Department of Commerce Privacy Awareness
August 1, 2005

What is privacy protection?

Privacy protection includes the protection of the personal privacy rights of individuals from the unauthorized collection, maintenance, use, and disclosure of personal information about them. When DOC does collect personal information, we have a duty and responsibility to protect that information from misuse. Business identifiable information received by DOC must be similarly protected, in accordance with applicable laws.
Your responsibilities to protect privacy

As a Commerce employee, you are responsible and accountable for:
- knowing what constitutes personal information and business identifiable information;
- handling personal and business identifiable information;
- protecting personal and business identifiable information; and
- following all laws, rules, regulations, and Departmental policies regarding personal and business identifiable information.
DOC privacy principles

The Department of Commerce has adopted the following privacy principles:
- Data Minimization – Commerce will collect the minimal amount of information necessary from individuals and businesses consistent with the Department's mission and legal requirements.
- Transparency – Notice covering the purpose of the collection and use of personally identifiable information will be provided in a clear manner. Information collected will not be used for any other purpose unless authorized or mandated by law.
- Accuracy – Information collected will be maintained in a sufficiently accurate, timely, and complete manner to ensure that the interests of the individuals and businesses are protected.
- Security – Adequate physical and IT security measures will be implemented to ensure that the collection, use, and maintenance of personally identifiable information is properly safeguarded and the information is promptly destroyed in accordance with approved records control schedules.
Key privacy laws

- Privacy Act of 1974
- Freedom of Information Act (FOIA)
- E-Government Act of 2002

Additional privacy laws regulate other areas, such as government access to bank and other financial records, identity theft, trade secrets, health records, and education records. The Trade Secrets Act (18 USC 1905) provides criminal penalties for the unauthorized disclosure by the government of confidential commercial information.
Privacy Act of 1974

- Regulates how federal agencies collect, maintain, use, and disclose individuals' information maintained in a Privacy Act system of records. This includes information pertaining to federal employees as well as the public.
- Requires federal agencies to publish systems of records notices so that the public is aware of what Privacy Act records are being maintained and under what authority.
- Requires that information about individuals maintained in a Privacy Act system of records be accurate.
- Allows individuals to access and seek to amend their Privacy Act records.
Freedom of Information Act (FOIA) and privacy

The FOIA allows public access to all agency records not protected from disclosure by a FOIA exemption. As a federal employee, certain government information about your employment may be disclosed, such as your position description, title, series, salary, and monetary award amounts.
FOIA personal privacy exemptions

FOIA provides two separate exemptions to protect individuals' private information contained in agency records.
- Exemption (b)6 protects from disclosure information about individuals in "personnel and medical files and similar files" when the disclosure of such information "would constitute a clearly unwarranted invasion of personal privacy."
- Exemption (b)7(C) provides protection for personal information in law enforcement records. This exemption is the law enforcement counterpart to Exemption (b)6.
FOIA exemption for commercial information

Exemption (b)4 protects from disclosure "trade secrets and commercial and financial information obtained from a person [that is] privileged and confidential." "Commercial" is not confined to records that reveal basic commercial operations but includes any records [or information] in which the submitter has a commercial interest and can include information submitted by a nonprofit entity.
E-Government Act of 2002

Requires that every federal agency conduct a Privacy Impact Assessment on each of its information technology systems under development that will contain personally identifiable information. As a matter of policy, Commerce also requires that a Privacy Impact Assessment be conducted when developing systems that will contain business identifiable information.

The purpose of the Privacy Impact Assessment is to ensure that there is no collection, storage, access, use, or dissemination of identifiable information from or about members of the general public and businesses that is not needed or authorized, and that identifiable information that is collected is adequately protected.
What is personal information?

Personal information is any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. (Section 208 (d) of the E-Government Act of 2002)

Examples include:
- Lists of the names of visitors to buildings or offices;
- Pay and personnel records;
- Photographs of individuals captured on surveillance cameras installed to ensure the security of buildings or locations;
- A biometric system that uses voice recognition technology to allow individuals access to certain controlled areas.
Where will you encounter personal information?

- Entering data into a time and attendance system;
- Processing a personnel action;
- Reviewing a performance award nomination file;
- Building a new database that is being filled with personal information;
- Searching an existing database for individuals that meet certain criteria;
- Receiving personal information from another agency;
- Entering information into an employee medical file.
How do you protect personal information (1)?

- Consider all personal information given to you, either written or verbally, as sensitive.
- Provide personal information only to those who have a need to know.
- Use personal information ONLY for official purposes.
- Provide access to an individual's information only if you have specific authority to do so.
- Secure personal information with appropriate passwords and locks.
How do you protect personal information (2)?

- Not all personal information is exempt from disclosure to the public, e.g., name, title, grade, and office phone number of federal employees. Contact your FOIA/PA Officer for guidance on personal information that may be released.
- When creating a new system or significantly modifying a legacy system that contains personal information, conduct a Privacy Impact Assessment and contact your Operating Unit FOIA/Privacy Act Officer.
Business identifiable information (1)

Under Commerce policy, business identifiable information consists of information that is defined in the FOIA as "trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential." This information is exempt from automatic release under FOIA Exemption (b)4. "Commercial" is not confined to records that reveal basic commercial operations but includes any records [or information] in which the submitter has a commercial interest, and may include information submitted by a nonprofit entity.
Business identifiable information (2)

Not all business identifiable information is exempt from disclosure, e.g., annual financial reports of public corporations. Contact your FOIA/PA Officer for guidance.

Other terms for business identifiable information that must be protected from disclosure are:
- confidential business information
- confidential commercial information
- proprietary information
Examples of business identifiable information in Commerce

- Financial information provided in response to requests for economic census data;
- Business plans and marketing data provided to participate in trade development events;
- Commercial and financial information collected as part of export enforcement actions;
- Proprietary information provided in support of a grant application or related to a federal acquisition action;
- Financial records collected as part of an investigation.
Examples of privacy violations

Violations include:
- Requesting, obtaining, or using records under false pretenses
- Maintaining inaccurate Privacy Act records that result in adverse action
- Maintaining a Privacy Act system of records that has not been disclosed in a published notice
- Failure to conduct a Privacy Impact Assessment when required
- Disclosing business identifiable information that is protected from disclosure, in violation of the Trade Secrets Act or other laws and regulations

Penalties for violations could include:
- DOC disciplinary action
- Civil action against DOC and/or the employee
- Criminal prosecution of the employee
Scenario

Your office has been investigating an incident that involves a Commerce employee who is being disciplined. You want to share all the details in the case file with your buddy over lunch. Can you gossip about what's in the file?

ANSWER: No. You need to keep all information provided to you private and only give it to those who need to know. Your buddy doesn't need to know.
Scenario

A Commerce OIG inspector comes to your office and asks to see the case file of an employee who is being investigated so that he or she may conduct an official progress review of the investigation. Do you hand over these records?

ANSWER: Yes, but first ask to see the inspector's credentials. The inspector needs to know the information you have in order to complete his or her official investigation.
Scenario

Your office has decided to enter into a contract with a private sector company that maintains databases with personal information to test a new modeling system that can be used to identify violators of export controls. This is a new system. You will be accessing their information and storing the results in your computer system. Do you need a Privacy Impact Assessment and/or a Systems of Records Notice (SORN)?

ANSWER: Yes, you need both. Contact your Operating Unit FOIA/Privacy Act Officer to ensure that an SORN has been completed. Privacy Impact Assessments and SORNs should be completed prior to the signing of a contract so that privacy may be fully considered. In fact, potential contractors should address privacy issues in their proposals to DOC.
Scenario

In your position as an economist, you receive from corporations proprietary data and other confidential business identifiable information that is provided solely for the purpose of developing national economic and statistical reports that do not include identifiable information. May you use the information received to pick stocks?

ANSWER: No. You are responsible for protecting business identifiable information from unauthorized release or misuse. Using the information to further your personal financial interests could result in disciplinary action.
Scenario

A citizen calls you at your desk and asks for a copy of "everything DOC has on me." She says if you don't give the information to her, she's going to take this all the way to the Supreme Court. What do you do?

ANSWER: Inform the individual that she may send a FOIA or PA request electronically to or by mail or fax ( ). More information is at
Rules for protecting personal information and business identifiable information

- It is your responsibility to protect personal information and business identifiable information that is exempt from disclosure.
- Think before you disclose.
- Consider all personal information given to you as sensitive.
- Protect business identifiable information in a similar manner as personal information.
Questions?

- Brenda Dolan, DOC FOIA/Privacy Act Officer,
- Your operating unit FOIA/PA Officer. See list at
- For IT privacy, records management, E-Government Act, and Privacy Impact Assessment issues: Dan Rooney,