Protecting Personal Information at Fermilab

Outline
- Why must we protect personal information?
- What is Protected Personally Identifiable Information (Protected PII)?
- What are your obligations?

Why?
- Identity theft based on improper disclosure of personal information is a serious problem.
- Several government agencies have been embarrassed by losses of large quantities of personal data.
- Orders from the White House → DOE → Office of Science mandate more careful treatment of personal information.
- Fermilab respects the privacy of employees and users.

What is Protected PII?
- At Fermilab, Protected PII is defined as an individual's name in combination with one or more of the following items:
  - social security number or foreign national ID number
  - passport number or visa number
  - driver's license number
  - personal credit card number
  - bank account number
  - date and place of birth (both together, not one by itself)
  - mother's maiden name
  - security clearance information
  - biometric information (fingerprints, retinal scan, DNA)
  - criminal records
  - detailed personal financial information (not merely salary history)
  - detailed medical records
  - detailed educational transcripts (not merely a list of degrees)

Your Obligations
- You must not have any Protected PII on any of your computers.
- You will need to sign a statement that you have inspected your computers and deleted any Protected PII you discovered.
- "Your computer" means any computer of which you are the sole user, and any file space you have on shared systems or servers. System administrators will NOT examine users' files; this is the responsibility of each user.
- Note: this applies only to PII that "belongs" to Fermilab, and only to electronic copies of PII.

Examples of PII that must be deleted
- Resumes or transcripts containing social security numbers or other Protected PII
- Conference databases with credit card numbers or visa numbers
- Spreadsheets with credit card or passport numbers of division/section travelers
- Word documents of trip reports or foreign travel forms containing passport numbers or other Protected PII
- Note that it is OK to enter Protected PII into external databases (like FTMS for foreign travel) as long as no local copies of reports containing things like passport numbers are kept on your computer.
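The self-inspection the two slides above call for is easier to do consistently with a small helper that walks a file space and flags the patterns named on the slides (social security numbers, payment card numbers, passport numbers next to the word "passport") and reports each hit with all but its last four characters masked, so the report does not itself become a new cache of Protected PII. The script below is an added example and not a Fermilab tool; its regular expressions, the Luhn check and the sample files are constructed assumptions, it reads only plain-text files, and every hit still needs a human to decide whether the file must be deleted.

```python
"""Heuristic scan of a user's file space for values that look like Protected
PII (SSNs, payment card numbers, passport numbers following "passport").
Added example, not a Fermilab tool; patterns are assumptions, and every hit
needs a human decision. Findings are reported redacted."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List, NamedTuple

# US SSN in 3-2-4 form; excludes area 000/666/9xx, group 00 and serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or
# dashes; each candidate is confirmed with the Luhn check below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Passport numbers vary by country, so only an alphanumeric token containing
# a digit that directly follows the word "passport" is flagged (assumption).
PASSPORT_RE = re.compile(
    r"passport\s*(?:no\.?|number|#)?\s*[:#]?\s*((?=[A-Z]*\d)[A-Z0-9]{6,9})\b", re.I)


class Finding(NamedTuple):
    line: int       # 1-based line number within the file
    kind: str       # "ssn", "card" or "passport"
    redacted: str   # value with all but the last four characters masked


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; weeds out phone numbers and
    tracking ids that merely have a card-like length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact(value: str) -> str:
    """Keep only the last four alphanumerics so a hit can be located but not reused."""
    core = re.sub(r"[^A-Za-z0-9]", "", value)
    return "*" * (len(core) - 4) + core[-4:]


def scan_text(text: str) -> List[Finding]:
    """Return findings for one file's text, in order of appearance."""
    found = []  # (line, column, Finding) so the result is in file order
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            found.append((line_no, m.start(), Finding(line_no, "ssn", redact(m.group()))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                found.append((line_no, m.start(), Finding(line_no, "card", redact(digits))))
        for m in PASSPORT_RE.finditer(line):
            found.append((line_no, m.start(1), Finding(line_no, "passport", redact(m.group(1)))))
    found.sort(key=lambda t: t[:2])
    return [f for _, _, f in found]


def scan_directory(root: Path) -> Dict[Path, List[Finding]]:
    """Walk root and return {file: findings} for every readable file with a hit."""
    report: Dict[Path, List[Finding]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        hits = scan_text(text)
        if hits:
            report[path] = hits
    return report


# Constructed sample files; every value below is synthetic.
SAMPLE_FILES = {
    "resume.txt": "Resume (constructed sample)\nJane Roe\nSSN: 123-45-6789\nPhone: 630-555-0100\n",
    "trip_report.txt": ("Foreign travel form (constructed sample)\n"
                        "Traveler: J. Doe, passport no. X1234567\n"
                        "Corporate card used: 4111 1111 1111 1111\n"),
    "notes.txt": "Shipping tracking id 1234567890123456 (not a card, fails Luhn)\n",
}


def demo() -> Dict[str, List[Finding]]:
    """Write the constructed samples to a temp dir, scan it, return hits by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLE_FILES.items():
            (root / name).write_text(body, encoding="utf-8")
        return {str(p.relative_to(root)): hits for p, hits in scan_directory(root).items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        for f in hits:
            print(f"{name}:{f.line}: possible {f.kind} {f.redacted}")
```

Run it against a home directory by calling scan_directory(Path.home()) instead of demo(); the Word documents and spreadsheets the slide mentions are zipped XML, so they would first have to be exported to text or opened with a library that reads those formats, and a hit such as a number that passes the Luhn check is still only a candidate to be checked by the owner of the file.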

For more information
- If you need to access any of the Protected PII maintained by the laboratory (for example, in HR or financial databases), you will need additional training about proper procedures.
- If you think you have a business need for keeping PII (or have any other questions), contact your division/section privacy representative.

Division/Section Privacy Reps
- AD: Arlene Lennox
- CD: Irwin Gaines
- PPD: Eileen Phillips
- TD: John Konc
- BSS: Bill Flaherty
- ES&H: Tim Miller
- FESS: Odarka Jurkiw
- FIN: Tom Ackenhusen
- WDRS: Heather Sidman

Advanced Course
- For lab employees or users who need to access the small amount of Protected PII the lab maintains.
- DOE orders mandate:
  - Protected PII can only be kept in moderate-level Major Applications.
  - Protected PII cannot be downloaded to portable devices or to devices outside the boundary of the Major Application.
  - Any such download requires a waiver from the DOE site manager, which must be renewed every 90 days, and the data must be encrypted.
  - Any remote access to Protected PII requires two-factor authentication and a 30-minute timeout.
  - Any suspected loss of PII must be reported within 1 hour.

Fermilab implementation
- Two categories of Protected PII:
  - Local access only: lives in a "locked room" Major Application; no downloading or remote access is possible. Examples: neutron therapy, radiation film badge.
  - Network access required: lives in the financial systems Major Application (PeopleSoft, Oracle Financials). Only certain accounts will be allowed to access the PII portions of these databases, and there is no access at all from the general internet. Only special cases (e.g., particle accelerator school) require downloading; these will require waivers and encryption.

Next Steps for PII
- Adoption and issuance of policies and procedures by lab management
- Appointing division/section privacy reps
- Having all employees and users view training material and sign the statement
- Bringing current caches of Protected PII into full compliance

Other categories of information
- Responsibility is on the data owner to categorize and protect data according to general guidelines.
- Level 4, Secure Access data: PII and other statute-protected data; specific lab-wide policies apply.
- Level 3, Restricted Access data: data whose loss or improper disclosure could result in significant harm to the laboratory or to individuals; access restricted to specific identified individuals with a business need to know.
- Level 2, Limited Access data: data whose loss or disclosure could result in only limited harm; access must be restricted to broad groups of individuals.
- Level 1, Open Access data: no restrictions.