessary?
  • Authority: are there laws/regulations against the collection of specific PII (e.g. SSN information, COPPA data about kids 13 and under, etc.)?
  • Sources: what PII will be available and where is it coming from? What will be collected, maintained, and/or disseminated?
  • Usage: what are the intended uses of the PII both now and in the future?
  • Access: who will have access to the information and how will you prevent unauthorized use?
  • Sharing: with whom outside your agency will the information be shared?
  • Notice: how will the public be notified? The privacy policy must disclose third party sites and apps as well as be publicly posted, as does the PIA.
  • Choice & Consent: will the public have an option not to share PII? Will they have a choice to opt-in or opt-out of their PII being shared?
  • Security: how will the information be protected, and what are the risks involved? How will the agency address those risks? A breach response plan is required.
  • Retention/Disposal: how will the PII be stored and for how long? What are the methods of disposal?

For more information contact Kathy Harman-Stokes at kharman-stokes@cftc.gov or Alex Tang at atang@ftc.gov.