Ames Laboratory Privacy and Personally Identifiable Information (PII) Training Welcome to the Ames Laboratory’s training on Personally Identifiable Information.

The Department of Energy (DOE) requires all employees of the Ames Laboratory to complete Privacy and Personally Identifiable Information (PII) Training annually.

The Privacy Act
- Allows the Laboratory to maintain information about an individual that is relevant and necessary.
- All DOE employees and contractors are subject to it and must comply.
- Complying with the Privacy Act: governs the ability to maintain, collect, use, or disseminate a record about an individual.
- Safeguarding PII: define and protect.

The Privacy Act of 1974 is a law enacted to balance the government's need to maintain information about individuals against unwarranted invasion of the individual's privacy. All DOE employees and contractors are subject to the Privacy Act and must comply with its provisions. DOE Order 206.1, Department of Energy Privacy Program, ensures compliance with the privacy requirements set forth in the Privacy Act of 1974 and establishes a training and awareness program for all DOE federal and contractor employees to ensure all personnel are cognizant of their responsibilities. Privacy is comprised of two main components: compliance with the Privacy Act and safeguarding PII. Compliance governs the Laboratory's responsibility for who can maintain, collect, use, or disseminate a record about an individual. Safeguarding PII includes how to define it and how to protect it.

System of Records
- Information collected must be stored in a System of Records (SOR).
- SORs at the Ames Laboratory include: Foreign Visits and Assignments; Access Control (photographs); Personnel Radiation.

The Ames Laboratory collects and maintains PII necessary for business functions and stores the information in an electronic System of Records. This SOR is located in the moderate enclave, which protects it using various levels of security. Employees are granted access to PII and Privacy Act covered information only on a "need to know" basis in order to discharge the duties of the job for which they were hired.

Potential Privacy Violations
- Evaluate your day-to-day activities.
- Phone calls: ensure that shared data meets the need-to-know requirement; be conscious of your surroundings; do not use wireless or cordless phones when discussing PII.
- Common information handling errors: unauthorized information sharing; browsing or using personal information.

As an employee of the Ames Laboratory, you should evaluate day-to-day work activities to determine if you may be violating the privacy of another individual. Some common work practices can pose risks to the privacy of the information you handle on a daily basis. For example, leaving someone's personal information unattended on a printer or fax would be considered a violation. Telephone conversations with clients, vendors, co-workers, etc., are an integral part of our day-to-day activities. Assess the situation carefully and determine if the information the caller is requesting, or you are sharing, meets the "need to know" criteria. Ask questions and make sure the caller is authorized to receive the information they are requesting. Be conscious of who may be able to overhear your conversation, especially if you are discussing PII. Wireless and cordless phone transmissions are not secure, and your conversations may be picked up by other electronic equipment. Communication is a key component of the business world, but not every part of your workday can be shared. Before you share or send information, think carefully about the situation. You might think that sending or sharing another employee's personal information to or with another employee is acceptable, but you could be violating privacy guidelines. What type of information are you sharing? Is the receiving party authorized, or does it have a "need to know"? Computer access is a wonderful tool and a necessity in the workplace today, but looking up information on another individual, if it is not necessary to do your job, is inappropriate and a violation of privacy guidelines.

Penalties
- Criminal misdemeanor for each offense
- Fines up to $5,000
- Civil penalties

Violation of the Privacy Act is a serious legal matter. Each violation can be accompanied by a misdemeanor criminal charge and a fine of up to $5,000 for each offense, as well as administrative sanctions. The court system may also award civil penalties. You may be liable if you knowingly and willfully obtain or request records under false pretenses or disclose Privacy Act protected information to any person not entitled to access it. Not only is the Ames Laboratory liable for your actions and subject to fines and negative publicity, but you personally may be held liable for damages as well as face criminal and/or civil penalties.

Privacy Principles
It is each employee's responsibility to:
- Assess and determine whether or not the information used is considered Protected PII.
- Protect the privacy of the individuals who entrust us with their information.
- Only share Protected PII with others for authorized purposes.
- Check with HR before sharing Protected PII with a third party.
- Limit the exposure of Protected PII data and disclose the information on a "need to know" basis.
Think Twice Rule: Is it reasonable? Is it necessary?

Every employee at the Ames Laboratory is required to be knowledgeable about their individual responsibilities. Specifically, each If you aren't sure if you should be releasing particular information, check with HR. Utilize the "Think Twice Rule" before you share information about individuals in every instance.

Recognizing PII Systems and Data
DOE defines two classes of PII data:
- Public PII data is available in public sources such as phone books, public web pages, business cards, etc.
- Protected PII data is not available in public sources and, if compromised, can cause serious or severe harm to an individual (e.g. identity theft).
- PII systems are used to store and process Protected PII data for multiple individuals.

DOE O 206.1 defines two classes of PII. Public PII is information that is readily available to the public and, if disclosed, normally causes no harm to the individual. Protected PII is not available from public sources and can be used for identity theft or to cause other harm. All PII data at the Ames Laboratory is stored on protected systems. Specific systems must be utilized to store and process PII data on employees.

Protected PII Examples
- Social Security Numbers (SSN)
- When associated with an individual (SSN + any of the following):
  - Place of birth
  - Date of birth
  - Mother's maiden name
  - Biometric data
  - Medical information
  - Criminal history
  - Financial information
  - Employment history
  - Ratings
  - Disciplinary actions

Protected PII is comprised of data elements about individuals that are in identifiable form. This means any representation of information that permits the identity of the individual to whom the information applies to be reasonably inferred by either direct or indirect means. It is the responsibility of the Ames Laboratory to protect that information from loss and misuse. Security incidents involving personally identifiable information can result in considerable harm, embarrassment, and inconvenience to an individual, and may lead to identity theft or other fraudulent use of the information. The Ames Laboratory and US DOE can experience a loss of public trust, legal liability, or remediation costs.

Public PII Examples
- Individual's name or other identifier
- Phone numbers
- Email addresses
- Digital pictures
- Medical information pertaining to work status ("X is out sick today")
- Medical information included in a health or safety report
- Personal information stored by individuals about themselves on their assigned workstation or laptop
- Birthday cards
- Birthday emails
- Resumes, unless they include a Social Security Number
- Present and past position titles and occupational series
- Present and past grades
- Written biographies
- Academic credentials
- Present and past annual salary rates
- Performance awards and bonuses
- Incentive awards
- Merit pay
- Meritorious or Distinguished Executive Ranks
- Allowances and differentials

Public PII examples are numerous. These items may be readily available on public media, the internet, or social networking sites. Individuals should be cognizant of all of the types of information out on public sources. Ames Laboratory employees will treat Public PII in the same manner as departmental/laboratory information.

PII Protection Standards
Public PII
- Requires NIST Low Baseline controls (see NIST SP 800-53 for more details).
- Protect to the same level as other program/department data.
Protected PII
- Requires NIST Moderate Baseline controls (see References for more details).
- Any suspected compromise of Protected PII data MUST be reported to Cyber Security staff within 45 minutes.
- May not be stored on portable media (e.g. CDs, USB keys, or backup media) without FIPS 140-2 compliant encryption (see the IS office for details). Files stored on portable media must be deleted within 90 days, or approval for continued use must be documented.
- May not be stored on portable computing devices (e.g. laptops or PDAs) without a waiver from DOE.
- Any system used to store this data must reside within a moderate network enclave: no Internet access except by request; any remote access requires two-factor authentication; users may not have administrative privileges.
- Workstations used to access PII data must implement 10-minute screen locks and must only be used by users authorized to access PII data.

NIST (the National Institute of Standards and Technology) dictates baseline controls for any SOR containing PII. The Ames Laboratory SOR resides in the moderate network enclave. Access is restricted based on job duties, and users must adhere to strict login and password requirements. PII data workstations may only be used by PII-authorized users and must employ screen locks when not attended. Report any breach or disclosure of PII to Cyber Security staff within 45 minutes of discovery. Absolutely NO PII may be stored on a portable computing device.

Ames Laboratory PII Reporting Process
- A device designated as a PII system must be reported to the HR office.
- Be alert for systems not previously designated as a PII system.
- The system will be located in the Moderate Enclave and moderate security controls will be applied (details available in the references).
- Annual training will be required for all users of the system.
- An annual review of the system will be conducted to ensure controls are in place.

Any computer that contains PII or accesses PII must be designated as such. HR must be aware of any system containing PII. If you see or find PII on a system that is not in the Moderate Enclave, report your findings to HR immediately. Annual and periodic system reviews are conducted by IS to search for PII and to ensure compliance.
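An added illustration, not the Laboratory's own review tooling, of the kind of check a periodic system review could run over text found on a workstation: it flags lines holding a plausible SSN and, following the Protected PII definition on the earlier slide, treats an SSN that sits next to an associated element such as a date of birth as Protected PII, while masking the number in the finding so the report is not itself Protected PII. The sample lines, keyword list, and function names are constructed for this example.

```python
import re

# Constructed sample lines standing in for text read from files during a
# review scan; no real data.
SAMPLE_LINES = [
    "Visitor badge photo approved for J. Doe, ext. 4-1234",
    "Employee record: SSN 123-45-6789, DOB 1980-02-14, pay grade 12",
    "Travel form: SSN 000-12-3456 listed for reimbursement",
    "Phone list: Jane Roe, jroe@example.gov, 515-555-0100",
]

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Data elements that, combined with an SSN, make a record Protected PII
# (the list on the Protected PII Examples slide).
ASSOCIATED_RE = re.compile(
    r"\b(DOB|date of birth|place of birth|maiden name|biometric|medical|"
    r"criminal|financial|employment history|ratings?|disciplinary)\b",
    re.IGNORECASE,
)


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop values the SSA never issues (area 000/666/900+, zero group or serial)."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900
                or int(group) == 0 or int(serial) == 0)


def mask(ssn: str) -> str:
    """Keep only the last four digits so the finding itself is not Protected PII."""
    return "***-**-" + ssn[-4:]


def classify(line: str) -> str:
    """'protected' = plausible SSN plus an associated element; 'review' = SSN alone
    (needs a human look); 'none' = nothing to follow up under the slide's definition."""
    hits = [m for m in SSN_RE.finditer(line) if plausible_ssn(*m.groups())]
    if not hits:
        return "none"
    return "protected" if ASSOCIATED_RE.search(line) else "review"


def scan(lines):
    """Return (line_number, category, masked_ssns) for every line needing follow-up."""
    findings = []
    for n, line in enumerate(lines, start=1):
        cat = classify(line)
        if cat == "none":
            continue
        masked = [mask(m.group(0)) for m in SSN_RE.finditer(line)
                  if plausible_ssn(*m.groups())]
        findings.append((n, cat, masked))
    return findings


if __name__ == "__main__":
    for n, cat, masked in scan(SAMPLE_LINES):
        print(f"line {n}: {cat} {masked}")
```

A real review would run this over file contents rather than an in-memory list and would route any "protected" finding to HR and the IS Office as the slide requires.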

Recommendations
- Limit the number of systems storing PII data. A central system is available to provide storage of PII data and controlled data access via Microsoft file shares. Encrypted backups are performed on a daily basis. This system is covered by appropriate moderate controls. Use this system for storing PII data instead of a desktop device. Contact the IS Office at 4-8348 or cybersec@ameslab.gov for more information.
- Data retention and disposal. PII should be limited to only that information which is specifically needed to carry out duties. PII data should only be retained for as long as is necessary to fulfill its intended purpose. Appropriately dispose of PII when it is no longer necessary to retain it. Contact the HR Office with questions.
- Know the flow of PII data. Where does the data come from? How is it backed up? Which users and which computers need access to the data?

The Ames Laboratory utilizes a central file server system to store PII data and control access, thereby reducing the risk of accidental disclosure. No PII should be saved to a desktop device. Review of retention policies and disposal of those records exceeding their lifecycle reduces the risk of disclosure. If you have questions, contact HR.

PII Incident Reporting
- Protected PII, regardless of whether it is in paper or electronic form, must be protected from unauthorized access or disclosure throughout its lifecycle. [PII, DOE O 206.1]
- Any known or suspected loss of control or unauthorized disclosure of Protected PII must be reported. [Privacy Act]
- Any unauthorized disclosure of Protected PII contained in any System of Records (SOR).
- Suspected or confirmed incidents involving the breach of Protected PII or an SOR must be reported to the IS Office (4-8348 or cybersec@ameslab.gov) within 45 minutes of discovery.

If you are involved in or suspect a disclosure of Protected PII, you must report the disclosure to the IS Office within 45 minutes of discovery. If you have questions or are unsure, contact the IS Office at 294-8348 or cybersec@ameslab.gov for assistance.

Summary
It is your responsibility to safeguard PII. Loss of PII:
- Can lead to identity theft (which is costly to the individual and the government)
- Can result in adverse actions being taken against the employee who loses PII
- Can erode confidence in the Government's ability to protect personal information

Safeguarding PII is EVERYONE'S responsibility. Loss of PII creates an adverse chain of events.

References
Policy, Procedures, Guides and Forms for Ames Laboratory:
- https://www.ameslab.gov. Select Forms & Documents (lower left).
- The Policy section details the controls required in the 800-53 Moderate baselines, and the Moderate CSPP.
DOE Order 206.1, Department of Energy Privacy Program:
- https://www.directives.doe.gov/directives/current-directives/206.1-BOrder/view
NIST Special Publications for protecting Moderate data:
- http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf
- http://csrc.nist.gov/publications/drafts/800-53-Appdendix-J/IPDraft_800-53-privacy-appendix-J.pdf

For further information on anything discussed in the PII training, please refer to the reference documents listed.

Confidentiality Agreement
Please print and sign the Ames Laboratory Confidentiality Agreement (you must be logged into the Ames Laboratory website to access the document) and return it to Human Resources in 105 TASF.

All employees are required to sign the Confidentiality Agreement each year. You will need to return your signed document to Human Resources after completing this training.

Assessment Tool
Please return to Cyber Train:
- Click on "My Record," and "Classes"
- Click on the course test icon
You must achieve 80% on the test, and you can only attempt it once.