The Privacy Act of 1974: An Introduction September 2010


The Privacy Act of 1974: An Introduction September 2010 For Official Use Only

Lesson 1: Introduction

Lesson 1: Introduction
Welcome
- Course overview
- Trainer introductions

Lesson 1: Introduction
Participant Introductions
Now it’s time to introduce ourselves:
- Name
- Number of years with the Department of Defense (DoD)
- Current job, agency, or component
- Responsibilities

Lesson 1: Introduction
Course Goals
- To raise awareness of the need to safeguard the personally identifiable information (PII) held by the Department of Defense
- To raise awareness of the penalties associated with Privacy Act violations

Lesson 1: Introduction
Course Objectives
After completing this course, you will be able to:
- Identify the policy objectives associated with the Privacy Act of 1974
- Identify concepts and definitions associated with personally identifiable information (PII)
- Identify the nondisclosure rule and its 12 exceptions
- Identify safeguards and best practices that help ensure the protection of PII
- Identify the penalties for noncompliance with the Privacy Act of 1974

Lesson 1: Introduction
Course Structure
- Introduction
- The Privacy Act of 1974 Policy Objectives
- Concepts and Definitions Associated With PII
- Conditions of Disclosure
- Safeguarding PII
- Penalties for Noncompliance with the Privacy Act
- Scenario Exercise: Putting It All Together
- Course Summary

Lesson 2: The Privacy Act of 1974 Policy Objectives

Lesson 2: The Privacy Act of 1974 Policy Objectives
Lesson Objective
Upon completion of this lesson, you will be able to:
- Identify the policy objectives associated with the Privacy Act of 1974

Lesson 2: The Privacy Act of 1974 Policy Objectives
Code of Fair Information Practice Principles
In 1972, the Advisory Committee on Automated Personal Data Systems explored the impact of computerized record-keeping on individuals and proposed a Code of Fair Information Practice Principles (FIPPs). The FIPPs evolved into 8 generally accepted principles, which formed the basis for all subsequent codes and laws related to information collection, especially the Privacy Act of 1974.

Lesson 2: The Privacy Act of 1974 Policy Objectives
Fair Information Practice Principles
The 8 generally accepted principles identified in the Code for Automated Personal Data Systems are:
- Collection limitation
- Data quality
- Purpose specification
- Use limitation
- Security safeguards
- Openness
- Individual participation
- Accountability

Lesson 2: The Privacy Act of 1974 Policy Objectives
Inception of the Privacy Act of 1974
Congress turned its attention to the issue of data stored in insecure data banks in June 1974. The Senate Judiciary Committee's Subcommittee on Constitutional Rights discovered that billions of records were stored within Federal Government computers. Individuals did not know the information was being collected and had no recourse to review or correct it.

Lesson 2: The Privacy Act of 1974 Policy Objectives
Objectives of the Privacy Act
- To restrict disclosure of personally identifiable records maintained by agencies
- To grant individuals increased rights of access to agency records maintained on themselves
- To grant individuals the right to seek amendment of agency records maintained on themselves upon a showing that the records are not accurate, relevant, timely, or complete
- To establish basic requirements for agencies to comply with standards for collection, use, maintenance, and dissemination of records

Lesson 3: Concepts and Definitions Associated with PII

Lesson 3: Concepts and Definitions Associated with PII
Lesson Objective
After completing this lesson, you will be able to:
- Identify concepts and definitions associated with personally identifiable information (PII)

Lesson 3: Concepts and Definitions Associated with PII
Definitions
Personally identifiable information (PII) is information about an individual that identifies, links to, relates to, is unique to, or describes him or her.

Lesson 3: Concepts and Definitions Associated with PII
Definitions, cont.
Protected Health Information (PHI) is a subset of personally identifiable information. Examples of PHI are a medical diagnosis; lab results; X-rays; and the date, time, and location of medical appointments.

Lesson 3: Concepts and Definitions Associated with PII
Definitions, cont.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the privacy of individuals' PHI from inappropriate disclosure.

Lesson 3: Concepts and Definitions Associated with PII
Definitions, cont.
A single item or collection of items of PII maintained by an agency is called a record. Records are grouped into a collection for a specific purpose by an agency. When a personal identifier is used to retrieve records from such a collection, it is called a system of records (SOR).

Lesson 3: Concepts and Definitions Associated with PII
Definitions, cont.
A system of records notice (SORN) is a description of the contents of an existing or planned system of records. A SORN states the purpose and authority by which the information in the system of records is collected, and identifies what data the agency intends to collect, how the data will be used and safeguarded, who will have access, and other details.

Lesson 3: Concepts and Definitions Associated with PII
Definitions, cont.
Routine use is the disclosure of a record outside the DoD for a use that is compatible with the purpose for which the information was collected and maintained by the DoD. The routine use must be included in the published system notice for the system of records involved.

Lesson 3: Concepts and Definitions Associated with PII
Definitions, cont.
Need-to-know is the authorized, official need to have access to information that is protected under the Privacy Act, based on assigned duties and responsibilities. The need-to-know test is satisfied when the requester can establish either of the following:
- The information is needed for official business
- The information is required by law

Lesson 3: Concepts and Definitions Associated with PII
Definitions, cont.
Responsibility to share information was met within DoD on December 28, 2007, through the addition of a “Blanket Routine Use,” which allows the sharing of a record consisting of or relating to:
- Terrorism information
- Homeland security information
- Law enforcement information
Responsibility to share information does not circumvent the need-to-know.

Lesson 3: Concepts and Definitions Associated with PII
Sharing Information Appropriately

Lesson 4: Conditions of Disclosure

Lesson 4: Conditions of Disclosure
Lesson Objective
After completing this lesson, you will be able to:
- Identify the nondisclosure rule
- Identify the 12 exceptions to the nondisclosure rule

Lesson 4: Conditions of Disclosure
General Disclosure Prohibition
"No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains." — 5 U.S.C. § 552a(b)
There are 12 exceptions to this nondisclosure rule.

Lesson 4: Conditions of Disclosure
Exceptions to the Nondisclosure Rule
This slide and the 3 that follow list the conditions under which it is acceptable to disclose PII from a Privacy Act record to a third party:
- To employees with a legitimate need-to-know
- When the FOIA requires release
- For a "routine use" identified in the system of records notice (SORN) that has been published in the Federal Register

Lesson 4: Conditions of Disclosure
Exceptions to the Nondisclosure Rule, cont.
- To the Census Bureau for the purpose of conducting the census
- For statistical research and reporting in which individuals will not be identified
- To the National Archives and Records Administration

Lesson 4: Conditions of Disclosure
Exceptions to the Nondisclosure Rule, cont.
- To civil or criminal law enforcement under U.S. control
- For compelling circumstances affecting the health or safety of the individual
- To either House of Congress

Lesson 4: Conditions of Disclosure
Exceptions to the Nondisclosure Rule, cont.
- To the Comptroller General
- Pursuant to a court order (a subpoena signed by a judge)
- To a consumer reporting agency in accordance with the Debt Collection Act

Lesson 5: Safeguarding PII

Lesson 5: Safeguarding PII
Lesson Objective
After completing this lesson, you will be able to:
- Identify safeguards and best practices that help ensure the protection of PII

Lesson 5: Safeguarding PII
Administrative Safeguards
- Verify that e-mail distribution lists are only for those with a need-to-know.
- Validate the use of the information against the purpose of collection in the SORN.
- Ensure that the component privacy officer reviews/updates the SORN.

Lesson 5: Safeguarding PII
Administrative Safeguards, cont.
- Be aware of the surrounding environment when engaging in conversation involving PII.
- Ensure that telephone conversations are private.
- Check that information containing PII is necessary for the task. As a policy under the Privacy Act, ask whether a task can be completed without the PII.

Lesson 5: Safeguarding PII
Administrative Safeguards, cont.
- Do not take PII out of the office unless required by your official duties and approved by an appropriate authority.
- Mark hard copies of PII using prescribed markings such as “Sensitive” and cover with a coversheet or folder.
- Consult the component privacy officer before the creation of a System of Records (SOR) or information collection. The privacy officer will determine whether a SORN needs to be created to notify the public.

Lesson 5: Safeguarding PII
Technical Safeguards
- Use encryption for e-mails that include PII.
- Use only DoD-approved software.
- Use cover sheets, confirm fax numbers, and obtain transmission confirmation when faxing.
- Do not use flash ("thumb") drives.

Lesson 5: Safeguarding PII
Physical Safeguards
- Use locks to secure PII/PHI when stored.
- Dispose of records according to established standards in the SORN or procedures established by the National Archives and Records Administration.
- Establish physical safeguards that protect information against reasonably identifiable threats that could result in unauthorized access or alteration.
- Test safeguards to ensure that they perform as intended.

Lesson 5: Safeguarding PII
Best Practices
- Do not use information that was previously collected for a new use without informing the public by altering an existing SORN or creating a new one.
- Do not use a subset of existing data for a new purpose.
- Do not maintain data collections in secret.
- Do not use data from websites such as Wikipedia instead of authoritative Government sources.
- Do not keep PII in an unapproved spreadsheet.

Lesson 5: Safeguarding PII
Best Practices, cont.
- Collect information directly from the individual to the greatest extent practical.
- Verify that data retrieved are accurate, complete, relevant, and timely (up-to-date).
- Ensure that information is from the authorized official source.

Lesson 6: Penalties for Noncompliance with the Privacy Act

Lesson 6: Penalties for Noncompliance with the Privacy Act
Lesson Objective
After completing this lesson, you will be able to:
- Identify the penalties for noncompliance with the Privacy Act of 1974

Lesson 6: Penalties for Noncompliance with the Privacy Act
Noncompliance with the Privacy Act
Individuals may be criminally liable if they knowingly and willfully:
- Disclose privacy data to any person not entitled to access
- Maintain a system of records without meeting public notice requirements
- Obtain or request records under false pretenses

Lesson 6: Penalties for Noncompliance with the Privacy Act
Noncompliance with the Privacy Act, cont.
Courts may award civil penalties against the Agency for:
- Improperly/unlawfully refusing to amend a record
- Improperly/unlawfully refusing to grant access to a record
- Failure to maintain accurate, relevant, timely, and complete information
- Failure to comply with any Privacy Act provision or agency rule that results in an adverse effect on the subject of the record

Lesson 6: Penalties for Noncompliance with the Privacy Act
Penalties for Noncompliance
Criminal penalties (apply to the individual employee):
- A misdemeanor charge
- Maximum fine of $5,000

Lesson 6: Penalties for Noncompliance with the Privacy Act
Penalties for Noncompliance, cont.
Civil penalties (apply to the agency, not the employee):
- The cost of actual damages suffered ($1,000 minimum)
- Costs and reasonable attorney's fees

Lesson 7: Scenario Exercise: Putting It All Together

Lesson 7: Scenario Exercise: Putting It All Together
Lesson Objective
After completing this lesson, you will be able to:
- Identify errors in handling PII and demonstrate awareness of the appropriate action to take in managing PII

Lesson 7: Scenario Exercise: Putting It All Together
The scenario that you are about to read is based in part on a real situation. You will read the scenario and answer questions about the appropriate actions to take.

Lesson 7: Scenario Exercise: Putting It All Together
Scenario Questions
- Does this e-mail contain personally identifiable information?
- Is this information protected under the Privacy Act?
- Does Judy have a need-to-know this information?
- Have the appropriate technical safeguards been applied in the transmittal of this e-mail?
- Is this a breach? If so, who should Judy report it to?

Lesson 8: Course Summary

Lesson 8: Course Summary
Key Points from the Course
Agency responsibilities: The Privacy Act of 1974 sets forth objectives for Federal agencies that maintain records with personally identifiable information. Summarized, these are:
- Agencies must restrict disclosure of personally identifiable records
- Individuals have rights of access to agency records about themselves
- Individuals can seek amendment of agency records about themselves

Lesson 8: Course Summary
Key Points from the Course, cont.
- Agencies should abide by a Code of Fair Information Practice Principles that requires agencies to comply with standards for collection, maintenance, and dissemination of records.
Safeguards: DoD employees and contractors must practice administrative, physical, and technical safeguards to protect PII from misuse or use without permission.

Lesson 8: Course Summary
Course Objectives Reviewed
You should now be able to:
- Identify the policy objectives associated with the Privacy Act of 1974
- Identify concepts and definitions associated with personally identifiable information (PII)
- Identify the nondisclosure rule and its 12 exceptions
- Identify safeguards and best practices that help ensure the protection of PII
- Identify the penalties for noncompliance with the Privacy Act of 1974

Lesson 8: Course Summary
Additional Resources
You may also consult one of the following resources on privacy, found at http://dpclo.defense.gov:
- DoDD 5400.11, "DoD Privacy Program," May 8, 2007
- DoD 5400.11-R, "Department of Defense Privacy Program," May 14, 2007