Overview of Handling and Protecting Personally Identifiable Information (PII)

Handling and safeguarding PII maintained and used by FRTIB personnel is necessary to ensure the trust of TSP participants and beneficiaries. Privacy Act requests involving participants who request TSP account-specific information are administered by a division within FRTIB’s Office of Participant Services. In an effort to protect PII, FRTIB’s Information Technology Security Management Division has deployed a data loss prevention (DLP) tool to enhance the security of FRTIB’s most critical asset: PII. FRTIB’s DLP enhances privacy protections for PII and helps to reduce breaches. The Privacy Division has also published a PII Handling Policy, which details how to identify and safeguard PII.

Recognizing PII

PII refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual, such as information relating to TSP participants and their beneficiaries or individual FRTIB employees or contractors. Sensitive PII is PII that, if lost, compromised, or disclosed without authorization, could result in harm, embarrassment, inconvenience, or unfairness to an individual.

It is always important to consider the context in which the information is used when determining the level of sensitivity. The same types of information can be sensitive or non-sensitive depending on the context. For example, a list of employee names and phone numbers is far less sensitive than a list of the names and phone numbers of employees who are being treated for a particular disease.

The following types of PII are considered sensitive when associated with an individual:

Minimizing the Collection of PII

FRTIB complies with the Privacy Act’s requirement to limit the collection of PII from individuals. FRTIB maintains only relevant and necessary information about individuals, in accordance with a legally authorized purpose. FRTIB also complies with the Office of Management and Budget (OMB) Circular A-130, Managing Information as a Strategic Resource, which directs agencies to eliminate unnecessary collections, maintenance, and uses of Social Security numbers (SSN).

FRTIB’s Privacy Division maintains an inventory of PII holdings and uses the PTA, PIA, and SORN processes to identify methods to further reduce the data the Agency collects and to ensure, to the maximum extent practicable, that such holdings are accurate, relevant, timely, and complete. Moreover, FRTIB’s SAOP ensures FRTIB minimizes the collection and use of participant information contained on TSP forms and correspondence.

Handling and Transmitting PII

FRTIB requires strict handling guidelines for employees and contractors who handle PII due to the nature of the data and the increased risk to an individual if data were to be compromised. Methods for properly handling PII include, but are not limited to, the following, and must be done in accordance with FRTIB’s approved records schedules:

Sensitive PII may be distributed or released to other individuals only if: (1) it is within the scope of the recipient’s official duties; (2) the recipient has an official, job-based need to know; (3) the distribution is done in accordance with a legitimate underlying authority (e.g., a routine use to a SORN); and (4) sharing information is done in a secure manner. When in doubt, FRTIB employees must treat PII as sensitive and must keep the transmission of sensitive PII to a minimum, even when it is protected by secure means.

Other ways for communicating, sending, and receiving sensitive PII include: