Federal agencies are looking closely at how grantees are protecting personally identifiable information (PII) in their data systems, grant documentation, hardcopy files, etc. The Uniform Guidance (2CFR200) explicitly requires grantees to have a system in place, as part of their internal controls, for safeguarding PII of their employees, the clients they serve, their donors, the board members—anyone that provides personal/sensitive information. Previous grant management regulations were silent on the matter. If you haven’t updated your organization’s policies and procedures yet, it’s time to get on it! BTW, this also applies to pass-through entities and their sub-grantees.