Skip Over Navigation Links
​​Privacy Program

Privacy Program – The NIH Privacy Program is responsible for mitigating and managing privacy breaches within NIH, and coordinates with IC Privacy Coordinators across NIH to prevent and manage situations where persons other than authorized users have access, or potential access, to personally identifiable information (PII).

Privacy Incidents and Breach Response


In January 2017, OMB Memorandum  M-17-12 “Preparing for and Responding to a Breach of Personally Identifiable Information” required every agency, among other things, to implement more stringent breach notification and response policies and procedures.

Let the OSOP know if:

  • The compromised system or lost/stolen equipment contained NIH data;
  • A compromised account had access to NIH data;
  • If the data was personally identifiable or sensitive in nature;
  • If the data/equipment/device was encrypted;
  • Data elements involved in loss/theft (name, SSN, DOB, race, gender, medical record number, biometric identifier, photo, etc.);
  • Number of individuals potentially affected;
  • Types of controls in place to mitigate risk;
  • Level of risk to agency and individual.

Contact us using the information on the top right of this page so that a breach response plan and/or letter to notify individuals of the breach of PII/Sensitive Information (SI) can be prepared (if required).

Privacy Incident

A privacy incident is the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to PII, ​or SI, whether physical or electronic.

Personally Identifiable Information (PII): Information which can be used to distinguish or trace an individual’s identity, such as their name, SSN, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”  PII is protected by the provisions of the Privacy Act if the record in which it is located is under the control of an agency and is contained in an authorized system of records retrieved by a personal identifier.

Sensitive Information (SI): Information for which the loss, misuse, or unauthorized access could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act). Information is considered sensitive if the loss of confidentiality, integrity, or availability could be expected to have a serious, severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Privacy Breach

A breach is the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses personally identifiable information or (2) an authorized user accesses or potentially accesses personally identifiable information for an other than authorized purpose.​

​To report lost or stolen NIH data (PII, or ​SI) or equipment (i.e. laptop/tablet, digital camera, USB drive, Blackberry, cell phone), contact the NIH IT Service Desk within one (1) hour of the discovery of the loss/theft:

Phone Number: (301) 496-HELP (4357)Skype logo​​​
Toll Free Number: (866) 319-4357
TTY: (301) 496-8294

Visit the Incident Response Team (IRT) Portal to create an incident report.

Email Security

The NIH E-mail System is not secure! PII distributed or communicated by email must be encrypted whether the PII is within an attachment or part of the actual message.  This applies to email distributed with the NIH network or on the Internet.

  • If the recipient of the email is within the HHS community, employees/contractors can use their HHS ID to encrypt the email by inserting the PIV card into the computer's smart card reader.
  • For both NIH and non-NIH recipients, data can be protected using the NIH Secure Email and File Transfer (SEFT) service.

Personally-Owned Equipment (POE) and Software

The use of personally-owned or non-NIH equipment and/or software to store PII or sensitive government data is not permitted. POE and software includes, but is not limited to, personal computers and related equipment (e.g., wireless laptops, printers, USB drives) and software, personal e-mail providers (e.g., Yahoo!, Hotmail, Gmail), personal library resources, hand-held and personal digital assistant (PDA)​ devices, facsimile machines and photocopiers. POE and software cannot be physically connected to, or installed on, NIH systems or networks without written authorization from the IC Chief Information Officer.

Additional Reference

HHS Cybersecurity Program
NIH Guide for Handling Sensitive Information
NIH Incident Response Team (IRT) Portal
NIH Sensitive Information and Encryption Resource Card
NIH Encryption
NIH PKI Quick Reference Guide
FTC OnGuard Online
FTC Identity Theft
Privacy Incident Management - Reference Sheet Scenario Examples​

Privacy Program

Privacy Program Laws, Policies, and Memoranda
Privacy Act
Privacy Impact Assessments (PIAs)
Privacy Incidents and Breach Response
Social Media and Web Management
Training Resources
Privacy Program FAQs
Privacy Program Glossary
Privacy Program Laws & References
IC Privacy Coordinators​​​


Contacting DCM

Division of Compliance Management

Director, Anna Amar

Administrative Assistant, Raisa Sarwar

Office of Management Assessment (OMA)

Office of Management (OM)

Office of the Director (OD)

6705 Rockledge Dr, Suite 601

Bethesda, MD 20892

Phone: (301) 496-4606

MSC = 7901

​​ ​​​
Last modified: 3/26/2024 2:56 PM