CONTROL AND PROTECTION OF LIMITED OFFICIAL USE INFORMATION
|Approval Date:||September 1, 1982|
|KEVIN D. ROONEY
Assistant Attorney General
|Distribution:||BUR/H-1; OBD/H-1; OBD/F-1|
|Initiated By:||Justice Management Division
- PURPOSE . This order establishes Department of Justice (DOJ) regulations requiring the identification, with the marking "Limited Official Use", and the safeguarding of unclassified but sensitive information which must be protected against unauthorized disclosure. The order includes minimum protection requirements and recommends additional security safeguards to be applied where warranted by the sensitivity of the information.
- SCOPE. This order applies to all organizations within the Department of Justice.
- 26 U.S.C. Section 6103, Publicity of returns and disclosure of information as to persons filing income tax returns.
- Federal Rules of Criminal Procedure, Rule 6(e), Grand Jury Secrecy of Proceedings and Disclosure.
- BACKGROUND. In contrast with many government agencies, the Department of Justice has not previously issued a published policy for protecting unclassified information which is considered sensitive. Within the Department, a number of bureaus, offices, boards and divisions have issued directives or established procedures to protect sensitive information within their purview. The lack of a Department order specifying a single term to identify sensitive information throughout the Department and setting minimum protection requirements decreases the effectiveness of the individual directives or procedures when the information is released to other organizations within the Department. Additionally, the protection of sensitive information on Department wide facilities such as the Justice Data Management Service or the Justice Telecommunications System is more difficult to effect without uniform Department policy.
- DEFINITION OF LIMITED OFFICIAL USE.
- Limited Official Use information is unclassified information of a sensitive, proprietary or personally private nature which must be protected against release to unauthorized individuals, and this term is prescribed for use within the Department to signify such information. Information which impacts on the national security of the United States and is classified Confidential, Secret or Top Secret under Executive Order 12356 is not to be considered as Limited Official Use.
- The determination of categories or types of information within an organization of the Department which are considered as Limited Official Use will be the responsibility of the heads of Offices, Boards, Divisions and Bureaus (hereinafter referred to as Departmental organizations). Information must not be designated as Limited Official Use to conceal inefficiency, misdeeds or mismanagement.
- The following categories are provided for illustrative
purposes only as examples of the types of information
that Departmental organizations may want to include as
Limited Official Use information:
(1) Informant and witness information;
(2) Grand Jury information subject to paragraph 3b;
(3) Investigative material;
(4) Tax information subject to paragraph 3a;
(5) Information that could be sold for profit;
(6) Personal information subject to the Privacy Act of 1974;
(7) Reports that disclose security vulnerabilities;
(8) Information that could result in physical risk to individuals;
(9) Company proprietary information.
(10) Deliberative information relating to internal DOJ or Executive Branch policy
and decision making.
- The Department of Justice has access to a considerable amount of unclassified information which must be safeguarded to comply with existing laws and regulations or to protect individual rights or critical operations of the Department or the integrity of the policy making process. It is the policy of the Department to comply with these laws and regulations and provide adequate protection to safeguard sensitive information.
- It is the policy of the Department to comply with requests for public access to information in accordance with existing laws and regulations.
- Heads of Departmental organizations are responsible for
ensuring compliance with this Order, specifically
(1) Issuing directives, if needed, establishing criteria for identifying Limited Official Use
information within their organization in accordance with paragraph 5.
(2) Ensuring that adequate security measures and procedures are implemented to protect
Limited Official Use information.
(3) Protecting material identified as Limited Official Use received from other organizations
within the Department.
(4) Ensuring that employees of their organization are aware of their responsibility to protect
Limited Official Use information.
(5) Providing the Assistant Attorney General for Administration with a copy of any
implementing directive which lists the categories of information included under Limited
Official Use to ensure that the categories are consistent with DOJ policy.
- The Department Security Officer is responsible for reviewing compliance with this order and for providing guidance to Departmental organizations regarding identification and protection of Limited Official Use information.
- Heads of Departmental organizations are responsible for ensuring compliance with this Order, specifically including:
- CROSS REFERENCES. Departmental personnel should contact
their Security Programs Manager or the Department Security
Officer if copies of the non-DOJ references are needed to
comply with the requirements of paragraph 13c. Field office
personnel should contact their Security Programs Manager or
the Department Security Officer if copies of paragraph 8a or
8f are needed.
- Order DOJ 2640.1, Privacy Act Security Regulations for Systems of Records.
- Order DOJ 2640.2, Automated Data Processing (ADP) Security.
- Order DOJ 2620.5A, Safeguarding Tax Returns and Tax Return Information.
- National Bureau of Standards Federal Information Processing Standards Publication 46, Data Encryption Standard.
- Federal Telecommunications Standard 1027, General Security Requirements for Equipments Using the Data Encryption Standard.
- Order DOJ 2710. 9A, Records Disposition Program.
- 28 C.F.R. 45.735-10, Improper Use of Official Information.
- 28 C.F.R. 16.56, Employee Standards of Conduct With Regard to Privacy.
- 28 C.F.R. 50.2, Release of Information to Personnel of the Department of Justice Relating to Criminal and Civil Proceedings.
- 28 C.F.R. 22.1, Confidentiality of Identifiable Research and Statistical Information.
- FREEDOM OF INFORMATION ACT (FOIA) AND PRIVACY ACT OF 1974. The identification of material as Limited Official Use information has no connection with the Freedom of Information Act (5 U.S.C. 552) and cannot be used as a reason for approving or denying FOIA requests. Requests for access to Limited Official Use material will be considered in a similar manner as requests for any other Department information. Information subject to the Privacy Act (5 U.S.C. 552a) is required to be protected in accordance with paragraph 8a and may be included as Limited Official Use by the head of the organization concerned.
- DESIGNATING AUTHORITIES.
- Heads of Departmental organizations have the authority to specify the categories or types of information, which originate in their organization or are prepared for the use of their organization, that are designated as Limited Official Use. If the sensitivity of the information requires protection in excess of the minimum levels established in this order, they should ensure that such criteria are known to all offices who have custody of the information.
- Heads of departmental organizations shall identify those subordinate officials who have authority to determine which information originating under their supervision or cognizance requires protection against unauthorized disclosure. The officials so designated are responsible for ensuring that personnel under their direction are aware of information that is considered Limited Official Use.
- IDENTIFICATION AND MARKING. Department material which contains information that the head of the Departmental organization has determined requires protection against unauthorized disclosure must be identified as Limited Official Use to ensure that all persons having access to the information are aware of the protection requirement. The identification of Limited Official Use may be done by a marking of Limited Official Use on the first page of the material, by a notation in a covering memo, by inclusion in a category identified as Limited Official Use in an organization directive and known to all personnel handling the information, or any other method authorized by the head of the departmental organization. The purpose of identifying Limited Official Use information is to ensure that all recipients of the material are aware that the information requires protection. The identification method selected should have a minimal effect on the operational efficiency of the organization.
- CUSTODY AND STORAGE.
- Personnel who have custody of material designated as Limited Official Use shall exercise due caution to ensure that the information is not available to individuals who have no requirement for it. At a minimum, unauthorized individuals must not be able to enter areas unobserved and have visual access to Limited Official Use information.
- During non-duty hours, Limited Official Use material shall be afforded minimum protection of storage in a locked desk or file cabinet, or storage in a facility or area using physical access control measures which afford adequate protection to prevent unauthorized access. The sensitivity of some Limited Official Use material may require a higher level of protection such as a safe with a combination lock.
- Limited Official Use information stored and processed by an ADP facility shall have adequate physical, administrative and technical safeguards in accordance with paragraph 8b. Tax information must be protected in accordance with paragraph 8c.
- DISSEMINATION AND TRANSMISSION.
- Information which has been identified and is known by the recipient as Limited Official Use shall be safeguarded from disclosure to unauthorized individuals whether or not the material is physically marked. Safeguarding from disclosure includes precautions against oral disclosure, prevention of visual access to the information and precautions against release of the material to unauthorized personnel.
- Limited Official Use information leaving the control of the originating organization must be transmitted in a single opaque envelope or in a wrapping properly sealed and addressed.
- Electronically transmitted messages or data containing Limited Official Use information shall be preceded by the term Limited Official Use at the beginning of the text. If data encryption techniques are employed, the equipment must use the Data Encryption Standard algorithm (paragraph 8d) and meet the Federal Telecommunications Standard 1027 (paragraph 8e), or be approved for National Security Information.
- An ADP facility handling Limited Official Use information or a remote facility used to access Limited Official Use information from an ADP system via communications links shall implement procedures to protect the information in accordance with paragraph 8b. The managers of sensitive systems accessed via communications links must consider the threats to the data in determining whether security measures such as data encryption, use of dedicated lines, terminal or user identifiers, or control and marking of output should be implemented.
- Limited Official Use information may be discussed on the telephone; however, the ease of interception of telephone conversations dictates that discretion be used where the threat of interception exists. In the latter case, the use of voice privacy equipment or secure telephones should be considered.
- CONTRACTOR PERSONNEL. If Limited Official Use information must be released to nongovernment personnel as part of a contract or grant, the head of the Departmental organization shall determine if the sensitivity of the information justifies a requirement for an investigation of contractor personnel handling the sensitive information. The procurement document must include the contractor background investigation requirements and other security requirements of the contract. The Security Programs Manager of the Departmental organization requesting the contract shall (1) determine the extent of the investigation required, ranging from FBI name and fingerprint checks to full-field background investigations, and (2) develop the mandatory security requirements for the contract. The contractual security requirements shall be forwarded to the Departmental organization's Security Programs Manager for concurrence prior to submitting the solicitation document to the procurement office.
- Record material may not be destroyed without appropriate disposition authority. (See paragraph 8f.) When such authority exists, physical destruction may be accomplished in the manner described in the succeeding paragraphs.
- Where appropriate, Limited Official Use material may be destroyed by tearing it into small pieces and discarding with other waste material. Material of higher sensitivity must be destroyed by shredding or other methods such as burning or pulping. Small segments of microfiche and microfilm may be readable; therefore, destruction into very small particles or strips is necessary.
- ADP storage media containing Limited Official Use data should be overwritten with nonsensitive data prior to release of the storage media. Storage media containing data of greater sensitivity should be degaussed, sanitized and/or destroyed.
- ADDITIONAL PROTECTION REQUIREMENTS. The safeguards prescribed in this order are minimum requirements except where otherwise noted. The sensitivity of the information and threats to it should be considered in determining the adequacy of existing safeguards and the need for additional security protection.
- MATERIAL PROM OTHER DEPARTMENTS. A number of government agencies have issued regulations for protecting sensitive information using designations such as For Official Use Only or Limited Official Use. Sensitive material from other government agencies or proprietary information from private concerns should be safeguarded from unauthorized disclosure in accordance with this order or provided additional protection in accordance with the specific requirements of the agency providing the sensitive information.
- UNAUTHORIZED DISCLOSURE. Heads of Departmental organizations shall ensure that prompt and appropriate administrative action is taken against personnel responsible for disclosure of Limited Official Use material to unauthorized individuals and issue appropriate directives, if needed, to effect this action.
/s/KEVIN D. ROONEY
Assistant Attorney General