Privacy 201 Training for Supervisors The Privacy Act of 1974 5 U.S.C. 552a.

Slides:



Advertisements
Similar presentations
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
Advertisements

Protect Our Students Protect Ourselves
FERPA: Family Educational Rights and Privacy Act
Mandatory training for all Users who have access to Privacy Act Data
Privacy 201 Training for Supervisors
HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
Protection of privacy for all Students!
Overview of the Privacy Act
FERPA Refresher Training Start. Page 2 of 11 Copyright © 2006 Arizona Board of Regents FERPA Refresher Training What is FERPA FERPA stands for Family.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:
HIPAA Privacy Rule Training
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
NAU HIPAA Awareness Training
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
INDIANA UNIVERSITY OFFICE OF THE VICE PRESIDENT AND GENERAL COUNSEL Indiana Access to Public Records Act (APRA) Training.
1 DEFENSE LOGISTICS AGENCY AMERICA’S COMBAT LOGISTICS SUPPORT AGENCY DEFENSE LOGISTICS AGENCY AMERICA’S COMBAT LOGISTICS SUPPORT AGENCY WARFIGHTER SUPPORT.
1 The University of Texas at Tyler Protecting the Confidentiality of Social Security Numbers UTS165 Information Resources Use and Security Policy.
ROLES & RESPONSIBILITIES PRIVACY ACT (PA) SYSTEMS OF RECORDS MANAGERS.
PA/FOIA INTERFACE OSD/JS Privacy Office (703)
Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.
FERPA: Family Educational Rights and Privacy Act.
FERPA The Family Educational Rights and Privacy Act.
Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.
1 FERPA and Student Privacy in Records of University Research ECURE March 1, 2005 Richard Rainsberger, Ph.D. Consultant, Education Records Law and Privacy.
Privacy Act 101 Orientation training for all Military Members, Civilian Employees, and Contractor Personnel.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
The Privacy Act of 1974: An Introduction The Privacy Act of 1974: An Introduction September 2010 For Official Use Only 0.
Practical Information Management
CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.
HIPAA PRIVACY AND SECURITY AWARENESS.
An Educational Computer Based Training Program CBTCBT.
1 DEFENSE LOGISTICS AGENCY AMERICA’S COMBAT LOGISTICS SUPPORT AGENCY DEFENSE LOGISTICS AGENCY AMERICA’S COMBAT LOGISTICS SUPPORT AGENCY WARFIGHTER SUPPORT.
Ames Laboratory Privacy and Personally Identifiable Information (PII) Training Welcome to the Ames Laboratory’s training on Personally Identifiable Information.
Family Educational Rights and Privacy Act. From the moment a child enters the school system, sensitive information is collected about the child (and even.
HOOVER CITY SCHOOLS In-Service Training: Annual Review of.
FERPA Refresher Training Start. Page 2 of 11 Copyright © 2006 Arizona Board of Regents FERPA Refresher Training What is FERPA FERPA stands for Family.
Family Educational Rights and Privacy Act (FERPA) UNION COLLEGE.
The right item, right place, right time. Privacy Act 101 Privacy Awareness Training AUDIENCE: DLA Workforce Annually (Civilian employees, Military members,
The right item, right place, right time. DLA Privacy Act Code of Fair Information Principles.
The right item, right place, right time. Privacy Act 102 Privacy Training for DLA Supervisors / Managers.
Headquarters U. S. Air Force I n t e g r i t y - S e r v i c e - E x c e l l e n c e Freedom Of Information Act/Privacy Act Interface Freedom Of Information.
IM NETWORK MEETING 20 TH JULY, 2010 CONSULTATION WITH 3 RD PARTIES.
A Road Map to Research at Jefferson: HIPAA Privacy and Security Rules for Researchers Presented By: Privacy Officer/Office of Legal Counsel October 2015.
1 Privacy Plan of Action © HIPAA Pros 2002 All rights reserved.
When Can You Redact Information Without Requesting an Attorney General Decision? Karen Hattaway Assistant Attorney General Open Records Division Views.
1 DEFENSE LOGISTICS AGENCY AMERICA’S COMBAT LOGISTICS SUPPORT AGENCY DEFENSE LOGISTICS AGENCY AMERICA’S COMBAT LOGISTICS SUPPORT AGENCY WARFIGHTER SUPPORT.
An Introduction to the Privacy Act Privacy Act 1993 Promotes and protects individual privacy Is concerned with the privacy of information about people.
Privacy Act United States Army (Managerial Training)
HIPAA Overview Why do we need a federal rule on privacy? Privacy is a fundamental right Privacy can be defined as the ability of the individual to determine.
Your Rights! An overview of Special Education Laws Presented by: The Individual Needs Department.
DON Code of Privacy Act Fair Information Principles DON has devised a list of principles to be applied when handling Protected Personal Information (PPI).
Final HIPAA Rule Special Training What you need to know to remain compliant with the new regulations.
Miners Rights Rights & Responsibilities Under the Mine Safety & Health Act of 1977 NC DOL Mine & Quarry Bureau Mine Safety & Health Training Revised 2010.
For Official Use Only (FOUO) and Similar Designations NPS Security Office
HIPAA Training. What information is considered PHI (Protected Health Information)  Dates- Birthdays, Dates of Admission and Discharge, Date of Death.
New Hire HIPAA Orientation. HIPAA Overview HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act of HIPAA.
HIPAA Training Workshop #3 Individual Rights Kaye L. Rankin Rankin Healthcare Consultants, Inc.
HIPAA Privacy Rule Training
Indiana Access to Public Records Act (APRA) Training
HIPPA/HITECH Act Requirements Under the Business Associate Agreement Between CNI and Military Health Services.
Red Flags Rule An Introduction County College of Morris
Disability Services Agencies Briefing On HIPAA
Employee Privacy and Privacy of Employee Information
Government Data Practices & Open Meeting Law Overview
The Health Insurance Portability and Accountability Act
Presentation transcript:

Privacy 201 Training for Supervisors The Privacy Act of U.S.C. 552a

2 PRIVACY REFRESHER From Privacy 101, you know that the Privacy Act is...  “... a means to regulate the collection, use, and safeguarding of personal data.”  A statute that applies to the Executive Branch of the Federal government.

3 PRIVACY REFRESHER In Privacy 101, you also learned that the Privacy Act: Applies to U.S. Citizens & Lawfully Admitted Aliens Applies to U.S. Citizens & Lawfully Admitted Aliens Covers “Systems of Records” – A Group of Files that Covers “Systems of Records” – A Group of Files that Contains a personal identifier (name, SSN, badge #, etc.) Contains a personal identifier (name, SSN, badge #, etc.) Contains one other element of personal data Contains one other element of personal data Is retrieved by personal identifier Is retrieved by personal identifier Provides Citizens/Lawful Aliens with Guaranteed Rights – Provides Citizens/Lawful Aliens with Guaranteed Rights – To access/amend their records To access/amend their records To appeal agency decisions To appeal agency decisions To sue for breaches To sue for breaches

4 PRIVACY REFRESHER Privacy 101 also taught you that:  Agencies may not collect data without first publishing a system notice in the Federal Register announcing the collection.  The system notice sets the rules for collecting, using, sharing, and safeguarding data.  The DON and Government-Wide Privacy Act system notices are at

5 Do you Supervise Employees, Military Members, or Contractors Who... Initiate data collections? Initiate data collections? Receive Privacy data in the course of conducting DON business? Receive Privacy data in the course of conducting DON business? Create, manage, or oversee files or databases containing personal data? Create, manage, or oversee files or databases containing personal data? Disseminate personal data? Disseminate personal data?

6 If “Yes,” You Have a Duty to Ensure that... Your staff receives Privacy Act training. Your staff receives Privacy Act training. No data collection is undertaken unless DON has published a system notice covering the collection. No data collection is undertaken unless DON has published a system notice covering the collection. Access to data is limited to those employees specifically assigned to the program – not all office employees! Access to data is limited to those employees specifically assigned to the program – not all office employees! Data is transmitted in a secure manner. Data is transmitted in a secure manner. Data is safeguarded during and after duty hours. Data is safeguarded during and after duty hours. Your staff is complying with the Privacy Act, DoD Privacy rules (DoD R), and the DON Privacy Act Fair Information Principles. Your staff is complying with the Privacy Act, DoD Privacy rules (DoD R), and the DON Privacy Act Fair Information Principles.

7 SUPERVISOR’S ROADMAP FOR MEETING PRIVACY RESPONSIBILITIES  Is Your Staff Privacy-Trained?  Ensure your staff annually reviews the Privacy 101 training and DON Privacy Act Fair Information Practices, both available at  Are Your Data Collections Properly Conducted?  Ensure your staff consults with the Privacy Office before –  Initiating new data collections.  Adding new elements to an existing, approved database.  Creating or revising forms that collect personal data.  Deploying surveys.  Ensure your staff includes a Privacy Act Statement on all forms, surveys, or websites that collect personal data.

8 SUPERVISOR’S ROADMAP FOR MEETING PRIVACY RESPONSIBILITIES  Do You and Your Staff Practice Limited Access Principles?  Grant access to only those specific employees who require the record to perform specific assigned duties.  Your staff must closely question other DON individuals who ask for your data.  Why do they need it? How will it be used?  Is the purpose compatible with the original purpose of the collection?

9 SUPERVISOR’S ROADMAP FOR MEETING PRIVACY RESPONSIBILITIES Are Your Workers Transmitting Personal Data Properly?  Do not use “holey joes” or interoffice mail envelopes to route personal data. Use sealable, opaque envelopes addressed to an authorized recipient.  When ing personal data –  Use Common Access Card protocols to ensure confidentiality.  Verify that each addressee is an authorized data recipient.

10 SUPERVISOR’S ROADMAP FOR MEETING PRIVACY RESPONSIBILITIES  Is Your Staff Safeguarding Personal Data?  Mark records “For Official Use Only – Privacy Sensitive” when created.  For e-records, include “For Official Use Only-Privacy Sensitive” on data screens and in headers/footers of printouts.  Place records in file cabinets, overhead bins, or desk drawers for overnight storage.  Cover paper records when a third party enters the workspace.  Use filter screens on terminals to blacken angular views.

11 SUPERVISOR’S ROADMAP FOR MEETING PRIVACY RESPONSIBILITIES  Is Your Staff Following the DON Privacy Act Fair Information Principles?  Periodically ask your staff to review the DON Code of Fair Information Principles (See  Immediately report to you, the Privacy Act Office, or the Information Technology staff instances of personal data posted to public or shared websites, E-workplace, shared calendars, or shared drives.

12 Keeping Privacy at Top of Mind  Use Staff Meetings to Stress Good Privacy Practices.  Voice your commitment to protecting individual privacy.  Applaud workers who practice good privacy principles!  Remind staff to use caution when posting data to shared drives, e- workplace, or multi-access calendars.  Post no personal data.  Periodically review shared devices for compliance.  Question Workers Who Leave Personal Data in the Open.

13 Keeping Privacy at Top of Mind - Continued  Question Employees Who Fail to Lock Terminals When Leaving the Work Area.  Scrutinize Proposed New Data Collections and Surveys.  Ask project managers to consult with the Privacy Act Office.  Contracting out a Function?  Include the Federal Acquisition Regulation Privacy clauses in the contract. (FAR & )  Include language in the contract addressing how the data is to be disposed of at contract end.  Contact the Privacy Office for more requirements.

14 Supervising Privacy Act System Managers A “System Manager” is an individual assigned to oversee, manage, direct, and control a Privacy Act system of records. System managers require specialized Privacy Act training. System Manager Duties: System Manager Duties: Comply with 32 CFR 323 and DoD R. Comply with 32 CFR 323 and DoD R. Follow Rules in the Published System Notice. Follow Rules in the Published System Notice. Respond to First-Party Access and Amendment Requests. Respond to First-Party Access and Amendment Requests. Determine if Third-Party Disclosures are Authorized. Determine if Third-Party Disclosures are Authorized. Maintain an Accounting of all Third-Party Disclosures. Maintain an Accounting of all Third-Party Disclosures. And More! And More! System Managers may not institute changes to a system without first consulting with the Privacy Act Office. System Managers may not institute changes to a system without first consulting with the Privacy Act Office. Encourage your System Managers to work closely with the DON/CMC Privacy Offices in executing their duties. Encourage your System Managers to work closely with the DON/CMC Privacy Offices in executing their duties.

15 Discussing Privacy Matters When discussing a person’s health, financial affairs, personnel actions, criminal history, family affairs, or other personal aspect of his or her life, it is important to remember that details should not be brought up in staff meetings or discussed in common areas. When discussing a person’s health, financial affairs, personnel actions, criminal history, family affairs, or other personal aspect of his or her life, it is important to remember that details should not be brought up in staff meetings or discussed in common areas. Personal matters should never be discussed with anyone without a strict need to know. Personal matters should never be discussed with anyone without a strict need to know.

16 What are Some Examples of Personal Data? PERSONAL DATA  Electronic & physical home address and phone number  Type of leave used (but not administrative or holiday)  Performance rating  Health, financial, & medical data  Misconduct information  On the job injury data  Gov’t-paid, personal development training, e.g. –  “Rid Yourself of Debt”  “Coping with your Unruly Child”  “Beating your Drug Habit” NON-PERSONAL DATA  Position description & duties  Job title, series, and grade  Duty address (but not overseas)  Duty schedule (days & hours)  Gov’t paid, work-related training, e.g. –  “Providing Good Customer Service”  “Become a Great Public Speaker”  “Principles of Grammar”

17 Recall Rosters Employees are encouraged to give supervisors their home telephone numbers, but they do not have to agree to share them with co-workers. Employees are encouraged to give supervisors their home telephone numbers, but they do not have to agree to share them with co-workers.  If an employee objects to having his/her telephone number placed on a recall roster:  List “Unlisted” or “Unpublished” instead of home number.  Arrange to call the employee yourself during alerts or exercises.  Remember to mark the recall roster “For Official Use Only- Privacy Sensitive” – Any misuse or unauthorized access may result in both civil and criminal penalties.  Instruct your staff that the roster is to be used for official purposes only and kept in a secure location.

18 WHEN DATA MAINTAINED BY DON OR DON CONTRACTORS IS LOST, STOLEN, OR COMPROMISED...  Notify affected individual(s) within 10 days.  Coordinate notification with the Privacy Act Office.  Covered Individuals:  Military members and retirees.  Civilian employees (appropriated or non-appropriated).  Family members of a covered individual.  Other individuals affiliated with DoD (e.g., volunteers).  As a minimum, advise individual of:  Data elements involved.  Circumstances surrounding the incident.  What protective actions the individual can take.

19 LOST, STOLEN, OR COMPROMISED DATA (Continued)  Multiple or Unidentifiable Individuals Involved?  Provide generalized notice to the potentially affected population.  Can’t Notify the Individual Within 10 Days?  Notify CNO (DNS-36) immediately.  Include reason for delay (e.g., notification delayed at request of law enforcement authorities).

20 PRIVACY CRIMINAL PENALTIES  What Privacy Violations May Lead to Criminal Penalties?  Collecting data w/o meeting the Federal Register publication requirement.  Sharing data with unauthorized individuals.  Acting under false pretenses.  Facilitating those acting under false pretenses.  Penalties:  Misdemeanor Charge (jail time of up to one year).  Fines of up to $5,000.

21 PRIVACY CIVIL PENALTIES  What Privacy Violations May Lead to Civil Penalties?  Unlawfully refusing to amend a record or grant access.  Failure to maintain accurate, relevant, timely, and complete data.  Failure to comply with any Privacy Act provision or agency rule that results in any adverse effect.  Penalties:  Actual Damages  Attorney Fees  Removal from Employment

22 THE DON CODE OF PRIVACY ACT FAIR INFORMATION PRINCIPLES To assure personal information submitted to DON is properly protected, DON has devised a “Code of Privacy Act Fair Information Principles.” To assure personal information submitted to DON is properly protected, DON has devised a “Code of Privacy Act Fair Information Principles.” The “Code of Privacy Act Fair Information Principles” consists of 10 policies that the DON workforce will follow when handling personal information. The “Code of Privacy Act Fair Information Principles” consists of 10 policies that the DON workforce will follow when handling personal information. The “Code” is our promise to citizens/lawful aliens that we will safeguard and properly use their data. The “Code” is our promise to citizens/lawful aliens that we will safeguard and properly use their data.

23 THE DON CODE OF FAIR INFORMATION PRINCIPLES 1. The Principle of Openness: When we collect personal data from you, we will inform you of the intended uses of the data, the disclosures that will be made, the authorities for the collection, and whether the collection is mandatory or voluntary. We will collect no data subject to the Privacy Act unless a Privacy Act system notice has been published in the Federal Register and posted on the Master List of Privacy Act Systems or Records Notices website, available at: 2. The Principle of Individual Participation: Unless DON has claimed an exemption from the Privacy Act, we will, upon request, grant you access to your records; provide a list of disclosures made outside the Department of Defense; and make corrections to your file if shown to be in error. 3. The Principle of Limited Collection: DON will collect only those personal data elements required to fulfill an official function or mission grounded in law. Those collections will be conducted by lawful and fair means.

24 THE DON CODE OF PRIVACY ACT FAIR INFORMATION PRINCIPLES 4. The Principle of Limited Retention: DON will retain your personal information only as long as necessary to fulfill the purposes for which it is collected. Records will be destroyed in accordance with established DLA records management principles. 5. The Principle of Data Quality: DON will strive to maintain only accurate, relevant, timely, and complete data about you. 6. The Principle of Limited Internal Use: DON will use your personal data only for lawful purposes. Access to your data will be limited to those Department of Defense individuals with an official need for access. 7. The Principle of Disclosure: DON employees and military members will zealously guard your personal data to ensure that all disclosures are made with your written permission or are made in strict accordance with the Privacy Act.

25 THE DLA CODE OF FAIR INFORMATION PRINCIPLES 8. The Principle of Security: Your personal data is protected by appropriate safeguards to ensure security and confidentiality. Electronic systems will be periodically reviewed for compliance with the security principles of the Privacy Act, the Computer Security Act, and related statutes. Elec- tronic collections will be accomplished in a safe and secure manner. 9. The Principle of Accountability: DON and our employees, military members, and contractors are subject to civil and criminal penalties for certain breaches of Privacy. DON is diligent in sanctioning individuals who violate Privacy rules. 10. The Principle of Challenging Compliance: You may challenge DON if you believe that DON has failed to comply with these principles, the Privacy Act, or the rules in a system of records notice. Challenges may be addressed to the person accountable for compliance with this Code, the local Privacy Act manager, CNO (DNS-36) or CMC (ARSF)..

26 SIDEBAR: SUPERVISOR’S NOTES Are they personal or agency records? SIDEBAR: SUPERVISOR’S NOTES Are they personal or agency records? Supervisor’s notes are sometimes requested under the Freedom of Information Act (FOIA). “Personal” records of employees are excluded from FOIA coverage. Below are some questions that are examined when determining whether supervisor’s notes would be considered an “agency” record or a “personal” record: Were they created on government time? Were they created on government time? Were they shared with other employees/officials? Were they shared with other employees/officials? Were they filed with official agency records? Were they filed with official agency records? Were they used in the decisionmaking process? Were they used in the decisionmaking process? Were they required to be created by rule, policy, or custom? Were they required to be created by rule, policy, or custom?

27 Sidebar: Supervisor’s Notes Were the notes created on Government time?  “Agency records” are generally those documents that are created or received in the course of conducting agency business. Despite that definition, not all files created on Government time are automatically regarded as “agency” records.  The reverse is also true. Records you create on your personal time may rise to “agency” records - depending on how they are used and filed within DON.  So the use of government time is not always 100% determinative. Thus, the timing of creation must be examined in conjunction with the others factors.

28 Sidebar: Supervisor’s Notes Were the notes shared with other employees?  Once you share your notes with Human Resources, Counsel, or other third parties, they generally lose their “personal” status.  Keeping your notes close- hold until the time is ripe to share them protects employee privacy and allows you to make fair decisions unencumbered by special interest concerns.

29 Sidebar: Supervisor’s Notes Were the notes filed with official agency records? Once notes are filed with official agency records, they lose their “personal record” status. Once notes are filed with official agency records, they lose their “personal record” status. Filing them separately, such as in a locked desk drawer or your briefcase, helps protect their “personal” status. Filing them separately, such as in a locked desk drawer or your briefcase, helps protect their “personal” status.

30 Sidebar: Supervisor’s Notes Were they used in the decisionmaking process? Generally, once supervisors use their notes in deciding employee appraisals, taking disciplinary actions, rewarding exceptional workers, or similar uses, the notes become “agency” records. Generally, once supervisors use their notes in deciding employee appraisals, taking disciplinary actions, rewarding exceptional workers, or similar uses, the notes become “agency” records. In adverse action situations, the notes may be required to be disclosed to the employee as part of the disciplinary process. In adverse action situations, the notes may be required to be disclosed to the employee as part of the disciplinary process.

31 Sidebar: Supervisor’s Notes Were they required to be created by rule, policy, or custom?  In some cases, the taking of notes is required to be accomplished by rule, policy, or custom. In those cases, the notes would be deemed to be “agency” records.  Examples:  Notes taken by a recording secretary during a meeting.  Notes taken by an individual assigned to route incoming emergency telephone calls.  Notes taken by an individual assigned to receive Defense “Hotline” telephone calls.

32 CONCLUSIONS You and your staff are entrusted with the personal information of others. You are the first line of defense in safeguarding privacy and protecting DON from damaging lawsuits. You and your staff are entrusted with the personal information of others. You are the first line of defense in safeguarding privacy and protecting DON from damaging lawsuits.

33

34 9 Questions to Test your Knowledge! (Answers appear on the slide immediately following) Q1: Which of the following is not a goal of the Privacy Act? a. Keeping personal information out of the hands of government. b. Eliminating "secret" file systems by letting the public know about data collections. c. Establishing and guaranteeing rights of data subjects. d. Establishing rules for collecting, using, and safeguarding data.

35 The Answer to Q1 is a. See Slides 2, 3, and 4. Q2: The Privacy Act protects: a. Only U.S. citizens and lawfully admitted aliens. b. Federal, state, and local government workers only. c. All individuals and business entities. d. All of the above.

36 The Answer to Q2 is a. See Slide 3. Q3: The Privacy Act covers data held in "systems of records." A "system" consists of – a. Any group of files maintained electronically. b. A group of files containing Social Security Numbers. c. A group of files that are retrieved by personal identifier and contain, in addition to identifier, one other element of personal data about the individual. d. None of the above.

37 The Answer to Q3 is c. See Slide 3. Q4: Who must comply with the Privacy Act? a. All U.S. citizens. b. All Executive Branch Federal employees, military members, and Federal contractors. c. Only supervisors of persons who collect or maintain personal information in a system of records. d. Only those persons who collect and use data.

38 The Answer to Q4 is b. See Slides 2, 5, and 6. Q5: Which of the following would generally be inappropriate to discuss at your next staff meeting? a. The upcoming week's work schedule. b. Your serious commitment to Privacy Act principles and your expectations of staff. c. The good work of one employee in meeting a short deadline. d. The fact that you are considering disciplinary action against an employee based on notes you've been keeping.

39 The answer to Q5 is d for 2 reasons: (1) Prematurely discussing details in your notes could cause them to lose their "personal record" status. (2) Any discussion with staff should not occur until after the action is approved. Even then, details should be limited to those core facts the staff needs to know. See Slides 12, 24, and 28. Q6: The penalties for violating the Privacy Act include which of the following? a. Jail time of up to one year. b. Fines of up to $5,000. c. Removal from employment. d. All of the above

40 The Answer to Q6 is d. See Slides 20 and 21. Q7: Which of the following statements are true? a. Supervisors have a duty to ensure their staff members comply with the Privacy Act. b. Supervisors may waive Privacy requirements during peak periods of heavy work provided the waiver is in writing. c. Supervisors must ensure their staff members have received Privacy training. d. Supervisors may recommend disciplinary action for a staff member who fails to follow Privacy rules. e. All are true.

41 The correct answers to Q7 are a, c, and d. No individual has the authority to waive Privacy Act compliance. See Slides 6, 7, and 25. Q8: Supervisors need not be concerned with the safeguarding of electronic records since that is controlled by the Information Technology staff. True or False?

42 Q8 is false. While the Information Technology staff establishes technical protocols to protect data, supervisors have a duty to ensure that staff members are following those protocols and that breaches are reported. See Slides 6, 9 and Q9: Which of the following statements are true regarding the use of shared calendars? a. It is ok to show that an employee is on sick leave. b. It is ok to show that an employee is teleworking. c. It is ok to show that an employee is away at a professional meeting. d. It is ok to show that an employee is on a compressed day off. e. It is ok to show that an employee is on LWOP. f. It is ok to show that an employee is on leave.

43 For Q9, answers b, c, d, and f are correct. The use of sick, annual, family, religious, LWOP or AWOL should never be entered on shared calendars. See Slides 12 and 16. Thank you for completing this important training! Questions? Contact Doris Lama,

Certificate of Completion Congratulations on your completion of Privacy Act 201 PA Training for all DON Supervisors Name_________________ Date Completed ________________ (To print this page, select File-Print from your toolbar. If you are in “Slide Show” mode, right click this screen and select “End Show.” You will be returned to either “slide sorter” or “normal” view.)