PRIVACY SAFEGUARDS ANNUAL TRAINING FY 2011 previous next Office of Management Privacy, Information and Records Management Services Privacy Safeguards Division
PRIVACY SAFEGUARDS ANNUAL TRAINING FY previous nextInstructions This training is intended for U.S. Department of Education contractors. If you are an employee, you must take the Mandatory Privacy Training through the Talent Management System (TMS). The link to TMS is on the home page of connectED.gov After you have reviewed the training slides, read and print the certificate found on the last page. Sign and date the certificate, then give it to your immediate supervisor and keep a copy for your own records.
PRIVACY SAFEGUARDS ANNUAL TRAINING FY previous nextWELCOME Annual privacy awareness training emphasizes the importance of privacy safeguards at ED, explains privacy protection requirements, and details your responsibilities for protecting privacy information, regardless of format. Upon completion of this training you should be able to: define privacy protection terms; protect the personal privacy rights of individuals whose personal information ED maintains, including your own; identify potential threats to privacy protected data; and identify and report suspected or actual loss of privacy data. ED’s Privacy Safeguards Program is carried out by the Privacy Safeguards Division of the Office of Management’s (OM) Privacy, Information and Records Management Services (PIRMS).
PRIVACY SAFEGUARDS ANNUAL TRAINING FY previous next Who Must Take This Training? As part of ED’s orientation process, all new employees, including career, contractors, non career, interns, stay-in- school and detailees, must complete this training within 30 days of reporting to duty at ED and annually thereafter.
PRIVACY SAFEGUARDS ANNUAL TRAINING FY previous next Why You Need This Training This training will help you to: 1. Protect the personal privacy rights of individuals whose personal information ED maintains, including your own. 2. Comply with laws, regulations, and policies that protect privacy data. 3. Understand your privacy responsibilities before being permitted access to agency information and information systems. 4. Understand your personal responsibility for protecting against the unauthorized disclosure of privacy protected information and preventing privacy breaches. 5. Maintain the public’s trust.
PRIVACY SAFEGUARDS ANNUAL TRAINING FY previous next What Data Require Protection? In general, any information about an individual that directly or indirectly identifies that person may require protection. The Office of Management and Budget (OMB) directs Federal agencies to protect personally identifiable information (PII). PII is information that can be used to distinguish a person’s identity, e.g., name, social security number, biometric data, etc., alone, or when combined with other personal data, linked or linkable to a specific person, such as date and place of birth, mother’s maiden name, etc. OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007
PRIVACY SAFEGUARDS ANNUAL TRAINING FY previous next Sensitive PII (SPII) Some PII is always sensitive and requires a high level of protection because of the substantial harm to an individual that could occur if it were wrongfully disclosed. The level of protection should reflect the sensitivity of the data – data that is determined by the owner to be of high value or that represents a high risk to the individual if it were wrongfully disclosed requires increased protection.
PRIVACY SAFEGUARDS ANNUAL TRAINING FY previous next Examples of PII and SPII SSNs Date and place of birth Business cards Security clearance level Leave balances; type of leave used Family data Religion, race, national origin Performance ratings Participant’s names/results in ED studies Home address Home telephone number Personal address PII Includes all personal information associated with an individual, including: Sensitive PII Includes PII that could cause harm if wrongfully disclosed, including: SSNs Biometric identifiers (fingerprints, etc.) Date and place of birth Leave balances; type of leave used Religion, race, national origin Performance ratings Participants’ names/results in ED studies Alien registration number Driver’s license number Medical or financial information
PRIVACY SAFEGUARDS ANNUAL TRAINING FY previous next What Is The Privacy Act? The Privacy Act (the Act) regulates how Federal agencies collect, maintain, use, and disclose an individual’s information. The Act protects “records”, i.e., any information about a person, such as education, financial, medical, criminal or work history, that contains one’s name or other personal identifier. The Act – requires Federal agencies to publish system of records notices (SORNs) so that the public is aware of what personal information is being maintained and how it will be used; requires that records about individuals are accurate, relevant, timely, and complete; and generally allows individuals to access and request corrections to records maintained on them. The Privacy Act of 1974, as amended. 5 U.S.C. §552a.
PRIVACY SAFEGUARDS ANNUAL TRAINING FY previous next Privacy Act Systems of Records A system of records is a group of records that an agency maintains that: contains a personal identifier, such as a name, Social Security Number (SSN), etc., about a specific person; contains one other item of personal data (such as home address, performance rating, blood type, etc.); and is retrieved by a personal identifier. If you are the project lead or system owner, you must prepare a System of Records Notice (SORN) that will be published in the Federal Register. If you think this applies to your project, contact the Privacy Safeguards Division for assistance as soon as possible. The SORN process can take as long as 6-9 months.
PRIVACY SAFEGUARDS ANNUAL TRAINING FY previous next Consequences for Violating The Privacy Act Criminal penalties may result in misdemeanor criminal charges and fines of up to $5,000 for each offense per violation for: knowingly and willfully disclosing Privacy Act data to any person(s) not entitled to access it; knowingly and willfully requesting or obtaining records under false pretenses; and willfully maintaining a system of records without meeting the Act’s public notice requirements. NOTE: The Privacy Act authorizes criminal remedies against Federal employees and contractors.
PRIVACY SAFEGUARDS ANNUAL TRAINING FY 2011 previous next Consequences for Violating The Privacy Act (cont.) Civil remedies may result in payments of actual damages and payments of reasonable attorney’s fees when an agency fails to: comply with any provision of the Act, or agency rule, that results in an adverse effect on an individual, including – refusing to amend an individual’s record in a system of records in accordance with the individual’s request; refusing to comply with a person’s request for access to the information pertaining to them in a system of records; and failing to maintain accurate, relevant, timely and complete systems of records. NOTE: The Privacy Act only authorizes civil remedies against Federal agencies, not Federal employees.
PRIVACY SAFEGUARDS ANNUAL TRAINING FY previous next Determining Privacy Risks Determining Privacy Risks The initial review of the privacy risks of ED Information Technology (IT) systems and data collections is conducted at the beginning of the system lifecycle. This review is a Privacy Threshold Analysis (PTA). The PTA process helps determine what privacy documentation is required and what privacy issues should be addressed when a system is being developed or modified. System owners and/or project managers complete the brief PTA form by providing basic information about the system in order to determine if additional documentation is required.
PRIVACY SAFEGUARDS ANNUAL TRAINING FY previous next Determining Privacy Risks The E-Government Act of 2002, requires Federal agencies to conduct Privacy Impact Assessments (PIAs) for IT systems that contain information in identifiable form in order to identify and address privacy risks. A completed PIA details how the information is collected, stored, protected, shared and managed electronically by a Federal agency. A PIA must be conducted: before developing or procuring IT systems that collect or maintain PII about the public; or when initiating a new electronic collection of information in identifiable form for 10 or more people. A PIA must be updated when changes to the system, collection, or process create new or altered privacy risks. PIAs must be made available at
PRIVACY SAFEGUARDS ANNUAL TRAINING FY previous next Special Consideration For SSNs Collect only as a last resort! SSNs may not be collected or used unless: authorized by law, regulation, or presidential order, and/or necessary for a documented agency purpose; there is approved documentation that no reasonable alternative exists; or these requirements must be met before developing or modifying a system, or implementing a program that collects, uses, maintains, or discloses SSNs.
PRIVACY SAFEGUARDS ANNUAL TRAINING FY previous next Safeguarding PII Minimize PII Collect only PII that you are authorized to collect, and at the minimum level necessary to accomplish a required purpose. Limit number of copies containing PII to the minimum needed. Secure PII When not in use, store PII in an appropriate access- controlled environment. Use fictional personal data for presentations or training. Review documents for PII prior to posting on ED web pages. Safeguard PII in any format around your work area. Disclose PII only to those authorized to see it. Safeguard the transfer of PII Do not PII unless it is encrypted or in a password protected attachment. Alert FAX recipients of incoming transmission. Use services that provide tracking and confirmation of delivery when mailing or shipping PII offsite. Dispose of PII Properly Delete/dispose of PII at the end of its retention period or transfer it to the custody of the National Archives, as specified by its applicable records retention schedule.
PRIVACY SAFEGUARDS ANNUAL TRAINING FY 2011 previous next What Is A Privacy Breach? A privacy breach occurs when PII is lost or stolen, or is disclosed or otherwise exposed to unauthorized people and/or for unauthorized purposes. This includes PII in any format, and whether or not it is a suspected or confirmed loss. Examples of PII breaches: PII left on the printer or scanner; PII ed without encryption or other protection; PII mailed to the wrong recipient; PII stored on a stolen laptop or thumb drive; and PII posted to a public-facing website, etc.
PRIVACY SAFEGUARDS ANNUAL TRAINING FY 2011 previous next If You Suspect a Privacy Breach If you lose or suspect a loss of PII, it is your responsibility to notify your immediate supervisor and your computer security officer (CSO) or Information Systems Security Manager (ISSM) at once. Be ready to provide the facts of the incident, including the number of records exposed, the type of PII lost (name, SSN, addresses), if the data is still at risk, etc. Immediate action is important because agencies must report a breach involving PII within one hour of discovering the breach or potential breach. Once your report is made, ED will determine appropriate next steps.
PRIVACY SAFEGUARDS ANNUAL TRAINING FY 2011 previous next There are Risks if PII is Lost or Stolen Risks to the Victim Identity theft, including financial loss and impact on job, credit, and reputation; Embarrassment; Emotional distress; and Loss of confidence in the government. Risks to the ED Employee Disciplinary action, loss of clearance, employment, or access to PII; Penalties under the Privacy Act; and Diminished reputation. Risks to ED Diminished reputation; Costs of mitigation; Litigation and associated costs; Impact on agency processes; and Loss of the public trust.
PRIVACY SAFEGUARDS ANNUAL TRAINING FY 2011 previous next ED Penalties for Unauthorized Disclosure of PII ED employees may be subject to disciplinary action for failure to safeguard PII, including: reprimand; suspension; demotion; or removal from employment. Personnel Manual Instruction (Appendix A)
PRIVACY SAFEGUARDS ANNUAL TRAINING FY 2011 previous next Questions about Safeguarding PII? Consult your Supervisor Contact your Principal Office Computer Security Officer or Information System Security Manager Contact ED’s Privacy Safeguards Program: Privacy Service Line at , or Visit ED’s Privacy Safeguards Division webpage on connectED.gov:
PRIVACY SAFEGUARDS ANNUAL TRAINING FY 2011 Certificate of Completion I have completed the Privacy Safeguards Annual Training for ED Employees and Contractors, FY I am aware of my responsibilities to safeguard privacy information and that there may be consequences for not doing so. PRINT NAMESIGNATURE DATE