Download presentation
Presentation is loading. Please wait.
1
Data Classification & Privacy Inventory Workshop
Data Classification and Privacy Inventory Workshop Data Classification & Privacy Inventory Workshop Implementing Security to Protect Privacy November 2005 State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation
2
Welcome & Introductions
Data Classification and Privacy Inventory Workshop Welcome & Introductions Debra Reiger, State Information Security Officer Joanne McNabb, California Office of Privacy Protection Lester Chan,, California Office of HIPAA Implementation State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation
3
Data Classification and Privacy Inventory Workshop
Workshop Agenda Welcome & Introductions - Debra Reiger Information Privacy & Security - Joanne McNabb Introduction to State Policy on Data Classification - Debra Reiger Break Protected Health Information - Lester Chan Conducting a Privacy Inventory - Joanne McNabb Workshop Exercise - Lester Chan State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation
4
Information Privacy & Security
Data Classification and Privacy Inventory Workshop Information Privacy & Security Privacy: Individual’s interest in controlling the handling of his/her personal information Security: Organization’s interest in protecting information assets from unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use Information security is essential to privacy protection. State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation
5
Data Classification and Privacy Inventory Workshop
“Personal information is like toxic waste – Managing it requires a high level of skill and training.” -Phil Agre, Technology and Privacy in a New Landscape This is where you come in. Phil Agre, Prof. of Information Studies, UCLA. State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation
6
Why Protect Personal Information
Law and Policy Information Practices Act, HIPAA Data Classification, Encryption (soon) Risk Reduction SAM Security breach notification law (Civil Code § ) – Cost of notification $1-$25 per notice Identity Theft > 9 Million victims and $52.6 Billion in 2004
7
Protecting Personal Information
Classify data and identify records systems containing personal identifying information. Locate records needing special protection: Notice-Triggering Personal Information Health Information (Protected or Electronic) Protect with appropriate security measures Administrative, Technical, Physical
8
State Policy on Classifying Data
Classification of Information
9
Introduction State policy requires that we identify and classify our data and protect it appropriately. See SAM Sections Automated files and databases are essential public resources. We are the protectors of the public’s information. We must first classify and locate data before we can properly protect it.
10
Information Protection
Give appropriate protection from unauthorized: Use Access Disclosure Modification Loss Deletion
11
Information Classifications
Public Information Confidential Information
12
Public Information Information not exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws
13
Confidential Information
Information exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws
14
Sensitive & Personal Info
Data Classification and Privacy Inventory Workshop Sensitive & Personal Info Sensitive and personal information may occur in public and/or confidential records. Files and databases containing sensitive and/or personal information require special precautions to prevent inappropriate disclosure. State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation
15
Sensitive Information
Requires special precautions to protect from: Unauthorized use Access Disclosure Modification Loss Deletion
16
Sensitive Information
May be either Public, or Confidential. Requires a higher than normal assurance of accuracy and completeness. Key factor is integrity. Typical records are agency financial transactions and regulatory actions.
17
Personal Information Identifies or describes an individual
Must be protected from inappropriate Access Use Disclosure Must also be accessible to data subjects upon request
18
Personal Information Identifies or describes an individual:
Name Home address Home phone etc. Sub-types of Personal Information: Notice-Triggering Personal Information Medical Information Protected Health Information Electronic Health Information
19
Notice-Triggering Personal Info
Name plus specific items or personal information: Social Security Number Driver’s license/I.D. card number Financial Account Number Requires notifying individuals if it is acquired by an unauthorized person.
20
Protected Health Information
HIPAA Covered Entities
21
Protected Health Information
Individually identifiable information created, received, or maintained by health care payers, providers, health plans or contractors, in electronic or physical form. State and federal laws require special precautions to protect from unauthorized use, access, or disclosure.
22
Electronic Health Information
Individually identifiable health information transmitted by electronic media or maintained in electronic media
23
Electronic Health Information
Health plans, clearinghouses or providers must ensure the privacy and security of electronic protected health information from unauthorized use, access or disclosure
24
Current Information Assess current systems for protected health information in physical (paper) and electronic form. Include personal information in the data classification portion of risk analysis and risk management Risk analysis and risk management are required of HIPAA covered entities
25
Future Data Systems Be aware of these data classifications as more data is created, maintained or transmitted. Plan for protecting your data during the system design phase. Collect data that you have the authority and need to collect.
26
Conducting a Privacy Inventory
Where is your data? Where is your personal data?
27
Privacy Inventory Process
Data Classification and Privacy Inventory Workshop Privacy Inventory Process ISO/PO gets management support. Each division/program identifies “Privacy Contact.” ISO/PO explains process to Privacy Contacts. Privacy Contacts complete Privacy Inventory Worksheet. ISO/PO/Program implement appropriate safeguards. ISO/PO conduct ongoing privacy awareness training for users (more on this later). State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation
28
Overview of Worksheet Part I: Records System Inventory
Part II: Privacy Practices Inventory
29
Part I of Inventory Worksheet
Data Classification and Privacy Inventory Workshop Part I of Inventory Worksheet Records Systems Containing Personal Information Start with Records Inventory for Records Retention Schedule List only Records Systems containing personal information State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation
30
1. Records System Group of records maintained for official purposes
Same as “Records Series” in Records Retention Handbook: Group of related records under a single filing category that deal with particular subject
31
Personal Information Information that describes an individual, including name, home address, home phone, etc. – defined in Civil Code Information on clients, consumers, applicants, licensees, employees, contractors – everyone
32
2. Description of Records
Examples Applications for general contractor’s license Personnel records of current employees Case records of recipients of in-home supportive service, past and present Consumer complaints
33
3. Sources of Records Examples:
Subject supplies information on application form Schools provide information on transcripts. DOJ provides information from criminal history records
34
4. Owner and Location Owner: Department/Division/Program that collects and maintains the records Location: Agency name and address where original records system is located Contact: Name, title, business contact information of agency official responsible for records system
35
5. Authority Citation of regulation or statute authorizing agency to collect and maintain records system
36
6. Media of Records System
Medium of “original” records system: electronic, paper, tape Additional media on which records are stored or used: PC Laptop Other portable device or medium
37
7. Type of Personal Information
Objective: Identify records systems containing personal information needing special protections Notice-triggering personal information (name plus SSN, DL/State ID number, financial account number) Health/medical information Other personal information (Home Address, MMN, DOB, etc.)
38
8. Confidential or Sensitive Info
Does the records system contain any confidential or sensitive information (other than personal information)? Confidential: Exempt from PRA Sensitive: For example, network configuration, agency bank records
39
9. Routine Uses & Disclosures
Purposes for which records were created Uses and users Disclosures outside agency that collects and maintains records system
40
Part II of Inventory Worksheet
Data Classification and Privacy Inventory Workshop Part II of Inventory Worksheet Privacy Practices Checklist of major practices per IPA, Government Code, etc. Optional – but good way to start to build privacy awareness State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation
41
1. Privacy Policy Statement
Is your agency’s privacy policy statement posted in your office(s)? Is it posted on your Web site(s)? Government Code
42
2. Rules of Conduct Does your program/agency have written rules of conduct for handling records containing personal information? Civil Code If so, attach copy to Worksheet.
43
3. Access Guidelines Does your program/agency have regulations or guidelines telling individuals how they can access their own records? Civil Code – If so, attach copy to Worksheet.
44
4. Notice on Collection How do you provide notice (of authority, uses, disclosures, access procedures, etc.) when collecting personal information? Civil Code Printed on paper forms On online forms Other
45
5. Public Records Act Disclosures
Do you have written procedures for responding to PRA requests? How do you protect personal information in public records? If so, attach copy to Worksheet.
46
6. Retention & Destruction
Is this records system listed in your Records Retention Schedule?
47
7. Incident Notification Procedures
Does the program/division/department have written procedures for notification of privacy/security incidents? For example, lost/stolen laptop containing (possibly notice-triggering) personal information: Report as information security incident, not property theft
48
Data Classification and Privacy Inventory Workshop
Privacy Awareness Privacy Inventory raises awareness of privacy vulnerabilities and protection requirements Ongoing awareness training for all users is essential Coming soon from COPP State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation
49
End of Presentation Questions Comments
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.