The Privacy Act of 1974: An Introduction (September 2010, For Official Use Only)


Lesson 1: Introduction


Welcome

• Course overview

• Trainer introductions


Participant Introductions

Now it’s time to introduce ourselves

• Name

• Number of years with the Department of Defense (DoD)

• Current job, agency, or component

• Responsibilities


Course Goals

• To raise awareness of the need to safeguard the personally identifiable information (PII) held by the Department of Defense

• To raise awareness of the penalties associated with Privacy Act violations


Course Objectives

After completing this course, you will be able to:

• Identify the policy objectives associated with the Privacy Act of 1974

• Identify concepts and definitions associated with personally identifiable information (PII)

• Identify the nondisclosure rule and its 12 exceptions

• Identify safeguards and best practices that help ensure the protection of PII

• Identify the penalties for noncompliance with the Privacy Act of 1974


Course Structure

1. Introduction

2. The Privacy Act of 1974 Policy Objectives

3. Concepts and Definitions Associated With PII

4. Conditions of Disclosure

5. Safeguarding PII

6. Penalties for Noncompliance with the Privacy Act

7. Scenario Exercise: Putting It All Together

8. Course Summary

Lesson 2: The Privacy Act of 1974 Policy Objectives

Lesson Objective

Upon completion of this lesson, you will be able to:

• Identify the policy objectives associated with the Privacy Act of 1974


Code of Fair Information Practice Principles

• In 1972, the Advisory Committee on Automated Personal Data Systems explored the impact of computerized record-keeping on individuals and proposed a Code of Fair Information Practice Principles (FIPPs).

• FIPPs evolved into 8 generally accepted principles.

• These principles formed the basis for all subsequent codes and laws related to information collection, especially the Privacy Act of 1974.


Fair Information Practice Principles

The 8 generally accepted principles identified in the Code for Automated Personal Data Systems are:

1. Collection limitation

2. Data quality

3. Purpose specification

4. Use limitation

5. Security safeguards

6. Openness

7. Individual participation

8. Accountability


Inception of the Privacy Act of 1974

• Congress turned its attention to the issue of data stored in insecure data banks in June 1974.

• The Senate Judiciary Committee's Subcommittee on Constitutional Rights discovered that billions of records were stored within Federal Government computers.

• Individuals did not know the information was being collected and had no recourse to review or correct it.


Objectives of the Privacy Act

• To restrict disclosure of personally identifiable records maintained by agencies

• To grant individuals increased rights of access to agency records maintained on themselves

• To grant individuals the right to seek amendment of agency records maintained on themselves upon a showing that the records are not accurate, relevant, timely, or complete

• To establish basic requirements for agencies to comply with standards for collection, use, maintenance, and dissemination of records

Lesson 3: Concepts and Definitions Associated with PII

Lesson Objective

After completing this lesson, you will be able to:

• Identify concepts and definitions associated with personally identifiable information (PII)


Definitions

• Personally identifiable information (PII) is information about an individual that identifies, links to, relates to, is unique to, or describes him or her.


Definitions, cont.

• Protected Health Information (PHI) is a subset of personally identifiable information.

• Examples of PHI are a medical diagnosis; lab results; X-rays; and the date, time, and location of medical appointments.


Definitions, cont.

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the privacy of individuals' PHI from inappropriate disclosure.


Definitions, cont.

• A single item or collection of items of PII maintained by an agency is called a record.

• Records are grouped into a collection for a specific purpose by an agency. When a personal identifier is used to retrieve records from such a collection, it is called a system of records (SOR).


Definitions, cont.

• A system of records notice (SORN) is a description of the contents of an existing or planned system of records. A SORN states the purpose and authority by which the information in the system of records is collected, and identifies what data the agency intends to collect, how the data will be used and safeguarded, who will have access, and other details.


Definitions, cont.

• Routine use is the disclosure of a record outside the DoD for a use that is compatible with the purpose for which the information was collected and maintained by the DoD. The routine use must be included in the published system notice for the system of records involved.


Definitions, cont.

• Need-to-know is the authorized, official need to have access to information that is protected under the Privacy Act based on assigned duties and responsibilities.

• The need-to-know test is satisfied when the requester can establish either of the following:

1. The information is needed for official business

2. The information is required by law


Definitions, cont.

• Responsibility to share information was met within DoD on December 28, 2007, through the addition of a “Blanket Routine Use,” which allows the sharing of a record consisting of or relating to:

– Terrorism information

– Homeland security information

– Law enforcement information

• Responsibility to share information does not circumvent the need-to-know.


Sharing Information Appropriately

Lesson 4: Conditions of Disclosure

Lesson Objective

After completing this lesson, you will be able to:

• Identify the nondisclosure rule

• Identify the 12 exceptions to the nondisclosure rule


General Disclosure Prohibition

• "No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains."

— 5 U.S.C. § 552a(b)

• There are 12 exceptions to this nondisclosure rule.


Exceptions to the Nondisclosure Rule

The following 3 slides list conditions in which it is acceptable to disclose PII from a Privacy Act record to a third party:

1. To employees with a legitimate need-to-know

2. When the FOIA requires release

3. For a "routine use" identified in the system of records notice (SORN) that has been published in the Federal Register


Exceptions to the Nondisclosure Rule, cont.

4. To the Census Bureau for purpose of conducting the census

5. For statistical research and reporting in which individuals will not be identified

6. To the National Archives and Records Administration


Exceptions to the Nondisclosure Rule, cont.

7. To civil or criminal law enforcement under U.S. control

8. For compelling circumstances affecting the health or safety of the individual

9. To either House of Congress


Exceptions to the Nondisclosure Rule, cont.

10. To the Comptroller General

11. Pursuant to a court order (a subpoena signed by a judge)

12. To a consumer reporting agency in accordance with the Debt Collection Act

Lesson 5: Safeguarding PII

Lesson Objective

After completing this lesson, you will be able to:

• Identify safeguards and best practices that help ensure the protection of PII


Administrative Safeguards

1. Verify that e-mail distribution lists are only for those with a need-to-know.

2. Validate the use of the information against the purpose of collection in the SORN.

3. Ensure that the component privacy officer reviews/updates the SORN.


Administrative Safeguards, cont.

4. Be aware of the surrounding environment when engaging in conversation involving PII.

5. Ensure that telephone conversations are private.

6. Check that information containing PII is necessary for the task. As a policy under the Privacy Act, ask whether a task can be completed without the PII.


Administrative Safeguards, cont.

7. Do not take PII out of the office unless required by your official duties and approved by an appropriate authority.

8. Mark hard copies of PII using prescribed markings such as “Sensitive” and cover with a coversheet or folder.

9. Consult the component privacy officer before the creation of a System of Record (SOR) or information collection. The privacy officer will determine whether a SORN needs to be created to notify the public.


Technical Safeguards

1. Use encryption for e-mails that include PII.

2. Use only DoD-approved software.

3. Use cover sheets, confirm fax numbers, and obtain transmission confirmation when faxing.

4. Do not use flash ("thumb") drives.


Physical Safeguards

1. Use locks to secure PII/PHI when stored.

2. Dispose of records according to established standards in the SORN or procedures established by the National Archives and Records Administration.

3. Establish physical safeguards that protect information against reasonably identifiable threats that could result in unauthorized access or alteration.

4. Test safeguards to ensure that they perform as intended.


Best Practices

• Do not use information that was previously collected for a new use without informing the public by altering an existing SORN or creating a new one.

• Do not use a subset of existing data for a new purpose.

• Do not maintain data collections in secret.

• Do not use data from websites such as Wikipedia instead of authoritative Government sources. 

• Do not keep PII in an unapproved spreadsheet.


Best Practices, cont.

• Collect information directly from the individual to the greatest extent practical.

• Verify that data retrieved are accurate, complete, relevant, and timely (up-to-date).

• Ensure that information is from the authorized official source. 

Lesson 6: Penalties for Noncompliance with the Privacy Act

Lesson Objective

After completing this lesson, you will be able to:

• Identify the penalties for noncompliance with the Privacy Act of 1974


Noncompliance with the Privacy Act

Individuals may be criminally liable if they knowingly and willfully:

• Disclose privacy data to any person not entitled to access

• Maintain a system of records without meeting public notice requirements

• Obtain or request records under false pretenses


Noncompliance with the Privacy Act, cont.

Courts may award civil penalties against the Agency for:

• Improperly/unlawfully refusing to amend a record

• Improperly/unlawfully refusing to grant access to a record

• Failure to maintain accurate, relevant, timely, and complete information

• Failure to comply with any Privacy Act provision or agency rule that results in an adverse effect on the subject of the record


Penalties for Noncompliance

Criminal penalties (apply to the individual employee):

• A misdemeanor charge

• Maximum fine of $5,000


Penalties for Noncompliance, cont.

Civil penalties (apply to the agency, not the employee):

• The cost of actual damages suffered ($1,000 minimum)

• Costs and reasonable attorney's fees

Lesson 7: Scenario Exercise: Putting It All Together

Lesson Objective

After completing this lesson, you will be able to:

• Identify errors in handling PII and demonstrate awareness of the appropriate action to take in managing PII


Scenario

The scenario that you are about to read is based in part on a real situation. You will read the scenario and answer questions about the appropriate actions to take.


Scenario Questions

• Does this e-mail contain personally identifiable information?

• Is this information protected under the Privacy Act?

• Does Judy have a need-to-know this information?

• Have the appropriate technical safeguards been applied in the transmittal of this e-mail?

• Is this a breach? If so, who should Judy report it to?

Lesson 8: Course Summary

Key Points from the Course

• Agency responsibilities: The Privacy Act of 1974 sets forth objectives for Federal agencies that maintain records with personally identifiable information. Summarized, these are:

– Agencies must restrict disclosure of personally identifiable records

– Individuals have rights of access to agency records about themselves

– Individuals can seek amendment of agency records about themselves


Key Points from the Course, cont.

• Agencies should abide by a Code of Fair Information Practice Principles that requires agencies to comply with standards for collection, maintenance, and dissemination of records.

• Safeguards: DoD employees and contractors must practice administrative, physical, and technical safeguards to protect PII from misuse or use without permission.


Course Objectives Reviewed

You should now be able to:

• Identify the policy objectives associated with the Privacy Act of 1974

• Identify concepts and definitions associated with personally identifiable information (PII)

• Identify the nondisclosure rule and its 12 exceptions

• Identify safeguards and best practices that help ensure the protection of PII

• Identify the penalties for noncompliance with the Privacy Act of 1974


Additional Resources

You may also consult one of the following resources on privacy found at http://dpclo.defense.gov.

• DoDD 5400.11, "DoD Privacy Program," May 8, 2007

• DoD 5400.11-R, "Department of Defense Privacy Program," May 14, 2007
