Safeguarding Privacy Act Data Awareness Training for ALL DeCA Employees and Contractors.

2 Time for a reminder!
In a number of recent incidents, personal data has been lost, stolen, or compromised.
Most notable: in May of 2006, a laptop stolen from a Federal employee's home contained personal data on 26.5 million veterans.
Don't allow yourself OR a member of your staff to be the next individual accused of carelessly handling personal data!

3 What is Privacy Data?
Personally identifiable information such as:
– Social Security Numbers
– Home Addresses
– Telephone Numbers
Special categories of Privacy data:
– Investigative Files
– Employee Information (including OPF & medical information)
– Security Clearance Files
– Adverse Action Information

4 Privacy Data & DeCA
We are extremely careful dealing with patron information, such as:
– Social Security Numbers (check acceptance)
– Credit Card Numbers
– Debit Card Numbers
– WIC Cards/Vouchers

5 Privacy Data & DeCA (cont'd)
We must show the same concern when dealing with employees' data by:
– Avoiding improper sharing of information, such as spreading gossip that would embarrass or harm a person; for example: "Did you know that Mary has a bad credit rating?"
– Utilizing e-mail properly to forward Privacy data; for example: avoiding the use of "Reply to All" unless appropriate, and obtaining the employee's consent when sending out notices (e.g., loss of loved ones) containing home addresses, etc.
– Safeguarding Privacy data in our cubicles, on our desks, and on our computers; for example: never leaving documents out in the open when away from your desk

6 Safeguarding Requirements
Three levels of safeguards:
– Administrative (FOUO/Privacy Act markings, etc.)
– Physical (cabinets, drawers, folders, etc.)
– Computer (passwords, encryption, etc.)
Individuals responsible for safeguards:
– Individual users
– Information Technology system designers
– Privacy Act System Managers
– Privacy Act Officials
As individuals, we must ALL do our best to proactively protect the privacy rights of all individuals, including all employees and patrons.

7 Marking Privacy Data
Privacy Act data is to be handled as For Official Use Only (FOUO).
Mark Privacy Act data with a handling notice when it is created or received:
– "Privacy Act of 1974 Data"; or
– "Privacy Act Data"; or
– "For Official Use Only"
Place marks at the top and bottom of each page or screen.
Reminder: Before disseminating Privacy Act data, ensure that it carries the FOUO handling notice!

8 Storing Privacy Data
Duty hours:
– Cover or place in an out-of-sight location when those not authorized access enter the work space
– Lock computers when leaving, even for brief periods
– DO NOT share your password with ANYONE!
After duty hours:
– If the building is locked or manned by security, place records containing Privacy information in closed drawers or cabinets
– Special categories of Privacy data should be placed in LOCKED offices, drawers, or cabinets
Reminder: Give Privacy Act information in the workplace the same degree of security you would give your OWN most sensitive personal/financial information at home!

9 Sharing Privacy Act Data
Follow the need-to-know principle:
– Inside DeCA, share only with those specific DeCA employees/contractors who need the data to perform official, assigned duties.
– Outside of DeCA, share only with those individuals and entities that are listed in the Routine Use clause of the governing Privacy Act system notice and to whom the Privacy Act System Manager allows disclosures.
If you have doubts about sharing data, consult with your supervisor or your Privacy Officer.

10 Removal of Privacy Data from Work Area
NO Privacy data should be removed UNLESS necessary to perform your official duty.
Written consent from your immediate supervisor MUST be obtained and must identify the following:
– Type/description of data
– Reason for removal
– Date and expected time of return
When TDY, ensure that you secure records in the local DeCA facility OR secure them out of sight in the hotel or billeting facilities.
When teleworking, treat Privacy protected data the same way you would treat your most personal, sensitive information.
Questions about whether it is appropriate to grant authority? Contact your Privacy Officer, Deputy General Counsel Litigation/FOIA, or Senior Privacy Official, all located in the Office of General Counsel.

11 Transporting Privacy Data
Ground mail:
– You may double wrap using an inner and outer envelope if appropriate
– Mark on the inner envelope that it contains Privacy Act data
– Mark the outer envelope to the attention of an authorized recipient
– Never indicate on the outer envelope that it contains Privacy data
– Never use "holey joes" or messenger-type envelopes
Hand-carry:
– Use envelopes or a Sensitive Unclassified Information cover sheet (DeCAF 30-34) to shield contents
– Announce in the opening line and in the last line of text that you are relaying Privacy Act data or FOUO material
Facsimile:
– Use a fax cover sheet
– Make sure the cover sheet clearly indicates who it goes to and that the fax contains Privacy Act data
– If the receiving fax machine is in a common area (or if you are uncertain), call ahead to make arrangements for receipt

12 Disposition/Inappropriate Disclosure
Disposing of Privacy data:
– When no longer required, Privacy Act data should be disposed of in a manner that renders the information unrecognizable or beyond reconstruction
– Use any means that accomplishes the task and prevents inadvertent compromise
– Refer to your Records Schedule for proper disposition of Agency records
Reporting inappropriate disclosures:
– In the event that Privacy protected information is compromised or inappropriately/inadvertently released, immediately report it to your Privacy Act Officer
– The Agency must report to the Department of Homeland Security within the hour
ERR ON THE SIDE OF CAUTION! If you are not certain whether an inadvertent release or an actual compromise has occurred, consult with your Privacy Officer.

13 Criminal Penalties for Noncompliance with the Privacy Act
The Privacy Act imposes criminal penalties:
– For knowingly and willfully disclosing Privacy Act data to any person not entitled to access
– For maintaining a System of Records without meeting the public notice requirements
– For knowingly and willfully requesting or obtaining records under false pretenses
Individual employees may be charged with a misdemeanor and fined up to $5,000.

14 Civil Penalties for Noncompliance with the Privacy Act
The Privacy Act also imposes civil penalties for:
– Failing to comply with any Privacy Act provision or Agency rule that results in an adverse effect
– Failing to maintain accurate, relevant, timely and complete data
– Unlawfully refusing to amend a record
– Unlawfully refusing to grant access to records
Penalties include:
– Payment of actual damages
– Payment of reasonable attorney's fees
Civil penalties are imposed on agencies, not individuals; however, Agency employees responsible for civil violations for which the Agency may be penalized are subject to administrative sanctions, such as removal from employment.

15 If You Have Access to Personal Data...
Protect the data at all times.
Do NOT share it with anyone unless:
– The recipient is an employee/contractor who has a need for the record in the performance of their duties; or
– The individual has given you written consent to disclose it
Password protect personal data placed on:
– Shared drives
– Internet
– Intranet
Think about the likely results of your actions (for example: "If I do this, will I increase the risk of unauthorized access?")

16 Some useful pointers…
– NEVER leave a document containing privacy protected information unattended at the copier!
– Prior to faxing a document containing sensitive information, call the intended recipient to ensure prompt pickup!
– Be cognizant when printing privacy data; ensure you are selecting a printer that you have access to and ensure prompt retrieval!
– When sending e-mails, ensure the recipient has a need to know; when sending personal notifications (such as a death in the family), remember to obtain permission before disseminating
– Make sure you use sealable opaque envelopes when routing personal data
– When opening mail, be sure to pay extra attention to any special instructions/restrictions on the outside of the envelope so you don't accidentally disclose personal information protected by the Privacy Act

17 Recognize Your Personal Responsibility
– Respect the privacy of others
– Take privacy protection seriously
– Alert your supervisor or other management official when you see personal data left unattended
– Report suspected Privacy compromises to your Privacy Officer
– Know the Privacy Act requirements
– Use COMMON SENSE!
If you have any questions or concerns about your individual responsibilities concerning the Privacy Act, please contact the DeCA Privacy Officer!

18 Contact Information
DeCA Privacy Officer: Donna Williamson
Office of General Counsel
DSN (804)