June 22, 2018

NSF Procedures for Breach of Personally Identifiable Information (PII)

The National Science Foundation Research Terms and Conditions (effective March 1, 2018) require recipients of NSF funding to protect Personally Identifiable Information within the scope of an NSF award. Article 35 states:

“Grantees that use or operate a Federal information system or create, collect, use, process, store, maintain, disseminate, disclose, or dispose of Personally Identifiable Information (PII) within the scope of an NSF award, must have procedures in place to respond to a breach of PII. These procedures should promote cooperation and the free exchange of information with NSF, as needed to properly escalate, refer and respond to a breach. Grantees will notify NSF upon learning that a breach of PII within the scope of an NSF award has occurred.”

“Personally Identifiable Information” can generally be defined as any information/data that could potentially be used to identify a specific individual. Examples include, but are not limited to, names, SSNs, driver’s license numbers, medical information, etc. A “breach” of Personally Identifiable Information can be defined as a security incident in which sensitive, protected or confidential data is suspected to have been copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. More information on Personally Identifiable Information can be found on the Committee for Protection of Human Subjects (CPHS) website.

Any suspected breach of Personally Identifiable Information that occurs within the context of an NSF supported research or training grant or contract, should be reported to the director of the Sponsored Projects Office (plfmiller@berkeley.edu) and to Berkeley Information Security. This office will validate the scope and nature of the incident and will follow up with an Incident Response Plan.

If the breach includes Personally Identifiable Information that is collected as part of an IRB approved research study or participants or trainees in an NSF Training Grant, the Office for Protection of Human Subjects (OPHS) also should be contacted as soon as possible.

We want to remind all human subjects researchers that, under the context of an IRB approved protocol, a Personally Identifiable Information breach would constitute an adverse event/unanticipated problem (loss of confidentiality) which would have to be reported to the IRB office within 7 calendar days of the Principal Investigator’s knowledge of the incident (with a formal report submitted within 14 calendar days).

Examples of data breaches include, but are not limited to:
  • Loss/theft of device/computer/server storing PII or documents with PII
  • Hacking of device/computer/server storing PII including any suspected malware or ransomware infection of device
  •  Insecure electronic transmission of PII (e.g. using email to transmit confidential information) · Loss/theft of passwords or password storing software
  •  Insecure or unauthorized disposal of devices/computers or documents with PII
For more information about protecting the confidentiality of UC information and data please go to the UC Berkeley Information Security and Policy website.