Handling Sensitive Data

The Department of Health and Human Services (HHS) manages all data collected by NIOSH employees and contractors under the EEOICPA (the Act). This includes data obtained from the Department of Energy (DOE) and its contractors. Some of this data may be sensitive in nature.

NIOSH is committed to protecting the personal information of our claimants and others involved in the program, as well as data important to our country’s safety.

NIOSH employees and contractors follow data storage and handling plans, procedures, policies, and regulations to safeguard these types of information:

  • Controlled unclassified information—any unclassified information that, if improperly disclosed, modified, or deleted, could adversely affect the national interest, the conduct of federal initiatives, or the privacy of individuals
  • Classified information—information available only to authorized people, for reasons of national security
  • Personally Identifiable Information (PII)—information that can be used to distinguish or trace an individual’s identity (such as a name, Social Security number, or date of birth)

Controlled Unclassified Information

Controlled unclassified information has relative sensitivity and requires protection because of statutory or regulatory restrictions.

Examples of Controlled Unclassified Information:

  • Unclassified Controlled Nuclear Information (UCNI): certain unclassified but sensitive government information concerning nuclear material, weapons, and weapons components. The dissemination of such information is controlled under Section 148 of the Atomic Energy Act of 1954 and it must be protected from release to the general public.
  • Official Use Only (OUO): unclassified information that is confidential (that is, cannot be discarded in the open trash, made available to the general public, or posted on an uncontrolled website). It can, however, be shared with individuals on a need-to-know basis. The public release of this information has the potential to damage governmental, commercial, or private interests by making it available to persons other than those who need it to perform their jobs or other contractual obligations. This information must be protected from public release and must fall under at least one of the Freedom of Information Act (FOIA) exemptions.
  • Export Controlled Information (ECI): information that is not necessarily classified but does require a technology export license or authorization. DOE requires an ECI review before public release of information.

Controlled unclassified information requires a degree of protection because inadvertent or deliberate misuse, alteration, disclosure, or destruction could adversely affect national security or other governmental interests (such as program-critical information or controlled scientific and technical information, which might include computer programs used to process such information).

The NIOSH policy document OCAS-PLCY-0001: Handling Controlled Unclassified Information [74 KB (17 pages)] details the handling of controlled unclassified information.

The policy covers these topics:

  • access (such as authorized individuals, eligibility)
  • use (such as authority to use the information per the Act)
  • protection requirements (such as encryption, passwords)
  • reproduction (such as printing, copying)
  • transmission (such as by mail, email, phone, hand)
  • storage (such as locked buildings, rooms, file cabinets, desks, bookcases)
  • destruction (document disposal such as shredding)

Classified Information

Classified information is available only to authorized NIOSH employees and contractors. NIOSH uses unclassified information as much as possible to evaluate exposure potential or to develop models for dose reconstructions.

However, classified information is used when necessary and appropriate, such as:

  • when information is missing and there are no other unclassified sources for it
  • when information from unclassified sources is incomplete, unsubstantiated, implausible, or inadequate; lacks data integrity; or is plainly erroneous

The NIOSH policy document DCAS-IG-005: Use of Classified Information [184 KB (10 pages)] details the criteria for the use of classified information.

The policy covers topics such as:

  • when classified information is necessary and appropriate
  • data capture guidelines for both classified and unclassified information
  • hierarchy of data sources used in dose reconstruction
  • Advisory Board’s handling of classified information
  • handling classified information in the Special Exposure Cohort (SEC) petition process

Department of Energy Review for Classified and Controlled Unclassified Information

NIOSH requests information from DOE to complete dose reconstructions. DOE understands that NIOSH employees and contractors need to have access to classified and controlled unclassified information, but ensures that the requests are necessary and appropriate. DOE also ensures that classified and controlled unclassified information critical to our national security is kept safe.

DOE developed a plan for such purposes, detailed in the U.S. Department of Energy Office of Health, Safety and Security – Security Plan for the Energy Employees Occupational Illness Compensation Program.

This plan serves to:

  • identify the security roles and responsibilities of DOE, DOL (Department of Labor), and NIOSH employees and their contractors;
  • describe the security procedures to be followed by all parties; and
  • establish processes for resolving security issues as they arise.

The DOE/HSS Security Plan balances the need for protecting classified and controlled unclassified information with the need to fairly settle compensation cases. DOE declassifies, decontrols, redacts, and reviews documents as necessary per this security plan and the document-handling procedures described below.

NIOSH’s Department of Energy Classification Review of Documents

The NIOSH Department of Energy Classification Review of Documents [38 KB (6 pages)] outlines the steps required to coordinate the review of documents by a DOE classification office.

The procedure applies to all documents associated with covered DOE and atomic weapons employer (AWE) work sites under the Act, such as the following:

  • Technical Basis Documents
  • Site Profiles
  • SEC Evaluation Reports
  • Meeting minutes
  • Personal interviews

NIOSH’s Data Access and Interview Procedures

The NIOSH/OCAS-PR-010: Data Access and Interview Procedures [301 KB (14 pages)] outlines the steps required to coordinate and submit data requests to DOE and to conduct interviews. Interviews of current and former workers are sometimes necessary to understand work practices and radiation monitoring. The document also outlines steps to ensure the protection of sensitive information during reviews.

Privacy Act and Personally Identifiable Information (PII)

The Privacy Act of 1974 protects records that contain personally identifiable information (PII). NIOSH protects all PII per Office of Management and Budget (OMB) guidelines, regulations, and policies.

PII can be used to distinguish or trace an individual’s identity and includes the following:

  • Name
  • Social Security number
  • Date and place of birth
  • Mother’s maiden name
  • Biometric records

The Privacy Act serves to:

  • prohibit disclosure of PII records without the written consent of the individual (unless one of the 12 disclosure exceptions applies)
  • govern the Federal government’s
    • collection,
    • usage,
    • dissemination, and
    • storage of PII.
  • focus on protecting the rights of individuals, such as the right to:
    • access their records,
    • request amendment of incorrect records, and
    • find out how their information is being used.
  • bind only Federal agencies (that is, it covers only records in the possession and control of Federal agencies).

More information on the Privacy Act and its administration at NIOSH can be found on the HHS FOI/Privacy Acts Division Website.

Protection of Information during Transmission

The following requirements apply to data transmitted between agencies:

  • Data stored on removable media (CD, DVD, USB flash drives, etc.) must be protected using certified encryption products.
  • Passwords must meet the current password requirements.
  • Removable media must be sent by express overnight service with required signature and tracking.
  • Data files containing PII that are being sent by e-mail must be encrypted with certified encryption products.
  • Passwords used to encrypt data files must be sent separately from the encrypted data files (in a separate e-mail, telephone call, or letter).
  • Websites established for submission of information that includes PII must use certified encryption methods.
  • Remote access to systems and databases that contain PII must require two-factor authentication for logon access control.

In addition to other reporting requirements, the loss or suspected loss of PII must be reported immediately upon discovery.

More information on protecting PII can be found in the following Memorandum of Understanding documents concerning DOE and DOL.