Safeguarding Privacy Act Data Awareness Training for ALL DeCA Employees and Contractors
2 Time for a reminder!
In a number of recent incidents, personal data has been lost, stolen, or compromised.
Most notable: in May of 2006, a laptop stolen from a Federal employee's home contained personal data on 26.5 million veterans.
Don't allow yourself OR a member of your staff to be the next individual accused of carelessly handling personal data!
3 What is Privacy Data?
Personally identifiable information such as:
–Social Security Numbers
–Home Addresses
–Telephone Numbers
Special Categories of Privacy Data:
–Investigative Files
–Employee Information (including OPF & medical information)
–Security Clearance Files
–Adverse Action Information
4 Privacy Data & DeCA
We are extremely careful dealing with patron information, such as:
–Social Security Numbers (check acceptance)
–Credit Card Numbers
–Debit Card Numbers
–WIC Cards/Vouchers
5 Privacy Data & DeCA (cont'd)
We must show the same concern when dealing with employees' data by:
–Avoiding improper sharing of information, such as spreading gossip that would embarrass or harm a person; for example: "Did you know that Mary has a bad credit rating?"
–Utilizing e-mail properly when forwarding Privacy data; for example: avoiding the use of "Reply to All" unless appropriate, and obtaining the employee's consent when sending out notices (e.g., loss of loved ones) containing home addresses, etc.
–Never failing to safeguard Privacy data in our cubicles, on our desks, and on our computers; for example: leaving documents out in the open when away from your desk
6 Safeguarding Requirements
Three Levels of Safeguards:
–Administrative (FOUO/Privacy Act markings, etc.)
–Physical (cabinets, drawers, folders, etc.)
–Computer (passwords, encryption, etc.)
Individuals responsible for safeguards:
–Individual users
–Information Technology System Designers
–Privacy Act System Managers
–Privacy Act Officials
As individuals, we must ALL do our best to proactively protect the privacy rights of all individuals, to include all employees and patrons.
7 Marking Privacy Data
Privacy Act data is to be handled as For Official Use Only (FOUO).
Mark Privacy Act data with a handling notice when it is created or received:
–Privacy Act of 1974 Data; or
–Privacy Act Data; or
–For Official Use Only
Place marks at the top and bottom of each page or screen.
Reminder: Before disseminating Privacy Act data, ensure that it carries the FOUO handling notice!
8 Storing Privacy Data
Duty Hours
–Cover or place in an out-of-sight location when those not authorized access enter the work space
–Lock computers when leaving, even for brief periods
–DO NOT share your password with ANYONE!
After Duty Hours
–If the building is locked or manned by security, place records containing Privacy information in closed drawers or cabinets
–Special categories of Privacy data should be placed in LOCKED offices, drawers, or cabinets
Reminder: Give Privacy Act information in the workplace the same degree of security you would give your OWN most sensitive personal/financial information at home!
9 Sharing Privacy Act Data
Follow the need-to-know principle.
Inside DeCA, share only with those specific DeCA employees/contractors who need the data to perform official, assigned duties.
Outside of DeCA, share only with those individuals and entities that are listed in the Routine Use clause of the governing Privacy Act system notice and to whom the Privacy Act System Manager allows disclosures.
If you have doubts about sharing data, consult with your supervisor or your Privacy Officer.
10 Removal of Privacy Data from Work Area
NO Privacy data should be removed UNLESS necessary to perform your official duty.
Written consent from your immediate supervisor MUST be obtained and must identify the following:
–Type/description of data
–Reason for removal
–Date and expected time for return
When TDY, ensure that you secure records in the local DeCA facility OR secure them out of sight in the hotel or billeting facilities.
When teleworking, treat Privacy protected data the same way you would treat your most personal, sensitive information.
Questions about whether it is appropriate to grant authority? Contact your Privacy Officer, Deputy General Counsel Litigation/FOIA, or Senior Privacy Official, all located in the Office of General Counsel.
11 Transporting Privacy Data
Ground Mail:
–You may double wrap using an inner and outer envelope if appropriate
–Mark on the inner envelope that it contains Privacy Act data
–Mark the outer envelope to the attention of an authorized recipient
–Never indicate on the outer envelope that it contains Privacy data
–Never use holey joes or messenger-type envelopes
Handcarry:
–Use envelopes or a Sensitive Unclassified Information cover sheet (DeCAF 30-34) to shield contents
E-mail:
–Announce in the opening line and in the last line of text that you are relaying Privacy Act data or FOUO material
Facsimile:
–Use a fax cover sheet
–Make sure the cover sheet clearly indicates who it goes to and that the fax contains Privacy Act data
–If the receiving fax machine is in a common area (or if you are uncertain), call ahead to make arrangements for receipt
12 Disposition/Inappropriate Disclosure
Disposing of Privacy Data
–When no longer required, Privacy Act data should be disposed of in a manner that renders the information unrecognizable or beyond reconstruction
–Use any means that accomplishes the task and prevents inadvertent compromise
–Refer to your Records Schedule for proper disposition of Agency records
Reporting Inappropriate Disclosures
–In the event that Privacy protected information is compromised or inappropriately/inadvertently released, immediately report it to your Privacy Act Officer
–Agency must report to Department of Homeland Security within the hour
ERR ON THE SIDE OF CAUTION! If you are not certain whether an inadvertent release or an actual compromise has occurred, consult with your Privacy Officer.
13 Criminal Penalties for Noncompliance with the Privacy Act
–For knowingly and willfully disclosing Privacy Act data to any person not entitled to access
–For maintaining a System of Records without meeting the public notice requirements
–For knowingly and willfully requesting or obtaining records under false pretenses
Individual employees may be charged with a misdemeanor and fined up to $5,000.
14 Civil Penalties for Noncompliance with the Privacy Act
The Privacy Act also imposes civil penalties for:
–Failing to comply with any Privacy Act provision or Agency rule that results in an adverse effect
–Failing to maintain accurate, relevant, timely and complete data
–Unlawfully refusing to amend a record
–Unlawfully refusing to grant access to records
Penalties include:
–Payment of actual damages
–Payment of reasonable attorneys' fees
Civil penalties are imposed on agencies, not individuals; however, Agency employees responsible for civil violations for which the Agency may be penalized are subject to administrative sanctions, such as removal from employment.
15 If You Have Access to Personal Data...
Protect the data at all times.
Do NOT share it with anyone unless:
–The recipient is an employee/contractor who has a need for the record in the performance of their duties; or
–The individual has given you written consent to disclose it
Password protect personal data placed on:
–Shared drives
–Internet
–Intranet
Think about the likely results of your actions (for example: "If I do this, will I increase the risk of unauthorized access?").
16 Some useful pointers…
–NEVER leave a document containing privacy protected information unattended at the copier!
–Prior to faxing a document containing sensitive information, call the intended recipient to ensure prompt pickup!
–Be cognizant when printing privacy data; ensure you are selecting a printer that you have access to and ensure prompt retrieval!
–When sending e-mails, ensure the recipient has a need to know; when sending personal notifications (such as a death in the family), remember to obtain permission before disseminating
–Make sure you use sealable opaque envelopes when routing personal data
–When opening mail, be sure to pay extra attention to any special instructions/restrictions on the outside of the envelope so you don't accidentally disclose personal information protected by the Privacy Act
17 Recognize Your Personal Responsibility
–Respect the privacy of others
–Take privacy protection seriously
–Alert your supervisor or other management official when you see personal data left unattended
–Report suspected Privacy compromises to your Privacy Officer
–Know the Privacy Act requirements
–Use COMMON SENSE!
If you have any questions or concerns about your individual responsibilities concerning the Privacy Act, please contact the DeCA Privacy Officer!
18 Contact Information
DeCA Privacy Officer
Donna Williamson
Office of General Counsel
DSN 687-8777
(804) 734-8777
firstname.lastname@example.org