This Directive establishes an external breach notification policy and plan for the U.S. Department of Education (ED). Based on this Directive, ED shall promptly and effectively determine whether or not to notify affected parties outside ED of a suspected or actual breach of personally identifiable information (PII) that ED maintains or processes. This policy applies to all PII maintained, collected, used, or disseminated by ED in any format. This plan also details the related procedures by which affected parties will be notified should such an event occur.
When a data breach involving PII occurs, ED will conduct a risk analysis. Based on this risk analysis, ED will determine whether to notify individuals whose PII may have been involved in the breach and what steps, if any, ED will take to mitigate actual or potential harm.