UNCLASSIFIED (U)

5 FAM 460

PRIVACY POLICY

(CT:IM-315;   04-17-2024)
(Office of Origin:  A/GIS/PRV)

5 FAM 461  SCOPE

(CT:IM-312;   03-07-2024)

This chapter addresses the Department’s privacy governance structure and the governing policies concerning the collection, use, maintenance, and dissemination of personally identifiable information (PII) in carrying out the Department’s mission and protecting privacy in the Department’s handling of information about individuals.

5 FAM 462  AUTHORITIES

(CT:IM-312;   03-07-2024)

a. Statutory authorities pertaining to privacy include:

(1)  Freedom of Information Act of 1966 (FOIA), as amended; privacy exemptions (5 U.S.C. 552(b)(6) and (b)(7)(C));

(2)  Fair Credit Reporting Act of 1970, Section 603 (15 U.S.C. 1681a);

(3)  Privacy Act of 1974, as amended (5 U.S.C. 552a);

(4)  Paperwork Reduction Act (PRA) of 1995 (44 U.S.C. 3501 et seq.);

(5)  Information Technology Management Reform Act of 1996 (ITMRA) (Clinger-Cohen Act), as amended (P.L. 104-106, 110 Stat. 679 (1996));

(6)  E-Government Act of 2002;

(7)  Implementing Recommendations of the 9/11 Commission Act of 2007, Sections 802 and 803;

(8)  Executive Order 13526 - Classified National Security Information (2009) or predecessor and successor EOs on classifying national security information regarding covert operations and/or confidential human sources;

(9)  Federal Information Security Modernization Act of 2014 (FISMA) (P.L. 113-283), codified at 44 U.S.C. 3551 et seq.; and

(10) Social Security Number Fraud Prevention Act of 2017.

b. OMB directives and guidance include:

(1)  OMB Memorandum M-99-18, Privacy Policies on Federal Web Sites (June 2, 1999);

(2)  OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 26, 2003);

(3)  OMB Memorandum M-10-22, Guidelines for Online Use of Web Measurement and Customization Technologies (June 25, 2010);

(4)  OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications (June 25, 2010);

(5)  OMB Memorandum M-16-24, Role and Designation of Senior Agency Officials for Privacy (September 15, 2016);

(6)  OMB Memorandum M-17-06, Policies for Federal Agency Public Websites and Digital Services (November 8, 2016);

(7)  OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control (July 15, 2016);

(8)  OMB Circular No. A-130, Managing Information as a Strategic Resource (July 28, 2016);

(9)  OMB Circular No. A-108, Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act (December 2016); and

(10) OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (January 3, 2017).

5 FAM 463  DEFINITIONS

(CT:IM-312;   03-07-2024)

Breach (as defined by OMB Memorandum M-17-12):  The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar occurrence, whether non-cyber or cyber, where (1) a person other than an authorized user accesses personally identifiable information (PII) or (2) an authorized user accesses or potentially accesses PII for an other than authorized purpose.

Disclosure:  Providing information from a system of records, by any means, to anyone other than the individual by whose name or other identifier the record is retrieved.

Individual:  A citizen of the United States or an alien lawfully admitted for permanent residence.

Personally Identifiable Information (PII):  Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual.  Examples of PII include, but are not limited to, full name, birthdate, personal address information (email and physical addresses), personal phone number, personal identification numbers (badge number, Social Security number, driver's license number, bank account numbers, passport number), medical or disability information, biometrics (e.g., fingerprints, voice signatures, facial geometry), and visual representations (e.g., photographs, videos, drawings).

Privacy Act Statement (PAS):  The PAS is a statement that must be provided when collecting PII from an individual that will be maintained in a system of records.  The PAS explains how the information will be used, with whom the information will be shared, the authority to collect the information, and the effects, if any, of not providing the information.

Privacy Impact Assessment (PIA):  An analysis of how PII is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; to determine the risks and effects of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of information in identifiable form in an electronic information system; and to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy concerns.  A PIA is both an analysis and a formal document detailing the process and the outcome of the analysis (OMB Circular No. A-130).

Record (as defined by the Privacy Act):  Any item, collection, or grouping of information about an individual that is maintained by a Federal agency, such as information about an individual's education, financial transactions, medical history, and criminal or employment history and that contains an individual's name, or an identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.

Routine use:  A type of disclosure under the Privacy Act that permits a Federal agency to disclose Privacy Act-protected information when doing so is compatible with the purpose for which the information was collected and the routine use has been published by the agency.  Routine use disclosures are external to the agency and do not include intra-agency disclosures.

System manager:  Owner of a system of records.

System of Records:  A group of any records (as defined by the Privacy Act) under the control of any Federal agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifier assigned to the individual.

System of Records Notice (SORN):  A formal notice to the public published in the Federal Register that describes a system of records maintained by an agency. SORNs identify the purpose for which the information in the system is collected, from whom, the types of information collected, how the information is shared externally (routine uses), and how an individual may access and correct records about themselves in the system.

Workforce Member:  Department employees, contractors (third-party and personal service contractors), grantees, U.S. Government personnel detailed or assigned to the Department, and any other personnel (e.g., locally employed staff, re-employed annuitants) who perform work for or on behalf of the Department.

5 FAM 464  PRIVACY ROLES AND RESPONSIBILITIES

(CT:IM-312;   03-07-2024)

5 FAM 464.1  Privacy and Civil Liberties Officer (PCLO)

(CT:IM-312;   03-07-2024)

a. The Under Secretary for Management serves as the Department’s Privacy and Civil Liberties Officer (PCLO).  In accordance with the Implementing Recommendations of the 9/11 Commission Act of 2007, the PCLO is the principal advisor to the Secretary of State on the privacy and civil liberties implications of Department policies and regulations.  The PCLO:

(1)  Assists the head of the Department and other officials in considering privacy and civil liberties concerns when such officials are proposing, developing, or implementing laws, regulations, policies, procedures, or guidelines related to efforts to protect the Nation against terrorism;

(2)  Periodically investigates and reviews Department actions, policies, procedures, guidelines, and related laws and their implementation to ensure that the Department is adequately considering privacy and civil liberties in its actions;

(3)  Ensures that the Department has adequate procedures to receive, investigate, respond to, and redress complaints from individuals who allege that the Department has violated their privacy or civil liberties; and

(4)  In providing advice on proposals to retain or enhance a particular governmental power, considers whether the Department has established:

(a)    That the need for the power is balanced with the need to protect privacy and civil liberties;

(b)    That there is adequate supervision of the Department’s use of the power to ensure protection of privacy and civil liberties; and

(c)    That there are adequate guidelines and oversight to properly confine its use.

b. In accordance with Section 803 of the 9/11 Commission Act of 2007, the Privacy Office compiles the Department’s reports related to the discharge of certain privacy and civil liberties functions of the PCLO, including information on:

(1)  The number and types of reviews undertaken;

(2)  The type of advice provided and response given to such advice;

(3)  The number and nature of complaints received by the Department for alleged violations; and

(4)  A summary of the disposition of such complaints, the reviews and inquiries conducted, and the impact of the activities of the PCLO. See 42 U.S.C. 2000ee-1(f).

5 FAM 464.2  Senior Agency Official for Privacy (SAOP)

(CT:IM-312;   03-07-2024)

The Deputy Assistant Secretary for Global Information Services (A/GIS) serves as the Senior Agency Official for Privacy (SAOP), with overall responsibility and accountability for managing privacy risks across the enterprise, for ensuring the Department’s compliance with the privacy requirements in statutory authorities and OMB guidance and directives, and for representing the Department at the interagency Federal Privacy Council.  The SAOP may delegate specific responsibilities to the Chief Privacy Officer.

5 FAM 464.3  Chief Privacy Officer (CPO)

(CT:IM-312;   03-07-2024)

The Chief Privacy Officer is the Department’s senior advisor for privacy policy and principal technical advisor to the Department concerning implementation of privacy laws, policies, safeguards, best practices, and initiatives.  The CPO provides executive-level leadership and management oversight of the Privacy Office in performing analytical and evaluative duties necessary to carry out responsibilities of the Department’s Privacy Program for ensuring compliance with Federal privacy mandates.

5 FAM 464.4  Privacy Office (A/GIS/PRV)

(CT:IM-312;   03-07-2024)

a. The Department’s Privacy Office (“Privacy Office”) located within the Bureau of Administration, Office of Global Information Services (A/GIS/PRV) manages the Department’s privacy program to ensure compliance with privacy requirements, develop and evaluate privacy policies, manage privacy risks, protect privacy, and promote privacy awareness. 

b. The Privacy Office oversees Federal privacy program requirements, including privacy impact assessments (PIAs), system of records notices (SORNs), Privacy Act statements (PASs), privacy risk management, and privacy training and accountability.

c.  The Privacy Office assesses the impacts of breaches on individuals and is responsible for developing and maintaining the Department’s Breach Response Plan.

5 FAM 464.5  Office of the Legal Adviser (L)

(CT:IM-312;   03-07-2024)

The Office of the Legal Adviser (L) provides guidance on Federal privacy laws, including the Privacy Act of 1974 and the E-Government Act of 2002, and on legal privacy risks generally.  L also provides advice on emerging privacy issues and their impact on the Department, and provides guidance on breaches as outlined in the Department’s Breach Response Plan.

5 FAM 464.6  Office of the Procurement Executive (A/OPE)

(CT:IM-312;   03-07-2024)

a. As outlined in Federal Acquisition Regulation (FAR) 24.103, the Department’s contracting officers review requirements to determine whether a contract will involve the design, development, or operation of a system of records on individuals to accomplish an agency function.  If one or more of these tasks is required, the contracting officer ensures that the contract work statement specifically identifies the system of records on individuals and the design, development, or operation work to be performed, and follows Department policy as specified in this chapter and the procedures, rules, and regulations implementing the Privacy Act.

b. A/OPE ensures that applicable privacy clauses are included in all solicitations, contracts, grants, and cooperative agreements when the design, development, or operation of a system of records on individuals is required to accomplish an agency function.

c.  A/OPE serves as the procurement expert when a breach involves a contract, grant, or cooperative agreement.  A/OPE and the Privacy Office will work directly with contractors or grantees on breaches in accordance with the Department’s Breach Response Plan.

5 FAM 464.7  Executive Directors

(CT:IM-312;   03-07-2024)

Executive Directors or equivalent are responsible for:

(1)  Ensuring workforce members who handle records containing PII adhere to legal, regulatory, and Department privacy policies;

(2)  Ensuring workforce members receive the training necessary to protect PII;

(3)  Implementing the rules of behavior defined in 5 FAM 467 for protecting, marking, and handling PII, and identifying behavior that does not adhere to those rules, including:

(a)    Documenting and taking appropriate action when discovering or suspecting bureau workforce members fail to follow the rules;

(b)    Notifying the appropriate authorities if workforce members belong to other organizations, agencies, or commercial businesses; and

(c)    Reporting the incident and actions taken to the SAOP and the Enterprise Chief Information Security Officer (E-CISO);

(4)  Allocating adequate budgetary resources to protect PII, including technical measures or procedures;

(5)  Ensuring that the Bureau’s system owners comply with privacy impact assessment requirements according to the time schedule established by the Department’s Privacy Office; and

(6)  Responding to breaches as outlined in the Department’s Breach Response Plan.

5 FAM 464.8  System Owners

(CT:IM-312;   03-07-2024)

System owners, defined in 5 FAM 825, are responsible for determining the risks and impacts of collecting, maintaining, and disseminating PII in a system and facilitating privacy reviews of their systems in coordination with the Privacy Office to ensure privacy risks are mitigated and systems are in compliance with Federal laws and mandates.  The Privacy Office determines necessary privacy requirements for all systems (e.g., privacy impact assessments (PIAs) see 5 FAM 466.2).

5 FAM 465  BREACH RESPONSE

(CT:IM-312;   03-07-2024)

5 FAM 465.1  Breach Response Plan

(CT:IM-315;   04-17-2024)

a. The Department’s Breach Response Plan establishes agency-wide procedures for reporting and handling breaches of PII at the Department, including breaches of paper and electronic records.  The plan identifies the roles and responsibilities in the event of a breach, including, but not limited to, those of the E-CISO, the Bureau of Diplomatic Security (DS), and the Chief Information Officer (CIO).

b. Workforce members must report breaches in accordance with the Department’s Breach Response Plan.  When a breach is reported, the information is routed to the Bureau of Diplomatic Security, Cyber Incident Response Team (DS/CIRT) for cyber incidents or the Privacy Office for non-cyber incidents.  If a criminal act is actual or suspected, the Office of Inspector General, Office of Investigations (OIG/INV) will be notified.

5 FAM 466  PRIVACY RISK MANAGEMENT

(CT:IM-312;   03-07-2024)

5 FAM 466.1  Budget and Acquisition – Information Technology (IT) Investments

(CT:IM-312;   03-07-2024)

a. The SAOP is a functional partner in the Capital Planning and Investment Control (CPIC) process (see 5 FAM 613), reviewing all IT investments to ensure privacy, as well as any associated cost, is considered and protected in electronic activities.

b. For IT applications involving cloud services, the SAOP is a member of the evaluation board hosted by the Cloud Program Management Office (PMO).

c.  System owners must consult with the Privacy Office during the design phase for new systems to ensure privacy is considered early in the process.

d. Before the Information Technology Executive Council Program Management Office (ITEC PMO) reviews a request for a new IT system and associated funding, an IT business case must be developed (see 5 FAM 613 and 5 FAM 615). Business cases involving IT systems with privacy risk must be reviewed by the Privacy Office to ensure that privacy risk is adequately identified and remediated.

5 FAM 466.2  Privacy Impact Assessment (PIA)

(CT:IM-312;   03-07-2024)

a. The E-Government Act of 2002, Section 208, generally requires a privacy impact assessment (PIA), as defined in 5 FAM 463, for electronic information collections or IT systems (unclassified or classified) that collect, process, disseminate, or maintain PII. 

b. A PIA is not required for National Security Systems (NSS) as defined by the Clinger-Cohen Act of 1996.

c.  A PIA must be conducted when:

(1)  Developing or procuring new technologies or systems that handle or collect PII;

(2)  Making significant revisions or modifications to an existing system that change how PII is managed in the system;

(3)  A system undergoes a triennial security reauthorization;

(4)  A new or updated authority or executive order involving the collection or sharing of PII is issued;

(5)  A system's PII is moving to cloud storage; or

(6)  The Department uses third-party websites or applications to collect PII.

d. Systems that do not collect PII or only collect business contact information (i.e., information that is exclusively related to an individual’s employment contact information, including employee name, business address, business email address, and business phone numbers) are generally exempt from the PIA requirement.  System owners must contact the Privacy Office in these circumstances; only the Privacy Office can declare an exemption.

e. When the Privacy Office determines that a system requires a PIA, system owners must conduct the PIA in coordination with the Privacy Office, L, the Records and Archives Management Division (A/GIS/IPS/RA), and other stakeholders as necessary to ensure privacy risks have been effectively mitigated and documented.

f.  Escalation and enforcement policy:  If system owners do not complete a PIA within the timeframe allotted by the Privacy Office, the Chief Privacy Officer (CPO) will notify the Bureau’s Executive Director for action.  Lack of response or action from the Bureau Executive Director will result in escalation to the Senior Agency Official for Privacy (SAOP), who in turn may further escalate the issue to the Assistant Secretary for the Bureau of Administration.  The Assistant Secretary for the Bureau of Administration will notify the Under Secretary for Management (M) of continued non-compliance with the requirement and the established timeline.

g. The SAOP or their delegate approves the PIA.  If, through the PIA, it becomes apparent that PII cannot be adequately protected, the SAOP must provide a memorandum to the Department’s CIO outlining these findings, explaining what needs to be done to address the risk, and advising that systems in which the PII cannot be protected cannot be authorized to operate until the privacy risks are addressed.

h. All PIAs for systems that collect information from or about the public must be posted on the Department's public-facing PIA website and noted within the governance, risk, and compliance (GRC) system.

5 FAM 466.3  Security Categorization and System Authorization

(CT:IM-312;   03-07-2024)

a. As part of the Department’s risk assessment policy (12 FAM 623.16) and process (12 FAH-10 H-330), the SAOP reviews and approves the categorization of information systems that create, collect, use, process, maintain, disseminate, disclose, or dispose of PII in accordance with NIST FIPS Publication 199 and NIST SP 800-60. The SAOP also reviews and approves system authorizations for any systems that collect PII, including business contact information.

b. All IT systems must complete the system authorization process before becoming operational (see 5 FAM 1060 and 5 FAM 611).  The PIA (see 5 FAM 466.2) is a component of the Department’s system authorization process for all systems that collect PII beyond business contact information.  The PIA is integrated into the system authorization process in the Department’s governance, risk, and compliance (GRC) tool.  A system that collects PII cannot be authorized until the PIA has been approved by the SAOP or their delegate, or the Privacy Office has determined that the system qualifies for an exemption from the PIA.

5 FAM 466.4  System of Records Notice (SORN)

(CT:IM-312;   03-07-2024)

a. The Privacy Act requires SORNs to be published in the Federal Register for new, modified, or rescinded systems of records.  Examples of when a SORN will require modification include:

(1)  There is a substantial increase in the number, type, or category of individuals about whom records are maintained in the system;

(2)  The purpose(s) for which the information in the system of records is maintained changes; or

(3)  A new routine use or significant change to an existing routine use has the effect of expanding the availability of the information in the system.

    These examples are not exhaustive. If you are not sure whether a change to a system of records requires a SORN modification, please consult the Privacy Office.

b. A SORN must be rescinded under the following circumstances:

(1)  When a system of records is retired or deleted, such as when information kept in a system of records is no longer relevant and necessary to accomplish an agency function;

(2)  If a SORN was published in error and it is determined that the system of records is not subject to the Privacy Act; or

(3)  When a system of records is a duplication of an existing system.

c.  System managers must use the Department’s SORN guidance to write a SORN for any new or modified system or a rescindment notice for a rescinded system, in coordination with the Privacy Office, L, the Records and Archives Management Division (A/GIS/IPS/RA), and other stakeholders as necessary.

d. L reviews and provides guidance on SORNs.  The SAOP provides clearance for submission to the Office of Management and Budget (OMB) for review. 

e. The Privacy Office submits the OMB-reviewed SORN for publication in the Federal Register and provides notification to the Bureau of Legislative Affairs (H) for relevant congressional committees. 

f.  The Privacy Office conducts biennial reviews of each SORN with system managers following publication in the Federal Register to ensure Department SORNs continue to accurately describe the systems of records.

5 FAM 466.5  Privacy Act Statement (PAS)

(CT:IM-312;   03-07-2024)

a. In accordance with the Privacy Act of 1974, all Department forms (paper or digital), webpages, surveys, questionnaires, and/or applications that collect PII from individuals that will be maintained in a system of records must contain a Privacy Act Statement (PAS) notifying individuals of the following:

(1)  The legal authority for collecting the information;

(2)  The purpose(s) for collecting the information and how it will be used;

(3)  Who the information will be shared with outside of the Department and for what purpose(s); and

(4)  Whether providing the information is mandatory or voluntary, and the effects, if any, of not providing the information.  The Department can make collection mandatory only when a Federal statute, executive order, regulation, or other lawful order specifically imposes collection of the information from an individual.

b. Bureaus that create and maintain a collection of information, as defined in 18 FAM 201.5, that includes PII must coordinate with the Office of Directives Management (A/GIS/DIR) and follow the Information Collections Program policy in 18 FAM 201.5, and must coordinate with the Privacy Office to develop a PAS.

5 FAM 466.6  Privacy Training and Awareness

(CT:IM-312;   03-07-2024)

a. All Department workforce members must complete the mandatory course PA318, Protecting Personally Identifiable Information, prior to accessing Department systems and every two years thereafter.  The Privacy Office implements and maintains this course in collaboration with the Foreign Service Institute (FSI).

b. All Department computer users must also satisfactorily complete mandatory course PS800, Cyber Security Awareness, prior to accessing Department systems and annually thereafter.  This course contains a section on privacy awareness to assist Department workforce members with properly protecting PII.

c.  Annual, mandatory role-based privacy awareness training includes:

(1)  IA110, Information System Security Officer Cybersecurity Foundations;

(2)  IA210, System Administrator Cybersecurity Foundations; and

(3)  PC441, Passport and Data Security.

d. Training containing content related to privacy or PII must be submitted to the Privacy Office for review prior to implementation to ensure accuracy of the privacy content in accordance with Department policy and procedures and Federal privacy laws, legal authorities, and guidance.

5 FAM 467  RULES OF BEHAVIOR FOR PROTECTING, MARKING AND HANDLING PERSONALLY IDENTIFIABLE INFORMATION (PII)

(CT:IM-312;   03-07-2024)

5 FAM 467.1  Purpose

(CT:IM-312;   03-07-2024)

a. The rules of behavior must be adhered to by all workforce members to limit the potential for unauthorized disclosure of PII due to the increased risk to an individual if PII is compromised. Exemptions to these rules must be approved by the SAOP.

b. The Federal Information Security Modernization Act of 2014 (FISMA) requires system owners to ensure that workforce members requiring access to information and IT systems, including those containing PII, sign appropriate access agreements prior to being granted access. The access agreement for a system must include rules of behavior tailored to the requirements of the system.

5 FAM 467.2  Requirements

(CT:IM-312;   03-07-2024)

a. Workforce members must adhere to the following to protect PII:

(1)  Only retrieve, review, or search records containing PII when authorized to do so in the performance of official duties and there is a need to do so to accomplish assigned work. (see 5 FAM 474.1)

(2)  Only alter or delete records containing PII when necessary and authorized to do so in the performance of official duties in accordance with record disposition schedules.

(3)  PII may only be disclosed within the Department when the receiving employee has a need to know the information in the performance of official duties.

(4)  PII may only be disclosed outside the Department in accordance with the Privacy Act and other applicable legal authorities. If you are unsure whether PII may be disclosed, consult with L/M.

(5)  Ensure appropriate controls for accessing PII are established on all Department applications so only authorized workforce members with a need to know have access.

(6)  Ensure that PII maintained or in shared electronic or network folders/files can only be accessed by authorized workforce members with a need to know. 

(7)  Adhere to the Department’s Data Management and Governance policies when collecting, using, and/or storing data with PII.  (see 20 FAM 100)

(8)  Adhere to the Department’s Human Capital Data policy when collecting, using, and disseminating demographic data to ensure individual privacy. (see 20 FAM 300)

(9)  Consult with the Privacy Office when artificial intelligence (AI) use cases utilize PII to ensure adherence to privacy laws and policies. (see 20 FAM 201.1)

(10) Consult with the Privacy Office before developing new systems that will collect, use, maintain, or disseminate PII.

(11) Consult with the Privacy Office before developing applications with PII (such as Power Apps) on Department-approved systems (e.g., SharePoint) to ensure adherence to privacy laws and policies.

(12) Mark emails, memorandums, cables, or any other records containing PII as Sensitive But Unclassified (SBU) whenever practical to do so (see 12 FAM 540).  When available, mark as “SBU – Privacy or PII” as a reminder to safeguard the content appropriately.

(13) Only email personal documents (i.e., materials that belong to a workforce member that are not used to conduct agency business) with PII to or from OpenNet with prior authorization from the SAOP.

(14) Protect government-furnished devices in accordance with security requirements in 12 FAM 600.

(15) Use a complex password for unclassified and classified systems and protect passwords and other credentials (e.g., network passwords for specific network applications) in accordance with the requirements stated in 12 FAH-10 H-130 and 12 FAM 632.1-4.

(16) Do not reveal passwords to others or allow others to log on under the user's account.

(17) Lock or log off from the computer before leaving work areas.

(18) Secure paper records with PII in locked containers or rooms approved for storing SBU information. (see 12 FAM 544.1)

(19) Do not leave PII unsecured or unattended in public spaces (e.g., unsecured at home, left in a car, checked baggage, hotel room, etc.).

(20) Process, maintain, and/or transmit PII on secure Federal government systems and/or government furnished devices, except when authorized to use Dedicated Internet Networks (DINs) as defined in 5 FAM 872.2.

(21) Do not maintain or process PII on non-government furnished devices and/or storage media (e.g., personally-owned or contractor-owned computer) unless authorized to do so by the Executive Director or equivalent in accordance with 12 FAH-10 H-173.4.

(22) Comply with 12 FAM 544.3 if a valid business need exists to transmit PII electronically outside the Department’s network via the Internet to avoid exposing the information to unauthorized access.

(23) Only remove or transport PII from a Federal facility when it is essential to the performance of official duties.  If essential, obtain supervisory approval prior to removing the records.  Remove the minimum amount necessary to accomplish the work and return promptly when no longer needed or required.

(24) Use the Department's approved method for the secure remote access of PII on the Department’s network, from any Internet-connected computer meeting the system requirements.  (see 12 FAH-10 H-170)

(25) When faxing PII, include an advisory statement about the contents on the cover sheet and notify the recipient before and after transmission.

(26) When mailing documents with PII via the Department’s Diplomatic Pouch and Mail Service, follow guidance in 14 FAM 720 and 14 FAM 730.

(27) When mailing documents with PII via the U.S. Postal Service or a commercial carrier, secure documents in an opaque envelope or container and mail using a trackable mailing service (e.g., Priority Mail with delivery confirmation, Express Mail).

(28) Destroy paper records with PII by shredding or using burn bags in accordance with the records disposition schedule (see 5 FAM 450 and 12 FAM 540).

b. Contractors and third parties that own and operate systems that create, collect, use, process, maintain, disseminate, disclose, or dispose of information on behalf of the Department must comply with rules of behavior as outlined in the contract or agreement.

c.  In accordance with the Social Security Number Fraud Prevention Act of 2017, reduce the use of Social Security Numbers:

(1)  Social Security Numbers must not be visible on the outside of any document sent by postal mail.

(2)  Social Security Numbers must not be included on any document sent by postal mail unless the Secretary of State determines that inclusion of the number is necessary as authorized by law or required by operational necessity (e.g., interoperability with organizations outside of the Department).

(3)  Where feasible, use techniques such as partial redaction, truncation, masking, encryption, or disguising Social Security Numbers on all documents collecting that information.
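The masking and truncation called for in (3) above is the kind of check a bureau would run over a document before it is printed, mailed, or attached to an email.  The following Python is an added example and is not part of this chapter or of any Department tool; the SSN pattern, the plausibility rules (areas 000, 666 and 900-999, group 00 and serial 0000 are never issued), and the sample text are assumptions made for illustration.  It finds SSN-shaped strings in free text, leaves strings that cannot be a valid SSN alone, and replaces each real match with a truncated form that keeps only the last four digits.

```python
"""Find and mask Social Security Numbers in free text before a document is printed or mailed.

Added example, not part of 5 FAM 467 or of any Department tool.  The matching rules
below are assumptions about what counts as an SSN-shaped string, not Department policy.
"""
import re

# Matches nine digits written as 123-45-6789, 123 45 6789 or 123456789.
# The lookarounds stop the pattern from matching inside a longer digit run
# (for example the first nine digits of a ten-digit phone number).
_SSN_RE = re.compile(r"(?<![\d-])(\d{3})[-\s]?(\d{2})[-\s]?(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask_ssns(text: str, keep_last: int = 4) -> tuple[str, int]:
    """Return (masked_text, count).

    Each plausible SSN is rewritten as XXX-XX-nnnn, keeping only the last
    `keep_last` digits so the document stays matchable to a record without
    exposing the full number.  Non-SSN digit strings are left untouched.
    """
    count = 0

    def _sub(m: re.Match) -> str:
        nonlocal count
        area, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            return m.group(0)  # not an SSN; leave the original text alone
        count += 1
        digits = area + group + serial
        masked = "X" * (9 - keep_last) + digits[9 - keep_last:]
        return f"{masked[:3]}-{masked[3:5]}-{masked[5:]}"

    return _SSN_RE.sub(_sub, text), count


# Constructed sample text for the example; not a real record.
SAMPLE = (
    "Applicant: J. Doe, SSN 219-09-9999, alt 219 09 9999, raw 219099999.\n"
    "Case number 666-12-3456 is not an SSN (area 666 is never issued).\n"
    "Phone 2025551234 must not be touched."
)

if __name__ == "__main__":
    out, n = mask_ssns(SAMPLE)
    print(f"{n} SSN(s) masked")
    print(out)
```

Running the block on the sample masks the three forms of the same SSN to XXX-XX-9999, skips the 666 case number and the phone number, and reports a count of three.  The count is what a mailroom or document-release check would act on: any non-zero value means the unmasked original must not leave the building under (1) and (2) above.  Note that `\s` also matches a newline, so a number split across a line break is still caught.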

5 FAM 467.3  Consequences for Failure to Protect Personally Identifiable Information (PII)

(CT:IM-312;   03-07-2024)

Violations or possible violations of certain requirements described in this section may give rise to personal liability under the Privacy Act.  Specifically, an employee who willfully discloses Privacy Act-protected information to any person or entity not lawfully permitted to receive it, or who willfully maintains a system of records without meeting the Act’s notice requirements, is guilty of a misdemeanor and subject to a fine of not more than $5,000 (5 U.S.C. 552a(i)(1) and (i)(2)).

Violations may also constitute cause for appropriate penalties including but not limited to:

(1)  Referral to the Program Applications Division (DS/IS/APD) for consideration as a potential security incident under 12 FAM 550;

(2)  Administrative action (e.g., removal or other adverse personnel action).  Workforce members will be held accountable for their individual actions.  In certain circumstances, consequences for failure to protect PII or respond appropriately to a data breach could include disciplinary action.  Additionally, such failure could be addressed in employee performance evaluations, contract performance evaluations, or may result in contractor removal.  Supervisors who are aware of a subordinate's data breach involving PII and allow such conduct to continue may also be held responsible for failure to provide effective organizational security oversight; and

(3)  Non-disciplinary action (e.g., removal of authority to access information or information systems) for workforce members who demonstrate egregious disregard or a pattern of error for protecting PII.
