Personally Identifiable Information (PII) & Data Collection

Do you collect contact form data? If so, are you aware that much of that content could be considered personally identifiable information (PII)? This guide will help you navigate PII and Army regulations and policies.

General Data Collection SOP

Data collected must not be of a sensitive nature or facilitate the gathering of Personally Identifiable Information (PII). Some kinds of data are prohibited from being used or requested in forms or surveys created in the website’s CMS.

PII and Prohibited Information

PII is information that can be used to identify a person uniquely and reliably, including but not limited to name, date of birth, social security number (SSN), home address, home telephone number, home e-mail address, mother’s maiden name, etc. This includes any form of data that may lead to identity theft or any information-related crime.

Creating forms that require more than one sensitive item (for example, full name and date of birth) is not allowed. Forms should require at most first names and personal/commercial (non-military) e-mail addresses for identification. Further sending/receiving of personal information should be managed through other means external to the website. Do not place PII on local drives, shared drives, e-mail folders, multi-access calendars, or the Intranet unless it is password protected or encrypted.

Approved Online Form Example

good-form.jpg

Example 2:

Approved Form2.jpg

Examples of unapproved forms

badform.jpg

Collecting Other Data

Other data besides identification or e-mail addresses can be collected with certain restrictions.

Online forms should only collect choices regarding the facility service or event at hand, for example the time and the number of objects (e.g., equipment, chairs, tables). If any information is considered sensitive or may cause the facility a problem, such as inventory, include a disclaimer that advises the customer to contact the office by telephone or in person. List your office’s phone number and building location on the form.

Each form must have the proper disclaimer (FOUO and Privacy Act Statements) attached at the top for users to read before filling out any information. The FOUO and Privacy Act Statements can be copied from this document’s appendix and customized to state the specific purpose of collecting data.

Addresses on Forms

When collecting data, .mil addresses or e-mail addresses with a military association should not be published unless they are generic accounts for a program or facility, to avoid exposing a person’s PII. The website can also generate forms that hide the recipient e-mail address; use them when possible. Contact the Web Development Team if you need support on how to create these.

Important: This SOP does not apply to the Webtrac, Rectrac, and CYMS services or their forms of collecting data.

Appendix
For Official Use Only (FOUO) Statement 

SSNs are personal and unique to each individual. Protect them and other PII by adding the FOUO Statement to websites and documents. Within DOD, do not disclose PII to anyone without an official need to know. Outside DOD, do not release any information without the person’s consent.

For Official Use Only: This information may be disseminated within the DOD components and between officials of the DOD components and DOD contractors, consultants, and grantees as necessary in the conduct of official business. FOUO information may also be released to officials in other departments and agencies of the executive and judicial branches in performance of a valid government function. (DoD Directive 5400.11, "Department of Defense Privacy Program," May 8, 2007.)

Privacy Act Statement
When collecting PII from the individual, include the following on the collection form or on a separate form that can be retained by the individual (popularly referred to as the Privacy Act Statement):

Authority: The legal authority, that is, the U.S.C. or Executive Order authorizing the program and the business process, system and collection it supports. In general terms, 10 USC 3013 is the overall Secretary of the Army authority, and EO 9397 authorizes use of SSNs.

Principal Purpose: The reason you are collecting the information and what you intend to do with it.

Routine Use(s): Indicate agencies/entities along with where and why the information will be disclosed outside the Department of Defense.

Example: Information you provide will also be furnished to the Department of Veteran Affairs in order to validate authorized benefits.

Disclosure: Voluntary or Mandatory. Disclosure is almost always Voluntary. Use Mandatory only when disclosure is required by law and the individual will be penalized for not providing information. Whether Voluntary or Mandatory, include any consequences of nondisclosure in nonthreatening language.

Example: Furnishing information is Voluntary; however, failure to provide required information will result in disapproval of your training request.

The Privacy Act Statement is not required if PII is not collected.

Printed Materials and FAX Machines

Within your office files, maintain only information about an individual that is relevant and necessary to accomplish your mission.

  • Verify printer location prior to sending a document containing PII to the printer, and promptly pick up all copies of the documents as soon as they are printed.
  • Locate your office FAX machine in a secure location, away from foot traffic and unauthorized personnel.
  • Ensure all printed documents with PII are properly marked with “FOUO – Privacy Sensitive.”
  • Use DD Form 2923, “Privacy Act Data Cover Sheet,” for all documents containing PII.

Personally Identifiable Information (PII)

IMCOM MWR Enterprise Web is an Army website that conforms to regulations regarding Personally Identifiable Information (PII). Garrison MWR websites on this system will not publish what the Army considers PII. This includes an individual’s:

  • Name
  • E-mail address
  • Postal home address
  • Personal telephone numbers
  • Social Security Number
  • Family information within personal biographies
  • Photographs
  • Personal schedules
  • Rank
  • Official title
  • Rosters with names
  • Telephone directories with names
  • Charts with names
  • Pay information
  • Marital status
  • Names, gender or number of dependents

Online forms developed in the Enterprise Web may not contain more than 2 personally identifiable items. Please refer to "General Data Collection SOP" for specific guidance.

Government employees and contractors who have access to work on the IMCOM MWR Enterprise Web must complete the Web Content and OPSEC Certificate Training Course and be able to provide the Web Team with their certificate.

This required training is located at https://iatraining.us.army.mil/ and is entitled Web Content and OPSEC Certification.

Download and view Army policies and OPSEC training screenshots regarding the use of PII on the web and consequences of violating them:
