Policy for Personally Identifiable Data Extracts Removed from EEOC Premises

I. Background

The Equal Employment Opportunity Commission (EEOC) is responsible for enforcing Title VII of the Civil Rights Act (Title VII) of 1964, as amended, the Age Discrimination in Employment Act (ADEA) of 1967, the Equal Pay Act (EPA) of 1963, Title I and Title V of the Americans with Disabilities Act (ADA) of 1990, Sections 501 and 505 of the Rehabilitation Act of 1973, and the Civil Rights Act of 1991. The mission of the EEOC is to ensure equality of opportunity in the workplace by vigorously enforcing these federal laws. To support the mission of the agency, various systems of records have been devised and maintained on EEOC computer systems, some of which may contain personally identifiable data.

The protection of the systems and their data is required by Office of Management and Budget (OMB) Circular A-130; the Federal Information Security Management Act of 2002 (FISMA); the Privacy Act of 1974; Title VII; and the EEOC Information Security Program Directive. National Institute of Standards and Technology guides provide the minimum security requirements for agency systems and major applications.

The OMB has recently issued Memorandum M-06-16, which indicates that extracts from databases that contain personally identifiable information (PII) may need further protection if the extracts are removed from EEOC premises.

II. Definition of a "Data Extract"

For purposes of this policy, a data extract is defined as multiple records of information that are downloaded or copied from an EEOC database system (such as the Integrated Mission System, Federal Personnel and Payroll System, or Integrated Financial Management System) and maintained in electronic format outside of the originating system. This policy is limited to data extracts that contain personally identifiable information (PII) that is considered to be very sensitive in nature, such as Social Security Numbers, medical information, and certain information from charges, complaints, or cases that are not yet filed in court. This policy is additionally limited to data extracts that are physically removed from EEOC premises via electronic transmission, laptop, file, CD, diskette, memory key, or any other portable storage device. It additionally includes data extracts downloaded via EEOC's virtual private network (VPN) to any external device. Using the VPN to access files and data (without download to an external device) is NOT subject to this policy.

The risks from extracted personal data can be reduced in several ways:

  • If the sensitive data is not needed in the extract, do not include it.
  • Limit the number of records in the extract to the smallest number needed.
  • Delete the extract as soon as it is no longer needed.

An example of what is NOT considered a data extract under this policy is the download of name and address information for correspondence purposes. In addition, accessing and working with files and information across the EEOC VPN is NOT considered a data extract. However, if you physically download (transfer) multiple records from an internal EEOC database system to a remote laptop or storage device through the VPN, this is considered a data extract.

Individual electronic documents that are not created through a database extract process (as defined above) are not considered a "data extract" for purposes of this policy and do not require the logging procedures outlined below in section III. This includes working files maintained on your office desktop computer. However, if the individual files contain sensitive PII, the files should be protected prior to removal from an EEOC facility. Download and storage within the \myfiles directory on a properly configured EEOC laptop, or to an encrypted and password-protected portable device, fulfills the security requirement for these files. Encrypting and password-protecting the file(s) prior to download/removal also fulfills the requirement. If you have any questions on how to encrypt an individual file or group of files, please contact the OIT Help Desk.

III. Procedures for Handling Extracted Data Containing Sensitive PII which is Physically Transported Outside of the EEOC Premises

In order to remove data extracts containing sensitive PII from EEOC premises, users must:

  1. Maintain a centralized office log for extracted datasets that contain sensitive PII. This log must include the date the data was extracted and removed from the facilities, a description of the data extracted, the purpose of the extract, the expected date of disposal or return, and the actual date of return or deletion.
  2. Ensure that any extract which is no longer needed is returned to EEOC premises or securely erased, and that this activity is recorded on the log.
  3. Obtain management concurrence in the log, if an extract aged over 90 days is still required.
  4. Store all PII data extracts maintained on an EEOC laptop in the encrypted \myfiles directory. This includes any sensitive PII data extracts downloaded via the EEOC VPN.
  5. Encrypt and password-protect all sensitive PII data extracts maintained on a portable storage device (such as CD, memory key, flash drive, etc.). Exceptions due to technical limitations must have the approval of the Office Director and alternative protective measures must be in place prior to removal from EEOC premises.
  6. Encrypt and password-protect prior to transmission any sensitive PII data extracts that are sent to an external e-mail address via the Internet. The password key should be forwarded to the recipient in a separate e-mail from the attached file.

The automatic on-line remote back-up of field network servers is excluded from the extract logging requirement, as the Office of Information Technology will note these recurring extracts in an overall system administration log.

IV. Roles and Responsibilities

  1. Office Directors and Supervisors are responsible for: (a) ensuring that their employees understand and comply with these policies, (b) determining internal procedures related to the upkeep and maintenance of any required extract logs, and (c) monitoring the log per Section III.3 above.
  2. The Office of Information Technology (OIT) and the Office of Legal Counsel are responsible for ensuring that EEOC employees and contractors receive training in the implementation of these policies.
  3. Information owners are responsible for protection of their data.
  4. Any suspected breach of these policies must be immediately reported to the EEOC Information Security Officer within OIT, via the OIT Help Desk at (202) 663-4767, TTY (202) 663-7193, or via e-mail at OIT.HelpDesk@eeoc.gov. This notification is essential in order to meet incident reporting timeframes required by OMB Memorandum M-06-19, "Reporting Incidents Involving Personally Identifiable Information".

Non-compliance may result in revocation of system access, disciplinary action, or both. Breaches that violate other legal provisions (e.g., Title VII, Privacy Act) may also be subject to the respective penalties of such laws.