NSF Breach of Personally Identifiable Information (PII) Policy
Data Classification: Data is organized into three distinct levels:
Level 1 - Public Data: not restricted or internal data, disclosure does not pose risk to the institution. Examples include marketing materials, business addresses, public web sites.
Level 2 - Internal Data: data of limited access, disclosure may pose risk to the institution. Examples include budget information, research and manuscripts, payroll and employment documentation, donation and giving records.
Level 3 - Restricted Data: data of regulated access, disclosure may result in harm to individuals or the institution. Examples of regulated data elements include social security number (PII), driver’s license number (PII), passport ID (PII), tax ID (PII), health information (HIPAA), class schedule (FERPA), academic actions (FERPA), grades or transcripts (FERPA), and payment card data (PCI DSS).
PII: Personally Identifiable Information
HIPAA: Health Insurance Portability and Accountability Act
FERPA: Family Educational Rights and Privacy Act
PCI DSS: Payment Card Industry Data Security Standard
The Principal Investigator (PI) is the lead faculty member on an externally-funded project and is the primary individual responsible for an external grant.
May 14, 2018 NSF Research Terms and Conditions (PDF) Article 36. Breach of Personally Identifiable Information:
Grantees that use or operate a Federal information system or create, collect, use, process, store, maintain, disseminate, disclose, or dispose of Personally Identifiable Information (PII) within the scope of an NSF award, must have procedures in place to respond to a breach of PII. These procedures should promote cooperation and the free exchange of information with NSF, as needed, to properly escalate, refer and respond to a breach. Grantees will notify NSF upon learning that a breach of PII within the scope of an NSF award has occurred.
This policy seeks to ensure compliance with the National Science Foundation Research Terms and Conditions, effective March 1, 2018, which requires grantees to have procedures in place to respond to a breach of personally identifiable information (PII) and advise NSF in the event of such a breach within the scope of an NSF award.
Effective March 1, 2018, the National Science Foundation requires grantees to have procedures in place to respond to a breach of personally identifiable information (PII) and advise NSF in the event of such a breach within the scope of an NSF award.
Any suspected breach of personally identifiable information that occurs within the context or scope of an NSF award, should be reported immediately to the Director of Sponsored Programs (email@example.com) and to Davidson Technology & Innovation (firstname.lastname@example.org). These offices will validate the scope and nature of the incident and will follow up with appropriate actions.
Administration of Policy
The Director of Sponsored Programs shall oversee this policy and review it at least once every two years. Changes to this policy shall be made in accordance with the college’s Policy on Policies.
Related Davidson College Policies: Policy and Procedure for Responsible Conduct of Research
Date of Adoption: September 14, 2018
Last Updated: September 14, 2018
Last Reviewed: November 7, 2019