June 22, 2018

NSF Procedures for Breach of Personally Identifiable Information (PII)

The National Science Foundation Research Terms and Conditions (effective March 1, 2018) require recipients of NSF funding to protect Personally Identifiable Information within the scope of an NSF award. Article 35 states:

“Grantees that use or operate a Federal information system or create, collect, use, process, store, maintain, disseminate, disclose, or dispose of Personally Identifiable Information (PII) within the scope of an NSF award, must have procedures in place to respond to a breach of PII. These procedures should promote cooperation and the free exchange of information with NSF, as needed to properly escalate, refer and respond to a breach. Grantees will notify NSF upon learning that a breach of PII within the scope of an NSF award has occurred.”

“Personally Identifiable Information” can generally be defined as any information/data that could potentially be used to identify a specific individual. Examples include, but are not limited to, names, SSNs, driver’s license numbers, medical information, etc. A “breach” of Personally Identifiable Information can be defined as a security incident in which sensitive, protected or confidential data is suspected to have been copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. More information on Personally Identifiable Information can be found on the Committee for Protection of Human Subjects (CPHS) website.

Any suspected breach of Personally Identifiable Information that occurs within the context of an NSF-supported research or training grant or contract should be reported to the director of the Sponsored Projects Office (plfmiller@berkeley.edu) and to Berkeley Information Security. This office will validate the scope and nature of the incident and will follow up with an Incident Response Plan.

If the breach includes Personally Identifiable Information that is collected as part of an IRB approved research study or participants or trainees in an NSF Training Grant, the Office for Protection of Human Subjects (OPHS) also should be contacted as soon as possible.

We want to remind all human subjects researchers that, under the context of an IRB approved protocol, a Personally Identifiable Information breach would constitute an adverse event/unanticipated problem (loss of confidentiality) which would have to be reported to the IRB office within 7 calendar days of the Principal Investigator’s knowledge of the incident (with a formal report submitted within 14 calendar days).

Examples of data breaches include, but are not limited to:
  • Loss/theft of device/computer/server storing PII or documents with PII
  • Hacking of device/computer/server storing PII including any suspected malware or ransomware infection of device
  • Insecure electronic transmission of PII (e.g. using email to transmit confidential information)
  • Loss/theft of passwords or password storing software
  • Insecure or unauthorized disposal of devices/computers or documents with PII

For more information about protecting the confidentiality of UC information and data please go to the UC Berkeley Information Security and Policy website.

June 01, 2018

NSF Proposal & Award Policy Newsletter: Latest Edition

Below is a message from Jean Feldman, Head of the National Science Foundation Policy Office, on June 1, 2018. Topics inside the new May 2018 edition of the NSF Proposal & Award Policy Newsletter are:
  • Draft PAPPG posted in Federal Register,
  • Proposal Submission via Research.gov,
  • New Account Management System,
  • Revision of NSF Terms and Conditions,
  • Public Access Expansion Repository, and
  • Faculty Compensation Reminder.

Dear Colleagues:

The Policy Office in the Division of Institution & Award Support at the National Science Foundation is pleased to release the latest edition of the NSF Proposal & Award Policy Newsletter.

You may sign up to receive this newsletter automatically via NSF Update. This mechanism allows you to choose to be notified about NSF programs, policies and events. To do this, navigate to www.nsf.gov, and click on the envelope icon in the “Follow Us” section of the website. After entering your e-mail address, you can select the topics you’re interested in learning about. To receive this newsletter, check the boxes for Newsletters/ Journals and Publications: Policies and Procedures.

We hope that you will find the information in this latest edition to be useful. If you have ideas for future topics to be addressed in the newsletter, please send them to policy@nsf.gov.

Best,

Jean

Jean Feldman
Head, Policy Office
Division of Institution & Award Support
National Science Foundation