privacy safeguards annual training fy 2011 previous next office of management privacy, information...

PRIVACY SAFEGUARDS ANNUAL TRAINING FY 2011 previous

next

Office of Management

Privacy, Information and Records Management Services

Privacy Safeguards Division

PRIVACY SAFEGUARDS ANNUAL TRAINING FY 2011

2

previous

next

Instructions

This training is intended for U.S. Department of Education contractors. If you

are an employee, you must take the Mandatory Privacy Training through the

Talent Management System (TMS). The link to TMS is on the home page of

connectED.gov

After you have reviewed the training slides, read and print the certificate found

on the last page. Sign and date the certificate, then give it to your immediate

supervisor and keep a copy for your own records.


3

previous

next

WELCOME

Annual privacy awareness training emphasizes the importance of privacy safeguards at ED, explains privacy protection requirements, and details your responsibilities for protecting privacy information, regardless of format.

Upon completion of this training you should be able to: define privacy protection terms;

protect the personal privacy rights of individuals whose personal information ED maintains, including your own;

identify potential threats to privacy protected data; and

identify and report suspected or actual loss of privacy data.

ED’s Privacy Safeguards Program is carried out by the Privacy Safeguards Division of the Office of Management’s (OM) Privacy, Information and Records Management Services (PIRMS).


4

previous

next

Who Must Take This Training?

As part of ED’s orientation process, all new employees, including career, contractors, non career, interns, stay-in-school and detailees, must complete this training within 30 days of reporting to duty at ED and annually thereafter.


5

previous

next

Why You Need This Training

This training will help you to:

1. Protect the personal privacy rights of individuals whose personal information ED maintains, including your own.

2. Comply with laws, regulations, and policies that protect privacy data.

3. Understand your privacy responsibilities before being permitted access to agency information and information systems.

4. Understand your personal responsibility for protecting against the unauthorized disclosure of privacy protected information and preventing privacy breaches.

5. Maintain the public’s trust.


6

previous

next

What Data Require Protection?

In general, any information about an individual that directly or indirectly identifies that person may require protection.

The Office of Management and Budget (OMB) directs Federal agencies to protect personally identifiable information (PII).

PII is information that can be used to distinguish a person’s identity, e.g., name, social security number, biometric data, etc., alone, or when

combined with other personal data, linked or linkable to a specific person, such as date and place of birth, mother’s maiden name, etc.

OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007


7

previous

next

Sensitive PII (SPII)

Some PII is always sensitive and requires a high level of protection because of the substantial harm to an individual that could occur if it were wrongfully disclosed.

The level of protection should reflect the sensitivity of the data – data that is determined by the owner to be of high value or that represents a high risk to the individual if it were wrongfully disclosed requires increased protection.


8

previous

next

Examples of PII and SPII

SSNs Date and place

of birth Business cards Security clearance

level Leave balances;

type of leave used Family data Religion, race,

national origin Performance ratings

Participant’s names/results in ED studies

Home address Home telephone

number Personal e-mail

address

PIIIncludes all personal information associated with

an individual, including:

Sensitive PIIIncludes PII that could cause harm if wrongfully

disclosed, including:

SSNs Biometric identifiers (fingerprints, etc.) Date and place of birth Leave balances; type of leave used Religion, race, national origin Performance ratings Participants’ names/results in ED studies Alien registration number Driver’s license number Medical or financial information


9

previous

next

What Is The Privacy Act?

The Privacy Act (the Act) regulates how Federal agencies collect, maintain, use, and disclose an individual’s information.

The Act protects “records”, i.e., any information about a person, such as education, financial, medical, criminal or work history, that contains one’s name or other personal identifier. The Act – requires Federal agencies to publish system of records notices (SORNs) so

that the public is aware of what personal information is being maintained and how it will be used;

requires that records about individuals are accurate, relevant, timely, and complete; and

generally allows individuals to access and request corrections to records maintained on them.

The Privacy Act of 1974, as amended. 5 U.S.C. §552a.


10

previous

next

Privacy Act Systems of Records

A system of records is a group of records that an agency maintains that: contains a personal identifier, such as a name, Social Security Number

(SSN), etc., about a specific person; contains one other item of personal data (such as home address,

performance rating, blood type, etc.); and is retrieved by a personal identifier.

If you are the project lead or system owner, you must prepare a System of Records Notice (SORN) that will be published in the Federal Register.

If you think this applies to your project, contact the Privacy Safeguards Division for assistance as soon as possible. The SORN process can take as long as 6-9 months.


11

previous

next

Consequences for Violating The Privacy ActCriminal penalties may result in misdemeanor criminal charges and fines of

up to $5,000 for each offense per violation for:

knowingly and willfully disclosing Privacy Act data to any person(s) not entitled to access it;

knowingly and willfully requesting or obtaining records under false pretenses; and

willfully maintaining a system of records without meeting the Act’s public notice requirements.

NOTE: The Privacy Act authorizes criminal remedies against Federal employees and contractors.


next

Consequences for Violating The Privacy Act (cont.)Civil remedies may result in payments of actual damages and payments

of reasonable attorney’s fees when an agency fails to:

comply with any provision of the Act, or agency rule, that results in an adverse effect on an individual, including –

refusing to amend an individual’s record in a system of records in accordance with the individual’s request;

refusing to comply with a person’s request for access to the information pertaining to them in a system of records; and

failing to maintain accurate, relevant, timely and complete systems of records.

NOTE: The Privacy Act only authorizes civil remedies against Federal agencies, not Federal employees.


13

previous

next

Determining Privacy Risks

The initial review of the privacy risks of ED Information Technology (IT) systems and data collections is conducted at the beginning of the system lifecycle. This review is a Privacy Threshold Analysis (PTA).

The PTA process helps determine what privacy documentation is required and what privacy issues should be addressed when a system is being developed or modified.

System owners and/or project managers complete the brief PTA form by providing basic information about the system in order to determine if additional documentation is required.


14

previous

next

Determining Privacy Risks

The E-Government Act of 2002, requires Federal agencies to conduct Privacy Impact Assessments (PIAs) for IT systems that contain information in identifiable form in order to identify and address privacy risks.

A completed PIA details how the information is collected, stored, protected, shared and managed electronically by a Federal agency. A PIA must be conducted: before developing or procuring IT systems that collect or maintain PII about the public;

or when initiating a new electronic collection of information in identifiable form for 10

or more people. A PIA must be updated when changes to the system, collection, or process create

new or altered privacy risks.

PIAs must be made available at www.ed.gov.

http://www.ed.gov/


15

previous

next

Special Consideration For SSNs

Collect only as a last resort! SSNs may not be collected or used unless:

authorized by law, regulation, or presidential order, and/or necessary for a documented agency purpose;

there is approved documentation that no reasonable alternative exists; or

these requirements must be met before developing or modifying a system, or implementing a program that collects, uses, maintains, or discloses SSNs.


16

previous

next

Safeguarding PIIMinimize PII Collect only PII that you are authorized to collect, and at

the minimum level necessary to accomplish a required purpose.

Limit number of copies containing PII to the minimum needed.

Secure PII When not in use, store PII in an appropriate access-

controlled environment. Use fictional personal data for presentations or training. Review documents for PII prior to posting on

ED web pages. Safeguard PII in any format around your work area. Disclose PII only to those authorized to see it.

Safeguard the transfer of PII Do not e-mail PII unless it is encrypted or in a

password protected attachment. Alert FAX recipients of incoming transmission. Use services that provide tracking and confirmation

of delivery when mailing or shipping PII offsite.

Dispose of PII Properly Delete/dispose of PII at the end of its retention period or

transfer it to the custody of the National Archives, as specified by its applicable records retention schedule.


next

What Is A Privacy Breach?A privacy breach occurs when PII is lost or stolen, or is disclosed or otherwise exposed to unauthorized people and/or for unauthorized purposes.

This includes PII in any format, and whether or not it is a suspected or confirmed loss.

Examples of PII breaches: PII left on the printer or scanner; PII e-mailed without encryption or other protection; PII mailed to the wrong recipient; PII stored on a stolen laptop or thumb drive; and PII posted to a public-facing website, etc.


next

If You Suspect a Privacy Breach If you lose or suspect a loss of PII, it is your responsibility to notify your immediate

supervisor and your computer security officer (CSO) or Information Systems Security Manager (ISSM) at once.

Be ready to provide the facts of the incident, including the number of records exposed, the type of PII lost (name, SSN, addresses), if the data is still at risk, etc.

Immediate action is important because agencies must report a breach involving PII within one hour of discovering the breach or potential breach.

Once your report is made, ED will determine appropriate next steps.


next

There are Risks if PII is Lost or Stolen

Risks to the Victim Identity theft, including financial loss and

impact on job, credit, and reputation; Embarrassment; Emotional distress; and Loss of confidence in the government.

Risks to the ED Employee Disciplinary action, loss of clearance,

employment, or access to PII; Penalties under the Privacy Act; and Diminished reputation.

Risks to ED Diminished reputation; Costs of mitigation; Litigation and associated costs; Impact on agency processes; and Loss of the public trust.


next

ED Penalties for Unauthorized Disclosure of PII

ED employees may be subject to disciplinary action for failure to safeguard PII, including: reprimand;

suspension;

demotion; or

removal from employment.

Personnel Manual Instruction 751-1 (Appendix A)

http://connected.ed.gov/doc_img/pmi_751-1.doc

http://connected.ed.gov/doc_img/pmi_751-1.doc


next

Questions about Safeguarding PII?

Consult your Supervisor

Contact your Principal Office Computer Security Officer or Information System Security Manager

Contact ED’s Privacy Safeguards Program:

Privacy Service Line at 202-401-1269, or

E-mail: [email protected]

Visit ED’s Privacy Safeguards Division webpage on connectED.gov:

http://connected.ed.gov/index.cfm?office=om&cid=be9ae700-b2b4-e2e1-fcbe-b2d9beb90b93

mailto:[email protected]

http://connected.ed.gov/index.cfm?office=om&cid=be9ae700-b2b4-e2e1-fcbe-b2d9beb90b93


Certificate of CompletionI have completed the Privacy Safeguards Annual Training for

ED Employees and Contractors, FY 2011.

I am aware of my responsibilities to safeguard privacy information and that there may be consequences for not

doing so.

PRINT NAME SIGNATURE

DATE

privacy safeguards annual training fy 2011 previous next office of management privacy, information...

Documents

privacy information

privacy responsibilities

mandatory privacy training

privacy breaches

office of management

privacy protected data

privacy protection terms

eds privacy safeguards