Presentation on theme: "Defense Privacy Office 1 Budget Documentation and Justification Writing Class The Privacy Act of 1974: What Senior Leaders Need to Know."— Presentation transcript:
Defense Privacy Office 1 Budget Documentation and Justification Writing Class The Privacy Act of 1974: What Senior Leaders Need to Know
Defense Privacy & Civil Liberties Office 2 Purpose of this Brief This brief was designed to provide DoD senior leadership an overview of the requirements and responsibilities under the Privacy Act of 1974, the Computer Matching Act of 1988, and various privacy related Office of Management and Budget circulars and memoranda.
Defense Privacy & Civil Liberties Office 3 Privacy Act of 1974 Purpose: The Privacy Act (5 U.S.C. § 552a, as amended) establishes records management responsibilities for Privacy Act Systems of Records collections and safeguards. Applicability: The following criteria must be met to apply the Privacy Act Personally identifiable information pertaining to United States citizens and permanent resident aliens, Collected and/or maintained by U.S. Executive Branch agencies, and Maintained in a system of records; retrieved by a personal identifier, i.e., Name, SSN, etc. The Privacy Act of 1974 was created in response to concerns about how the use of personal data might impact an individual’s privacy rights
Defense Privacy & Civil Liberties Office 4 Key Terminology Personally Identifiable Information (PII) Information which can be used to distinguish or trace an identity to a specific individual such as name, Social Security Number (SSN), date and place of birth, mother’s maiden name, biometric records and other personal information linked to an individual. Systems of Records Any group of records where information is retrieved by the name of the individual or by a personal identifier. System of Records Notice (SORN) A notice published in the Federal Register informing the public that an agency is collecting and maintaining personal information which is retrieved by name or identifier assigned to the individual. The intended use of the information collected must be noted.
Defense Privacy & Civil Liberties Office 5 PII in DoD What are some examples of PII? Name Date and Place of Birth Personal Financial Information Social Security Number Mother’s Maiden Name Biometrics, such as, fingerprints, retina scans and DNA When is PII protected by the Privacy Act? Information collected by a federal agency and retrieved by a personal identifier are considered PII and protected under the Act. When are records not covered under the Privacy Act? Records retrieved by means other than identifiers Aggregated data without personal identifiers are not PII
Defense Privacy & Civil Liberties Office 6 Agency Requirements What are the agencies’ responsibilities when collecting information on individuals? 1. Collect only the minimum amount of information necessary to accomplish an authorized purpose. 2. Maintain only information about an individual that is complete, accurate, timely and relevant. 3.Whenever collecting personal information directly from an individual, provide the individual with a Privacy Act Statement informing him or her Whether the provision of the information is voluntary or mandatory, The purpose for which the information is intended, Any routine uses of the information, and The effects, if any, of not providing all or any part of the requested information
Defense Privacy & Civil Liberties Office 7 Agency Requirements (cont’d) 4. Ensure accurate and up-to-date systems of records notices (SORNs) are published in the Federal Register. When is a SORN required? Any group of records where information is retrieved by name, SSN or other personal identifier requires the publication of a SORN. System owners must work with their Component Privacy Office to develop a SORN for a newly created system of records or when an existing system of records has significantly changed or is discontinued. Can a SORN apply to more than one system? Yes, a SORN may be applicable to multiple systems if the data was used for the same purpose and other categories of the SORN descriptors are identical.
Defense Privacy & Civil Liberties Office 8 PII Protection The DoD has a continuing affirmative responsibility to safeguard PII in its possession and to prevent its loss, theft, or compromise. Here are some strategies to use in safeguarding PII: Whenever possible, collect information directly from the individual Closely evaluate holdings and collections of PII, especially SSNs Apply the “need to know” principle. Only disclose PII if needed for the performance of official duties Provide Privacy Act Statements whenever PII is collected from the individual Ensure all personnel are trained on the protection of PII Establish and monitor procedures to ensure the information collected is accurate, relevant, timely, complete and the minimum amount necessary for the purpose collected
Defense Privacy & Civil Liberties Office 9 Blanket Routine Uses of PII in DoD Law Enforcement Disclosure when requesting information Disclosure of requested information Congressional Inquiries Private Relief Legislation Disclosures required by international agreements Disclosure to state and local taxing authorities Disclosure to the office of personnel management Disclosure to the department of Justice for Litigation Disclosure to Military Banking Facilities Disclosure of information to the General Services Administration Disclosure of information to the national archives and records administration Disclosure to the Merit Systems Protection Board Counterintelligence purposes Routine uses are disclosures of a record to parties outside DoD “for a purpose which is compatible with the purpose for which it was collected”. Blanket Routine Uses allow disclosure from any applicable DoD System of Records. While DoD blanket routine uses are standard for most SORNs, they do not always match the purpose for the collection. Additionally, there are exceptions to disclosure without consent. See DoD 5400.11-R, May 14, 2007 Appendix 3.
Defense Privacy & Civil liberties Office 10 Breach Management What is a Breach? A breach is an incident that results in an actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information where persons other than authorized users gain access or potential access to such information for an other than authorized purpose where one or more individuals will be adversely affected. What are the Reporting and Notification Requirements? Upon Suspicion of or Awareness of an Actual Breach Report To: U.S. Computer Emergency Readiness Team (US-CERT) Within 1 hour of discovering that a breach of PII has occurred. Senior DoD Component Privacy Official Within 24 hours Defense Privacy and Civil Liberties OfficeWithin 48 hours Notify:Affected Individuals As soon as possible but no later than 10 working days after a breach is discovered and the identities of the individuals are ascertained. If records containing PII are lost, stolen or compromised, the potential exists that the records may be used for unlawful purposes, such as identity theft.
Defense Privacy & Civil Liberties Office 11 When do I need a Computer Matching Agreement? A computer matching agreement is needed when there is computer to computer matching with another federal agency. The matching must be necessary to determine eligibility for a federal benefit or compliance with federal benefit program requirements. Computer Matching Agreements The Computer Matching and Privacy Protection Act of 1988 amended the Privacy Act to protect individuals from adverse effects of computer matching activities. This affords individuals the opportunity to receive notice and to refute adverse information before having a benefit denied or terminated. Only the Defense Privacy & Civil Liberties Office may initiate and administer DoD Computer Matching Agreements.
Defense Privacy & Civil Liberties Office 12 Disclosure of PII to Other Agencies and Third Parties There are 12 exceptions to general disclosure prohibition 1.To an agency employee who normally maintains the record and needs it in the performance of duty; (need-to-know) 2.Disclosures made under the Freedom of Information Act; 3.Disclosures for a routine use published in the Federal Register; 4.Discloser is to Census Bureau for purposes of a Census survey; 5.Used for statistical research or reporting, and the record is transferred without individually identifying data; 6.Disclosure to the National Archives and Records Administration as a record of historical value; 7.Disclosure to another agency or to any governmental entity within or under the control of the United States for a civil or criminal law enforcement activity," and if the record is provided in response to a written request by the head of the agency; 8.When "compelling circumstances" affecting someone's health or safety. The person whose health or safety is affected is sent a notification of the disclosure; 9.Disclosure to either house of Congress, or any committee, subcommittee or joint committee; 10.Disclosure to the Comptroller General in the course of the duties of the General Accounting Office; 11.Pursuant to a court order signed by a Judge; 12.Disclosure to a consumer reporting agency IAW the Debt Collection Act. General Disclosure Prohibition: “No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.”
Defense Privacy & Civil Liberties Office 13 Accounting of Disclosures An agency must keep accurate accounts of when and to whom it has disclosed personal records. 1.The accounting must include name and address of the person or agency to whom the disclosure is made, and date, nature and purpose of each disclosure. 2.An accounting is not required for intra- agency (need-to-know) or FOIA disclosures. 3.The accounting of disclosures must be kept for five years or the life of the record, whichever is longer. 4.Unless the records were shared for law enforcement purposes, the accounts of the disclosure should be available to the data subject upon request. 5.If an agency makes corrections or notations of dispute to any record, the agency must inform any person or agency to whom it has disclosed the original information, if an accounting of disclosures was made. An accounting allows individuals to learn to whom records about themselves have been disclosed.
Defense Privacy & Civil Liberties Office 14 Trigger Points Indicating Privacy Act Considerations In general, if you answer “yes” to any of these questions, consult your Component Privacy Official for potential Privacy Act requirements. Are you collecting PII? Are you retrieving information from that collection of PII by a personal identifier, e.g., name, social security number? Are you unable to identify a published system of records notice (http://dpclo.defense.gov/privacy/SORNS/sorns.html) that correlates with the purpose(s) and use(s) for your collection?http://dpclo.defense.gov/privacy/SORNS/sorns.html Are you creating a collection of PII by merging information from two or more existing information systems? Are you conducting a computerized comparison of Federal automated systems with Federal records?
Defense Privacy & Civil Liberties Office 15 Privacy Act Resources DoDD 5400.11, “DoD Privacy Program”, May 8, 2007 DoD 5400.11-R,“Department of Defense Privacy Program”, May 14, 2007 DoD Memorandum, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information”, June 5, 2009 DPCLO website http://dpclo.defense.gov/privacy.htmlhttp://dpclo.defense.gov/privacy.html NIST SP 800.122
Defense Privacy Office 16 Budget Documentation and Justification Writing Class Should You Have Any Additional Questions Regarding Privacy Act Matters in DoD, Please Contact Your Component Privacy Official or: Defense Privacy & Civil Liberties Office 1901 South Bell Street, Suite 920 Arlington, VA 22202 (703) 607-2943 firstname.lastname@example.org