cte privacy bridges module 3


  • 7/29/2019 Cte Privacy Bridges Module 3

    Privacy Act (PA) Request, Violations and Reporting Procedures

    Module 3

    Classify basic facts and terms about Privacy Act (PA) Request, Violations and Reporting Procedures.

    Privacy Act Request

    A request from a U.S. citizen or lawfully admitted alien (or the requester's authorized agent):

    to gain access to his or her records in a "System of Records";

    to have information in his or her file corrected; or

    to gain access to an "Accounting of Disclosures," a list of all individuals who had access to his or her file.

    Privacy Act

    Allows U.S. citizens and lawfully admitted aliens to have access to their own records that are filed within a "system of records."

    A requester may ask to have incorrect factual data amended.

    No charge for the request.

    Request for Access

    Persons, or their designated representatives, may ask for a copy of their records.

    Verify the identity of the requester to avoid unauthorized disclosures.

    How you verify identity will depend on the sensitivity of the requested records.

    Consider requests under both the Privacy Act and FOIA.

    Requesters should not use government equipment, supplies, stationery, postage, telephones, or official mail channels for making PA requests.

    Processing a Request

    Processing a Request for Access. Consider a request from an individual for his or her own records in a system of records under both the FOIA and the PA, regardless of the Act cited.

    Requesters should describe the records they want. They do not have to name a system of records number, but should at least name a type of record or functional area.

    Requesters should not use government equipment, supplies, etc.

    Processing a Request

    Tell the requester if a record exists and how to review the record.

    Respond within 10 workdays. If you cannot, send a letter explaining why and give an approximate completion date no more than 20 workdays after the first office received the request.

    If the requester amends the request, the Agency must respond to the amendment request within 30 business days.

    Show or give a copy of the record to the requester within 30 workdays of receiving the request unless the system has an exemption published in the Federal Register as a final rule.

    Fees

    Give the first 100 pages free and charge only reproduction costs for the remainder.

    Do not charge fees:

    when an individual can get the records without charge (i.e., medical records);

    for search;

    for reproducing a document for the convenience of the Air Force;

    for reproducing a record so the requester can review it.

    Fee Waivers. Waive fees automatically if the direct cost of reproduction is less than $25.

    Denying or Limiting Access

    System managers process access denials within 5 workdays after receipt of a request for access.

    Before denying a request for access to a record, make sure:

    the system has an exemption published in the Federal Register as a final rule;

    the exemption covers each document;

    nonexempt parts are segregated.

    Special Provision for Medical Records

    If a physician believes that disclosing requested medical records could harm the person's mental or physical health:

    the requester needs a letter from a physician in order for the records to be sent;

    offer the services of a military physician other than the one who provided treatment if naming a physician poses a hardship on the individual.

    NOTE: The PA requires that the PA Manager ultimately ensure that the subject receives the records.

    Third Party Information in PA System of Records

    Ordinarily a person is entitled to their entire record under the Privacy Act.

    Third party personal data: consult your servicing SJA before disclosing third party information.

    Generally, if the requester will be denied a right, privilege or benefit, the requester must be given access to relevant portions of the file.

    Civil Action

    Withhold records compiled in connection with a civil action or other proceeding, including any action where the Air Force expects judicial or administrative adjudicatory proceedings.

    This exemption does not cover criminal actions.

    Do not release attorney work products prepared before, during, or after the action or proceeding.

    Denial Authorities

    These officials or a designee may deny access to or amendment of records as authorized by the Privacy Act.

    Amendment Reasons

    Individuals may ask to have their records amended to make them accurate, timely, relevant, or complete.

    System managers will routinely correct a record if the requester can show that it is factually wrong (e.g., date of birth is wrong).

    Responding to Amendment Request

    Anyone may request minor corrections orally. Requests for more serious modifications should be in writing.

    After verifying the identity of the requester, make the change, notify all known recipients of the record, and inform the individual.

    Acknowledge requests within 10 workdays of receipt. Give an expected completion date unless you complete the change within that time. Final decisions must take no longer than 30 workdays.

    Approving or Denying

    The Air Force does not usually amend a record when the change is based on opinion, interpretation, or subjective official judgment.

    Determinations not to amend such records constitute a denial, and requesters may appeal.

    If the system manager decides not to amend the record, send a copy of the request, the record, and the recommended denial reasons to the denial authority through the legal office and the PA office.

    Legal offices will include a written legal opinion. The PA officer reviews the proposed denial and legal opinion and makes a recommendation to the denial authority.

    The denial authority (MAJCOM CC) sends the requester a letter with the decision.

    Contents of PA Case Files

    Do not keep copies of disputed records in this file.

    File disputed records in their appropriate series.

    Use the file solely for statistics and to process requests.

    Do not use the case files to make any kind of determination about an individual.

    Document reasons for untimely responses.

    These files include:

    requests from and replies to individuals on whether a system has records about them;

    requests for access or amendment;

    approvals, denials, appeals, and final review actions;

    coordination actions and related papers.

    Appeals

    Individuals who receive a denial to their access or amendment request may request a denial review by writing to the SAF through the denial authority, within 60 calendar days after receiving a denial letter.

    The denial authority promptly sends a complete appeal package to the MAJCOM PA Manager.

    Appeals

    The package must include:

    the original appeal letter;

    the initial request;

    the initial denial;

    a copy of the record;

    any internal records or coordination actions relating to the denial;

    the denial authority's comments on the appellant's arguments;

    the legal reviews.

    Computer Matching

    Computer matching programs electronically compare records from two or more automated systems that may include DOD, another Federal agency, or a state or other local government.

    A system manager proposing a match that could result in an adverse action against a Federal employee must meet these requirements of the PA:

    (1) prepare a written agreement between participants;

    (2) secure approval of the Defense Data Integrity Board;

    (3) publish a matching notice in the Federal Register before matching begins;

    (4) ensure full investigation and due process; and

    (5) act on the information, as necessary.

    Computer Matching

    The PA applies to matching programs that use records from Federal personnel or payroll systems and Federal benefit programs where matching:

    determines Federal benefit eligibility;

    checks on compliance with benefit program requirements;

    recovers improper payments or delinquent debts from current or former beneficiaries.

    Matches used for statistics, pilot programs, law enforcement, tax administration, routine administration, background checks and foreign counterintelligence, and internal matching that won't cause any adverse action are exempt from PA matching requirements.

    Any activity that expects to participate in a matching program must contact AF-CIO/P immediately.

    Record subjects must receive prior notice of a match.

    Privacy Act Statement

    Give a PAS orally or in writing.

    Display a sign in areas.

    Give a copy of the PAS if asked.

    Do not ask the person to sign the PAS.

    A PAS must include four items:

    Authority

    Purpose

    Routine Uses

    Disclosure

    Requesting the SSN

    When requesting an SSN, provide a Privacy Act Statement that tells the person:

    the legal authority for requesting it;

    the uses that will be made of the SSN;

    whether providing the SSN is voluntary or mandatory.

    DO NOT deny anyone a legal right, benefit, or privilege for refusing to give their SSN unless the law requires disclosure, or a law or regulation adopted before January 1, 1975 required the SSN and the Air Force uses it to verify a person's identity in a system of records established before that date.

    Requesting the SSN

    The Air Force requests an individual's SSN and provides the individual the information required by law when anyone enters military service or becomes an Air Force civilian employee.

    Executive Order 9397, Numbering System for Federal Accounts Relating to Individual Persons, authorizes using the SSN as a personal identifier.

    SSNs are personal and unique to each individual.

    Protect them as FOR OFFICIAL USE ONLY (FOUO). Within DOD, do not disclose them to anyone without an official need to know. Outside DOD, they are not releasable without the person's consent.

    Warning Banners

    Information systems that contain information on individuals that is retrieved by name or personal identifier are subject to the PA.

    The PA requires these systems to have a PA system notice published in the Federal Register that covers the information collection before collection begins.

    In addition, all information systems subject to the Privacy Act will have warning banners displayed on the first screen (at a minimum) to assist in safeguarding the information.

    Use the following language for the banner:

    PRIVACY ACT INFORMATION - The information accessed through this system is FOR OFFICIAL USE ONLY and must be protected in accordance with the Privacy Act, AFI 33-332, DoDR 54400.11, and DoDR 5200.1, Appendix 3.

    Marking PA Material

    PRIVACY ACT OF 1974

    Paper Copies

    Electronic Copies

    Marking PA Material

    Information systems containing data on individuals that is retrieved by name or personal identifier are subject to the Privacy Act.

    These systems must have a PA system notice published in the Federal Register:

    http://www.archives.gov/federal-register/index.html

    All information systems subject to the PA will have warning banners displayed on the first screen (at a minimum).

    Marking PA Material

    E-Mail - When transmitting personal information, ensure it is adequately safeguarded, there is an official need, all addressees are authorized to receive it under the PA, and it is protected from unauthorized disclosure, loss, or alteration.

    Add FOUO to the beginning of the subject line.

    Add the following statement at the beginning of the e-mail:

    This e-mail contains FOR OFFICIAL USE ONLY (FOUO) information which must be protected under the Privacy Act and AFI 33-332.

    Information via E-Mail

    Do not disclose personal information to anyone outside of DOD unless specifically authorized by the PA.

    Do not send PA information to distribution lists or group e-mail addresses unless each member has an official need to know the personal information.

    Before forwarding e-mails received with personal information, verify that your intended recipients are authorized to receive the information under the PA.
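    The e-mail marking and addressing rules on the two slides above (FOUO at the start of the subject line, the statement at the start of the body, no release outside DOD, no distribution lists unless every member has a need to know) can be turned into a pre-send check. The following Python is an added example written for this page, not material from the training module or from any Air Force tool; the authorized-recipient set, the example.mil addresses, the distribution-list naming prefixes and the two sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# The marking statement the module requires at the beginning of the e-mail.
FOUO_STATEMENT = (
    "This e-mail contains FOR OFFICIAL USE ONLY (FOUO) information "
    "which must be protected under the Privacy Act and AFI 33-332."
)

# Constructed assumption: addresses with an official need to know for this record set.
AUTHORIZED = {"pa.officer@example.mil", "supervisor@example.mil"}

# Constructed assumption: local-part prefixes this organisation uses for
# distribution lists and group mailboxes.
GROUP_PREFIXES = ("all-", "dl-", "list-")


def _normalize(text):
    """Collapse whitespace and case so wrapped or re-cased text still compares equal."""
    return re.sub(r"\s+", " ", text).strip().lower()


def _body_text(msg):
    """Return the first text/plain body of the message as a string."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                return part.get_payload(decode=True).decode("utf-8", "replace")
        return ""
    return msg.get_payload(decode=True).decode("utf-8", "replace")


def check_pa_email(raw_message):
    """Return a list of findings for an outbound message; an empty list means it passes."""
    msg = message_from_string(raw_message)
    findings = []

    # Marking: FOUO at the beginning of the subject line ...
    if not msg.get("Subject", "").strip().upper().startswith("FOUO"):
        findings.append("subject line does not begin with FOUO")
    # ... and the required statement at the beginning of the body.
    if not _normalize(_body_text(msg)).startswith(_normalize(FOUO_STATEMENT)):
        findings.append("body does not begin with the required FOUO statement")

    # Addressing: every To/Cc recipient is checked individually.
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    for _name, addr in getaddresses(headers):
        addr = addr.lower()
        local, _, domain = addr.partition("@")
        if not domain.endswith(".mil"):
            findings.append(f"{addr}: outside DOD; release needs specific PA authority")
        elif local.startswith(GROUP_PREFIXES):
            findings.append(f"{addr}: distribution list or group address; confirm each member's need to know")
        elif addr not in AUTHORIZED:
            findings.append(f"{addr}: not on the authorized-recipient list")
    return findings


# Constructed sample messages.
GOOD_MESSAGE = """\
From: pa.officer@example.mil
To: supervisor@example.mil
Subject: FOUO - amendment request, case PA-2018-0042 (constructed)
Content-Type: text/plain; charset=utf-8

This e-mail contains FOR OFFICIAL USE ONLY (FOUO) information which must be
protected under the Privacy Act and AFI 33-332.

The amendment request and the record are attached.
"""

BAD_MESSAGE = """\
From: pa.officer@example.mil
To: dl-squadron@example.mil, cousin@example.com
Subject: roster update
Content-Type: text/plain; charset=utf-8

Here is the updated recall roster with everyone's home phone numbers.
"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD_MESSAGE), ("bad", BAD_MESSAGE)):
        print(label, check_pa_email(raw) or ["ok to send"])
```

    The check is deliberately conservative: a recipient that is neither outside DOD nor a list address but also not on the authorized set is still reported, because the module's rule is a need-to-know test, not a domain test. In a real mail gateway the authorized set would come from the record system's access list rather than a hard-coded constant.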

    Privacy on the Web

    Do not post personal information on publicly accessible DOD web sites unless clearly authorized by law and implementing regulation and policy.

    Do not post personal information on .mil private web sites unless authorized by the local commander, for official purposes, and an appropriate risk assessment is performed.

    Ensure public web sites comply with privacy policies regarding restrictions on persistent and third party cookies, and add appropriate privacy and security notices at major web site entry points and Privacy Act statements or privacy advisories when collecting personal information.

    Privacy on the Web

    Include a Privacy Act statement on the web page if it collects information directly from an individual that we maintain and retrieve by his or her name or personal identifier (i.e., SSN).

    Any time a web site solicits personally identifying information, even when not maintained in a PA system of records, it requires a Privacy Advisory.

    The Privacy Advisory informs the individual why the information is solicited and how it will be used. Post the Privacy Advisory on the web page where the information is being solicited, or through a well-marked hyperlink.

    Privacy Advisory

    Please refer to the Privacy and Security Notice that describes why this information is collected and how it will be used.

    Personal Information on Shared Drive

    Placing Personal Information on Shared Drives. Personal information should never be placed on shared drives for access by groups of individuals unless each person has an official need to know the information to perform their job.

    Officially approved file plans and electronic systems of record: add appropriate access controls to ensure access by only authorized individuals for approved electronic files.

    Recall Rosters

    Recall Rosters are FOUO because they contain personal information and should be shared with small groups at the lowest levels for official purposes to reduce the number of people with access to such personal information.

    Commanders and supervisors should give consideration to those individuals with unlisted phone numbers who do not want their number included on the office recall roster. In those instances, disclosure to the Commander or immediate supervisor, or deputy, should normally be sufficient.

    Social Rosters

    Before including personal information such as spouses' names, home addresses, home phones, birth dates, and similar information on social rosters or directories that are shared with groups of individuals, ask for signed consent statements. Otherwise, do not include the information.

    Consent statements must give the individual a choice to consent or not consent, and clearly tell the individual what information is being solicited, the purpose, to whom you plan to disclose the information, and that consent is voluntary. Maintain the signed statements until no longer needed.

    Personal Notes

    Personal Notes. The Privacy Act does not apply to personal notes on individuals used as memory aids.

    Personal notes may become Privacy Act records if they are retrieved by name or other personal identifier and at least one of the following three conditions applies:

    keeping or destroying the records is not at the sole discretion of the author;

    the notes are required by oral or written directive, regulation, or command policy; or

    they are shown to other agency personnel.

    USING THE FAX

    Consider:

    the sensitivity of the information;

    the location of the equipment and whether the equipment is manned.

    Call first.

    Use a cover sheet.

    PA Notifications

    Include a PA Warning statement in each AF publication that requires collecting or keeping information in a system of records.

    Violation Penalties

    An individual may file a civil suit against the Air Force for failing to comply with the Privacy Act.

    You may sue other military members when a violation has been determined.

    Violation Penalties

    For knowingly and willfully disclosing information from a system of records to someone not entitled to the information: misdemeanor criminal charge, and a fine of up to $5000.00.

    For knowingly and willfully maintaining a System of Records that doesn't meet the public notice requirements: misdemeanor criminal charge, and a fine of up to $5000.00.

    For knowingly and willfully obtaining someone else's records under false pretenses: misdemeanor criminal charge, and a fine of up to $5000.00.

    http://www.us-cert.gov/

    Lost, Stolen, or Compromised Information

    Report to the United States Computer Emergency Readiness Team (US-CERT) within an hour of discovery.

    Notify the MAJCOM Privacy Act office within 24 hours for forwarding to the Air Force Privacy Act Office within 48 hours of discovery.

    Lost, Stolen, or Compromised Information Reporting:

    Identify the organization/unit involved.

    Specify the date of the breach and the number of individuals impacted.

    Briefly describe the facts and circumstances surrounding the loss, theft, or compromise.

    Briefly describe actions taken in response to the breach:

    investigated by whom;

    results of the inquiry;

    action taken to mitigate any harm.

    The Commander shall determine whether administrative or disciplinary action is warranted and appropriate.

    Reporting of Lost, Stolen, or Compromised Personally Identifiable Information

    a. Component/Organization involved:

    Answer:

    b. Date of incident and number of individuals impacted (to include whether they are DoD civilian, military, or contractor personnel; DoD civilian or military retirees; family members; other Federal personnel or members of the public, etc.):

    Answer:

    c. Brief description of incident, to include facts and circumstances surrounding the loss, theft, or compromise:

    Answer:

    d. Describe actions taken in response to the incident, to include whether the incident was investigated and by whom; the preliminary results of the inquiry if then known; actions taken to mitigate any harm that could result from the loss; whether the impacted individuals are being notified, and if not notified within 10 work days, that action will be initiated to notify the Deputy Secretary; what remedial actions have been, or will be, taken to prevent a similar such incident in the future, e.g., additional training conducted, new or revised guidance issued, etc.:

    Answer:

    US CERT No.: ___________________

    NOTE: "Answer:" is not part of the original format of the report.
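    The reporting timelines on the slides above (1 hour to US-CERT, 24 hours to the MAJCOM PA office, 48 hours to the AF PA office), the 10-work-day individual-notification point in section d, and the four required sections of the report format can be tracked with a small triage helper. The following Python is an added example written for this page, not the module's own material or an official reporting tool; the timestamps, the draft report text and the section key names are constructed, and the workday count skips weekends only and ignores Federal holidays.

```python
from datetime import datetime, timedelta

# Reporting windows measured from the time of discovery, as the module lists them.
DEADLINES = {
    "US-CERT": timedelta(hours=1),
    "MAJCOM PA office": timedelta(hours=24),
    "AF PA office": timedelta(hours=48),
}

# Constructed key names for the four required sections (a-d) of the report format.
REQUIRED_SECTIONS = (
    "a_organization",
    "b_date_and_individuals",
    "c_description",
    "d_actions_taken",
)


def deadline_status(discovered, notified, now):
    """For each office return 'met', 'late', 'overdue' or 'pending'.

    notified maps office name -> datetime the notification was sent (absent if not yet sent).
    """
    status = {}
    for office, window in DEADLINES.items():
        due = discovered + window
        sent = notified.get(office)
        if sent is not None:
            status[office] = "met" if sent <= due else "late"
        else:
            status[office] = "overdue" if now > due else "pending"
    return status


def add_workdays(start, days):
    """Advance start by the given number of Monday-to-Friday workdays (holidays not considered)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def missing_sections(report):
    """Return the required section keys that are absent or blank in a draft report."""
    return [key for key in REQUIRED_SECTIONS if not str(report.get(key, "")).strip()]


# Constructed sample incident: discovered on a Wednesday morning.
DISCOVERED = datetime(2018, 4, 4, 9, 0)
NOTIFIED = {
    "US-CERT": datetime(2018, 4, 4, 9, 40),
    "MAJCOM PA office": datetime(2018, 4, 5, 10, 30),  # after the 24-hour window
}
NOW = datetime(2018, 4, 5, 12, 0)
DRAFT_REPORT = {
    "a_organization": "123d Example Squadron (constructed)",
    "b_date_and_individuals": "4 Apr 2018; 37 military members",
    "c_description": "Recall roster with home phone numbers e-mailed to an unauthorized address",
    "d_actions_taken": "",
}


def triage(discovered=DISCOVERED, notified=NOTIFIED, now=NOW, report=DRAFT_REPORT):
    """Bundle the three checks so the result can be reviewed or asserted on."""
    return {
        "deadlines": deadline_status(discovered, notified, now),
        "individual_notice_due": add_workdays(discovered, 10),
        "missing_sections": missing_sections(report),
    }


if __name__ == "__main__":
    result = triage()
    for office, state in result["deadlines"].items():
        print(f"{office:18} {state}")
    print("individuals must be notified by", result["individual_notice_due"].date())
    print("report sections still blank:", result["missing_sections"])
```

    The distinction between "late" and "overdue" matters for the Commander's determination on the previous slide: a late notification is a finding about the response, while an overdue one is an action still owed. Blank section d in the sample is the usual gap, since the investigation results and mitigation often are not known within the 48-hour window.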

    Protection and Disposing

    Protecting. Maintaining information privacy is the responsibility of every federal employee, military member, and contractor who comes in contact with information in any identifiable form; always protect it according to its sensitivity level.

    Disposing of Records

    Destroy by any method that prevents compromise, such as tearing, burning, or shredding, so long as the personal data is not recognizable and is beyond reconstruction.

    Degauss or overwrite magnetic tapes or other magnetic media.

    Dispose of paper products through the Defense Reutilization and Marketing Office or through activities that manage a base-wide recycling program.

    US-CERT: US Computer Emergency Readiness Team

    http://www.us-cert.gov/

    Helpful Links:

    http://www.defenselink.mil/privacy/

    http://www.defenselink.mil/privacy/SSNReductionPlan.pdf

    http://www.ftc.gov/privacy/index.html

    http://www.usdoj.gov/oip/index.html

    http://www.usdoj.gov/oip/04_7_1.html

    http://ogc.navy.mil/dodlinks.asp

    http://www.whitehouse.gov/omb/memoranda/index.html

    QUESTIONS?