Protecting Personal Information
(published March 1, 2024)
The National Endowment for the Humanities (NEH) requires recipients of NEH funding to protect Personally Identifiable Information (PII) under the performance of an award. This guidance applies to circumstances in which recipients of NEH funding collect PII. 2 CFR § 200.1 defines PII as “information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” PII includes, but is not limited to, names, contact information, banking information, and employment history.
Recipients of NEH funding, whether individuals or organizations, are responsible for:
- protecting and storing sensitive and confidential data, including PII;
- establishing and complying with institutional policies and procedures related to data security, data management, and data breaches;
- ensuring all employees, staff, consultants, contractors, and subrecipients are aware of their duty to safeguard PII;
- obtaining consent for collecting information and informing individuals how their PII is being used or shared;
- complying with local, state, and federal laws and regulations regarding PII; and
- notifying NEH within three business days of learning of a data breach involving PII collected under the performance of an NEH award.
This policy applies to all employees, contractors, volunteers, and subrecipients who have access to PII under awards supported by NEH. If necessary, recipients should provide training to project personnel to ensure their compliance.
Recipients should collect PII only for purposes directly related to grant activities, such as payment to consultants, participant reports, surveys, or compliance laws. PII related to NEH awards must be retained only as required for the purpose of the grant project. Do not share PII with NEH unless requested and only through encrypted means, when necessary.
NEH is not liable if a recipient incurs an inadvertent disclosure, release, loss, or data breach of PII.