DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE
Slide 1: Safeguarding Personally Identifiable Information (PII)
Samuel P. Jenkins, Director for Privacy, Defense Privacy and Civil Liberties Office
Identity Protection and Management Expo, Orlando, Florida, April 2011

Slide 2: Purpose
The purpose of this presentation is to provide a summary of the administrative, physical, and technical safeguards that are applicable to systems that collect, use, maintain, or disseminate personally identifiable information (PII).

Slide 3: Objectives
Upon completion of this presentation, you should be able to:
- Understand the role of safeguards that should be applied to systems of records (SORs).
- Explore the physical, technical, and administrative safeguards for protecting PII.
- Define the role of Privacy Impact Assessments and SORNs in safeguarding PII.

Slide 4: Privacy Act and Safeguards
The Privacy Act of 1974 requires agencies to:
- Establish Rules of Conduct.
- Establish Safeguards.
- Maintain accurate, relevant, timely, and complete information.

Slide 5: Privacy Act and Safeguards
- Safeguards are used to protect agencies from “reasonably anticipated threats.” Threats may cause harm, embarrassment, inconvenience, or unfairness.
- Threats to personal information include:
  ○ Unauthorized access.
  ○ Unauthorized alteration.
  ○ Unauthorized disclosure.

Slide 6: Privacy Act and Safeguards
- Safeguards should be tailored to the:
  ○ Size and sensitivity of each system.
  ○ System-specific vulnerabilities.
- Types of Safeguards:
  ○ Administrative.
  ○ Physical.
  ○ Technical.

Slide 7: Physical Safeguards

Slide 8: Physical Safeguards
- Paper records should be stored in locked cabinets.
- Records being faxed or mailed should have a coversheet.
- Facilities handling PII should be access controlled, and hardware should be locked up.
- Never leave files, storage media, or computers unattended or in vehicles.

Slide 9: Physical Safeguards
- Records Disposal: retirement or deletion of a record does not obviate the need for safeguards.
  ○ Discarded information must be rendered unrecognizable and beyond reconstruction.
  ○ Destruction should be tailored to the type of media involved.
    ○ Paper: burn, shred.
    ○ Electronic: overwrite, degauss, incinerate.

Slide 10: Technical Safeguards

Slide 11: Technical Safeguards
Security Requirements include:
- Encryption.
- Control Remote Access.
- Time-Out Function.
- Log and Verify.
- Ensure Understanding of Responsibilities.

Slide 12: Technical Safeguards
- Ensure all e-mails containing PII are encrypted and that all recipients have a ‘need to know.’
- Ensure records are access controlled. PII on shared drives should only be accessible to people with a ‘need to know.’
- Ensure Social Security numbers (including the last 4 digits) are not posted on public-facing websites.
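Slide 12 states that Social Security numbers, including the last four digits, must not appear on public-facing websites. The following is an added example, not part of the presentation and not a DoD or DPCLO tool: a small Python pre-publication check that scans draft web content for full SSNs and for "last 4" partial exposures and can redact them before release. The Social Security Administration structural rules it applies (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) are real; the regular expressions, function names, and the sample page text are constructed for this example.

```python
"""Pre-publication check for Social Security numbers in public-facing content.

Added example (not part of the original presentation).  Scans text that is
about to be published on a public website for full SSNs and for partial
"last 4" exposures.  The SSA structural rules used to reject number shapes
that are never issued (area 000/666/900-999, group 00, serial 0000) are
real; the patterns, names and sample text below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List

# Full SSN written with dashes or spaces, e.g. 123-45-6789.
FULL_SSN = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")

# Masked SSN that still reveals the last four digits, e.g. XXX-XX-6789 or ***-**-6789.
MASKED_LAST4 = re.compile(r"(?<!\w)[Xx*]{3}[- ]?[Xx*]{2}[- ]?(\d{4})\b")

# Prose that pairs a four-digit number with an SSN context, e.g.
# "last four of your SSN: 6789" or "SSN ending in 6789".
CONTEXT_LAST4 = re.compile(
    r"(?:last\s+(?:four|4)(?:\s+digits)?\s+of\s+(?:your\s+|the\s+)?"
    r"(?:ssn|social\s+security(?:\s+number)?)|ssn\s+ending\s+in)"
    r"\D{0,15}?(\d{4})\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    kind: str    # "full_ssn", "masked_last4" or "context_last4"
    value: str   # the matched text
    line: int    # 1-based line number in the scanned text


def is_issuable_ssn(area: str, group: str, serial: str) -> bool:
    """Reject number shapes the SSA never issues.  This cuts down false
    positives such as part numbers or order IDs that happen to look like an SSN."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssn_exposures(text: str) -> List[Finding]:
    """Return every full or partial SSN exposure found in `text`, in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in FULL_SSN.finditer(line):
            if is_issuable_ssn(*m.groups()):
                findings.append(Finding("full_ssn", m.group(0), lineno))
        for m in MASKED_LAST4.finditer(line):
            findings.append(Finding("masked_last4", m.group(0), lineno))
        for m in CONTEXT_LAST4.finditer(line):
            findings.append(Finding("context_last4", m.group(1), lineno))
    return findings


def _keep_prefix(m: "re.Match[str]") -> str:
    # Keep the matched context (e.g. "XXX-XX-") and replace only the digits in group 1.
    return m.group(0)[: m.start(1) - m.start(0)] + "[REDACTED]"


def redact(text: str) -> str:
    """Return `text` with every detected SSN exposure replaced by [REDACTED],
    so a draft can be re-checked and published without the digits."""
    text = FULL_SSN.sub(
        lambda m: "[REDACTED]" if is_issuable_ssn(*m.groups()) else m.group(0), text
    )
    text = MASKED_LAST4.sub(_keep_prefix, text)
    text = CONTEXT_LAST4.sub(_keep_prefix, text)
    return text


# Constructed draft page text for the example; every number here is made up.
SAMPLE_PAGE = """\
Awardee roster: J. Doe, SSN 123-45-6789.
Part number 000-12-3456 is out of stock.
Verify identity with the last four of your SSN: 6789.
On file as XXX-XX-6789.
Order ID 987-65-4321 shipped.
Call 202-555-0100 for help.
"""

if __name__ == "__main__":
    for f in find_ssn_exposures(SAMPLE_PAGE):
        print(f"line {f.line}: {f.kind} -> {f.value}")
    print(redact(SAMPLE_PAGE))
```

Run against the constructed draft, the scanner flags the full SSN on line 1, the contextual last-4 on line 3, and the masked last-4 on line 4, while the part number (area 000) and the order ID (area 987) pass the issuability filter and the phone number never matches the 3-2-4 shape. A check like this belongs in the publishing workflow before content reaches a public-facing site, and any hit should be reviewed by a person rather than silently dropped.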

Slide 13: Administrative Safeguards

Slide 14: Admin Safeguards - Policies
Agencies must have policies in place for PII handling, specifically defining:
- Affected Individuals.
- Affected Actions.
- Consequences.

Slide 15: Admin Safeguards - Training
Agencies are responsible for ensuring that staff handling PII are adequately trained:
- Training must be commensurate with an individual’s responsibilities.
- Training will be a prerequisite before access to DoD systems is permitted.
- Such training is mandatory for affected DoD personnel and contractors.

Slide 16: Admin Safeguards - Training
Components shall ensure receipt of Privacy Act training, such as:
- Orientation Training.
- Specialized Training.
- Management Training.
- Privacy Act Systems of Records Training.

Slide 17: Admin Safeguards - Training
- Annual Refresher Training.
  ○ Provided to ensure personnel’s continued understanding of their responsibilities.
  ○ All personnel with authorized access to PII shall annually acknowledge their understanding.

Slide 18: Admin Safeguards - Training
DoD Components shall expand their training materials and program to include specific privacy and security awareness segments in their training program(s).

Slide 19: Admin Safeguards – Breach Handling
- Existing Requirements:
  ○ FISMA Requirements.
  ○ Incident Handling and Response Mechanism.
- OMB M modified breach reporting rules.
- Modified Agency Reporting Requirements:
  ○ US-CERT Modification.
  ○ Develop and Publish a Routine Use.
    ○ Effective Response.
    ○ Disclosure of Information.

Slide 20: Admin Safeguards – Breach Handling
Breach Notification, criteria to consider:
- Whether Breach Notification is Required.
- Timeliness of the Notification.
- Source of the Notification.
- Contents of the Notification.
- Means of Providing Notification.
- Who Receives Notification: Public Outreach in Response to a Breach.

Slide 21: Admin Safeguards – Review & Report
Under the Federal Information Security Management Act (FISMA), agencies must:
- Review PII holdings and report to Congress annually.
- Review and reduce the volume of PII. Specifically, agencies must reduce the use of Social Security Numbers:
  ○ Eliminate Unnecessary Use.
  ○ Explore Alternatives.

Slide 22: Admin Safeguards – Review & Report
- As part of FISMA privacy reporting, DoD Components are required to:
  ○ Confirm that they have established, or are in the process of establishing, PII review plans; or
  ○ Provide a schedule for periodically updating their review of their holdings.
- It is DoD policy that all automated systems containing PII are registered in the Defense Information Technology Portfolio Repository (DITPR).

Slide 23: Admin Safeguards – Review & Report
It is DoD policy that (continued):
- Updates to OMB are designed so that:
  ○ IT systems with PII are reviewed on the same cycle as the Defense Information Assurance Certification and Accreditation Process (DIACAP).
  ○ PIAs/SORNs are reviewed at least once every two years.
- Components shall report results to DPCLO on the FISMA schedule.

Slide 24: Privacy Impact Assessments (PIA) & System of Records Notices (SORN)

Slide 25: Admin Safeguards – PIAs & SORNs
A Privacy Impact Assessment (PIA) is an analysis of how information is handled to:
- Ensure handling conforms to applicable legal, regulatory, and policy requirements.
- Determine the risks and effects of collecting, using, maintaining, and disseminating PII in an electronic information system; and
- Mitigate potential privacy risks.
Source: OMB memorandum (9/26/2003), E-Government Act Section 208(b)

Slide 26: Admin Safeguards – PIAs & SORNs
When is a PIA required? When PII is collected from:
- Existing information systems and electronic collections where a PIA has not previously been completed and that collect PII about Federal personnel and contractors.
- New information systems or electronic collections:
  ○ Prior to developing or purchasing; and
  ○ When converting paper records to electronic systems.

Slide 27: Admin Safeguards – PIAs & SORNs
A PIA is not required when the information system or electronic collection:
- Does not collect, maintain, or disseminate personal identifying information.
- Is a National Security System (including systems that process classified information).

Slide 28: Admin Safeguards – PIAs & SORNs
What is a SORN?
- A SORN is a public notice of an agency’s intent to collect and retrieve PII in a SOR.
- SORNs include:
  ○ The safeguards that will be applied to the system.
  ○ The who, what, why, and where of the system.
  ○ Processes for access and correction of records.
- A SORN must be published in the Federal Register before a system can begin to collect PII.

Slide 29: PIA/SORN Essential Elements Crosswalk

Slide 30: PIA/SORN Crosswalk
Privacy Impact Assessment (PIA) / System of Records Notice (SORN) Essential Elements Crosswalk

PIA element                                                    | SORN element
---------------------------------------------------------------|----------------------------------------------------------------------------
What privacy information is collected                          | Categories of Records in the System
Why the information is collected                               | Authority/Purpose(s)
What the intended uses are for the information                 | Purpose(s)
With whom the information is shared                            | Routine Uses
What opportunities individuals have to decline to provide PII  | Privacy Act Statement/Notification procedure
How information is secured                                     | Safeguards
What privacy risks need to be addressed                        | Narrative Statement/Probable or potential effects on the privacy of individuals
Whether a System of Records Notice (SORN) exists               | (Not applicable)

Slide 31: PIA/SORN Crosswalk
PRIVACY IMPACT ASSESSMENT (PIA)
DoD Information System/Electronic Collection Name:
DoD Component Name:
SECTION 4: REVIEW AND APPROVAL SIGNATURES
Prior to the submission of the PIA for review and approval, the PIA must be coordinated by the Program Manager or designee through the Information Assurance Manager and Privacy Representative at the local level.
- Program Manager or Other Official Signature (to be used at Component discretion)
- Component Senior Information Assurance Officer Signature or Designee
- Component Privacy Officer Signature
- Component CIO Signature (Reviewing Official)
Source: DD Form 2930

Slide 32: Critical Privacy – Security Interface
Privacy: focused on meeting the information requirements of the Agency while ensuring the protection of the rights of the individual in the collection, use, and dissemination of PII.
Security: focused on protecting the information and information systems supporting the operations and assets of an organization.
Privacy’s success is dependent on the establishment of a basic foundation for information security.
Source: NIST Draft Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (1/09)

Slide 33: Summary
You should now be able to:
- Understand the role of safeguards that should be applied to systems of records (SORs).
- Explore the physical, technical, and administrative safeguards for protecting PII.
- Define the role of Privacy Impact Assessments and SORNs in safeguarding PII.

Resources
- DoD R, Department of Defense Privacy Program, May 14
- OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22
- DoD Implementation: Safeguarding Against and Responding to the Breach of Personally Identifiable Information (PII), June 5
- DD Form 2930, “Privacy Impact Assessment (PIA)”
- OSD Memorandum, “Social Security Numbers Exposed on Public Facing & Open Government Websites.”