PRESS “F5” ON YOUR KEYBOARD TO PROPERLY START THIS TRAINING MODULE. Then, click the arrow at the bottom right of this slide to begin the training module.

Defense Security Cooperation Agency FY 2014 Privacy Training Sponsored by the Office of General Counsel

Annual Training Requirements This training is required by DoD 5400.11, DoD 5400.11-R (DoD Privacy Program), and OSD Administrative Instruction 81. Note, 100% compliance with the annual Privacy training requirement is expected from all civilian, military, and contractor personnel within DSCA, the Regional Centers and the Field Activities. Staff must complete the “Automated Proof of Training” slide at the end of this module to ensure the Office of General Counsel receives proof that you have met the requirement. You should also print a copy of your certificate of completion for your records.

Overview of the Privacy Act of 1974

What is the Privacy Act of 1974? The Privacy Act of 1974 is a Federal statute enacted by Congress to provide U.S. citizens and lawfully admitted aliens who are permanent residents with the right to privacy in records that are maintained and used by Federal agencies. The Privacy Act does not apply to deceased persons, but under certain circumstances, may apply to the relatives of the deceased. By establishing the Privacy Act, Congress intended to balance the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from a Federal agency’s collection, maintenance, use, and disclosure of personal information about them.

What does the Privacy Act require of Federal agencies? The Privacy Act requires a Federal agency to: Maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required by law; Collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about the individual’s rights, benefits, or privileges under Federal programs; Maintain all records used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in the determination; Prior to disseminating any record about an individual to any person other than an agency, except for disclosures under the FOIA, make reasonable efforts to ensure that the records are accurate, complete, timely, and relevant for agency purposes.

What does the Privacy Act require of Federal agencies? (continued) Maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless otherwise authorized by law, the subject individual, or law enforcement activity. Make reasonable efforts to serve notice on an individual when any record on the individual is made available under compulsory legal process. This notice is only required when the process becomes a matter of public record. Establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record, including guidance to such person regarding the provisions of the Privacy Act, other applicable rules and procedures, and penalties for noncompliance.

What does the Privacy Act Require of Federal agencies? (continued) Establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. Permit the individual, upon a written request, to review agency records that are maintained about them; and request an amendment of agency records upon showing that the records about them are not accurate, relevant, timely, or complete.

What does the Privacy Act require of Federal agencies? (continued) PRIVACY ACT STATEMENT When an agency solicits personal information from an individual for a system of records, the Privacy Act requires agencies to tell the individual in writing of: The statute or executive order of the President that authorizes the agency to solicit the information. The principal purposes for which the information is intended to be used. How the information will be used. Whether the disclosure of the information is mandatory or voluntary, and the effects, if any, on the individual for not providing all or any part of the information.

What does the Privacy Act require of Federal agencies? (continued) PRIVACY ACT STATEMENT When an agency requests an individual to disclose his or her social security number (SSN), Section 7 of the Privacy Act provides that it shall be unlawful to deny any individual any right, benefit, or privilege provided by law because the individual refuses to disclose his or her SSN. IMPORTANT NOTE: The expanded use of SSNs, in any form, is unacceptable within the Department. DoD Components are now instructed to evaluate their use of SSNs and to eliminate all unnecessary collections of SSNs that do not meet one or more of the 12 acceptable uses, as outlined in DoDI 1000.30, "Reduction of Social Security Number (SSN) Use Within DoD," August 1, 2012. The new instruction also establishes policy and assigns responsibilities for SSN use reduction in DoD.

Can an agency disclose records about an individual? No, Federal agencies must not disclose any “record” which is contained in a “system of records” to any person, except at the written request or with the prior written consent of the person to whom the record relates. However, there are exceptions for certain disclosures within the Government, including routine uses required by law. The Defense Privacy and Civil Liberties Office (DPCLO) publishes a list of DoD blanket routine uses on its website at www.dpclo.defense.gov/privacy/sorns/blanket_routine_uses.html.

What is a record? The Privacy Act defines a “record” as any item, collection, or grouping of information about an individual that is maintained by an agency, including but not limited to, education, financial transactions, medical history, and criminal or employment history, and that contains the name, or identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph. In the Privacy Act community, these identifiers are referred to as personally identifiable information (PII).

How does DoD define PII? DoD 5400.11-R, “Department of Defense Privacy Program,” defines PII as information about an individual that identifies, links, relates or is unique to, or describes him or her (e.g., a Social Security Number, age, military rank, civilian grade, marital status, race, salary, home/office phone numbers, other demographic, biometric, personnel, medical and financial information, etc.), when linked to a record that is maintained in a “system of records.”

What is a system of records? A “system of records” is a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. Examples of a “system of records” may include the following: Electronic systems funded by DSCA for data management, including systems maintained in a commercial environment; Applications such as Microsoft Access or Excel used to create databases or spreadsheets; Paper or physical records maintained in file cabinets or drawers. Because of the retrieval requirement, some collections of records are not “systems of records” and are therefore not subject to the Privacy Act. However, staff should consult DSCA/OGC Privacy Act Officials to determine whether the requirement applies.

Can I maintain a system of records in connection with my official duties? Yes. However, to maintain a “system of records,” the Privacy Act requires Federal agencies to publish a notice for public comment in the Federal Register which describes, among other things, the existence, uses, and legal authority for the collection of each new or significantly revised system of records. The DoD Privacy Program regulation states, “the system notice must be published in the Federal Register before a Component begins to operate the system (e.g., collect or use the information).”

Do I have to publish a notice in the Federal Register if the data collected will not invade an individual’s personal privacy? A notice must be published in the Federal Register if you “retrieve” an individual’s information by a personal identifier linked only to them, regardless of whether or not the information would cause an invasion of personal privacy. If you believe your collection (paper or electronic) is a system of records within the meaning of the Privacy Act, and you do not have a published system notice in the Federal Register, please contact DSCA/OGC Privacy Act Officials so that we may assist you and the agency in complying with the reporting requirement.

ADDITIONAL INFORMATION YOU SHOULD KNOW

Your collection may also trigger the following Federal requirements apart from the Privacy Act: Section 208 of the E-Gov Act of 2002 requires an agency Chief Information Officer (CIO) to ensure that a privacy impact assessment (PIA) is conducted and reviewed for applicable IT systems, and requires privacy notices on government websites and privacy policies in machine-readable formats. The Federal Information Security Management Act (FISMA) requires an agency to provide information security protections for IT systems commensurate with the risk and magnitude of harm. The Paperwork Reduction Act (PRA) requires an agency to seek and obtain OMB approval before undertaking a collection of information from ten or more members of the public. Chapter 31 of Title 44 U.S.C. requires an agency to ensure efficient and effective records management. Note, there are also DoD issuances that coincide with each of these Federal requirements.

Who is responsible for ensuring the Privacy Act requirements and the other Federal requirements associated with the data collection are met? You should immediately contact your designated DSCA officials for Privacy, Information Assurance (electronic collections only), Records Management, and DoD Internal/External Information Collections for assistance with meeting the requirements. The System/Program Manager is responsible for ensuring that all Federal requirements are completed for the electronic or paper collections. OSD/JS Privacy Office

SAFEGUARDING PERSONALLY IDENTIFIABLE INFORMATION (PII)

What can I do to safeguard PII? STORING PII During Duty Hours Cover with DD 2923 (Privacy Act Cover Sheet) or place in an out-of-sight location when those who do not have authorized access enter the work space. Use privacy filters on computer screens so the display cannot be read from the side. Lock computers when leaving, even for brief periods of time. After Duty Hours If the building is locked or manned by security, place records in a locked or unlocked drawer or cabinet. Special categories of Privacy data should be placed in locked receptacles.

What can I do to safeguard PII? (continued) SHARING PII Follow the “need-to-know” principle. Share only with those specific DoD employees who need the data to perform their official duties. If the System Manager has granted you authority to make disclosures outside DoD: Share only with those individuals and entities listed under the DoD blanket routine uses published on DPCLO’s public website. If you have doubts about sharing data, consult with the System Manager or DSCA/OGC Privacy Act Officials.

What can I do to safeguard PII? (continued) TRANSPORTING PII Using E-mail Do not send PII to your personal email account (e.g., Yahoo, Gmail, Hotmail, or any other “commercial” email address). Send emails only to recipients with a need-to-know. Ensure emails contain “FOR OFFICIAL USE ONLY – PRIVACY SENSITIVE” in the subject line. Ensure emails contain the warning language, “FOR OFFICIAL USE ONLY – PRIVACY SENSITIVE: Any misuse or unauthorized disclosure of this information may result in both civil and criminal penalties,” in the body of the email. Digitally sign and encrypt all emails containing PII; the marking alone protects nothing in transit. Using Fax Machine Ensure the document is properly marked “FOR OFFICIAL USE ONLY – PRIVACY SENSITIVE.” Ensure you have the correct fax number. Have someone stand by at the receiving end of the fax.
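The e-mail rules above are easy to state and easy to forget under time pressure, so a mail gateway or send-hook check is a common way to enforce them. The following Python is an added illustration, not DSCA or DoD code and not part of the original module: it applies the rules to an unencrypted draft (subject marking, body warning language, no personal/commercial recipients) only when the body actually contains SSN-shaped values, and separately checks whether an outgoing message is an S/MIME enveloped (encrypted) object rather than merely marked. The commercial-domain list, the SSN pattern, the `example.mil` addresses and the sample messages are assumptions constructed for the example.

```python
"""Pre-send check for e-mail carrying PII, modelled on the transport rules in the
training module. Added illustration, not DSCA/DoD code. The commercial-domain list,
the SSN regex and the example.mil addresses are assumptions made for the example."""
import re
from email.message import EmailMessage
from email.utils import getaddresses

SUBJECT_MARKING = "FOR OFFICIAL USE ONLY - PRIVACY SENSITIVE"
BODY_WARNING = (SUBJECT_MARKING + ": Any misuse or unauthorized disclosure of this "
                "information may result in both civil and criminal penalties")
# Assumption: personal/commercial webmail domains that must never receive PII.
COMMERCIAL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com", "aol.com"}
# Assumption: SSN-shaped ddd-dd-dddd; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def _norm(text):
    """Fold en/em dashes to '-' and upper-case so marking checks tolerate typography."""
    return re.sub(r"[\u2013\u2014]", "-", text or "").upper()


def find_ssns(text):
    """Return SSN-shaped tokens found in text (a cheap PII detector for the example)."""
    return SSN_RE.findall(text)


def recipients(msg):
    """All destination addresses (To/Cc/Bcc), lower-cased."""
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _, addr in getaddresses(hdrs) if addr]


def check_draft(msg):
    """Apply the module's e-mail rules to an unencrypted draft.
    Returns a list of findings; an empty list means nothing blocks sending."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    ssns = find_ssns(text)
    if not ssns:
        return []                      # no PII detected: the marking rules do not apply
    findings = [f"pii: {len(ssns)} SSN-like value(s) in body"]
    if _norm(SUBJECT_MARKING) not in _norm(msg.get("Subject", "")):
        findings.append("subject: missing 'FOR OFFICIAL USE ONLY - PRIVACY SENSITIVE'")
    if _norm(BODY_WARNING) not in _norm(text):
        findings.append("body: missing privacy-sensitive warning language")
    for addr in recipients(msg):
        if addr.rpartition("@")[2] in COMMERCIAL_DOMAINS:
            findings.append(f"recipient: {addr} is a personal/commercial mailbox")
    return findings


def is_smime_enveloped(msg):
    """True when the outgoing message is an S/MIME enveloped-data object,
    i.e. it was actually encrypted rather than only marked in the subject."""
    return (msg.get_content_type() == "application/pkcs7-mime"
            and (msg.get_param("smime-type") or "") == "enveloped-data")


def make_draft(subject, body, to):
    """Constructed sample draft (not a real message)."""
    m = EmailMessage()
    m["From"] = "analyst@example.mil"
    m["To"] = to
    m["Subject"] = subject
    m.set_content(body)
    return m


# Constructed samples: one that breaks every rule, one that satisfies the marking rules.
BAD = make_draft("Roster", "Jane Doe SSN 123-45-6789, please file.", "jdoe@gmail.com")
GOOD = make_draft("FOR OFFICIAL USE ONLY – PRIVACY SENSITIVE: roster",
                  "Jane Doe SSN 123-45-6789.\n\nFOR OFFICIAL USE ONLY – PRIVACY SENSITIVE: "
                  "Any misuse or unauthorized disclosure of this information may result in "
                  "both civil and criminal penalties",
                  "records.clerk@example.mil")
# Constructed S/MIME envelope; the bytes stand in for CMS enveloped-data and are not a real ciphertext.
ENVELOPE = EmailMessage()
ENVELOPE["Subject"] = GOOD["Subject"]
ENVELOPE.set_content(b"\x30\x82\x01\x00", maintype="application", subtype="pkcs7-mime",
                     params={"smime-type": "enveloped-data", "name": "smime.p7m"})

if __name__ == "__main__":
    for name, draft in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, check_draft(draft) or "ok")
    print("encrypted:", is_smime_enveloped(ENVELOPE), is_smime_enveloped(GOOD))
```

The draft check deliberately reports the PII finding even for a correctly marked message, so the sender still has to confirm the recipients' need-to-know and that the message will be signed and encrypted before it leaves; a gateway would combine `check_draft` on the plaintext with `is_smime_enveloped` on the wire message.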

What can I do to safeguard PII? (continued) TRANSPORTING PII Using Ground Mail Ensure the envelope is addressed to an authorized recipient and properly marked “FOR OFFICIAL USE ONLY – PRIVACY SENSITIVE.” Double wrap by putting the initially sealed envelope in a second sealed, unmarked envelope addressed to the authorized recipient. Hand Carrying Cover with DD 2923 (Privacy Act Cover Sheet) to shield personal content(s). This cover sheet is publicly available on the internet.

What can I do to safeguard PII? (continued) DISPOSING of PII A disposal method is considered adequate if it renders the information unrecognizable or beyond reconstruction. Disposal methods may include the following: Burning; Melting; Chemical decomposition; Pulping; Pulverizing; Shredding; Mutilation; Degaussing. Note that simply deleting a file or emptying the Recycle Bin removes only the directory entry; the data remains on the media and can be recovered, so it does not by itself meet the “beyond reconstruction” standard for electronic records. Electronic media should be sanitized by overwriting, degaussing, or physical destruction in accordance with your system’s approved procedures.

PRIVACY BREACH

What is a privacy breach? A breach is a loss of control, unauthorized disclosure, or unauthorized access of personal information, where individuals other than authorized users gain access to such information, or authorized users access it for an other than authorized purpose.

Should I attempt to contain the breach? Absolutely yes! If you are able to stop or contain the breach, you should immediately take necessary actions to prevent or limit potential harm to the affected individual(s).

What should I do in the event of a privacy breach? Upon becoming aware of the loss, theft, or improper disclosure of personal information (paper or electronic), you must report the incident to: Your Supervisor/Manager immediately; Electronic only: The United States Computer Emergency Readiness Team (US-CERT) within one hour of discovery at https://forms.us-cert.gov/report/; and DSCA/OGC Privacy Officials within 24 hours at DSCA-OGC-PII-BreachNotification@dsca.mil. Note, your notice should contain the information specified in Chapter 10.6.1.2 of DoD 5400.11-R, “DoD Privacy Program,” May 14, 2007.

PENALTIES

Are there any penalties for violating the Privacy Act? Yes. The Privacy Act provides for both criminal and civil penalties for noncompliance. Criminal Penalties Any officer or employee of a government agency who knowingly and willfully discloses personally identifiable information to a person or agency not entitled to receive it is guilty of a misdemeanor and may be fined a maximum of $5,000. Likewise, any agency employee or official who willfully maintains a system of records without publishing the notice of its existence and relevant details described above may be fined a maximum of $5,000. The same misdemeanor penalty (and $5,000 maximum fine) applies to anyone, including contractor personnel, who knowingly and willfully requests or obtains an individual’s record from an agency under false pretenses.

Are there any penalties for violating the Privacy Act? (continued) CIVIL PENALTIES If an agency refuses to allow an individual access to his or her records and/or to amend an individual's record upon request, the individual can sue in civil court to have the records produced and /or amended. The court can also make the Government pay the individual reasonable attorney's fees or other litigation costs. If an agency has violated any other section of the Privacy Act, and a court finds that the violation is "intentional or willful," the court can make the Government pay to the individual actual damages suffered as a result of the violation (but in no case shall a person entitled to recovery receive less than the sum of $1,000), along with costs and reasonable attorney's fees.

Contact Information Please direct all privacy related matters to your DSCA/OGC Privacy Act Officials at (703) 604-0295.

You have completed the FY 2014 Privacy Act Training Module! To ensure you receive credit for meeting this annual requirement, click the link on this slide to complete the automated email notification and obtain a copy of your certificate for your records.