Published byHilary Black Modified over 9 years ago
2013 Annual PII Training Certificate

This is to certify that I have received my 2013 annual PII training. I understand that I am responsible for safeguarding PII. I also understand that I may be subject to disciplinary actions for failure to properly protect and safeguard PII data.

_________________________________ _________________
Name                              Date
Privacy Act
Personally Identifiable Information (PII) Training
Questions this Module Will Answer …
What is Personally Identifiable Information (PII)?
What are your roles and responsibilities regarding the Privacy Act?
What often causes PII loss or compromise?
What are the potential costs?
How can you prevent losing or compromising PII?
How should you handle, protect and dispose of PII?
What should you do if PII is lost or compromised?
PMT | Apr 2013 | v 0.1 | Privacy Act
You Are Responsible for …
Ensuring you complete PII training annually
Abiding by protocols when collecting, maintaining, destroying, or disseminating personal information
Periodically reviewing shared devices for compliance
Practicing limited-access principles
Ensuring that contracts include privacy clauses FAR 52.224-1 and 52.224-2 and that the contract language addresses how data is to be disposed of at the end of the contract
Identifying the Privacy Act System of Records Notice (SORN) and following the rules set in the notice
What is the Privacy Act?
The Privacy Act of 1974, as amended (5 U.S.C. 552a), regulates the collection, use, safeguarding, and disposition of personal information in government-wide systems of records
Personally Identifiable Information (PII)
PII refers to information that can be used to distinguish or trace an individual’s identity
PII needs to be protected and released only on a need-to-know basis
Two types:
– Sensitive
– Non-Sensitive
Sensitive PII
Sensitive PII is information which, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual
Sensitive PII elements include, but are not limited to:
Non-Sensitive PII
Non-Sensitive PII is information that could still be sensitive to an employee; it may also be information that is needed to do the business of the agency
Non-Sensitive PII elements include, but are not limited to:
– Pay grade and/or salary
– Performance ratings
– Leave being used (LA/LS/LWOP)
– Business-related data
– Business card
– Phone directory of the agency
– Office location
– Business telephone number
– Business email address
– Badge number
– Other information that is not releasable to the public
What Is a System of Records Notice?
Before DON can use a system of records to collect and maintain information on an individual, it must publish a Privacy Act System of Records Notice (SORN) in the Federal Register
– Informs the general public of what data will be collected, its purpose, and on whose authority
– Sets the rules the DON will follow in collecting and maintaining personal data
What Is a Privacy Act System of Records?
A Privacy Act system of records is "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual"
The DON Chief Information Officer lists over 150 DON Privacy Act systems of records: www.doncio.navy.mil
Government-Wide Examples
– Equal Employment Opportunity in the Federal Government Complaint and Appeal Records (EEOC/GOVT)
– General Personnel Records (OPM/GOVT-1)
DON Examples
– Organization Management and Locator System (NM05000-2)
– Time and Attendance Feeder Records (NM07421-1)
– Employee Relations (NM12771-2)
Why Protect?
Regulations
To prevent unauthorized uses
To protect against identity theft
To avoid compromise
To avoid loss
Protects business practices
How to Protect PII?
Question individuals who request PII data
Ensure need-to-know
Safeguard personal data
Maintain close control of data
Store data out of sight
Take steps to properly destroy data
Lock offices
Lock cabinets
Use the DD 2923 cover sheet
How to Protect Email?
Email
Encrypt all email containing PII and FOUO data
Ensure your PKI certificate has been published to the Global Address Listing (GAL)/Microsoft Outlook so email can be encrypted
Use the recommended warning statement in email when sending PII data:
FOR OFFICIAL USE ONLY - PRIVACY SENSITIVE - Any misuse or unauthorized disclosure can result in both civil and/or criminal penalties.
– The statement should be at the top of the email message
– FOUO should be present in the subject box of the email
– The statement should only be used in emails that contain sensitive data
– It should not be used as a blanket statement
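The four email rules above (encrypt, statement at the top, FOUO in the subject, no blanket use) can be turned into an outbound mail check. The following is an added example, not part of the deck or any DON tooling; the `encrypted` flag is a hypothetical signal a mail gateway would set after applying S/MIME encryption, and the SSN pattern and sample messages are constructed for illustration.

```python
import re
from email.message import EmailMessage

# Warning statement exactly as quoted in the training deck.
PRIVACY_STATEMENT = (
    "FOR OFFICIAL USE ONLY - PRIVACY SENSITIVE - Any misuse or unauthorized "
    "disclosure can result in both civil and/or criminal penalties."
)

# Constructed SSN-shaped pattern (NNN-NN-NNNN); a real DLP rule would cover more PII types.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def check_outbound(msg: EmailMessage, encrypted: bool) -> list:
    """Return policy findings for one outbound message; an empty list means compliant.

    `encrypted` is a hypothetical gateway flag (True once the message was encrypted
    to the recipient's GAL-published certificate). It is not derived from the message.
    """
    body = msg.get_content()
    subject = msg["Subject"] or ""
    has_pii = SSN_RE.search(body) is not None
    has_statement = body.lstrip().startswith(PRIVACY_STATEMENT)
    has_fouo_subject = "FOUO" in subject

    findings = []
    if has_pii:
        if not encrypted:
            findings.append("PII present but message is not encrypted")
        if not has_statement:
            findings.append("PII present but warning statement is not at top of body")
        if not has_fouo_subject:
            findings.append("PII present but FOUO is missing from subject")
    elif has_statement or has_fouo_subject:
        # The deck says the statement must not be used as a blanket marking.
        findings.append("FOUO/privacy statement used on mail with no sensitive data")
    return findings


def make_message(subject: str, body: str) -> EmailMessage:
    """Build a constructed sample message (not real mail)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


# Constructed samples: compliant, unencrypted/unmarked with PII, and blanket marking.
COMPLIANT = make_message("FOUO: roster correction",
                         PRIVACY_STATEMENT + "\n\nRecord lists SSN 123-45-6789; please correct.")
UNMARKED = make_message("roster correction", "SSN 123-45-6789 needs correcting.")
BLANKET = make_message("FOUO: lunch menu", PRIVACY_STATEMENT + "\n\nPizza Friday.")
```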
How to Protect Muster/Recall Rosters?
Muster/Recall Rosters
– Access on a need-to-know basis
– Shall never contain SSNs
– Only contain names (abbreviated), addresses, and telephone numbers
– Use a cover sheet
– FOUO/Privacy Statement
– Do NOT hang muster/recall cards around your neck
– If lost, provide a way for whoever finds it to return or destroy it
How to Protect When Faxing?
Faxing
Per Department of the Navy GENADMIN message 171625ZFEB2012, use of fax machines to send SSNs and other PII by DON personnel is PROHIBITED except when:
– Another, more secure means of transmitting is not practical
– A process outside of DON control requires faxing, such as DFAS, TRICARE, or the Defense Manpower Data Center (DMDC)
– Operational necessity requires expeditious handling
Additional Protection Info When Faxing
When sending a fax, use a Privacy Act cover sheet and verify receipt
External customers such as service veterans, Air Force and Army personnel, dependents, and retirees may continue to fax documents containing PII to DON activities but shall be strongly encouraged to use an alternative means such as:
– USPS
– Scanning and transmitting using a secure means
How to Protect Outlook Calendar/Cell Phone?
Shared Outlook Calendar
– Do not post: type of leave being taken, where you are on travel, birthdays
– Keep personal and work calendars separate
Cell phone
– Initials
– Last name and first initial
– Last name only
Disposal and Reducing Risk
Cross-cut shred documents with PII
Place only shredded PII into recycling
Use caution when copying documents with PII
Posters available on RFCC COI:
– Faxing
– Copying
– Shredding
https://mynavair.navair.navy.mil/portal/server.pt/community/privacy_act/1176/privacy_act_resources/57552
Not Protecting PII
If PII is:
– Lost
– Stolen
– Compromised
You will need to take action!
– Does it need to be reported?
– Can you define the data and who it belonged to?
– Is it a breach?
Breach
A PII breach is the loss of control, unauthorized disclosure, or unauthorized access of personal information, or the compromise of privacy-sensitive information. It could be:
– Loss of a device which houses PII data (laptop, cell phone, PDA, hard drive, portable storage device, etc.)
– An IT system being hacked
– Email containing PII data sent unencrypted outside of our control
– PII data in recycling (not shredded)
– PII data left out in open areas (cubes, printers, faxes)
What Makes a Breach Reportable?
Will the lost or stolen data lead to harm, embarrassment, or identity theft?
Is the likelihood high that PII will be or has been used by unauthorized individuals?
Was the data unprotected?
Could there have been a disclosure of private facts?
Could there be an unwarranted exposure of PII leading to humiliation or loss of self-esteem?
Could there be a potential for blackmail?
Causes of PII Loss or Compromise
Human error
Unprotected PII sent using email or by fax
Lost portable storage devices
Stolen laptops
Posting PII on bulletin or check-in/out boards
Using inappropriate methods for disposing of documents containing PII
Posting PII in public folders, on internal websites (e.g., MyNAVAIR), or on the Internet
Impact of a Breach
Embarrassing
Facilitates identity theft
Compromises business practices
Erodes confidence in the Government’s ability to protect PII
Results in disciplinary action against the offender
Emotionally stressful
Examples of Breaches
DON has reported the following types of breaches:
– Stolen laptop
– Unencrypted emails
– Resumes in recycling
– Navy copiers erroneously sold before hard drives were sanitized
– Employee downloaded PII to an unencrypted CD
– A Sailor and his civilian girlfriend were allegedly attempting to steal the identities of multiple staff members
– Missing hard drives
PII Violations
Violations which may lead to criminal penalties include:
– Collecting data without meeting the Federal Register publication requirement (SORN)
– Sharing data with unauthorized individuals
– Acting under false pretenses or facilitating those acting under false pretenses
Penalties for violating the Privacy Act include a misdemeanor charge with jail time of up to one year and fines of up to $5,000
What Should You Do If PII Is Breached?
Notify your immediate supervisor and the Site Privacy Act Coordinator
Gather the following information for reporting purposes:
– Date of breach
– Circumstances
– What was lost
– Number of employees affected
– Mitigation
Seek additional assistance from your Site Privacy Act Coordinator as needed
Summary
Recognize the difference between Sensitive and Non-Sensitive PII
Actively voice and demonstrate your support to protect PII
Protect, DON’T collect! Collecting PII in a system requires a SORN
Properly handle, protect, and dispose of PII
Take action to report and mitigate situations where PII may have been lost or compromised
2013 Annual PII Training Certificate

This is to certify that I have received my 2013 annual PII training. I understand that I am responsible for safeguarding PII. I also understand that I may be subject to disciplinary actions for failure to properly protect and safeguard PII data.

_________________________________ _________________
Name                              Date
Privacy Act Personnel Management Training for New Supervisors