Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Privacy Act of 1974: An Introduction September 2010

Published byRosemary Walsh Modified over 5 years ago

Similar presentations

Presentation on theme: "The Privacy Act of 1974: An Introduction September 2010"— Presentation transcript:

1 The Privacy Act of 1974: An Introduction September 2010
For Official Use Only

2 Lesson 1: Introduction Lesson 1: Introduction

3 Trainer introductions
Lesson 1: Introduction Welcome Course overview Trainer introductions

4 Participant Introductions
Lesson 1: Introduction Participant Introductions Now it’s time to introduce ourselves Name Number of years with the Department of Defense (DoD) Current job, agency, or component Responsibilities

5 Lesson 1: Introduction Course Goals To raise awareness of the need to safeguard the personally identifiable information (PII) held by the Department of Defense To raise awareness of the penalties associated with Privacy Act violations

6 Course Objectives After completing this course, you will be able to:
Lesson 1: Introduction Course Objectives After completing this course, you will be able to: Identify the policy objectives associated with the Privacy Act of 1974 Identify concepts and definitions associated with personally identifiable information (PII) Identify the nondisclosure rule and its 12 exceptions Identify safeguards and best practices that help ensure the protection of PII Identify the penalties for noncompliance with the Privacy Act of 1974

7 Course Structure Introduction
Lesson 1: Introduction Course Structure Introduction The Privacy Act of 1974 Policy Objectives Concepts and Definitions Associated With PII Conditions of Disclosure Safeguarding PII Penalties for Noncompliance with the Privacy Act Scenario Exercise: Putting It All Together Course Summary

8 Lesson 2: The Privacy Act of 1974 Policy Objectives

9 Upon completion of this lesson, you will be able to:
Lesson 2: The Privacy Act of 1974 Policy Objectives Lesson Objective Upon completion of this lesson, you will be able to: Identify the policy objectives associated with the Privacy Act of 1974

10 Code of Fair Information Practice Principles
Lesson 2: The Privacy Act of 1974 Policy Objectives Code of Fair Information Practice Principles In 1972, the Advisory Committee on Automated Personal Data Systems explored the impact of computerized record-keeping on individuals and proposed a Code of Fair Information Practice Principles (FIPPs). FIPPs evolved into 8 generally accepted principles. These principles formed the basis for all subsequent codes and laws related to information collection, especially the Privacy Act of 1974.

11 Fair Information Practice Principles
Lesson 2: The Privacy Act of 1974 Policy Objectives Fair Information Practice Principles The 8 generally accepted principles identified in the Code for Automated Personal Data Systems are: Collection limitation Data quality Purpose specification Use limitation Security safeguards Openness Individual participation Accountability

12 Inception of the Privacy Act of 1974
Lesson 2: The Privacy Act of 1974 Policy Objectives Inception of the Privacy Act of 1974 Congress turned its attention to the issue of data stored in insecure data banks in June 1974. The Senate Judiciary Committee's Subcommittee on Constitutional Rights discovered that billions of records were stored within Federal Government computers. Individuals did not know the information was being collected and had no recourse to review or correct it.

13 Objectives of the Privacy Act
Lesson 2: The Privacy Act of 1974 Policy Objectives Objectives of the Privacy Act To restrict disclosure of personally identifiable records maintained by agencies To grant individuals increased rights of access to agency records maintained on themselves To grant individuals the right to seek amendment of agency records maintained on themselves upon a showing that the records are not accurate, relevant, timely, or complete To establish basic requirements for agencies to comply with standards for collection, use, maintenance, and dissemination of records 12

14 Lesson 3: Concepts and Definitions Associated with PII

15 After completing this lesson, you will be able to:
Lesson 3: Concepts and Definitions Associated with PII Lesson Objective After completing this lesson, you will be able to: Identify concepts and definitions associated with personally identifiable information (PII)

16 Lesson 3: Concepts and Definitions Associated with PII
Personally identifiable information (PII) is information about an individual that identifies, links to, relates to, is unique to, or describes him or her.

17 Lesson 3: Concepts and Definitions Associated with PII
Definitions, cont. Protected Health Information (PHI) is a subset of personally identifiable information. Examples of PHI are a medical diagnosis; lab results; X-rays; and the date, time, and location of medical appointments.

18 Lesson 3: Concepts and Definitions Associated with PII
Definitions, cont. The Health Insurance Portability and Accountability Act of (HIPAA) protects the privacy of individuals' PHI from inappropriate disclosure.

19 Lesson 3: Concepts and Definitions Associated with PII
Definitions, cont. A single item or collection of items of PII maintained by an agency is called a record. Records are grouped into a collection for a specific purpose by an agency. When a personal identifier is used to retrieve records from such a collection, it is called a system of records (SOR).

20 Lesson 3: Concepts and Definitions Associated with PII
Definitions, cont. A system of records notice (SORN) is a description of the contents of an existing or planned system of records. A SORN states the purpose and authority by which the information in the system of records is collected, and identifies what data the agency intends to collect, how the data will be used and safeguarded, who will have access, and other details.

21 Lesson 3: Concepts and Definitions Associated with PII
Definitions, cont. Routine use is the disclosure of a record outside the DoD for a use that is compatible with the purpose for which the information was collected and maintained by the DoD. The routine use must be included in the published system notice for the system of records involved.

22 The information is needed for official business
Lesson 3: Concepts and Definitions Associated with PII Definitions, cont. Need-to-know is the authorized, official need to have access to information that is protected under the Privacy Act based on assigned duties and responsibilities. The need-to-know test is satisfied when the requester can establish either of the following: The information is needed for official business The information is required by law

23 Terrorism information Homeland security information
Lesson 3: Concepts and Definitions Associated with PII Definitions, cont. Responsibility to share information was met within DoD on December 28, 2007, through the addition of a “Blanket Routine Use,” which allows the sharing of a record consisting of or relating to: Terrorism information Homeland security information Law enforcement information Responsibility to share information does not circumvent the need-to-know.

24 Sharing Information Appropriately
Lesson 3: Concepts and Definitions Associated with PII Sharing Information Appropriately

25 Lesson 4: Conditions of Disclosure

26 After completing this lesson, you will be able to:
Lesson 4: Conditions of Disclosure Lesson Objective After completing this lesson, you will be able to: Identify the nondisclosure rule Identify the 12 exceptions to the nondisclosure rule

27 General Disclosure Prohibition
Lesson 4: Conditions of Disclosure General Disclosure Prohibition "No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains." — 5 U.S.C. § 552a(b) There are 12 exceptions to this nondisclosure rule.

28 Exceptions to the Nondisclosure Rule
Lesson 4: Conditions of Disclosure Exceptions to the Nondisclosure Rule The following 3 slides list conditions in which it is acceptable to disclose PII from a Privacy Act record to a third party: To employees with a legitimate need-to-know When the FOIA requires release For a "routine use" identified in the system of records notice (SORN) that has been published in the Federal Register

29 Exceptions to the Nondisclosure Rule, cont.
Lesson 4: Conditions of Disclosure Exceptions to the Nondisclosure Rule, cont. To the Census Bureau for purpose of conducting the census For statistical research and reporting in which individuals will not be identified To the National Archives and Records Administration

30 Exceptions to the Nondisclosure Rule, cont.
Lesson 4: Conditions of Disclosure Exceptions to the Nondisclosure Rule, cont. To civil or criminal law enforcement under U.S. control For compelling circumstances affecting the health or safety of the individual To either House of Congress

31 Exceptions to the Nondisclosure Rule, cont.
Lesson 4: Conditions of Disclosure Exceptions to the Nondisclosure Rule, cont. To the Comptroller General Pursuant to a court order (a subpoena signed by a judge) To a consumer reporting agency in accordance with the Debt Collection Act

32 Lesson 5: Safeguarding PII

33 After completing this lesson, you will be able to:
Lesson 5: Safeguarding PII Lesson Objective After completing this lesson, you will be able to: Identify safeguards and best practices that help ensure the protection of PII

34 Administrative Safeguards
Lesson 5: Safeguarding PII Administrative Safeguards Verify that distribution lists are only for those with a need-to-know. Validate the use of the information against the purpose of collection in the SORN. Ensure that the component privacy officer reviews/updates the SORN.

35 Administrative Safeguards, cont.
Lesson 5: Safeguarding PII Administrative Safeguards, cont. Beware of the surrounding environment when engaging in conversation involving PII. Ensure that telephone conversations are private. Check that information containing PII is necessary for the task. As a policy under the Privacy Act, ask whether a task can be completed without the PII.

36 Administrative Safeguards, cont.
Lesson 5: Safeguarding PII Administrative Safeguards, cont. Do not take PII out of the office unless required by your official duties and approved by an appropriate authority. Mark hard copies of PII using prescribed markings such as “Sensitive” and cover with a coversheet or folder. Consult the component privacy officer before the creation of a System of Record (SOR) or information collection. The privacy officer will determine whether a SORN needs to be created to notify the public.

37 Use encryption for e- mails that include PII.
Lesson 5: Safeguarding PII Technical Safeguards Use encryption for e- mails that include PII. Use only DoD-approved software. Use cover sheets, confirm fax numbers, and obtain transmission confirmation when faxing Do not use flash ("thumb") drives.

38 Use locks to secure PII/PHI when stored.
Lesson 5: Safeguarding PII Physical Safeguards Use locks to secure PII/PHI when stored. Dispose of records according to established standards in the SORN or procedures established by the National Archives and Records Administration. Establish physical safeguards that protect information against reasonably identifiable threats that could result in unauthorized access or alteration. Test safeguards to ensure that they perform as intended.

39 Lesson 5: Safeguarding PII
Best Practices Do not use information that was previously collected for a new use without informing the public by altering an existing SORN or creating a new one. Do not use a subset of existing data for a new purpose. Do not maintain data collections in secret. Do not use data from websites such as Wikipedia instead of authoritative Government sources.  Do not keep PII in an unapproved spreadsheet.

40 Lesson 5: Safeguarding PII
Best Practices, cont. Collect information directly from the individual to the greatest extent practical. Verify that data retrieved are accurate, complete, relevant, and timely (up-to-date). Ensure that information is from the authorized official source. 

41 Penalties for Noncompliance with the Privacy Act
Lesson 6: Penalties for Noncompliance with the Privacy Act Lesson 6: Penalties for Noncompliance with the Privacy Act

42 After completing this lesson, you will be able to:
Lesson 6: Noncompliance and Penalties for Noncompliance with the Privacy Act Lesson Objective After completing this lesson, you will be able to: Identify the penalties for noncompliance with the Privacy Act of 1974

43 Noncompliance with the Privacy Act
Lesson 6: Penalties for Noncompliance with the Privacy Act Noncompliance with the Privacy Act Individuals may be criminally liable if they knowingly and willfully: Disclose privacy data to any person not entitled to access Maintain a system of records without meeting public notice requirements Obtain or request records under false pretenses

44 Noncompliance with the Privacy Act, cont.
Lesson 6: Penalties for Noncompliance with the Privacy Act Noncompliance with the Privacy Act, cont. Courts may award civil penalties against the Agency for: Improperly/unlawfully refusing to amend a record Improperly/unlawfully refusing to grant access to a record Failure to maintain accurate, relevant, timely, and complete information Failure to comply with any Privacy Act provision or agency rule that results in an adverse effect on the subject of the record

45 Penalties for Noncompliance
Lesson 6: Penalties for Noncompliance with the Privacy Act Penalties for Noncompliance Criminal penalties: (Applies to the individual employee) A misdemeanor charge Maximum fine of $5,000

46 Penalties for Noncompliance , cont.
Lesson 6: Penalties for Noncompliance with the Privacy Act Penalties for Noncompliance , cont. Civil penalties: (Applies to the agency not the employee) The cost of actual damages suffered ($1,000 minimum) Costs and reasonable attorney's fees

47 Putting It All Together
Lesson 7: Scenario Exercise: Putting It All Together Lesson 7: Scenario Exercise: Putting It All Together

48 After completing this lesson, you will be able to:
Lesson 7: Scenario Exercise: Putting It All Together Lesson Objective After completing this lesson, you will be able to: Identify errors in handling PII and demonstrate awareness of the appropriate action to take in managing PII

49 Lesson 7: Scenario Exercise: Putting It All Together
The scenario that you are about to read is based in part on a real situation. You will read the scenario and answer questions about the appropriate actions to take.

50 Does this e-mail contain personally identifiable information?
Lesson 7: Scenario Exercise: Putting It All Together Scenario Questions Does this contain personally identifiable information? Is this information protected under the Privacy Act? Does Judy have a need-to-know this information? Have the appropriate technical safeguards been applied in the transmittal of this ? Is this a breach? If so, who should Judy report it to?

51 Lesson 8: Course Summary

52 Key Points from the Course
Lesson 8: Course Summary Key Points from the Course Agency responsibilities: The Privacy Act of sets forth objectives for Federal agencies that maintain records with personally identifiable information. Summarized, these are: Agencies must restrict disclosure of personally identifiable records Individuals have rights of access to agency records about themselves Individuals can seek amendment of agency records about themselves

53 Key Points from the Course, cont.
Lesson 8: Course Summary Key Points from the Course, cont. Agencies should abide by a Code of Fair Information Practice Principles that requires agencies to comply with standards for collection, maintenance, and dissemination of records. Safeguards: DoD employees and contractors must practice administrative, physical, and technical safeguards to protect PII from misuse or use without permission.

54 Course Objectives Reviewed
Lesson 8: Course Summary Course Objectives Reviewed You should now be able to: Identify the policy objectives associated with the Privacy Act of 1974 Identify concepts and definitions associated with personally identifiable information (PII) Identify the nondisclosure rule and its 12 exceptions Identify safeguards and best practices that help ensure the protection of PII Identify the penalties for noncompliance with the Privacy Act of 1974

55 DoDD 5400.11, "DoD Privacy Program," May 8, 2007
Lesson 8: Course Summary Additional Resources You may also consult one of the following resources on privacy found at . DoDD , "DoD Privacy Program," May 8, 2007 DoD R, "Department of Defense Privacy Program," May 14, 2007

Download ppt "The Privacy Act of 1974: An Introduction September 2010"

Similar presentations

PRIVACY ACT OF 1974 OVERVIEW. FAIR INFORMATION PRACTICES The Privacy Act is primarily concerned with fair information practices. The Privacy Act is primarily.

PRIVACY ACT OF 1974 OVERVIEW. FAIR INFORMATION PRACTICES The Privacy Act is primarily concerned with fair information practices. The Privacy Act is primarily.
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
Protect Our Students Protect Ourselves

Protect Our Students Protect Ourselves
Mandatory training for all Users who have access to Privacy Act Data

Mandatory training for all Users who have access to Privacy Act Data
Protection of privacy for all Students!

Protection of privacy for all Students!
Overview of the Privacy Act

Overview of the Privacy Act
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
Confidentiality and HIPAA

Confidentiality and HIPAA
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.

HIPAA Privacy Training Your Name Here. © 2004 MHM Resources Inc.2 HIPAA Background Health Insurance Portability and Accountability Act of 1996.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/2009 0.

1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
HIPAA THE PRIVACY RULE Reviewed December 2012 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-

HIPAA THE PRIVACY RULE Reviewed December HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-

Similar presentations

Ads by Google