1 Data Classification & Privacy Inventory Workshop: Implementing Security to Protect Privacy. November 2005. State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation
2 Welcome & Introductions: Debra Reiger, State Information Security Officer; Joanne McNabb, California Office of Privacy Protection; Lester Chan, California Office of HIPAA Implementation
3 Workshop Agenda: Welcome & Introductions - Debra Reiger; Information Privacy & Security - Joanne McNabb; Introduction to State Policy on Data Classification - Debra Reiger; Break; Protected Health Information - Lester Chan; Conducting a Privacy Inventory - Joanne McNabb; Workshop Exercise - Lester Chan
4 Information Privacy & Security: Privacy: Individual’s interest in controlling the handling of his/her personal information. Security: Organization’s interest in protecting information assets from unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use. Information security is essential to privacy protection.
5 “Personal information is like toxic waste – Managing it requires a high level of skill and training.” - Phil Agre, Technology and Privacy in a New Landscape. This is where you come in. Phil Agre, Prof. of Information Studies, UCLA.
6 Why Protect Personal Information: Law and Policy: Information Practices Act, HIPAA; Data Classification, Encryption (soon). Risk Reduction; SAM; Security breach notification law (Civil Code § ) – Cost of notification $1-$25 per notice. Identity Theft: > 9 Million victims and $52.6 Billion in 2004.
7 Protecting Personal Information: Classify data and identify records systems containing personal identifying information. Locate records needing special protection: Notice-Triggering Personal Information; Health Information (Protected or Electronic). Protect with appropriate security measures: Administrative, Technical, Physical.
8 State Policy on Classifying Data: Classification of Information
9 Introduction: State policy requires that we identify and classify our data and protect it appropriately. See SAM Sections. Automated files and databases are essential public resources. We are the protectors of the public’s information. We must first classify and locate data before we can properly protect it.
10 Information Protection: Give appropriate protection from unauthorized: Use; Access; Disclosure; Modification; Loss; Deletion.
11 Information Classifications: Public Information; Confidential Information.
12 Public Information: Information not exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws.
13 Confidential Information: Information exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws.
14 Sensitive & Personal Info: Sensitive and personal information may occur in public and/or confidential records. Files and databases containing sensitive and/or personal information require special precautions to prevent inappropriate disclosure.
15 Sensitive Information: Requires special precautions to protect from: Unauthorized use; Access; Disclosure; Modification; Loss; Deletion.
16 Sensitive Information: May be either Public, or Confidential. Requires a higher than normal assurance of accuracy and completeness. Key factor is integrity. Typical records are agency financial transactions and regulatory actions.
17 Personal Information: Identifies or describes an individual. Must be protected from inappropriate: Access; Use; Disclosure. Must also be accessible to data subjects upon request.
18 Personal Information: Identifies or describes an individual: Name; Home address; Home phone; etc. Sub-types of Personal Information: Notice-Triggering Personal Information; Medical Information; Protected Health Information; Electronic Health Information.
19 Notice-Triggering Personal Info: Name plus specific items of personal information: Social Security Number; Driver’s license/I.D. card number; Financial Account Number. Requires notifying individuals if it is acquired by an unauthorized person.
20 Protected Health Information: HIPAA Covered Entities
21 Protected Health Information: Individually identifiable information created, received, or maintained by health care payers, providers, health plans or contractors, in electronic or physical form. State and federal laws require special precautions to protect from unauthorized use, access, or disclosure.
22 Electronic Health Information: Individually identifiable health information transmitted by electronic media or maintained in electronic media.
23 Electronic Health Information: Health plans, clearinghouses or providers must ensure the privacy and security of electronic protected health information from unauthorized use, access or disclosure.
24 Current Information: Assess current systems for protected health information in physical (paper) and electronic form. Include personal information in the data classification portion of risk analysis and risk management. Risk analysis and risk management are required of HIPAA covered entities.
25 Future Data Systems: Be aware of these data classifications as more data is created, maintained or transmitted. Plan for protecting your data during the system design phase. Collect data that you have the authority and need to collect.
26 Conducting a Privacy Inventory: Where is your data? Where is your personal data?
27 Privacy Inventory Process: ISO/PO gets management support. Each division/program identifies “Privacy Contact.” ISO/PO explains process to Privacy Contacts. Privacy Contacts complete Privacy Inventory Worksheet. ISO/PO/Program implement appropriate safeguards. ISO/PO conduct ongoing privacy awareness training for users (more on this later).
28 Overview of Worksheet: Part I: Records System Inventory; Part II: Privacy Practices Inventory
29 Part I of Inventory Worksheet: Records Systems Containing Personal Information. Start with Records Inventory for Records Retention Schedule. List only Records Systems containing personal information.
30 1. Records System: Group of records maintained for official purposes. Same as “Records Series” in Records Retention Handbook: Group of related records under a single filing category that deal with particular subject.
31 Personal Information: Information that describes an individual, including name, home address, home phone, etc. – defined in Civil Code. Information on clients, consumers, applicants, licensees, employees, contractors – everyone.
32 2. Description of Records: Examples: Applications for general contractor’s license; Personnel records of current employees; Case records of recipients of in-home supportive service, past and present; Consumer complaints.
33 3. Sources of Records: Examples: Subject supplies information on application form. Schools provide information on transcripts. DOJ provides information from criminal history records.
34 4. Owner and Location: Owner: Department/Division/Program that collects and maintains the records. Location: Agency name and address where original records system is located. Contact: Name, title, business contact information of agency official responsible for records system.
35 5. Authority: Citation of regulation or statute authorizing agency to collect and maintain records system.
36 6. Media of Records System: Medium of “original” records system: electronic, paper, tape. Additional media on which records are stored or used: PC; Laptop; Other portable device or medium.
37 7. Type of Personal Information: Objective: Identify records systems containing personal information needing special protections. Notice-triggering personal information (name plus SSN, DL/State ID number, financial account number); Health/medical information; Other personal information (Home Address, MMN, DOB, etc.).
38 8. Confidential or Sensitive Info: Does the records system contain any confidential or sensitive information (other than personal information)? Confidential: Exempt from PRA. Sensitive: For example, network configuration, agency bank records.
39 9. Routine Uses & Disclosures: Purposes for which records were created; Uses and users; Disclosures outside agency that collects and maintains records system.
40 Part II of Inventory Worksheet: Privacy Practices. Checklist of major practices per IPA, Government Code, etc. Optional – but good way to start to build privacy awareness.
42 2. Rules of Conduct: Does your program/agency have written rules of conduct for handling records containing personal information? (Civil Code) If so, attach copy to Worksheet.
43 3. Access Guidelines: Does your program/agency have regulations or guidelines telling individuals how they can access their own records? (Civil Code – ) If so, attach copy to Worksheet.
44 4. Notice on Collection: How do you provide notice (of authority, uses, disclosures, access procedures, etc.) when collecting personal information? (Civil Code) Printed on paper forms; On online forms; Other.
45 5. Public Records Act Disclosures: Do you have written procedures for responding to PRA requests? How do you protect personal information in public records? If so, attach copy to Worksheet.
46 6. Retention & Destruction: Is this records system listed in your Records Retention Schedule?
47 7. Incident Notification Procedures: Does the program/division/department have written procedures for notification of privacy/security incidents? For example, lost/stolen laptop containing (possibly notice-triggering) personal information: Report as information security incident, not property theft.
48 Privacy Awareness: Privacy Inventory raises awareness of privacy vulnerabilities and protection requirements. Ongoing awareness training for all users is essential. Coming soon from COPP.