Protecting Personally Identifiable Information (PII) and other sensitive information

TWC understands that there are risks inherent with any staff having access to PII and that the risk can increase when that same individual works off-site. TWC recognizes that the challenges related to telework may be unfamiliar to many employees. We expect that PII protocols will be maintained and that Boards and Grantees will continue to ensure that appropriate protections are in place for staff and customers.

What is Personally Identifiable Information (PII)?

PII: information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linkable to a specific individual.

PII includes, but is not limited to:
- Social Security Numbers (SSNs)
- Bank account numbers, credit card numbers, or any financial information
- Home telephone numbers and mobile telephone numbers
- Ages and birth dates
- Marital status and spouse names
- Medical history
- Educational history
- Biometric identifiers (for example, fingerprints, voiceprints, and iris scans)
- Computer passwords

Other sensitive information: any unclassified information whose loss, misuse, or unauthorized access to or modification of could adversely affect the interest or the conduct of federally funded programs, or the privacy to which individuals are entitled under the Privacy Act of 1974, as amended (5 USC § 55 a).

Handling and Protection of PII and Other Sensitive Information

- PII and other sensitive information must be stored in a manner that protects the confidentiality of the information and is designed to prevent unauthorized individuals from retrieving it by computer, remote access, or any other means.
- PII and other sensitive information obtained through a request must not be disclosed to anyone other than an individual or entity authorized by law to receive the information. Examples of authorized individuals include, but are not limited to:
  - program staff with a need to know;
  - auditors;
  - state and fiscal monitors; and
  - individuals or entities identified in a signed release from the participant.

Computers and Data Storage and Transportation

- Only approved computers, servers, media, and software may be used to receive, process, access, and store PII. The Board and Grantees must retain control of all work-related PII on all hardware and end-point equipment.
- All PII removed from an office must be documented using a sign-out and sign-in protocol, or other logging method, that maintains a record of custody.
- Laptops, portable storage devices, mobile phones, and files containing PII must not be left unattended in a vehicle for significant periods of time.
- If PII must be left in a vehicle for a short time, the PII must be placed out of plain sight, preferably in the trunk, and the vehicle must be locked.
- Staff transporting files must immediately remove and secure the files when they arrive at their destination.

E-mail and Mail

- PII must be sent as an encrypted attachment, unless the software supports encrypting the entire e-mail and its attachments. (See the example on the AEL COVID-19 TCALL site for Office 365 message encryption.)
  - Passwords for attachments must be provided through a separate medium (such as a separate e-mail or by phone).
- When e-mails are sent to multiple participants, the e-mail address of each participant must be concealed from the other recipients.
  - Put all e-mail addresses in the Bcc field, or use a software application that sends the e-mail to each recipient individually.
- When mailing, all materials must be enclosed in an opaque envelope or container that hides all information other than the name and mailing address.
  - Use tracking options offered by mail services to ensure receipt of mailed materials, for example a service that requires the recipient's signature.
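The Bcc rule above is easy to state and easy to get wrong in a mail-merge script. The following is an added example (not TWC's or any Board's code) that builds a notice to several participants with every participant address in Bcc, and a check that flags an outgoing message whose To or Cc headers would show participants to each other. The addresses, the `example.org` staff domain and the `exposed_recipients` rule (two or more addresses outside the staff domain visible together) are constructed assumptions for the demonstration.

```python
"""Added example: conceal participant addresses with Bcc and detect leakage."""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data (not real addresses).
STAFF_MAILBOX = "ael-program@example.org"
PARTICIPANTS = ["a.lopez@example.com", "b.nguyen@example.net", "c.smith@example.edu"]


def build_participant_notice(sender, participants, subject, body):
    """Address the message to the staff mailbox itself and hide every
    participant in Bcc, so no recipient can see the others."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                          # the only visible recipient
    msg["Bcc"] = ", ".join(participants)        # stripped by the MTA on delivery
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def exposed_recipients(msg, internal_domain):
    """Return the addresses outside internal_domain that appear in To or Cc
    alongside at least one other such address; every recipient of the
    message can read those headers, so those participants are disclosed
    to each other. An empty list means the message complies."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(headers) if addr}
    external = sorted(a for a in visible
                      if not a.endswith("@" + internal_domain.lower()))
    return external if len(external) >= 2 else []


# The compliant message: participants only in Bcc.
COMPLIANT_NOTICE = build_participant_notice(
    STAFF_MAILBOX, PARTICIPANTS, "Class schedule update",
    "The Tuesday class now meets at 6 pm.")

# The non-compliant form the policy forbids: participants listed in To.
LEAKY_NOTICE = EmailMessage()
LEAKY_NOTICE["From"] = STAFF_MAILBOX
LEAKY_NOTICE["To"] = ", ".join(PARTICIPANTS)
LEAKY_NOTICE["Subject"] = "Class schedule update"
LEAKY_NOTICE.set_content("The Tuesday class now meets at 6 pm.")

if __name__ == "__main__":
    print("compliant exposes:", exposed_recipients(COMPLIANT_NOTICE, "example.org"))
    print("leaky exposes:", exposed_recipients(LEAKY_NOTICE, "example.org"))
```

Run the check before handing a message to the mail server; with the standard library, `smtplib.SMTP.send_message` removes the Bcc header from the transmitted copy while still delivering to those addresses, which is what makes the Bcc approach safe. A single participant addressed in To with only staff in Cc is not flagged, because staff with a need to know are authorized recipients under the handling rules above.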

Faxing and Printing

- If possible, avoid faxing documents with PII; otherwise, alert the recipient before faxing so they know not to leave the transmission unattended in an unsecured room.
- All faxes must be sent with a cover page that includes:
  - the recipient's name and fax number,
  - the sender's name and fax number, and
  - a confidentiality statement at the bottom of the page.

Example: "Confidentiality Notice: This communication, including any attachments thereto, is intended only for the use of the individual or entity to which it is addressed and contains information that is privileged, confidential, and exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of the message and attachments thereto is strictly prohibited."

Protection Against and Response to Possible Breaches of PII

- If staff members suspect or know that policy has been violated, regardless of the reason or severity, staff must:
  - At the time of discovery, secure the PII from further compromise;
  - Report the incident to the Supervisor or (if unavailable or there is a potential conflict of interest) to the Director;
  - Notify TWC immediately of all PII breaches or reasonably assumed releases of PII using RSM 3120 F. Staff can refer to WD 24-11, Change 1, issued January 17, 2018, entitled "Reporting Negative Incidents Involving Texas Workforce System Customers—Update";
  - Not compromise the information further by including PII in the incident report;
  - Document or maintain records relevant to the incident, as they might be required in the privacy incident handling report;
  - If the incident was not a breach but PII protection policies were violated, take corrective action to minimize future incidents.
- Failure to comply with these requirements, or to take appropriate action to prevent any improper use or disclosure of PII and other sensitive information for an unauthorized purpose, is subject to sanctions or other actions, up to and including termination of contracts and recoupment of funds, or criminal or civil prosecution.
- Boards and Grantees must hold those who improperly use or disclose PII and other sensitive information accountable.
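The reporting steps above require that the incident report itself not carry PII. As an added example (not part of the TWC material and not the RSM 3120 F form), the script below scans draft report text for two of the PII types listed earlier, SSNs and payment card numbers, and produces a redacted copy to submit. The patterns are heuristic assumptions: the SSN pattern rejects area numbers 000, 666 and 900-999 and zero group/serial fields, and a digit run is only treated as a card number when it passes the Luhn check, which cuts down false positives on dates and case numbers. The sample report is constructed.

```python
"""Added example: scan an incident report draft for SSNs and card numbers
and redact them before the report leaves the Board."""
import re

# SSN as NNN-NN-NNNN, excluding never-issued area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")

# Constructed sample; the SSN and card number are well-known test values.
SAMPLE_REPORT = (
    "Incident 2020-04-02: a printed intake file was left on a fax machine "
    "in an unlocked room for about 40 minutes. The file listed the "
    "participant's SSN 123-45-6789 and card 4111 1111 1111 1111. "
    "Case reference 20200402-07."
)


def luhn_ok(digits):
    """Luhn checksum over a string of digits (valid for real card numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def _is_card(match):
    return luhn_ok(re.sub(r"\D", "", match.group()))


def find_pii(text):
    """Return (kind, value) pairs for every SSN and Luhn-valid card number."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    hits += [("card", m.group()) for m in CARD_RE.finditer(text) if _is_card(m)]
    return hits


def redact(text):
    """Replace each detected value with a marker so the report stays useful
    (it still says what kind of data was exposed) without carrying the data."""
    text = SSN_RE.sub("[SSN REDACTED]", text)
    return CARD_RE.sub(lambda m: "[CARD REDACTED]" if _is_card(m) else m.group(), text)


if __name__ == "__main__":
    for kind, value in find_pii(SAMPLE_REPORT):
        print(f"found {kind}: {value}")
    print(redact(SAMPLE_REPORT))
```

The scan is a safety net for the "do not include PII in the incident report" step, not a substitute for it; it does not catch names, dates of birth, or medical details, which also appear in the PII list above, so the drafter still has to describe the exposed data by category rather than by value.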

Recommended Best Practices

- Before collecting PII from customers, have the customer sign release forms acknowledging its use, disclosing the entities that will have access to it, and notifying them that in certain circumstances the proper, secure release of their information will be necessary.
- Use digital or e-signature applications, such as DocuSign and Adobe E-signature, that comply with Texas Administrative Code (TAC) 203, Subchapter B.
  - Additionally, check with your IT Administrator; they may provide a secure way to transmit and receive documents between participants and local staff.
- Whenever possible, use unique identifiers, such as a Participant ID or Local Assigned Number, for participant tracking instead of SSNs.
  - Once the SSN has been entered for performance tracking purposes, the unique identifier may be used in place of the SSN for tracking purposes.

Recommended Best Practices (continued)

- Encrypt the entire laptop (with secured access). If this feature is unavailable, encrypt the files containing PII, so they will not be compromised if the laptop is lost or stolen.
- When mailing PII, consider double boxing or double wrapping, so that if the outer package is damaged during transit, the inner package will protect the contents from disclosure.
- Print and file the fax confirmation page to document the successful transmission of the fax. If this option is unavailable, print the fax transmission log to serve as a replacement.
- If PII needs to be stored on a shared network folder, create a limited-access subfolder and grant access privileges only to those who have a need to access the information.
- Ensure that PII is disposed of using a legitimate and reputable document destruction vendor, preferably one that is National Association for Information Destruction certified.

Resources

- Privacy Act of 1974, as amended (5 USC § 55 a): https://www.justice.gov/opcl/privacy-act-1974
- WD 24-11, Change 1, issued January 17, 2018, "Reporting Negative Incidents Involving Texas Workforce System Customers – Update": https://www.twc.texas.gov/files/policy_letters/wd-24-11ch1-twc.pdf
- RSM 3120 F: https://www.wrksolutions.com/Documents/Staff/Issuances/18-05 Attachments/Incident-Report-Form.pdf
- Texas Administrative Code (TAC) 203, Subchapter B: https://texreg.sos.state.tx.us/public/readtac$ext.ViewTAC?tac_view=5&ti=1&pt=10&ch=203&sch=B&rl=Y
- WD 02-18, issued March 23, 2018, "Handling and Protection of Personally Identifiable Information and Other Sensitive Information": https://www.twc.texas.gov/files/policy_letters/wd-02-18-twc.pdf
- COVID-19 Questions & Answers for Local Workforce Development Boards: https://www.twc.texas.gov/partners/covid-19-resources-local-workforce-development-boards#otherResources
- AEL PII Professional Development Training (for PD credit): PD Portal: https://twc.csod.com/client/twc/default.aspx > Find Training > Search > PII (2019-2020)