FOIA, Privacy & Records Management Conference 2009
Date: 11/16/2009
System of Records Notice (SORN) and Privacy Impact Assessments (PIAs)

Introduce myself and the rest of the panel.
Mr. Leroy Jones, Jr., Army Privacy Office, (703)
Mrs. Margaret Hamrick, Army Privacy Office, (703)
Ms. Cynthia Dixon, CIO/G, (703)
Ms. Cathy Cowan, CIO/G, (703)
Ms. Melissa Hicks, NETCOM/9TH SC A, (703)
Mr. Joseph Cornwell, NETCOM/9TH SC A, (703)
System of Record Notice (SORN) and Privacy Impact Assessments (PIAs)
Purpose of this session:
To provide information/guidance on SORNs
To provide guidance on what NETCOM/9th Sig Accreditation and FISMA
To provide an understanding of the PIA process
To provide guidance and training on correctly completing the PIA template, DD Form 2930

We will be discussing the PIA process from the time a PIA is submitted until it gets signed by the CIO/G-6. There will be a discussion on what NETCOM is expecting to see, and a discussion on SORNs and PIAs and how the three work together to make sure your PIA is correct. Please hold all your questions until the end, thank you. Now I will turn this over to the CIO/G-6 team.
System of Record IAW DoD 5400.11-R (Defense Privacy Program)
DL1.24, System of Record (SOR): a group of any records (paper or electronic) under the control of a DoD Component (Army) from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual (such as SSN, date of birth, symbol, etc.).
System of Record Notices (SORN)
Definition: A description of a group of records that:
Is under the control of the Agency (Army, etc.)
Is published in the Federal Register (FR)
Authorizes the collection of Personally Identifiable Information (PII)
If records are not retrieved by an individual's name or personal identifier, they are not a PA system of records.
PII & System of Record Notices
OMB Memorandum M-07-16, 22 May 2007, states: Personally Identifiable Information (PII) refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
Responsibilities: PRIVACY OFFICERS
A Privacy Official is appointed at Command levels throughout the Army.
Execute the privacy program in functional areas and activities under their responsibility.
Ensure that Privacy Act records collected and maintained within the Command or agency are properly described in a Privacy Act system of record notice.
Responsibilities (cont.)
Ensure:
No undeclared systems of records are being maintained.
A Privacy Act Statement is provided to individuals when information is collected that will be maintained in a system of record.
Each Privacy Act system of record notice within their purview is reviewed biennially.
Updated or new System of Record Notices are submitted to the Army Privacy Office.
Responsibilities (cont.)
SYSTEM MANAGERS:
Prepare new, amended, or altered Privacy Act system of record notices and submit them to the Command Privacy Officer for review.
Ensure:
Appropriate procedures and safeguards are developed, implemented, and maintained.
All personnel with access to each system are aware of their responsibilities for protecting personal information being collected and maintained under the Privacy Act.
Each SORN within their area of responsibility is reviewed biennially.
SORN Review/Update
Download a copy of the published SORN into a Word document from
Review and edit the 18 categories of the SORN.

1. Read some of the 18 categories and tell them a copy is available for them on the table, etc.
2. Also, let them know that a copy of a PUBLISHED SORN is available for them.
SORN Categories
https://www.rmda.army.mil/privacy/docs/foia-sorn.pdf
System identifier
System name
System location
Categories of individuals covered by the system
Categories of records in the system
Authority for maintenance of the system
Purpose(s)
Routine uses
Storage
Retrievability
Safeguards
Retention and disposal
System manager(s) and address
Notification procedures
Record access procedures
Contesting record procedures
Record source categories
Exemptions claimed for the system

Let them know copies are available for them that describe each category. Also, instructions are posted on the RMDA website at and further guidance is found in DoD R, Defense Privacy Program.
System of Record Notice
Privacy Act System of Records Notices (SORNs): Required Documentation
Additions - Narrative statement and SORN
Alterations - Narrative statement, proposed changes to existing SORN, and SORN with changes incorporated
Amendments - SORN with proposed changes and SORN with the changes incorporated
Deletions - Preamble and notice to request SORN deletion
 - Include what happened to the existing records
 - If now covered under another SORN, state which one
Exemptions (submitted with additions or alterations) - Documentation that your Office of General Counsel (OGC) or legal section has reviewed and agrees with the exemption
Accreditation and FISMA
Place Holder for NETCOM Slides
Personally Identifiable Information (PII)
What is Personally Identifiable Information?
social security number
name
date of birth
gender
rank
address
mother's maiden name
driver's license
biometrics
employment material status
spouse information
educational information
citizenship
disability information
marital status
medical information
and more
Personally Identifiable Information (PII)
Definition of PII: Personally Identifiable Information (PII) is information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone; or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
Purpose of the PIA
To analyze how PII is handled in order to:
Determine conformance with applicable legal, regulatory, and policy requirements regarding privacy
Assess the risks and effects of collecting, maintaining and disseminating PII
Examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.

Privacy Impact Assessment (PIA) requirements: IAW OMB directive, a PIA is required for systems that collect, maintain, and disseminate PII on members of the public (excluding members of DoD). The DoD requirement expands this to review all systems to determine if they collect PII and to conduct a PIA on those systems regardless of whether they collect PII on members of DoD.
When is a PIA required?
Systems that collect, maintain, use, or disseminate PII on the general public, federal personnel (government civilians, members of the military, and Non-appropriated fund employees), contractors, and Foreign Nationals employed on military bases overseas;
Prior to developing or purchasing new DoD information or electronic systems (this includes DoD information systems and electronic collections supported through contracts with external sources that collect, maintain, use, or disseminate PII);
When there is a significant change to a system, to include new application functionalities or changes in privacy risk;
For legacy systems;
When converting from paper-based records that contain PII to an electronic system.

Per the IG, for accountability purposes all systems will have a PIA even if you don't meet these requirements. This only involves selecting the "no" box on the first page, providing the DITPR and AMPS numbers, gathering all the required signatures and sending the PIA to the CIO/G-6. We have more on this when we review the PIA template.
Privacy Impact Assessments (PIAs)
CIO/G-6 New Process
References
Updates previous policies
PIA tool, and various forms of PII data
New DD Form 2930 and web site for new form location
PIA update process
PIA SORN(s)
When a PIA is not required
PIA and Privacy Office POCs

Introduce the team. Policy. Speak to how-to for PIAs.
PIA REQUIREMENTS OVERVIEW
Must be submitted on the new form, DD Form 2930.
PIAs must be reviewed and updated every three years in conjunction with the Certification and Accreditation (C&A) cycle as a component of the DoD Information Assurance Certification and Accreditation Process (DIACAP) package.
A System of Records Notice (SORN) is required if a group of files (paper or electronic) is retrieved by name, date of birth, or social security number, or contains a personal identifier assigned to an individual. (This is misplaced since talking next chart)
The authorities in the PIA and the SORN should be consistent. (use this instead)
Privacy Impact Assessments (PIAs)
Department of Defense DD Form 2930: Template Instruction
PIA Template
Enter DoD Information System/Electronic Collection Name: Enter the full name of the system, with acronym in parentheses.
Enter DoD Component Name: Entry should always begin with U.S. Army, then add the name of the system owner's organization. Don't go into too much detail, because your audience is the general public and they may not recognize the finer details of Army organization.
It is very important to identify the system correctly. This is why we ask for so many different identifiers.
SECTION 1: IS A PIA REQUIRED? Choose one option from the choices below. (Choose (3) for foreign nationals.) Family members, dependents, and those who have not reported for duty as civilian employees or military personnel are considered members of the general public. Section 208 of the E-Government Act of 2002 requires all federal government agencies to conduct PIAs for all new or substantially changed systems that collect, maintain, or disseminate personally identifiable information. The IG requires that all systems have a PIA. If your system does not fall under options 1, 2 or 3, then select number 4.
In the next part of the PIA there is an area for the DITPR number. At the request of the 9th Signal Command, to help facilitate their review, please enter the DITPR and the ATARR number.
PIA Template con't
SECTION 2: PIA SUMMARY INFORMATION
SORNs are required for all systems that have data that is retrievable by PII.
Self explanatory. Enter the DITPR ID Number, along with the AITR ID Number in parentheses, as in APMS. If the system is not registered in the DITPR, check "No". However, if there is an AITR ID number (usually for applications), it could be listed here with an explanation of why the system isn't registered in DITPR. The AITR Number can be found in APMS under the "Required Data" form on "Tab1 (Army Requirements)", General Information section.
c. The table of UPIs for the Presidential Budget is posted on the US Army CIO web site, which can be found in the "FOIA Privacy & Records Management Conference" book. To find the UPI for a particular IT system, search for the acronym or system title. If not found, then the system does not have a UPI number; select "NO".
d. Enter the SORN Identifier number only in the text box. If there is a question regarding the existence of a SORN, or if a SORN needs to be created or updated, contact your Privacy Official with any questions regarding SORN issues. If the SORN has been submitted as new or updated and has not received approval yet, then enter "Pending" for the SORN Number and the date you submitted the SORN.
PIA Template con't
e. The OMB Control Number table can be found on the US Army CIO web site. Search for the system title; if not found, then the system does not have an OMB Control Number; select "NO."
f. All systems MUST have an Authority to Operate. "Authority for Maintenance of the System" can be found in the SORN. Insert the "Authority for Maintenance of the System" found in the SORN that relates to your system. If the SORN covers more than one system, then the Authorities listed on the PIA MUST be in the SORN. It stands to reason that if the SORN covers only your system, then the Authorities listed on the PIA MUST match the SORN. (b) is valid only if no SORN exists. (c) is valid only if no SORN exists.
PIA Template con't
g. This is where you get to briefly tell us about your system in layman's terms.
Item (1) – Tell us the purpose of the system, why this system contains an individual's PII, and how it is used and protected. Be detailed enough that a layman can understand, but brief enough so as not to write a book. Give a brief and general description of the type of PII you are collecting, e.g., military information, educational information.
Item (2) – Describe (not list) the risks and safeguards. Section 3d addresses physical, technical and administrative controls. Standard language: "Due to the level of safeguarding, we believe the risk to individuals' privacy to be minimal. There are no risks in providing an individual the opportunity to object or consent, or in notifying individuals. Appropriate safeguards are in place for the collection, use and safeguarding of information."
h. List agencies, not systems, that PII is shared with. There have been systems that share their information with the entire Army, so instead of listing them all, give us a generic statement like "Because of the nature of our data we share with all Army organizations." or "Because of the nature of our data we share with all Air Force, Navy, Marine Corps, Coast Guard, and Military Entrance Processing Command." Think about what agencies receive reports from this system.
Contractors section – describe the language in the contract that addresses the protection of PII.
PIA Template con't
i. If "Yes", describe the method for objecting. Example: "This system will provide a privacy act statement upon every login and require end users to accept the prescribed conditions in order to use ACT." If "No", give the reason individuals do not have the opportunity to object. An example could be that they were injured in combat and are unconscious, or that this system does not get data from the individual, only from other systems.
j. The same logic applies here, but for giving consent for the specific use of their PII.
PIA Template con't
k. Is self explanatory. You need to describe the format.
NOTE: Only PIAs that pertain to the Public are posted on the CIO G6 web.
PIA Template con't
This is where you get specific about what PII you collect. The PII you state here MUST be in the SORN. If "Other," specify the PII or explain any PII grouping selected, e.g., photos, passport information, NSPS data, etc.
(2) Where does the information come from? If information is obtained from a system, then state the system, not the agencies.
PIA Template con't
(3) Think about how you get the PII. If you get it in paper form, could you also get it via fax? If you get it face to face, could you get it via the phone?
(4) Elaborate on why the collection of PII is necessary. Is it for validation, to identify someone, etc.?
(5) Elaborate on the intended use of the PII. What do you intend to do with my PII?
b. The appendix describes aggregation as "Any process in which information is gathered and expressed in a summary form for purposes such as statistical analysis. A common aggregation purpose is to compile information about particular groups based on specific variables such as age, profession, or income." If there is a question as to whether a system derives new PII about an individual through data aggregation, please contact the CIO/G-6 PIA Team via at
PIA Template con't
c. Does the developer use real data for testing? If so, then select Developers.
d. (1) If the system resides in a government facility, then the minimum controls are Security Guards and Identification Badges. Indicate all that apply, not only to compound or building access but also to the room that the system resides in. If you check "Other", describe it in the text box provided.
(2) What are your technical controls? Normally, if you have a CAC then you have PKI. Army now requires all data at rest to be encrypted, so I imagine that your system would be encrypted to accommodate this regulation.
PIA Template con't
(3) Because of the data at rest regulation, I would hope that your backups are encrypted. If you are requiring specific training in order to access the system, that would go here.
e. Ensure this information and APMS are the same. This is the area that relates to FISMA and where the 9th Signal Command will start their review from. The area in APMS is under the "Required Data" form on "Tab4 (DITPR Compliance Tab1)", FISMA section.
f. Be detailed on how the handling practices of individuals' PII affect their privacy. This statement may be added: "Controls are in place and effective in mitigating all risks to an acceptable level for protecting systems and data up to and including 'For Official Use Only' Privacy Act data."
PIA Template con't
g. Be detailed on what measures have been put in place for existing systems. This statement may be added: "Due to the level of safeguarding addressed in Section 3d, we believe the risk to individuals' privacy to be minimal. There are no identifiable privacy risks at this time."
h. Be detailed on what measures have been put in place for new systems.
PIA Template con't
The PM signs in the Program Manager or Designee Signature section; this can be done digitally.
The Component's IA Officer signs the first Other Official Signature (to be used at Component discretion) section; this can be done digitally.
PIA Template con't
The Component's Privacy Officer signs the next Other Official Signature (to be used at Component discretion) section; this can be done digitally.
The Army's IA Official signs this section; this can be done digitally.
The Army's Privacy Official signs this section; this can be done digitally.
PIA Template con't
The Army's CIO Official signs this section; this can be done digitally.
After PIA is Approved and Signed
Office of Army CIO will:
Send a signed copy to the command
Update the Army CIO web site list of approved PIAs
Send a copy to ASD NII (who will send it to OMB, if on Public)
Maintain an electronic and hard copy file of all approved PIAs
Update the DITPR-DOA and ask the command to review and update as necessary
Privacy Impact Assessments (PIAs)
Your Thoughts, Questions and Recommendations