NSF and NIH Breach of Personally Identifiable Information (PII) Policy

Background

Protecting the identity of those who take part in research, whether as research subjects or as others who contribute to research in other ways, is a critical obligation of all researchers. For federal grant recipients, NSF and NIH have key requirements to protect personally identifiable information (PII). Those requirements define the obligations of Davidson, the PI, and all key personnel when PII has been disclosed without the permission of research participants (i.e., a breach of PII).

Purpose 

This policy seeks to ensure compliance with the NSF and NIH Terms and Conditions which require grantees to have procedures in place to respond to a breach of personally identifiable information (PII) and advise NSF and NIH in the event of such a breach.

Policy

This policy addresses the requirements of both NSF and NIH to protect PII. PIs and all personnel working on a federally funded project must keep all research records on Davidson’s computer systems, and must not keep any research records on personal devices or accounts (e.g., personal Gmail). Keeping such records on a personal device or account is not only a violation of the College’s policies and of the conditions of federal grants, but also makes PII breaches harder to remedy if they take place.

Examples of data breaches include, but are not limited to:

  • Loss/theft of device/computer/server storing PII or documents with PII
  • Hacking of device/computer/server storing PII including any suspected malware or ransomware infection of device
  • Insecure electronic transmission of PII (e.g. using email to transmit confidential information)
  • Loss/theft of passwords or password-storing software
  • Insecure or unauthorized disposal of devices/computers or documents with PII
  • Loss/theft of hard-copy documents that contain PII (e.g., theft of signed consent forms or inappropriate disposal of such documents)

NSF:

Effective January 30, 2023, the National Science Foundation requires grantees to have procedures in place to respond to a breach of personally identifiable information (PII) and advise NSF in the event of such a breach within the scope of an NSF award. See NSF Research Terms and Conditions (PDF) Article 38. Breach of Personally Identifiable Information (January 30, 2023).

NIH:

Similar to NSF’s requirements, NIH’s grant terms require that institutions like Davidson notify NIH’s Division of Compliance Management (DCM) when a breach of PII has taken place. Disclosure to NIH is required only for data or research records funded through NIH grant awards; those include all types of awards, such as R, K, and P.

Further information about the considerations and steps for disclosure to NIH: https://oma.od.nih.gov/DMS/Pages/Privacy-Program-Privacy-Incidents-and-Breach-Response.aspx

PI and Key Personnel Obligations:

Any suspected breach of personally identifiable information that occurs within the context or scope of an NSF or NIH award (e.g., loss of a laptop that contains human subjects’ data, or loss of an informed consent form signed by a subject) should be reported immediately to the Director of the Office of Sponsored Programs and to Davidson Technology & Innovation (ti@davidson.edu). These offices will validate the scope and nature of the incident and will follow up with appropriate actions.

Grantees (i.e., Davidson, Davidson researchers and key personnel) who create, collect, use, process, store, maintain, disseminate, disclose, or dispose of Personally Identifiable Information (PII) within the scope of an NSF or NIH award must have procedures in place to respond to a breach of PII. These procedures should promote cooperation and the free exchange of information with NSF, as needed, to properly escalate, refer and respond to a breach. Grantees will timely notify NSF and NIH upon learning that a breach of PII within the scope of an NSF award has occurred. At Davidson, this notification is made by the Sponsored Programs office. The responsibility of a PI is to immediately contact Sponsored Programs and Technology & Innovation if they believe that a breach has occurred or probably has occurred.

Definitions

Data Classification: Data is organized into three distinct levels:

Level 1 - Public Data: data that is neither restricted nor internal; disclosure does not pose a risk to the institution. Examples include marketing materials, business addresses, and public web sites.

Level 2 - Internal Data: data of limited access; disclosure may pose a risk to the institution. Examples include budget information, research and manuscripts, payroll and employment documentation, and donation and giving records.

Level 3 - Restricted Data: data of regulated access; disclosure may result in harm to individuals or the institution. Examples of regulated data elements include social security number (PII), driver’s license number (PII), passport ID (PII), tax ID (PII), health information (HIPAA), class schedule (FERPA), academic actions (FERPA), grades or transcripts (FERPA), and payment card data (PCI DSS).

PII: Personally Identifiable Information

Examples of PII include:

  • Name for purposes other than contacting federal employees

  • Photographic identifier

  • Fingerprint/voiceprint

  • Vehicle identifier

  • Personal mailing/phone/email address

  • Medical record number

  • Medical notes 

Examples of Sensitive PII:

  • Social Security Number

  • Driver’s License Number

  • Personal Health Information (PHI)

  • Certificates, legal documents

  • Device identifiers, web URL

  • IP address (when collected with regard to a particular transaction)

  • Military status

  • Foreign activities

  • Identifier that identifies, locates or contacts an individual

  • Identifier that reveals activities, characteristics or details about a person

  • Alien Registration Number

  • Financial Account Number

  • Biometric Identifiers

It should be noted that PII is not necessarily HIPAA-protected Personal Health Information.

HIPAA: Health Insurance Portability and Accountability Act

FERPA: Family Educational Rights and Privacy Act

PCI DSS: Payment Card Industry Data Security Standard

The Principal Investigator (PI) is the lead faculty member on an externally-funded project and is the primary individual responsible for an external grant.

Administration of Policy

The Assistant Dean for Research Development / Director of Sponsored Programs shall oversee this policy and review it at least once every three years. Changes to this policy shall be made in accordance with the college’s Policy on Policies.

Related Davidson College Policies: 

Other Related Policies:

Date of Adoption: September 14, 2018
Last Updated: April 26, 2023
Last Reviewed: June 27, 2024