In case you hadn’t noticed, the amount of personal data surfacing on the internet is exploding.
The same is true of the amount of information about your Federal grant.
Since the current grant regulations were written back in the days of big hair and even bigger “brick” cell phones, no one even considered protecting information on the internet at that time.
Today, the risk of exposing sensitive information is a very real threat.
This is the reason why protecting sensitive information is now part of the new grant regulations being implemented in 2014.
Can We Really Trust the Feds to Protect Personally Identifiable Information?
Even the Feds know that they can’t do it all.
And that’s why they are addressing the whole concept of protecting certain types of information in the new “Super Circular.”
Simply put: They aren’t going to do it for you.
You, as a grant recipient, must have the systems in place to ensure sensitive and protected personally identifiable information is not disclosed, either on purpose or accidentally.
Think about it.
When’s the last time you considered what data is contained in your proposals, reports, project descriptions, and certifications that can be used to identify individuals?
Warning: Sensitive Information Is More than Credit Card Information
The new grant regulations define a wide variety of protected personally identifiable information (PII) that you now have the responsibility to keep from prying eyes.
We all know the common ones like social security numbers and credit card information, but here are some you may not have considered:
• Security clearance
• Bank numbers
• Place of birth
• Mother’s maiden name
• Criminal history
• Medical records
• Educational transcripts
• Financial records
• Passport number
Any information that can be used to track an individual’s identity is personally identifiable information.
Public vs. Protected Information: How to Tell the Difference
Sometimes personally identifiable information is already in the public realm through websites, phone listings, and professional networking sites.
This can include things like:
• Work telephone
• General academic credentials
So what distinguishes public information from the type of information that you need to protect as a grantee?
It all comes down to how the information can be combined.
In other words, if the public information can be paired with sensitive information to identify someone personally, you may have a problem.
3 Ways to Safeguard Protected Personally Identifiable Information
The new grant regulations explicitly move the duty to safeguard protected personally identifiable information into the internal control requirements for your non-Federal entity.
This change in grant guidance moves up the importance and scope of internal control into the mainstream of grant management.
Here are three ways to safeguard protected PII:
Identify Where It Exists
The first step is to identify where protected personally identifiable information exists.
From a Grant Manager’s laptop to the Human Resources spreadsheets contained on a server, where does sensitive data reside at your organization?
Educate Staff about the Risks and Responsibilities
The next step is to make sure that there is broad understanding among your personnel about the risks of disclosure and the responsibilities for protection of these types of sensitive information.
Everyone from the IT department to the President should be instructed about this additional duty of care contained in the new grant regulations.
It also helps to have a central point of contact within the organization for when questions arise about specific risks and responsibilities.
Monitor Reporting and Protect Data
Next, the recipient needs to be alert when submitting information electronically so that sensitive information is not included unless required.
And realize that wherever protected information exists, the data needs to be secured and safeguarded.
• Could a misplaced laptop put the organization at risk because there was a spreadsheet on it containing protected information?
• Are there protocols in place to prevent malicious hacking or disclosure?
2014 is the year the Federal government requires grant recipients to actively protect personally identifiable information.
Don’t ignore the risks!
Lucy Morgan CPA, MBA
CEO, Compliance Warrior
Author of “Decoding Grant Management-The Ultimate Success Guide to the Federal Grant Regulations in 2 CFR Part 200” The 2nd Edition is now available on Amazon in Paperback and Kindle versions.