FIRST Data Protection Policy 2024

Uploaded by

Miriam Huerta

FIRST® Data Protection Policy

Updated: May 6, 2024


Document History

| Version | Description of Updates |
|---|---|
| FY22 | [Initial version with history tracked] |
| FY23 | Added FERPA, PIPEDA, and UK GDPR laws to definitions; added requirement for DGT to approve new HQ platforms likely to be accessed by minors; added vetting recommendations for PDO systems that collect personal data; added clarity to age requirements for creating a FIRST account; reworked Data Sharing section to describe data use by vendors and FIRST Key Donors and Sponsors |
| FY24 | Added and updated definitions (pp. 4-7); minor edits for clarity and word choice throughout; added more precision to description of training requirement when sharing FIRST data (p. 10); added longer description of appropriate uses of FIRST data by Key Donors and Sponsors (p. 11); required use of BCC for emails with more than one recipient (p. 12) |
| FY25 | Updated definitions; added FIRST IT Department as required reviewer of new collection systems (p. 10); clarified required business roles/needs for sharing of personal data (p. 11); clarifications to Categories of Data Classification section regarding labeling requirements (p. 14) |

Approval

| Originator | Title | Approved By | Final Approval Date |
|---|---|---|---|
| R. Hicks | Senior Manager, Data Privacy | FIRST Data Governance and Executive Leadership Teams | 9/30/21 |
| R. Hicks | Senior Manager, Data Privacy | FIRST Data Governance and Executive Leadership Teams | 6/6/22 |
| R. Hicks | Senior Manager, Data Privacy | FIRST Data Governance and Executive Leadership Teams | 5/31/23 |
| R. Hicks | Senior Manager, Data Privacy | FIRST Data Governance and Executive Leadership Teams | 5/6/24 |

Issue Date: May 6, 2024


Policy Brief and Purpose
Policy Scope
Terms and Definitions
Data Collection
Legitimate Purpose
Data Owner Assignment
Approval for New Collection Systems
Specific Protections for Minors
Demographic Information
Deidentification (Expert Determination)
Anonymization
Data Sharing
Internal Data Sharing
External Data Sharing
Data Retention and Destruction
Physical Printed Materials
Removable Electronic Media
Electronic Files
The Right to Be Forgotten
Categories of Data Classification
Personal Data (Personally Identifiable Information) (L1)
Highly Confidential Data (L2)
Company Confidential (L3)
Publicly Available (L4)
Reporting a Data Breach Incident
Policy Enforcement
Further Assistance

Policy Brief and Purpose
We, at FIRST®, take the privacy and security of personal data very seriously. FIRST is
committed to continuously evaluating data protection as a global program while maintaining the
highest levels of adherence to federal, state, and international regulations.

This policy is intended to instruct and establish proper handling standards to ensure the quality,
integrity, and appropriate availability of FIRST data. This policy defines the responsibilities of
FIRST, our staff, agents, volunteers participating in our program, and Program Delivery
Organizations in relation to the access, retrieval, transmission, storage, destruction, and
retention of data to help ensure the safe, proper, and legal collection and processing of data
across FIRST programs globally.

Policy Scope
This policy applies to all data collected or processed by FIRST. This includes data used in the
administration, operations and development of the programs and supporting events. The policy
covers, but is not limited to, data in any form, including data collected via registration systems,
surveys, forms, audio-visual, third party, backup, archived data, or other data collected both
electronically and on paper. The policy applies to all individuals who have access to FIRST
data, including but not limited to employees, Program Delivery Partners, volunteers, and
vendors and other entities that have a contractual obligation to provide or access data controlled
or collected by FIRST related to their approved roles and responsibilities.

Terms and Definitions


(Note: Bolded words in definitions also have entries in this list.)

Anonymization is a type of data deidentification that permanently and completely removes
personal identifiers from data through techniques such as suppression, generalization, or noise
addition.

Anonymized data is data that can no longer be associated with an individual in any manner
and is permanently stripped of personally identifying elements which can never be re-associated
with the data or the underlying individual. In contrast to personal data, anonymized data is not
protected by the GDPR or other privacy frameworks.

Children's Online Privacy Protection Act (COPPA) is a law created to protect the privacy of
children under 13. The Act was passed by the U.S. Congress in 1998 and took effect on April 1,
2000. COPPA is managed by the Federal Trade Commission (FTC). Although nonprofits are
exempt from COPPA, FIRST has elected to comply with COPPA.

Consent means a freely given, specific, informed, and unambiguous indication of the data
subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies
agreement to the processing of personal data relating to themselves or for minors they are
lawfully permitted to consent on behalf of.

Cross-border data transfer describes the transmission of personal data from one legal
jurisdiction to another. Many jurisdictions, most notably the European Union, place significant
restrictions on such transfers. The EU requires that the receiving jurisdiction be judged to have
“adequate” data protection practices.

Data collection happens when a user deliberately offers or shares personal data – for
example when filling out a registration form on a website.

Data controller refers to an entity that alone or jointly with others determines the purposes and
means of processing personal data. FIRST is the data controller of record for all personal
data collected from program participants via FIRST-managed systems including, but not limited
to, the FIRST Dashboard, Express Enrollment, and third-party platforms controlled by FIRST.
FIRST Program Delivery Organizations may also be data controllers if they collect data outside
of FIRST systems for their internal purposes, such as the maintenance of local mailing lists and
local consent forms.

Data Governance Team is the team authorized to establish, document, and enforce data rules,
policies, and procedures, and address grievances. The role of the Data Governance Team is to
ensure data protection, oversee data compliance, address complaints, set policy around data
minimization, data limitations, and other key governance areas. The Data Governance Team
has representatives from each department and program at FIRST. The Data Governance Team
can be contacted at [email protected] or through the IT Helpdesk. The Data Governance
Team reports to the Chief Operating Officer (COO) and the Executive Leadership Team.

Data minimization is the principle that data controllers should only collect and retain personal
data which is necessary to complete the task for which the data was collected. Data controllers
must only collect and process personal data that is relevant, necessary, and adequate to
accomplish the purposes for which it is collected and processed.

Data owner describes the persons or departments who exercise operational authority for
specified information and hold responsibility for establishing the controls for its collection,
processing, and dissemination.

Data processor refers to a third party, including vendors and other entities with a business
relationship with a data controller, that processes personal data on behalf of a data controller.
Data Controllers have a legal requirement in most jurisdictions to engage in vendor risk
management to ensure that all data processors handle personal data securely and only
process data according to the policies set forth by the data controller and agreed to by the data
subject.

Data security refers to protection against unauthorized or unlawful processing and accidental
loss, destruction, or damage of data. It covers actions taken to maintain the confidentiality,
integrity, availability, and resilience of data systems. Data security encompasses the practices
and processes that are in place to ensure that data is not being used or accessed by
unauthorized individuals or parties. Data security includes aspects of collecting only the required
information, keeping it safe, and destroying information that is no longer needed.

Data subject is an identified or identifiable “natural” person. In the context of privacy law and
regulation, a data subject is a living human being whose personal data is held by a data
controller.

Data subject rights refers to a person’s ability to know how their personal data will be
collected, shared, used, disclosed, and kept secure, and for them to exercise choice and control
over these uses.

Deidentification refers to an action taken to remove identifying characteristics from personal
data. Basic deidentification involves stripping out the names and obvious identifiers from data
sets – essentially the removal of columns/fields in a dataset – but the rest of the data is left
untouched. Basic deidentification doesn’t always successfully anonymize data because it may
be possible to align separate identified data sets with deidentified ones. Other, more rigorous
techniques may be required to fully anonymize data.

Expert determination is a process where a person with appropriate knowledge of and
experience with generally accepted statistical and scientific deidentification principles
determines the most appropriate method for rendering information not individually identifiable.
This person, through applying such principles and methods, determines that the risk is very
small that the information could be used, alone or in combination with other reasonably
available information, by an anticipated recipient to identify an individual who is a subject of the
information, and documents the methods and results of the analysis that justify such
determination.

Family Educational Rights and Privacy Act (FERPA) is a US federal law that establishes
requirements regarding the privacy protection of student educational records. It applies to all
academic institutions that receive funds under applicable U.S. Department of Education
programs. FERPA gives parents certain rights with respect to their children’s education
records. These rights transfer to the student when he or she reaches the age of 18 or attends a
school beyond the high school level. Students to whom the rights have transferred are referred
to as “eligible students.”

FIRST Privacy Policy is a public-facing policy that lives on the website at
https://www.firstinspires.org/about/privacy-policy that outlines the principles and legal
requirements for collecting and processing personal data at FIRST. The FIRST Privacy Policy
is a foundational document to the FIRST Data Protection Policy and should be read and
understood in conjunction with this policy. However, data collected outside of the direct control
of FIRST, or data collected locally by Program Delivery Organizations, should be defined in a
separate privacy policy created by the Program Delivery Organization or other entity collecting
and processing the data. Program Delivery Organizations should refer to the FIRST Program
Delivery Organization Data Privacy and Data Processor Minimum Standards contained in their
Program Delivery Organization Agreements when developing or reviewing their organization’s
privacy policy.

General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in European Union
law on data protection and privacy for all individuals within the European Union. It also
addresses the export of personal data outside the European Union. Any company that collects
data on EU residents is required to follow GDPR. Because FIRST conducts business in the EU,
FIRST has elected to comply with GDPR for all data, regardless of country of origin.

Lawful basis for data collection refers to the reasons that legally allow for the collection and
processing of personal data. In general, FIRST relies on the explicit affirmative consent of
data subjects to collect and process personal data. FIRST and our Program Delivery
Organizations should collect only data that is required for the support, performance, or
administration of FIRST programs, as described and allowed in the FIRST Privacy Policy.

List request is data requested by any individual working on behalf of FIRST, requiring
information on youth, mentor/coach, volunteers, schools, etc. List request output is in the form
of a list (e.g., rows of data identifying people, or teams or organization etc.) and not a summary
of the data (total counts, %, averages, etc.) and may contain personal information. Each row of
data is a record.

Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian
law with two goals: (1) to instill trust in electronic commerce and private sector transactions for
citizens, and (2) to establish a level playing field where the same marketplace rules apply to all
businesses.

Personal data (also known as personally identifiable information or PII, or personal information)
is information that can be used on its own or with other information to identify, contact or locate
a single person or to identify an individual in context. Personal data includes data types such as
name, email address, phone number, physical address, and government ID number, but it can
also include any other information that is linked or linkable to an individual in context, such as
medical, educational, financial, and employment information.

Processing means any operation or set of operations performed upon personal data or sets of
personal data, that can include, but is not limited to, the collection, retention, logging,
generation, transformation, use, disclosure, transfer, and disposal of the personal data.

Pseudonymization replaces the most identifying fields in a database with artificial identifiers or
pseudonyms. For example, a name could be changed to a unique number. The point is to make
the data record less identifying, thereby reducing concerns about data sharing and data
retention. It’s important to know that pseudonymized data is not the same as anonymized data.
Pseudonymized data retains a certain level of detail that allows tracking back of the data to its
original state, whereas in anonymized data the level of detail is reduced so much that rendering
a reverse compilation is impossible.

Pseudonymous data includes data or sets of data that have been amended so that no
individuals can be directly or indirectly identified from those data without a “key” that allows the
data to be re-identified. Pseudonymous data are treated as personal data because it is still
possible to identify individuals using the key.

Third-party vendors, in the context of data protection and privacy, are entities external to
FIRST who may collect, process, or store FIRST data. For example, HubSpot, Conference
Direct, Salesforce, Survey Monkey, Submittable, Tableau, etc., may all be considered third party
vendors and data processors for FIRST.

United Kingdom General Data Protection Regulation (UK GDPR) refers to the UK version of
the GDPR. In 2020, the United Kingdom left the European Union, but essentially maintained
the privacy framework established by the GDPR. The UK GDPR absorbs the privacy
compliance requirements of the EU's GDPR and combines them with the requirements of the
UK's Data Protection Act of 2018. The GDPR is retained in domestic law as the “UK GDPR,” but
the UK has the independence to keep the framework under review. The key principles, rights
and obligations remain the same.

Vendor risk management is an assessment of a third-party vendor for the vendor’s privacy
and information security frameworks and policies, access controls, and other practices related
to privacy and IT security. Privacy/security questionnaires, privacy impact assessments and
other checklists can be used to assess this risk.

Data Collection
FIRST employees, Program Delivery Partners, and entities with a specific contractual obligation
working on behalf of FIRST may, with the affirmative consent of the data subject, collect data on
persons, events, and business transactions. The collection of personal data must have a
legitimate business purpose, and the data category must be one listed in Section 2 of the FIRST
Privacy Policy. If a FIRST employee, program delivery partner or other entity working on behalf
of FIRST wishes to collect Personal Data from a category not detailed in the FIRST Privacy
Policy, the collection must be pre-approved by the Data Governance Team. Basic contact
information, such as name and email address, may be collected directly from individuals at
outreach events; it is our policy to collect only the minimum amount of contact
information required to follow up with the person.

Legitimate Purpose
The data must only be collected when there is a legitimate business purpose which is aligned
with the business operations of FIRST. Legitimate business purposes for collecting information
include, but are not limited to, the provision of safe and high-quality programs, customer
communication, ongoing management of programs, planning financial and human resource
activities, travel, state and national reporting, and evaluation.

Data collections must be designed to maximize their usefulness to serve multiple needs, both
internal and/or external to FIRST. No collection process may generate a body of data which
duplicates information already available within another collection.

Data Owner Assignment


All data collected by FIRST must have a data owner assigned. If a data owner is not assigned,
any personal data will be directly governed by the Data Governance Team. The Data
Governance Team is responsible for setting the overall strategic direction of data collections
and authorizing the access, use, and disclosure of information from data collections. Data
owners have delegated responsibility for the day-to-day management of the data collection,
including the quality of the data, its security, timeliness, and adherence to standards. Data
owners must be designated by the department which manages the platform or system that
collects personal data, and the Data Governance Team must be made aware of the designated
data owner and data collection systems or platforms. Notification can be made by emailing
[email protected] or a report made at a Data Governance Team Meeting.

Approval for New Collection Systems


FIRST employees considering any new system, process, software, or other platform that
collects or processes any personal data, or any platform intended for users under the age of 18
– whether purchased from a third party or developed internally – must have prior approval of the
Data Governance Team and the FIRST Information Technology (IT) Department. The approval
process will allow the Data Governance Team to evaluate specific data collection methods, data
fields, data category labels, and proposed Data Owners. Until a request is approved, no new
data collection can occur.

FIRST Program Delivery Organizations considering any new local system or software that
collects or processes personal data for use in association with an official FIRST program or
event, or any platform intended for users under the age of 18, should evaluate these systems
with respect to 1) the FIRST Privacy Policy, 2) their organization's privacy policy, 3) the FIRST
Program Delivery Organization Data Privacy and Data Processor Minimum Standards, and 4)
the laws and regulations that apply in their jurisdiction. If in doubt about the appropriateness of a
system, the Program Delivery Organization should contact the Data Governance Team.

Specific Protections for Minors
At FIRST, we regard anyone under the age of 18 to be a minor for the purposes of this policy
and throughout the FIRST Privacy Policy. The FIRST privacy program is primarily built upon
the regulations set forth in COPPA, GDPR, PIPEDA, and US state-level privacy laws for the
protection of minors. Where applicable, additional privacy regulations for the protection of
minors may be relevant in certain jurisdictions outside of the United States, the European Union
Economic Area, and Canada. Program Delivery Organizations operating outside of these
jurisdictions must operate lawfully and in full compliance with local laws and regulations that
may apply to them not contemplated in this policy.

This strict adherence to these laws protecting minors requires that no employee,
volunteer, vendor, supplier, or agent of FIRST collect any personal data (either on paper
or electronically) without the affirmative consent of their parent or legal guardian for
minors under age 18. This includes, but is not limited to, registration data, contact information,
and travel documents.

Youth under the age of 13 are not permitted to create accounts or provide their own personal
data to FIRST under any circumstance; personal data from youth under 13 may only be
collected directly from a parent or legal guardian.

The collection of personal data directly from minors ages 13-17 requires the affirmative consent
of their parent or legal guardian. Collection of personal data from minors ages 13-17 outside of
this process may only occur if there is a legitimate business reason and the collection is
approved by the Data Governance Team.

It is the policy of FIRST that FIRST staff, Program Delivery Organizations, and volunteers
should collect the personal data of minors only when obtained directly from their parents or
guardians or when consent is given by parents or guardians for the collection and use of the minor’s data.
No student data should be collected from schools or other institutions unless the data
collection has been reviewed and approved by the Data Governance Team.

Note: As a general rule, unless you have valid, affirmative parent/guardian consent for
the collection and processing of a minor’s personal data, you should not be collecting it.

Demographic Information
To protect the privacy of the FIRST community, it is our policy that any demographic reports
issued to a third party do not contain identifiable information. To do so, we deidentify and
aggregate those reports, and only create reports that contain information from ten (10) or more
people. FIRST does not collect race and ethnicity data from users outside the US and Canada.

Deidentification (Expert Determination)
It is our policy to deidentify data for demographic reports and archival purposes using
“Expert Determination” as a standard best practice to decide on the appropriate method of
deidentification.

Anonymization
In certain cases, FIRST or the Data Governance Team may require anonymization of data
before it is used in a report or kept for archival purposes. Anonymization is the strictest type of
deidentification that results in data that can no longer be associated with an individual in any
manner. Both anonymization and other forms of deidentification aim to protect the privacy of
data subjects at FIRST.

Data Sharing
It is the policy of FIRST that personal data can only be shared with persons or entities who have
a specific and legitimate role that allows for such access, and have a legitimate business need
to have access to such data. A legitimate business role or need may be demonstrated by items
including, but not limited to, employment status, a Program Delivery Organization agreement, a
memorandum of understanding (MOU) or sponsor agreement, a data processing or data
sharing agreement, or a service contract or other business relationship.

To receive or process any personal data controlled by FIRST, all FIRST employees, FIRST
Program Delivery Organization staff, and select volunteers must complete approved FIRST
Data Protection and Privacy training and have an associated training completion record held by
FIRST IT or FIRST Volunteer Resources Department. Sharing any company personal data
with FIRST employees, Program Delivery Organization staff, or volunteers who have not
completed the appropriate training and do not have a legitimate business reason for
access to the data is strictly prohibited.

Vendors requiring access to FIRST personal data will be evaluated with respect to their data
protection and privacy practices by FIRST Strategic Sourcing, the FIRST IT Department, and
the FIRST Data Governance Team on a case-by-case basis. Personal data will only be shared
with approved vendors.

Requests from FIRST Key Donors and Sponsors for FIRST personal data, particularly images
and video, will be vetted by FIRST Development. Any personal data shared with Key Donors
and Sponsors may only be used for celebration, advertisement, or promotion of FIRST
programs, events, or scholarships; promotion and celebration of sponsor’s work with and
support of FIRST; or, for journalistic needs. FIRST prohibits the use of any images for any
commercial marketing or advertising.

In special circumstances described in the FIRST Privacy Policy, FIRST may be required to
share medical and non-medical incident information, including personal data, with outside
entities such as insurers, venues or host sites, or law enforcement.

Internal Data Sharing


OneDrive, Teams, and SharePoint are the applications approved by the Data Governance
Team and IT for daily or ongoing internal data sharing with FIRST Employees, Program Delivery
Partners, or contractors. Where appropriate, other applications may be approved by the Data
Governance Team and/or IT. For more information on approved applications, please contact a
member of the IT Help Desk or Data Governance Team.

Internal sharing of personal data, including file sharing, may not be conducted through
unencrypted email. Unencrypted email is one of the most common ways data is breached from
an organization.

For more information on the risks of using email, please contact a member of the IT Help Desk
or Data Governance Team.

External Data Sharing


OneDrive, Teams, and SharePoint are the approved programs for data sharing with third
parties. It is the policy of FIRST to utilize OneDrive, Teams, or SharePoint wherever practicable
for external data sharing. Encrypted email may be used for external data sharing when no other
options exist; however, any files sent via email should be password protected. The passwords
of protected files must not be sent in the same email as the files. Where possible it is preferred
that passwords are sent using text message, voice call or voicemail for added security. If text or
voice messages are not feasible, passwords may be sent through email but only as a separate
email with explicit instructions for the person to change the password at first use. Note:
Microsoft Excel does not support password protection on .csv files. You must convert
the file to an Excel document (.xlsx) before applying the password.

FIRST requires use of BCC for all communications involving more than one (1) email address
for parents, volunteers, and program participants including mentors/coaches unless there is a
legitimate business reason to share email addresses amongst the recipients.

For more information on the risks of using and/or sharing data externally, please contact a
member of the Data Governance Team or the IT Help Desk.

Data Retention and Destruction


It is the policy of FIRST to store and retain data in compliance with local, state, and federal
regulations when and if it has a legitimate business reason to do so.

It is also the policy of FIRST to delete, remove, and destroy any data which is inaccurate, out of
date, or which FIRST does not have a legitimate business reason to retain. In the case where
destruction is required, the following methods of destruction are approved by the Data Governance Team:

o Physical Printed Materials: shall be disposed of by one (or a combination) of the
following methods:
• Shredding - Media shall be shredded using cross-cut shredders.
• Shredding Bins - Disposal shall be performed using locked bins located on-site using
a licensed and bonded information disposal contractor.
• Incineration – Materials are physically destroyed using a licensed and bonded
information disposal contractor.

Note: Safeguarding physical printed materials can be a unique challenge. No printed materials
containing Personal Data (L1), Highly Confidential (L2), or Company Confidential (L3) should be
left unattended. Materials should be accounted for and stored in a locked and secured case
where possible while in transit or storage.

o Removable Electronic Media: Physical devices shall be disposed of by one of the
following methods:
• Overwriting - Overwriting uses a program to write binary data sector by sector onto
the media that requires sanitization. Overwriting must utilize a solution that makes a
minimum of 2 sector overwrites.
• Degaussing - Degaussing consists of using strong magnets or electric degaussing
equipment to magnetically scramble the data on a hard drive into an unrecoverable
state.
• Physical Destruction – Implies complete destruction of media by means of crushing
or disassembling the asset and ensuring no data can be extracted or recreated.

o Electronic Files: Electronic files, including those in clouds, desktops, folders, or in email,
shall be disposed of by the following method:
• Permanent Deletion – Deleting the file through the operating system or file explorer
and permanently emptying the trash or equivalent backup. In the case of email, both
the email and any attachment should be deleted as well as permanently emptied
from the trash.

Note: Files containing any Personal Data must be destroyed after the completion of their
intended use and may not be stored for archival or historical records.

The Right to Be Forgotten
It is the policy of FIRST to honor any personal request for erasure from any person it has
collected and processed data on in accordance with the FIRST Privacy Policy. Anyone may
request that their personal data at FIRST be deleted by emailing [email protected].
FIRST employees, program delivery partners, and contractors must email
[email protected] if they receive a request for erasure.

To complete this process, the individual will need to provide their name, email address, phone
number, and other identifiers via a webform following the initial request. FIRST reserves the
right to confirm their identity before taking any action to delete personal data. FIRST will assess
each request to be forgotten on a case-by-case basis to determine the extent to which data can
be deleted. In some cases, FIRST will remove personal data from requestor’s record but may
retain deidentified information. In some cases, such as when data has been collected as part
of the Consent and Release forms or youth protection screening, personal data cannot be
lawfully deleted.

It is critical to understand this “Right to Be Forgotten” process. As a representative of FIRST,
you may be asked to fulfill this request. Please direct all such requests to
[email protected] and contact the Data Governance Team with any questions.

Categories of Data Classification


To protect the security, confidentiality, and integrity of FIRST data from unauthorized access,
modification, disclosure, transmission, or destruction, as well as to comply with applicable
international, federal, and state laws and regulations, all FIRST data is classified within security
levels. To the extent practicable, data, repositories, or file names (both printed and electronic)
must be correctly identified and labeled. List request output must be labeled in the title, footer,
or cover page, as applicable. FIRST legacy systems will be evaluated on a case-by-case basis
to determine the feasibility of placing warning notices to advise of sensitive data. As new
systems that collect, store, or process L1, L2, and L3 data are adopted, they should be
evaluated for compliance with this data classification and labelling requirement.

Note: Unclassified or unlabeled data is assumed to be L3 Company Confidential.

Personal Data (Personally Identifiable Information) (L1)


Personal Data (Personally Identifiable Information or PII) is any information about an individual
maintained by FIRST, including (1) any information that can be used to distinguish or trace an
individual’s identity, such as name, social security number, date and place of birth, mother’s
maiden name, or biometric records; or (2) any other information that is linked or linkable to an
individual, such as medical, educational, financial, and employment information.



At a minimum, Personal Data must be treated and handled as Company Confidential (L3), and
elements of Personal Data may be classified as Highly Confidential.

Examples of Personal Data include, but are not limited to, the following data elements or
categorizations:
● List request (e.g., rows of data identifying people, teams, or organizations, etc.)
containing personal data.
● Name, such as full name, maiden name, mother’s maiden name, or alias.
● Address information, such as a street address or email address.
● Telephone numbers, including mobile, business, and personal numbers.
● Personal identification number, such as social security number (SSN), passport number,
driver’s license number, taxpayer identification number, patient identification number,
and financial account or credit card number.
● Asset information, such as Internet Protocol (IP) or Media Access Control (MAC)
address or other host-specific persistent static identifier that consistently links to a
particular person or small, well-defined group of people.
● Personal characteristics, including a photographic image (especially of the face or
another distinguishing characteristic), fingerprints, or other biometric image or template
data (e.g., retina scan, voice signature, facial geometry).
● Information identifying personally owned property, such as vehicle registration number or
title number and related information.
● Linked Personal Data, information about an individual that is linked or linkable to one of
the above (e.g., name and date of birth, name and place of birth, etc., race, religion,
weight, activities, geographical indicators, employment information, medical information,
education information, financial information).

Access
Access to Level 1 data will be granted upon approval from the data owner and a legitimate
business reason to have access to the data. In addition, FIRST Staff and Program Delivery
Organizations must complete data protection training prior to accessing level 1 data and only
access such data using FIRST credentials (e.g., @firstpartners.org). Third-party entities such
as vendors or suppliers who have access to level 1 data must have proper data protection
practices in place and have a signed agreement with FIRST that includes a confidentiality
clause.

Storing
Personal Data will be stored on FIRST-supported servers, cloud infrastructure, and databases.
OneDrive and SharePoint sites are safe for these purposes. Personal Data should never be
stored on a personal device or device that does not have the minimum security protections
required by FIRST (for a list of security protections, see IT help desk).

Level 1 data can also reside in applications approved by the Data Governance Team. For a
complete list of approved applications, to find out if an application has been previously
approved, or to get a new application approved, please contact a member of the Data
Governance Team to receive clarification or instruction.



Sharing
Level 1 data can be shared in applications approved by the Data Governance Team. For a
complete list of approved applications, to find out if an application has been previously
approved, or to get a new application approved, please contact a member of the Data
Governance Team to receive clarification or instruction.

Note: Personal Data may only be stored and transferred in encrypted formats and may NOT be
transmitted through email.

Highly Confidential Data (L2)


Highly Confidential (L2) is a class of information that, if disclosed or modified without
authorization, would have severe adverse effects on the operations, assets, or reputation of
FIRST or our obligations concerning information privacy. Information in this class includes, but
is not limited to:
● Information assets for which there are legal requirements for preventing disclosure or
financial penalties for disclosure.
● Information deemed confidential by federal and state legislation.
● Payroll, personnel, and financial information with special privacy requirements.

Access
Access to Level 2 data will be granted upon approval from the data owner and a legitimate
business reason to have access to the data. In addition, FIRST Staff and Program Delivery
Organizations must complete data protection training prior to accessing level 2 data and only
access such data using FIRST credentials (e.g., @firstpartners.org). Third-party entities such
as vendors or suppliers who have access to level 1 data must have proper data protection
practices in place and have a signed agreement with FIRST that includes a confidentiality
clause.

Storing
Highly confidential data will be stored on FIRST-supported and/or approved servers, cloud
infrastructure, and databases. OneDrive, Teams and SharePoint sites are recommended
locations for confidential data storage. Personal Data should never be stored on a personal
device or device that does not have the minimum security protections required by FIRST (for a
list of security protections, see IT help desk). In addition to the recommended locations, Level 2
data can also reside in applications approved by the Data Governance Team. For a complete
list of approved applications, to find out if an application has been previously approved, or to get
a new application approved, contact the Data Governance Team.

Sharing
Level 2 data can also be shared in applications approved by the Data Governance Team. For a
complete list of approved applications, to find out if an application has been previously
approved, or to get a new application approved, please contact a member of the Data
Governance Team to receive clarification or instruction.



Note: It is the recommendation of the Data Governance Team that whenever possible Highly
Confidential data only be stored and transferred in encrypted formats, including the use of
encrypted storage drives, and encrypted methods of transfer. Highly Confidential data may NOT
be transmitted through unencrypted email.

Company Confidential (L3)


Company Confidential (L3) is a class of information that, if disclosed or modified without
authorization, would have a serious adverse effect on the operations, assets, or reputation of
FIRST, or FIRST's obligations concerning information privacy. Company Confidential
information is an information class used primarily for data that would harm the company, but not
necessarily any individual person if unauthorized exposure occurred. Information in this class
includes, but is not limited to:
● Corporate strategic documentation.
● Draft documents and policies not approved for distribution.
● Supplier contracts and communications.

This includes information that requires protection from unauthorized use, disclosure,
modification, or destruction, but is not subject to any of the items listed in the Level 1 definitions
above.

Access
Access to Level 3 data will be granted upon approval from the data owner and a legitimate
business reason to have access to the data. In addition, FIRST Staff and Program Delivery
Organizations must complete data protection training prior to accessing level 3 data and only
access such data using FIRST credentials (e.g., @firstpartners.org). Third-party entities such
as vendors or suppliers who have access to level 3 data must have proper data protection
practices in place and have a signed agreement with FIRST that includes a confidentiality
clause.

Storing
Internal Use data can be stored in FIRST-supported applications, shared drives, and
FIRST-issued laptop or desktop computers. Copies of this data shall not generally be made unless
business requires it.

Level 3 data can also reside in approved third-party hosted applications, but those applications
must be approved by the Data Governance Team. Third-Party hosted applications that store
this data must meet FIRST Data Privacy requirements and have signed an agreement with
FIRST.

Hard copy (physically printed) data shall be stored in locked receptacles and rooms.

Sharing



Company Confidential data should be shared on FIRST-supported servers, cloud infrastructure
and databases. Any data that is transmitted on a recurring basis to external vendors must be
transmitted via SharePoint. Employees are permitted to transmit Level 3 data via unencrypted
email when required and sent to a known third party that has an existing business relationship
with FIRST.

Publicly Available (L4)


Publicly Available data is a FIRST category of information intended for public use that, when
used as intended, would have no adverse effect on the operations, assets, or reputation of
FIRST, or the obligations of FIRST concerning information privacy. There are no restrictions on
access, storing and sharing of L4 data.

Reporting a Data Breach Incident


In the event that Personal Data or highly confidential data is breached, you must immediately
contact the IT Help Desk at (800) 871-8326, x222 or (603) 666-3906, x222, or
[email protected] and cc: [email protected]. The IT team will assess the
situation and remediate the incident as needed. Data breaches include not only data stored on
the cloud, server, computer, or other device, but also paper documents.

Policy Enforcement
All principles described in this policy must be strictly followed. A breach of data protection
guidelines could invoke disciplinary action as outlined in the employee handbook and, in certain
cases, possible legal action may be taken against any person who violates this policy. External
partners/agencies must follow any agreements/contracts and are subject to audit and potential
legal action due to policy violations.

Policy Review
The policy will be reviewed on a yearly basis. Notifications will be sent out when and if this
policy is updated. FIRST employees who wish to make comments or suggestions about the
Policy may forward them to the Data Governance Team.

Further Assistance
FIRST employees who require assistance in understanding this Policy or need consultation
regarding a specific request are encouraged to contact the Data Governance Team at
[email protected] or contact the IT Help Desk at 1-800-871-8326, x222 or
[email protected].



Approval
Approved by FIRST Data Governance Team and the FIRST Executive Leadership Team on
May 6, 2024.
