2. Protect hard copy Sensitive PII: Do not leave Sensitive PII unattended on desks, printers, fax machines, or copiers.
Secure Sensitive PII in a locked desk drawer, file cabinet, or similar locked enclosure when not in use. When using
Sensitive PII, keep it in an area where access is controlled and limited to persons with an official need to know.
Avoid faxing Sensitive PII, if at all possible.
3. Proper use of the U.S. mail to share Sensitive PII: Encrypt Sensitive PII stored on CDs, DVDs, hard drives, USB flash
drives, floppy disks, or other removable media prior to mailing or sharing. Note: FOIA requests may require different
handling instructions.
a. Within DHS: Sensitive PII should be mailed in blue messenger envelopes furnished by your onsite DHS
mailroom or courier. Verify that the recipient received the information.
b. External mail: Seal Sensitive PII in an opaque envelope or container, and mail using First Class or Priority
Mail, or a traceable commercial delivery service (e.g., UPS or FedEx).
4. Safeguard DHS media: Sensitive PII may only be saved, stored, or hosted on DHS-approved portable electronic
devices (PEDs), such as laptops, USB flash drives, and external hard drives, all of which must be encrypted as noted
in DHS Sensitive Systems Policy Directive 4300A. Personally-owned computers or USB flash drives may not be used.
Note: If you need to transport your laptop or PED and must leave it in a car, lock it in the trunk so that it is out of
sight. Do not leave your laptop or PED in a car overnight. If it is stolen or lost, report it as a lost asset following your
component reporting procedures.
5. Making electronic copies of Sensitive PII: In some instances, it may be appropriate to create new spreadsheets or
databases that contain Sensitive PII from a larger file or database. Before doing so, however, please consult
Attachment S1 to the DHS Sensitive Systems Policy Directive 4300A.
6. Posting Sensitive PII to web sites and shared drives: Do not post Sensitive PII on the DHS intranet, the Internet
(including social networking sites), shared drives, or multi-access calendars that can be accessed by individuals who
do not have a “need to know.”
7. Social engineering/phishing: Be alert to any phone calls or emails from individuals claiming to be DHS employees
and attempting to get personal or non-public information or asking to verify such information about you. DHS will
not ask you to verify or confirm your account login, password, or personal information by email or over the phone.
8. Sharing account logins and/or passwords: Do not share account information, especially logins or passwords, with
anyone. Do not have login or password information accessible to others (e.g., on a sticky note on your computer).
Disposition of Sensitive PII
Sensitive PII, including that found in archived emails, must be disposed of when no longer required, consistent with the
applicable records disposition schedules. If destruction is required, take the following steps:
• Shred paper containing Sensitive PII; do not recycle or place in garbage containers. Be especially alert during
office moves and times of transition when large numbers of records are at risk.
• Before transferring your computer or PED to another employee, ask your Help Desk to sanitize Sensitive PII from
computer drives and other electronic storage devices according to your component’s information security
standards or DHS 4300A Sensitive Systems Handbook.
Report Privacy Incidents
You must report all privacy incidents, whether suspected or confirmed, to your supervisor immediately. If your
supervisor is unavailable, or if there is a potential conflict of interest, report the incident to your Program Manager, Help
Desk, component privacy officer or privacy point of contact. To obtain more information on privacy incident reporting,
download the Privacy Incident Handling Guidance on DHS Connect.
For More Information
To obtain more detailed guidelines on the safe handling of Sensitive PII, download the Handbook for Safeguarding
Sensitive PII on DHS Connect, or email privacy@dhs.gov to request a copy.
MAY 2011
Website: www.dhs.gov/privacy Email: privacy@dhs.gov Phone: 703-235-0780