Presentation is loading. Please wait.

Presentation is loading. Please wait.

PRIVACY TRAINING 101 CIA-PPI-PII

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "PRIVACY TRAINING 101 CIA-PPI-PII"— Presentation transcript:

1 PRIVACY TRAINING 101 CIA-PPI-PII
What you Need to Know about Safeguarding Protected Personal Information and Personally Identifiable Information (PPI/PII) and the Confidentiality, Integrity and Availability (CIA) of Data

2 Purpose of this training:
To focus on the importance of PRIVACY and to ensure all personnel (military, civilian, contractor) are aware of the vital role that they must play in ensuring CIA and that PPI/PII is properly protected from unauthorized disclosure.

3 Protection of the Confidentiality, Integrity, and Availability (CIA) of USACC Information

4 Definitions Confidentiality: That data/information is accessible only to those authorized to have access." Integrity: Assurance that data and information are consistent and correct, not only from the origination point, but also when transferred to another point. Availability: The timely and reliable access to data services for authorized users. Availability ensures that information or resources are available when required, while protecting confidentiality ensuring the integrity of the data is maintained.

5 DEFINITIONS “PPI” stands for Protected Personal Information
“PII” stands for Personally Identifiable Information PPI and PII are interchangeable PPI/PII is: Information which can be used to identify a person uniquely and reliably, including but not limited to name, SSN, address, telephone #, address, mother’s maiden name

6 Current Issues Ignorance and apathy towards information/data CIA and associated guidance Lack of standard processes to handle sensitive information and not following established processes for handling information Lack of understanding of how the network and electronic filing can protect data and information Lack of training about proper handling of information/data

7 Policies, Regulations, and Memorandums
- OMB Memorandum M-07-16, Safeguarding Against and Responding to Breach of Personally Identifiable Information, May 22, 2007 - DoD Memorandum: Safeguarding Against and Responding to Breach of PII, 21 Sep, 2007 - DoD R: DoD Privacy Program, 14 May, 2007 DoD Directive , DoD Privacy Program, 8 May 2007 AR 25-55, DA FOIA Program, 1 Nov 1997 AR 380-5, DA Information Security Program, 29 Sep 2000 AR 25-2, Information Assurance, 24 Oct 2007 USACC Policy Memorandum 17, Protection of IT Equipment and Sensitive Data 15 May 2007

8 Personally Identifiable Information (PII)
PII, as set forth in DoD Directive , para E2.e and DoD R, para DL1.14, is defined as follows: “Personal Information. Information that identifies, links, relates, or is unique to, or describes him or her, e.g. a Social Security Number; age; military rank; civilian grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical, and financial information, etc. Such information is also known as personally identifiable information (i.e., information which can be used to distinguish or trace an individual’s identity, such as their name, Social Security Number, data and place of birth, mother’s maiden name, biometric records, including any other personal information which is linked or linkable to a specified individual).”

9 Why You Need to Know About Privacy:
We are collecting, maintaining, distributing and disposing of information about individuals--YOU! The law requires you to take precautions when collecting, maintaining, distributing and disposing of PPI/PII The Privacy Act of 1974 contains both civil and criminal penalties for non-compliance.

10 The Department of Veterans Affairs Breach
The VA loss of thousands of veterans’ records was well publicized, costly and brought PRIVACY to the forefront. This breach resulted in Presidential and Congressional interest in PRIVACY Office of Management & Budget (“OMB”) established working groups to address better protections, notification protocols, costs, and actions to be taken against employees

11 The Fallout OMB issued a Memorandum dated May 22, 2006, entitled “Safeguarding Personally Identifiable Information,” which directed agencies to provide training to all employees on their responsibilities to safeguard personally identifying information

12 The Fallout (Cont’d) OMB issued another Memorandum dated May 22, 2007, entitled “Safeguarding Against and Responding to the Breach of Personally Identifying Information” Both Memoranda require agencies to provide PRIVACY training to all employees

13 Your Role in PRIVACY You must understand the importance of ensuring that PPI/PII is properly protected You must get involved in identifying best practices for protecting PPI/PII You must be aware of the consequences for non-compliance

14 Privacy Act Requirements
Establish rules of conduct for collecting, maintaining, distributing, and disposing of personal information Publish Privacy Act system of records notices in the Federal Register for all approved collections of privacy information Ensure that we collect only data that is authorized by law & that we share information only with those who have a need-to-know

15 Privacy Act Requirements
Establish and apply data safeguards to protect information from unauthorized disclosure Allow individuals to review records about themselves for completeness and accuracy & to amend any factual information that is in error Keep record of disclosures made outside of DoD to authorized “routine users” described in the system notice

16 Examples of Personal Data Requiring Protection
Financial, credit and medical data Security clearance level Leave balances; types of leave used Home address & telephone numbers, personal address Social Security Number Mother’s maiden name; other names used

17 Examples of Personal Data Requiring Protection
Drug test results & fact of participation in rehabilitation program Family data Religion, race, national origin Performance ratings Names of employees who hold government-issued travel cards

18 The Loss of PPI/PII Can be embarrassing & cause emotional distress.
Can lead to identity theft, which is costly to the individual and to the Government Can impact our business practices & result in actions being taken against an employee Can erode confidence in the Government’s ability to protect information

19 DepSecDef Memorandum On June 15, 2005, the DepSecDef issued a Memorandum entitled, “Notifying Individuals When Personal Information is Lost, Stolen, or Compromised.” Requires DoD activities to notify individuals within 10 days after the loss or compromise of protected personal information is discovered

20 DepSecDef Memorandum Directs that notification advise individuals of:
what specific data was involved; the circumstances surrounding the loss, theft, or compromise; what protective steps the individual can take in response See also 32 C.F.R. §

21 Additional Breach Notification Procedures
Agencies must report all incidents involving PII to the U.S.-Computer Emergency Response Team (“US-CERT”) within ONE HOUR of discovery--32 C.F.R. § (1). DoD Components must report all incidents involving PII to the Senior Component Official for Privacy within 24 hours of discovering the breach--32 C.F.R. §

22 Additional Breach Notification Procedures
Senior Component Official for Privacy, or a designee, shall notify the Defense Privacy Office of the breach within 48 hours upon being notified of the breach--32 C.F.R. § (2). Submit report to the Defense Privacy Office detailing the specifics of the breach--32 C.F.R. § (2)(i) - (iv).

23 Collecting PPI/PII If you collect it--you must protect it!
If in doubt, leave it out! Do you really need the entire SSN or will the last 4 digits serve as a second qualifying identifier? Moving from a paper process to an electronic process requires you to identify any breach risks

24 Think PRIVACY When Safeguarding PII
Need to address whether collection & maintenance of all the information that we collect is “relevant and necessary,” and whether we can maintain “timely and accurate” information. The CIO may need to conduct a Privacy Impact Assessment (“PIA”) of electronic system to identify vulnerabilities.

25 Best Practices Think PRIVACY when considering the PII that you store on your computer, memory stick, PDA, etc. Think PRIVACY when you send/receive s that contain PII--are these messages properly marked? “FOR OFFICIAL USE ONLY-PRIVACY SENSITIVE-Any misuse or unauthorized access may result in both civil and criminal penalties.”

26 Best Practices Any messages that contain PII/PPI must contain the proper markings AND be ENCRYPTED! Any PII/PPI that is contained or maintained on “mobile” equipment (PDAs, memory sticks etc.) must be ENCRYPTED!

27 Best Practices Think PRIVACY when you create documents--do you need to include the entire SSN? Think PRIVACY when placing documents in public folders in Outlook and on public web sites. Think PRIVACY when disposing of PII--use cross-cut shredding, if possible

28 Your Responsibilities
Do NOT collect personal data without authorization. Do NOT distribute or release personal information to other employees unless they have an official need-to-know. Do NOT be afraid to challenge anyone who asks to see PA information. Do NOT maintain records longer than permitted.

29 Your Responsibilities
Do NOT destroy records before disposal requirements are met. Do NOT place unauthorized documents in PA systems of records. Do NOT commingle information about different individuals in the same file. Do NOT transmit personal data without ensuring that it is properly marked.

30 Your Responsibilities
Do NOT use interoffice envelopes to mail Privacy data. Do NOT place privacy data on shared drives, multi-access calendars, the Intra or Internet that can be accessed by individuals who do not have an official need-to-know. Do NOT hesitate to offer recommendations on how to better manage Privacy data.

31 Specific USACC Policies and Procedures

32 Leadership’s Responsibility for Data
Develop polices, procedures and standards to protect/safeguard information and data. Enforce the policies, procedures and standards through training and oversight Be an active participant in information CIA, e.g. walk the talk, set the example, and identify areas of improvement Ensure everyone receives initial orientation training and refresher training each year

33 Individual Responsibility for Data
Carefully consider the information you need to do your job, i.e. do you need SSNs, addresses, birthdates, etc. Know and understand polices, regulations, and guidance

34 Individual Responsibility for Data
If you must use sensitive information, determine who needs to see it and protect it accordingly. Set up a folder that allows only those that must have access to it and the level of access, e.g. Read/Write, or Read only. If sending sensitive information via , use the Encryption feature. When printing sensitive information on shared printers, pick up immediately and protect it. Delete any files containing sensitive information when they are no longer needed. Hard copies need to be shredded when no longer needed.

35 Identification of Creator/Modifier of Information
Every file has a log that indicates when it was created, when it was modified and the identity of the person. To ensure your identify is correctly listed, you must do the following: - Word: Open up a blank document. Go to Tools, then Options. Select the “User Information” tab. Type in your name and initials in the space provided. Hit OK. - Excel: Open up a blank document. Go to Tools, then Options. Select the “General” tab. Type in your name in the space provided. Hit OK. - PowerPoint: Open up a blank document. Go to Tools, then Options. Select the “General” tab. Find User Information. Type in your name and initials in the space provided. Hit OK.

36 Information Provided for the Weekly Blast, Public Site, Right Site, and Enterprise Portal
All information provided to any available distribution format must have the Director’s or Deputy’s approval Information containing personal or operational information may be published within the Enterprise Portal only. Within the enterprise portal the following data is prohibited SSNs Personal Medical Information Information that may be operationally or contractually sensitive or has a possibility of having a negative impact on the Army, USAAC, or USACC must be reviewed by PAO, Security, and SJA G6 will not accept information for posting to any of the above sites unless it is approved by the Director or Deputy

37 Files Created and Stored Locally Containing Personal Information
Any information containing personal information (electronic or hard copy) must be: Protected from unauthorized access Deleted when no longer needed Identify the person that created it Process for protecting from unauthorized access: Use the minimum personal information required Determine who needs to access the information, if anyone, other than yourself

38 Files Created and Stored Locally Containing Personal Information
If multiple people need to access (electronically): Create a folder Put in a work order with by name and level of access Once you receive information the folder has been created, put a test document in it and test Once the access test ensures the folder does restrict access, create the file and put it in the restricted folder.

39 Sending Files Containing Personal Information to Another Person
Sending any information containing personal information must be encrypted and digitally signed by the sender. The information should contain the minimal amount of Information possible to accomplish the task. If at all possible, stay away from SSNs. The instructions for BN users to be able to send and receive encrypted s is being drafted now. Basically it will require the person receiving the file and the person sending it to exchange Digitally signed s and saving the userid/certificates to their personal contacts.

Download ppt "PRIVACY TRAINING 101 CIA-PPI-PII"

Similar presentations

Protect Our Students Protect Ourselves

Protect Our Students Protect Ourselves
The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
Mandatory training for all Users who have access to Privacy Act Data

Mandatory training for all Users who have access to Privacy Act Data
HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
Identification and Disposition of Official University Records University of Texas at Arlington Records Management.

Identification and Disposition of Official University Records University of Texas at Arlington Records Management.
Overview of the Privacy Act

Overview of the Privacy Act
Office of Health, Safety and Security

Office of Health, Safety and Security
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.

FAIR AND ACCURATE CREDIT TRANSACTIONS ACT (FACTA)- RED FLAG RULES University of Washington Red Flag Rules Protecting Against Identity Fraud.
Protecting the Confidentiality of Social Security Numbers Business Procedures Memorandum 66 Revised November 1, 2006 The University of Texas System.

Protecting the Confidentiality of Social Security Numbers Business Procedures Memorandum 66 Revised November 1, 2006 The University of Texas System.
Defense Privacy Office 1 Budget Documentation and Justification Writing Class The Privacy Act of 1974: What Senior Leaders Need to Know.

Defense Privacy Office 1 Budget Documentation and Justification Writing Class The Privacy Act of 1974: What Senior Leaders Need to Know.
SIU School of Medicine Identity Protection Act and Associated SIU Policy.

SIU School of Medicine Identity Protection Act and Associated SIU Policy.
Critical Data Management Indiana University HR Summit April 24, 2014.

Critical Data Management Indiana University HR Summit April 24, 2014.
SAFEGUARDING DHS CLIENT DATA PART 2 SAFEGUARDING PHI AND HIPAA Safeguards must: Protect PHI from accidental or intentional unauthorized use/disclosure.

SAFEGUARDING DHS CLIENT DATA PART 2 SAFEGUARDING PHI AND HIPAA Safeguards must: Protect PHI from accidental or intentional unauthorized use/disclosure.
The Privacy Office U.S. Department of Homeland Security Washington, DC 20528 t: 703-235-0780; f: 703-235-0442 Safeguarding.

The Privacy Office U.S. Department of Homeland Security Washington, DC t: ; f: Safeguarding.
Data Classification & Privacy Inventory Workshop

Data Classification & Privacy Inventory Workshop
DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,

DATA SECURITY Social Security Numbers, Credit Card Numbers, Bank Account Numbers, Personal Health Information, Student and/or Staff Personal Information,
1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.

1 Enterprise Security Your Information Security and Privacy Responsibilities © 2008 Providence Health & Services This information may be replicated for.

Similar presentations

Ads by Google