16 | Handbook for Safeguarding Sensitive PII DHS Privacy Policy Directive 047-01-007
Government-wide policies, and other applicable statutory authorities. Consult DHS Privacy
Policy Instruction 110-01-001 for the Operational Use of Social Media, and your Component
Office of Public Affairs, Privacy Officer or PPOC for additional guidance.
Email
Internally
Although DHS policy permits emailing SPII within the DHS network without encryption or password-protection to a recipient with an official need to know, some Components do require encryption or password-protection. The DHS Privacy Office strongly recommends that you redact, password-protect, or encrypt SPII emailed internally.[18] Use particular caution when emailing SPII to distribution lists.
Externally [beyond the DHS.gov domain/network]
Never email SPII to or from a personal email account. Use of personal email accounts over DHS-furnished equipment or network connections, or to perform government business, requires the approval of the DHS Under Secretary for Management (USM).[19] Email SPII externally only within an encrypted or password-protected attachment using WinZip or Adobe Acrobat,[20] and provide the password separately by phone or in a separate email (never in the same message as the attachment). Send only to individuals with an official need to know.
Note: If someone outside of DHS sends you SPII in an unprotected manner, you must protect that
data in the same manner as all SPII you handle once you receive it.
For example, if someone outside of DHS sends you unsecured SPII in the body of an email,
you must delete the SPII from the body of the email, put it in a separate attachment, and
encrypt or password-protect the data if you wish to respond to that individual or email it
to another recipient outside the dhs.gov domain. Alternatively, you can redact the SPII
before responding to or forwarding the email.
16. The Chief Human Capital Office's (CHCO) Lockbox process is a best practice for the safe handling of non-routine or ad hoc CREs. Contact CHCO for the Lockbox Standard Operating Procedure.
17. “Operational use” means authorized use of social media to collect personally identifiable information for the
purpose of enhancing situational awareness, investigating an individual in a criminal, civil, or administrative
context, making a benefit determination about a person, making a personnel determination about a
Department employee, making a suitability determination about a prospective Department employee, or for
any other official Department purpose that has the potential to affect the rights, privileges, or benefits of an
individual. Operational use does not include the use of search engines for general Internet research, nor does it
include the use of social media for professional development such as training and continuing education or for
facilitating internal meetings.
18. More information on the standards and use of encryption within the Federal Government and DHS can be found at the Department of Commerce's National Institute of Standards and Technology (NIST) website (https://www.nist.gov/), including the following publications: NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations"; NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations"; and Federal Information Processing Standards Publication (FIPS) 140-2, "Security Requirements for Cryptographic Modules."
19. Sending email to a personal account places the data outside DHS security controls and exposes it to numerous vulnerabilities. See DHS Sensitive Systems Policy Directive 4300A, version 13.1, July 27, 2017. However, in some cases it may be necessary to do so, for example when CHCO communicates with job applicants.
20. For instructions on how to encrypt documents with WinZip or Adobe Acrobat, consult your Help Desk. Whichever tool you use, select its AES (256-bit) encryption option rather than any legacy or compatibility encryption setting, and choose a strong password; a weak password offers little protection regardless of the algorithm. Note that OMB Circular A-130 requires the use of encryption for all Sensitive Information (FIPS 199 moderate- or high-impact) at rest and in transit. DHS is currently working to implement Public Key Infrastructure encryption for emailing Sensitive Information both internally and externally in HQ and all Components.