DIVERSITY“Some people consider the Core Valuesa foundation. Some see them as aspirations.To me though, they’re not something we worktowards but part <strong>of</strong> who we are. I put thatexpectation on everyone. You start from aplace <strong>of</strong> excellence. Of diversity. Of trust. Ofentrepreneurship. Of pr<strong>of</strong>essionalism. ”—Michael DumlaoBEA Winner 2012, Diversity & Inclusion(Washington, DC)and any applicable contractual orlegal requirements. You must befamiliar with these factors beforestarting an assignment. As a generalmatter, avoid discussing confidentialinformation in public areas.Your obligation to maintain theconfidentiality and security <strong>of</strong> clientinformation continues not onlyduring and after the engagementends but also during and after youremployment with the firm.Using Client Information Protectinginformation from improper internalsharing is as important as preventingimproper external disclosure <strong>of</strong> it.You must only use client informationas permitted by our engagementcontract and/or applicable terms <strong>of</strong>use or NDAs that you have signed forthe engagement. You may disclosesuch information within the firmonly to those who have a “need toknow” and only then if contractuallypermitted.A critical asset that we bringto our clients is our ability tocomprehensively understand theirproblems and needs, even thoseoutside the scope <strong>of</strong> a currentengagement, and to identify firmresources that can help addressthem. If, based on client information,you learn <strong>of</strong> needs that otheremployees in the firm might be ableto help address, you should mentionthose resources to the client andobtain the client’s consent to providethem with relevant information.Returning, Destroying, or RetainingInformation After an EngagementEnds At the conclusion <strong>of</strong> anengagement, comply with allcontractual requirements for thereturn, destruction, and/or retention<strong>of</strong> confidential information. Wheresuch requirements do not apply,the firm’s Records and InformationManagement Policy determineswhether and how to maintain theinformation.28THE GREEN BOOK | The Booz Allen Hamilton Code <strong>of</strong> Business Ethics and Conduct
Executing Client NDAs For certainengagements, a client or third partymay request or require that youexecute an individual NDA. Unlessyou have been informed by yourmanagement that an NDA will berequired, you should not sign aclient or third-party NDA until youhave received direction from yourmanagement and/or cognizantcontract administrator.When an NDA is required, you mustreview it carefully and abide by itsprovisions, including those that limitsharing information within the firm.You may be personally liable forfailing to adhere to the terms <strong>of</strong>an NDA.Accessing and Handling PII PII isinformation that can be used touniquely identify, contact, or locatea single person, or that can be usedwith other sources to uniquely identifya single individual. This informationmay include names, addresses,Social Security numbers, credit cardnumbers, banking and financial data,health information, or other similardata.Before accepting PII, be sure thatwe have a contractual obligationto do so. Often, our work can beaccomplished with de-identified oraggregated information. When this isthe case, we require the party to giveus the data in that format.All engagements involving accessing,handling, or storing PII must beapproved in advance by the ChiefInformation and Security Officer(or designee) and must obtain allother approvals required by theRisk Matrix. When access to PIIis required, handle it according toapplicable contract provisions andprivacy laws. PII must only be sharedwith engagement team memberswho have a “need to know” theinformation and have completedall prerequisites (e.g., executingan NDA or completing training) forreceiving it. Under no circumstancesmay you use PII for any purposeexcept contract performance. Unlessrequired otherwise by our contract,you must return or destroy the PII(if applicable, in accordance withcontract requirements) when it is nolonger needed for the assignment.If you suspect that the security<strong>of</strong> such information has beencompromised, you must notify theComputer Incident Response Team(CIRT) at cirt@bah.com or the LawDepartment immediately beforetaking any further action.Access and Handling Protected HealthInformation (PHI). For certain clientengagements, you may be requiredto access, use, or disclose PHI. PHIincludes all individually identifiablehealth information accessed, used,or disclosed by an entity required tocomply with the Health InsurancePortability and Accountability Act(HIPAA). PHI may be in any form ormedium, whether electronic, paper,or oral, and includes informationthat relates to an individual’s past,present, or future physical or mentalhealth or condition; the provision <strong>of</strong>health care to the individual; or thepast, present, or future payment forthe provision <strong>of</strong> health care to theindividual. Employees accessing PHImust comply with all Code, policy,and contract requirements applicableto both PII and PHI.All engagements involving PHI mustbe approved in advance by the firm’sChief Information and Security Officerand all approvers identified in theRisk Matrix. If a client provides youPHI and you are not certain whetherthe engagement has been approvedfor PHI handling, you must safeguardthe PHI, contact your job manager,and not take further action untildirection is provided. Access to PHImay be granted to a subcontractoronly under an executed subcontractagreement that includes all relevantPHI requirements and an appropriatebusiness associate agreement ifrequired.Booz Allen and each employeeaccessing PHI are expected tocomply with the “minimum necessarystandard” regarding the information.This means that we first ensure thatthe work cannot be done with non-PHI data (e.g., de-identified data). Ifwe determine that we must accessPHI to perform the work, we willonly access and use the PHI that isminimally necessary to perform theclient engagement and only shareit with authorized members <strong>of</strong> theproject team who (1) have a need toknow the information to perform theirwork and (2) have complied with anycontract requirements for accessingthe PHI such as training.In accessing and handling PHI,you must comply with applicableregulations and terms in our clientcontract, including any associatedbusiness associate agreement aswell as any NDA, “Terms <strong>of</strong> Use,”or “Rules <strong>of</strong> Behavior” documentyou have signed or other handlinginstructions that you have beenprovided. In particular, you mustcomply with any data encryptionrequirements and limitations onmodifying PHI.You are prohibited from using anyPHI for any purpose other thanperforming your client engagement.Neither Booz Allen nor you may, underany circumstances, sell PHI receivedfrom a client or use PHI for marketingpurposes (other than client marketingspecified in the client contract) or anyother unauthorized purpose.You must immediately report anyactual or suspected unauthorizeddisclosure <strong>of</strong> PHI (including disclosuresby clients or other contractors) tothe CIRT at cirt@bah.com. Observed,suspected, or reported misconductrelated to PHI must be reported toone <strong>of</strong> the resources identified inThe Booz Allen Hamilton Code <strong>of</strong> Business Ethics and Conduct | GREEN BOOK 29Chapter V