
Safeguarding PII is everyone’s responsibility

  • By Lt. Col. Corey Ramsby
  • 375th Communications Squadron commander
What is Personally Identifiable Information, or PII? It is information about an individual that identifies or describes them, e.g., a social security number, age, rank/grade, marital status, race, home/office phone numbers and other demographic, biometric, personnel, medical, and financial information.

The release of PII to unauthorized individuals places members at risk for identity theft and potential cybercrimes. This can also threaten the operational integrity of our government networks through phishing schemes and other malicious activity. In the past two months alone, there have been several breaches affecting thousands of personnel in Air Mobility Command. The SSN is the most misused piece of personal information in these violations. As with all PII, it should only be used when necessary, and if so, properly protected when storing or sending.

As a result of the increasing personal and government risks, senior leaders in the Air Force are engaging on the issue. The Undersecretary of the AF, John Fanning, said in a recent memo, "Safeguarding PII is everyone's responsibility. We must have zero tolerance for failing to adhere to Air Force policies and guidance, and I echo the Air Force Chief Information Officer's call for greater diligence in managing PII. I expect all commanders to ensure that our Airmen understand the requirements, maintain awareness and comply with standards for sustained protection of PII across our force."

One of the most prevalent ways a PII breach occurs is through the use of email. In August 2012, Lt. Gen. Michael Basla, AF chief information officer, said, "To safeguard PII, sending PII to a personal e-mail account is strictly prohibited. All emails containing PII or other sensitive information must be encrypted. When encryption is not used, there is always the potential for compromise and possible targeting by hackers and identity thieves. The unnecessary compromise of PII exposes risk to individuals and the Air Force."

To help enforce PII rules, 24th Air Force monitors e-mail being sent from .mil to .com accounts. When violations are discovered, government accounts are being locked until members are retrained and have a reactivation request signed by the first O-6 in their chain of command.

Unfortunately, automated tools alone cannot prevent PII breaches. It is our shared responsibility to protect each other's information.

If you have any questions or need to report suspected loss, theft or compromise of PII, immediately contact your unit Privacy Act Monitor and the Wing Privacy Act Manager, Patricia M. Feist, at 256-3210/5004. AMC users can also get additional information by clicking on their desktop "Help" button.


Common rules for handling PII


E-mail

· Ensure there is an official need for the recipients to receive the information.

· Place FOUO in the subject line and use the Privacy Act statement: "This e-mail contains FOR OFFICIAL USE ONLY (FOUO) information which must be protected under the Freedom of Information Act (5 U.S.C. 552) and/or the Privacy Act of 1974 (5 U.S.C. 552a). Unauthorized disclosure or misuse of this PERSONAL INFORMATION may result in disciplinary action, criminal and/or civil penalties. Further distribution is prohibited without the approval of the author of this message unless the recipient has a need to know in the performance of official duties. If you have received this message in error, please notify the sender and delete all copies of this message."

· Encrypt and digitally sign the e-mail. If it cannot be encrypted, put the PII in a document to be attached and password protect the document.

Electronic Information Management

· Ensure PII stored on EIM or shared drives is required for day-to-day operations and is accessible only to individuals who have an official, valid "need-to-know."

· Remove PII maintained within SharePoint or equivalent software programs when no longer needed for daily operations.

Physical copies

· In an office environment, documents containing Privacy Act information should have a proper cover sheet and be placed in an out-of-sight location.