Personally Identifiable Information (PII) & Data Collection

Do you collect contact form data? If so, are you aware that much of that content could possibly be considered personally identifiable information (PII)?  This guide will help navigate PII and Army Regulations and policies.

General Data Collection SOP

Data collected must not be of a sensitive nature or facilitate the gathering of Personally Identifiable Information (PII). Some kinds of data are prohibited from being used or requested in forms or surveys created in the website’s CMS.

PII and Prohibited Information

PII is information which can be used to identify a person uniquely and reliably, including but not limited to name, date of birth, social security number (SSN), home address, home telephone number, home e-mail address, mother’s maiden name, etc. This includes any form of data that may lead to identity theft or any information-related crime.

It is not allowed to create forms that require more than one sensitive item, for example, full name and date of birth. Forms should require at most first names and personal/commercial (non-military) e-mail addresses for identification. Further sending/receiving of personal information should be managed through other means external to the website. Do not place PII on local drives, shared drives, e-mail folders, multi-access calendars, or the Intranet unless it is password protected or encrypted.

Approved Online Form Example

[Image: good-form.jpg]

Example 2:

[Image: Approved Form2.jpg]

Examples of unapproved forms

[Image: badform.jpg]

Collecting Other Data

Other data besides identification or e-mail addresses can be collected with certain restrictions.

Online forms should only collect choices regarding the facility service or event at hand, for example, the time and the number of objects (e.g. equipment, chairs, tables, etc.). If any information is considered sensitive or may cause the facility a problem, such as inventory, include a disclaimer that advises the customer to contact the office by telephone or in person. List your office’s phone number and building location on the form.

Each form must have the proper disclaimer (FOUO and Privacy Act Statements) attached at the top for users to read before filling out any information. The FOUO and Privacy Act Statements can be copied from this document’s appendix and customized to state the specific purpose of collecting data.

Addresses on Forms

When collecting data, .mil addresses or e-mail addresses with a military association should not be published unless they are generic accounts for a program or facility, to avoid exposing a person’s PII. The website can also generate forms that hide the recipient e-mail address; use them when possible. Contact the Web Development Team if you need support on how to create these.

Important: This SOP does not apply to the Webtrac, Rectrac, and CYMS services or their forms of collecting data.

Appendix
For Official Use Only (FOUO) Statement 

SSNs are personal and unique to each individual. Protect them and other PII by adding the FOUO Statement to websites and documents. Within DOD, do not disclose PII to anyone without an official need to know. Outside DOD, do not release any information without the person’s consent.

For Official Use Only: This information may be disseminated within the DOD components and between officials of the DOD components and DOD contractors, consultants, and grantees as necessary in the conduct of official business. FOUO information may also be released to officials in other departments and agencies of the executive and judicial branches in performance of a valid government function. (DoD Directive 5400.11, "Department of Defense Privacy Program," May 8, 2007.)

Privacy Act Statement
When collecting PII from the individual, include the following on the collection form or on a separate form that can be retained by the individual (popularly referred to as the Privacy Act Statement):

Authority: The legal authority, that is, the U.S.C. or Executive Order authorizing the program the business process, system and collection it supports. In general terms, 10 USC 3013 is the overall Secretary of the Army authority, and EO 9397 authorizes use of SSNs.

Principal Purpose: The reason you are collecting the information and what you intend to do with it.

Routine Use(s): Indicate agencies/entities along with where and why the information will be disclosed outside the Department of Defense.

Example: Information you provide will also be furnished to the Department of Veteran Affairs in order to validate authorized benefits.

Disclosure: Voluntary or Mandatory. Disclosure is almost always Voluntary. Use Mandatory only when disclosure is required by law and the individual will be penalized for not providing information. Whether Voluntary or Mandatory, include any consequences of nondisclosure in nonthreatening language.

Example: Furnishing information is Voluntary; however, failure to provide required information will result in disapproval of your training request.

The Privacy Act Statement is not required if PII is not collected.

Printed Materials and FAX Machines

Within your office files, maintain only information about an individual that is relevant and necessary to accomplish your mission.

  • Verify printer location prior to sending a document containing PII to the printer, and promptly pick up all copies of the documents as soon as they are printed.
  • Locate your office FAX machine in a secure location, away from foot traffic and unauthorized personnel.
  • Ensure all printed documents with PII are properly marked with “FOUO – Privacy Sensitive.”
  • Use DD Form 2923, “Privacy Act Data Cover Sheet,” for all documents containing PII.

Personally Identifiable Information (PII)

IMCOM MWR Enterprise Web is an Army website that conforms to regulations regarding Personally Identifiable Information (PII). Garrison MWR websites on this system will not publish what the Army considers PII. This includes an individual’s:

  • Name
  • E-mail address
  • Postal home address
  • Personal telephone numbers
  • Social Security Number
  • Family information within personal biographies
  • Photographs
  • Personal schedules
  • Rank
  • Official title
  • Rosters with names
  • Telephone directories with names
  • Charts with names
  • Pay information
  • Marital status
  • Names, gender or number of dependents

Online forms developed in the Enterprise Web may not contain more than 2 personally identifiable items. Please refer to "General Data Collection SOP" for specific guidance.

Government employees and contractors who have access to work on the IMCOM MWR Enterprise Web must complete the Web Content and OPSEC Certificate Training Course and be able to provide the Web Team with their certificate.

This required training is located at https://iatraining.us.army.mil/ and is entitled Web Content and OPSEC Certification.

Download and view Army policies and OPSEC training screenshots regarding the use of PII on the web and consequences of violating them:

[Image: Army.jpeg]
