Office of the Chief Information Officer: Rosio Alvarez
LBNL Privacy Resource Center
LBNL takes seriously the responsibility to appropriately protect the private information we are entrusted with. While most of our work is open and publishable, there are categories of operational and research information which must be protected according to Federal and State Law, as well as our own good judgment.
If you are concerned about information security because you process personally identifiable information (names or other identifiers matched with social security numbers or account numbers), personal health information (names or other identifiers matched with health data), or other LBNL protected information, your best resource is to take the online training linked below. Then work with your line management and any necessary subject matter experts to take appropriate steps to secure the information under your control. If you need additional assistance or guidance, please contact itpolicy@lbl.gov.

DANGER: Social Security Number, Driver's License #, Financial Account Number

Baseline Responsibilities

You may not collect and store Protected Information at LBNL, including Social Security Numbers, Personally Identifiable Health Information, Driver's License Numbers, or Financial Account Numbers, without prior authorization from the Computer Protection Program.

When approved, this information may only be stored in Institutional Business Systems at LBNL (HRIS, FMS, etc.). Note: eroom, email, calendar, and other non-business systems are not acceptable means for transmitting, sharing, or storing this information.

If there is a business need to store this information outside of the business systems, a security plan must be created and approved by your line management and by the Computer Protection Program manager.

Your local workstation may not store collections of any of the above kinds of information.

Your local workstation may process transient instances (not collections) of protected information, but you must take steps to ensure that the information is deleted in a timely manner. You must also ensure that your workstation does not contain multiple instances of this kind of information.

Paper collections and instances of PII must be protected and managed. Generally, paper instances should be minimized and paper collections should be protected with physical access measures. Paper instances and collections should be destroyed by shredding when they are no longer needed to support the work of the Laboratory or meet archiving requirements.

If you identify a business process that results in the collection of Protected Information outside of the business systems, please report it to itpolicy@lbl.gov.

It is your responsibility to ensure that appropriate controls are placed on all information collection at LBNL. Security is a line management responsibility.

Recognizing and Protecting Private Information

Important: SB1386 and HIPAA Information Defined
This page and all subsequent pages are covered by the University's Privacy and Security Notice and Policies.