Protection of PII

Published March 21, 2016
By Craig W. Gilbert
436th Communications Squadron

DOVER AIR FORCE BASE, Del. -- A recent increase in the number of incidents involving Personally Identifiable Information (PII) requires all wing personnel to take a more aggressive approach in the handling and storing of PII.

PII is any information, alone or in combination with other information, that could be used to identify an individual. Sensitive PII is any information, which if lost, compromised or disclosed without proper authorization, could result in harm, embarrassment, inconvenience or unfairness to an individual. Sensitive PII includes but is not limited to social security numbers, medical information, performance evaluations, alien registration and passport numbers, law enforcement information and legal information.

Air Force Instruction 33-332, Air Force Privacy and Civil Liberties Program, defines a PII breach as the "actual or possible loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access...whether physical or electronic." Something as simple as PII being accessed by someone without a need-to-know could constitute a PII breach.

Any time PII is potentially compromised, the Base Privacy Manager must be notified within 24 hours. Within that 24 hours, notification of the breach is immediately up-channeled through the affected group commander, wing commander and major command to the Headquarters Air Force Privacy Manager. A PII breach inquiry must also be initiated to identify any risk of harm to individuals affected by the potential breach.

Any person deemed to have caused or contributed to the breach must complete the Defense Information Systems Agency PII refresher training, and could face possible administrative or legal actions as a result of the inquiry's findings. All wing members are reminded they are responsible for the protection of all PII under their control and the immediate reporting of any identified potential breach.

PII is prohibited on shared drives, network drives or SharePoint (EIM) web sites unless access to the information is "locked down." The term locked down means access is restricted to the minimum number of personnel requiring access and who have a valid "need-to-know." If a folder on a shared drive or the official records drive contains PII, the folder name must contain "FOUO."

Any email message containing PII or attachments with PII must be encrypted, digitally signed and only sent to recipients with a need-to-know. Email messages containing PII must also have "FOUO" at the beginning of the subject line and the PA statement from AFI 33-322, 2.5.7 at the beginning of the message. Any document, roster or other physical product containing PII must be covered with an Air Force or DoD Privacy Act cover sheet and safeguarded to prevent unauthorized access.

The information contained in this article does not cover all the requirements for the protection of PII. Readers who handle or store PII are encouraged to read AFI 33-332 for additional information on PII protection. Commanders are highly encouraged to invite the Base Privacy Manager to commander calls or other unit gatherings to brief on the Privacy Act and protection of PII. The Base Privacy Manager is located in Building 310 and may be contacted at (302) 677-3642, should there be any questions or concerns regarding PII. As custodians of PII, we are all responsible for protecting the information of others entrusted to their care.