Presentation is loading. Please wait.

Presentation is loading. Please wait.

Data Classification & Privacy Inventory Workshop

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Data Classification & Privacy Inventory Workshop"— Presentation transcript:

1 Data Classification & Privacy Inventory Workshop
Data Classification and Privacy Inventory Workshop Data Classification & Privacy Inventory Workshop Implementing Security to Protect Privacy November 2005 State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation

2 Welcome & Introductions
Data Classification and Privacy Inventory Workshop Welcome & Introductions Debra Reiger, State Information Security Officer Joanne McNabb, California Office of Privacy Protection Lester Chan,, California Office of HIPAA Implementation State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation

3 Data Classification and Privacy Inventory Workshop
Workshop Agenda Welcome & Introductions - Debra Reiger Information Privacy & Security - Joanne McNabb Introduction to State Policy on Data Classification - Debra Reiger Break Protected Health Information - Lester Chan Conducting a Privacy Inventory - Joanne McNabb Workshop Exercise - Lester Chan State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation

4 Information Privacy & Security
Data Classification and Privacy Inventory Workshop Information Privacy & Security Privacy: Individual’s interest in controlling the handling of his/her personal information Security: Organization’s interest in protecting information assets from unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use Information security is essential to privacy protection. State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation

5 Data Classification and Privacy Inventory Workshop
“Personal information is like toxic waste – Managing it requires a high level of skill and training.” -Phil Agre, Technology and Privacy in a New Landscape This is where you come in. Phil Agre, Prof. of Information Studies, UCLA. State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation

6 Why Protect Personal Information
Law and Policy Information Practices Act, HIPAA Data Classification, Encryption (soon) Risk Reduction SAM Security breach notification law (Civil Code § ) – Cost of notification $1-$25 per notice Identity Theft > 9 Million victims and $52.6 Billion in 2004

7 Protecting Personal Information
Classify data and identify records systems containing personal identifying information. Locate records needing special protection: Notice-Triggering Personal Information Health Information (Protected or Electronic) Protect with appropriate security measures Administrative, Technical, Physical

8 State Policy on Classifying Data
Classification of Information

9 Introduction State policy requires that we identify and classify our data and protect it appropriately. See SAM Sections Automated files and databases are essential public resources. We are the protectors of the public’s information. We must first classify and locate data before we can properly protect it.

10 Information Protection
Give appropriate protection from unauthorized: Use Access Disclosure Modification Loss Deletion

11 Information Classifications
Public Information Confidential Information

12 Public Information Information not exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws

13 Confidential Information
Information exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws

14 Sensitive & Personal Info
Data Classification and Privacy Inventory Workshop Sensitive & Personal Info Sensitive and personal information may occur in public and/or confidential records. Files and databases containing sensitive and/or personal information require special precautions to prevent inappropriate disclosure. State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation

15 Sensitive Information
Requires special precautions to protect from: Unauthorized use Access Disclosure Modification Loss Deletion

16 Sensitive Information
May be either Public, or Confidential. Requires a higher than normal assurance of accuracy and completeness. Key factor is integrity. Typical records are agency financial transactions and regulatory actions.

17 Personal Information Identifies or describes an individual
Must be protected from inappropriate Access Use Disclosure Must also be accessible to data subjects upon request

18 Personal Information Identifies or describes an individual:
Name Home address Home phone etc. Sub-types of Personal Information: Notice-Triggering Personal Information Medical Information Protected Health Information Electronic Health Information

19 Notice-Triggering Personal Info
Name plus specific items or personal information: Social Security Number Driver’s license/I.D. card number Financial Account Number Requires notifying individuals if it is acquired by an unauthorized person.

20 Protected Health Information
HIPAA Covered Entities

21 Protected Health Information
Individually identifiable information created, received, or maintained by health care payers, providers, health plans or contractors, in electronic or physical form. State and federal laws require special precautions to protect from unauthorized use, access, or disclosure.

22 Electronic Health Information
Individually identifiable health information transmitted by electronic media or maintained in electronic media

23 Electronic Health Information
Health plans, clearinghouses or providers must ensure the privacy and security of electronic protected health information from unauthorized use, access or disclosure

24 Current Information Assess current systems for protected health information in physical (paper) and electronic form. Include personal information in the data classification portion of risk analysis and risk management Risk analysis and risk management are required of HIPAA covered entities

25 Future Data Systems Be aware of these data classifications as more data is created, maintained or transmitted. Plan for protecting your data during the system design phase. Collect data that you have the authority and need to collect.

26 Conducting a Privacy Inventory
Where is your data? Where is your personal data?

27 Privacy Inventory Process
Data Classification and Privacy Inventory Workshop Privacy Inventory Process ISO/PO gets management support. Each division/program identifies “Privacy Contact.” ISO/PO explains process to Privacy Contacts. Privacy Contacts complete Privacy Inventory Worksheet. ISO/PO/Program implement appropriate safeguards. ISO/PO conduct ongoing privacy awareness training for users (more on this later). State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation

28 Overview of Worksheet Part I: Records System Inventory
Part II: Privacy Practices Inventory

29 Part I of Inventory Worksheet
Data Classification and Privacy Inventory Workshop Part I of Inventory Worksheet Records Systems Containing Personal Information Start with Records Inventory for Records Retention Schedule List only Records Systems containing personal information State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation

30 1. Records System Group of records maintained for official purposes
Same as “Records Series” in Records Retention Handbook: Group of related records under a single filing category that deal with particular subject

31 Personal Information Information that describes an individual, including name, home address, home phone, etc. – defined in Civil Code Information on clients, consumers, applicants, licensees, employees, contractors – everyone

32 2. Description of Records
Examples Applications for general contractor’s license Personnel records of current employees Case records of recipients of in-home supportive service, past and present Consumer complaints

33 3. Sources of Records Examples:
Subject supplies information on application form Schools provide information on transcripts. DOJ provides information from criminal history records

34 4. Owner and Location Owner: Department/Division/Program that collects and maintains the records Location: Agency name and address where original records system is located Contact: Name, title, business contact information of agency official responsible for records system

35 5. Authority Citation of regulation or statute authorizing agency to collect and maintain records system

36 6. Media of Records System
Medium of “original” records system: electronic, paper, tape Additional media on which records are stored or used: PC Laptop Other portable device or medium

37 7. Type of Personal Information
Objective: Identify records systems containing personal information needing special protections Notice-triggering personal information (name plus SSN, DL/State ID number, financial account number) Health/medical information Other personal information (Home Address, MMN, DOB, etc.)

38 8. Confidential or Sensitive Info
Does the records system contain any confidential or sensitive information (other than personal information)? Confidential: Exempt from PRA Sensitive: For example, network configuration, agency bank records

39 9. Routine Uses & Disclosures
Purposes for which records were created Uses and users Disclosures outside agency that collects and maintains records system

40 Part II of Inventory Worksheet
Data Classification and Privacy Inventory Workshop Part II of Inventory Worksheet Privacy Practices Checklist of major practices per IPA, Government Code, etc. Optional – but good way to start to build privacy awareness State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation

41 1. Privacy Policy Statement
Is your agency’s privacy policy statement posted in your office(s)? Is it posted on your Web site(s)? Government Code

42 2. Rules of Conduct Does your program/agency have written rules of conduct for handling records containing personal information? Civil Code If so, attach copy to Worksheet.

43 3. Access Guidelines Does your program/agency have regulations or guidelines telling individuals how they can access their own records? Civil Code – If so, attach copy to Worksheet.

44 4. Notice on Collection How do you provide notice (of authority, uses, disclosures, access procedures, etc.) when collecting personal information? Civil Code Printed on paper forms On online forms Other

45 5. Public Records Act Disclosures
Do you have written procedures for responding to PRA requests? How do you protect personal information in public records? If so, attach copy to Worksheet.

46 6. Retention & Destruction
Is this records system listed in your Records Retention Schedule?

47 7. Incident Notification Procedures
Does the program/division/department have written procedures for notification of privacy/security incidents? For example, lost/stolen laptop containing (possibly notice-triggering) personal information: Report as information security incident, not property theft

48 Data Classification and Privacy Inventory Workshop
Privacy Awareness Privacy Inventory raises awareness of privacy vulnerabilities and protection requirements Ongoing awareness training for all users is essential Coming soon from COPP State Information Security Office, California Office of Privacy Protection, California Office of HIPAA Implementation

49 End of Presentation Questions Comments

Download ppt "Data Classification & Privacy Inventory Workshop"

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.

1. As a Florida KidCare community partner families entrust you to not only help them navigate the Florida KidCare system but to keep the information they.
DOCUMENTATION Missouri Medicaid Audit and Compliance Provider Certification Review Materials.

DOCUMENTATION Missouri Medicaid Audit and Compliance Provider Certification Review Materials.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Confidentiality and HIPAA

Confidentiality and HIPAA
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
Helping you protect your customers against fraud Division of Finance and Corporate Securities.

Helping you protect your customers against fraud Division of Finance and Corporate Securities.
PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,

PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,
Computers, Freedom and Privacy April 23, 2004 Identity Theft: Addressing the Problem in California Joanne McNabb, Chief CA Office of Privacy Protection.

Computers, Freedom and Privacy April 23, 2004 Identity Theft: Addressing the Problem in California Joanne McNabb, Chief CA Office of Privacy Protection.
SIU School of Medicine Identity Protection Act and Associated SIU Policy.

SIU School of Medicine Identity Protection Act and Associated SIU Policy.
The Privacy Office U.S. Department of Homeland Security Washington, DC 20528 t: 703-235-0780; f: 703-235-0442 Safeguarding.

The Privacy Office U.S. Department of Homeland Security Washington, DC t: ; f: Safeguarding.
MINNESOTA GOVERNMENT DATA PRACTICES ACT How the law affects University employees and recordkeeping Susan McKinney Records & Information Management.

MINNESOTA GOVERNMENT DATA PRACTICES ACT How the law affects University employees and recordkeeping Susan McKinney Records & Information Management.
Security Controls – What Works

Security Controls – What Works
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
Informed Consent and HIPAA Tim Noe Coordinating Center.

Informed Consent and HIPAA Tim Noe Coordinating Center.

Similar presentations

Ads by Google