PRESS “F5” ON YOUR KEY BOARD TO PROPERLY START THIS TRAINING MODULE PRESS “F5” ON YOUR KEY BOARD TO PROPERLY START THIS TRAINING MODULE. Then, click the arrow at the bottom right of this slide to begin the training module.
Defense Security Cooperation Agency FY 2014 Privacy Training Sponsored by the Office of General Counsel
Annual Training Requirements This training is required by DoD 5400.11, DoD 5400.11-R, DoD Privacy Program, and OSD Administrative Instruction 81. Note, 100% compliance with the annual Privacy training requirement is expected from all civilian, military, and contractor personnel with DSCA, the Regional Centers and Field Activities. Staff must complete the “Automated Proof of Training” slide at the end of this module to ensure the Office of General Counsel receives proof that you have met the requirement. You should also print a copy of your certificate of completion for your records.
Overview of the Privacy Act of 1974
What is the Privacy Act of 1974? The Privacy Act of 1974 is a Federal statute enacted by Congress to provide U.S. citizens and lawfully admitted aliens who are permanent residents with the right to privacy in records that are maintained and used by Federal agencies. The Privacy Act does not apply to deceased persons, but under certain circumstances, may apply to the relatives of the deceased. By establishing the Privacy Act, Congress intended to balance the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from a Federal agency’s collection, maintenance, use, and disclosure of personal information about them.
What does the Privacy Act require of Federal agencies? (continued) The Privacy Act requires federal agency to: Maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required by law; Collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations involving the individual’s rights, benefits, privileges under Federal programs. Maintain all records which are used by the agency in making any determination about any individual with accuracy, relevance, timeliness and completeness as is reasonably necessary to ensure fairness to the individual in the determination. Prior to disseminating any record about an individual to any person other than an agency, except for disclosures under the FOIA, make reasonable efforts to ensure that records are accurate, complete, timely, and relevant for agency purposes.
What does the Privacy Act require of Federal agencies? (continued) Maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless otherwise authorized by law, the subject individual, or law enforcement activity. Make reasonable efforts to serve notice on an individual when any record on the individual is made available under compulsory legal process. This notice is only required when the process becomes a matter of public record. Establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record, including guidance to such person regarding the provisions of the Privacy Act, other applicable rules and procedures, and penalties for noncompliance.
What does the Privacy Act Require of Federal agencies? (continued) Establish appropriate administrative, technical and physical safeguards to ensure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. Permit the individual, upon a written request, to review agency records that are maintained about them; and request an amendment of agency records upon showing that the records about them are not accurate, relevant, timely, or complete.
What does the Privacy Act require of Federal agencies? (continued) PRIVACY ACT STATEMENT When an agency solicits personal information from an individual for a system of records, the Privacy Act requires agencies to tell the individual in writing of: The statute or executive order of the President that authorizes the agency to solicit the information. The principal purposes for which the information is intended to be used. How the information will be used. Whether the disclosure of the information is mandatory or voluntary, and the effects, if any, on the individual for not providing all or any part of the information.
What does the Privacy Act require of Federal agencies? (continued) PRIVACY ACT STATEMENT When an agency requests an individual to disclose his or her social security number (SSN), Section 7 of the Privacy Act provides that it shall be unlawful to deny any individual any right, benefit, or privilege provided by law because the individual refuses to disclose his or her SSN. IMPORTANT NOTE: The expanded use of SSNs, in any form, is unacceptable within the Department. DoD Components are now instructed to evaluate their use of SSNs and to eliminate all unnecessary collections of SSNs that do not meet one or more of the 12 acceptable uses, as outlined in DoDI 1000.30, "Reduction of Social Security Number (SSN) Use Within DoD," August 1, 2012. The new instruction also establishes policy and assigns responsibilities for SSN use reduction in DoD.
Can an agency disclose records about an individual? No, Federal agencies must not disclose any “record” which is contained in a “system of records” to any person, except at the written request or prior written consent of the person to whom the record relates. However, there are exceptions for certain disclosures within the Government, including routine disclosures required by law. The Defense Privacy and Civil Liberties (DPCLO) publishes a list of DoD blanket routine uses on its website at www.dpclo.defense.gov/privacy /sorns/ blanket_routine_uses.html.
What is a record? The Privacy Act defines a “record” as any item, collection, or grouping of information about an individual that is maintained by an agency, including but not limited to, education, financial transactions, medical history, and criminal or employment history and that contains the name, or identifying number, symbol, or other identifying particular assigned to the individual such as a finger or voice print or a photograph. In the Privacy Act community, the term used to describe these identifiers is called, personally identifiable information (PII).
How does DoD define PII? DoD 55400.11-R, “Department of Defense Privacy Program,” defines PII as information about an individual that identifies, links, relates or is unique to, or describes him or her (e.g., a Social Security Number, age, military rank, civilian grade, marital status, race, salary, home/office phone numbers, other demographic, biometric, personnel, medical and financial information, etc.), when linked to a record that is maintained in a “system of records.”
What is a system of records? A “system of records” is as a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. Examples of a “system of records” may include the following: Electronic systems funded by DSCA for data management, including systems maintained in a commercial environment Applications such as Microsoft Access or Excel used to create databases or spreadsheets Paper or physical records maintained in file cabinets or drawers Because of the retrieval requirement, some system of records may not be subject to the Privacy Act. However, staff should consult DSCA/OGC Privacy Act Officials to determine the applicability of the requirement.
Can I maintain a system of records in connection with my official duties? Yes. However, to maintain a “system of records,” the Privacy Act requires Federal agencies to publish a notice for public comment in the Federal Register which describes, among other things, the existence, uses, and legal authority for the collection of each new or significantly revised system of records. DoD Privacy Program regulation states, “the system notice must be published in the Federal Register before a Component begins to operate the system (e.g., collect or use the information).
Do I have to publish a notice in the Federal Register if the data collected will not invade an individual’s personal privacy? A notice must be published in the Federal Register if you “retrieve” an individual’s information by a personal identifier linked only to them, regardless of whether or not the information will cause an invasion of personal privacy. If you believe your collection (paper or electronic) is a system of records within the meaning of the Privacy Act, and you do not have a published system notice in the Federal Register, please contact DSCA/OGC Privacy Act Officials so that we may assist you and the agency with complying with the reporting requirement .
ADDITIONAL INFORMATION YOU SHOULD KNOW
Your collection may also trigger the following Federal requirements apart from the Privacy Act: Section 208 of the E-Gov Act of 2002 requires an agency Chief Information Officer (CIO) to ensure that a privacy impact assessment (PIA) is conducted and reviewed for applicable IT systems, including privacy notices on government websites and privacy policies in machine readable formats. Federal Information Security Management Act (FISMA) requires an agency to provide information security protections for IT systems appropriate with risk and magnitude of harm. Paperwork Reduction Act (PRA) requires an agency to seek and obtain OMB approval before undertaking a collection of information for ten or more members of the public. Chapter 31 of Title 44 U.S.C., requires an agency to ensure efficient and effective records management. Note, there are also DoD issuances that coincide with each of these Federal requirements.
Who is responsible for ensuring the Privacy Act requirements and other the Federal requirements associated with the data collection are met? You should immediately contact your designated DSCA officials for Privacy, Information Assurance (electronic collection only), Records Management and DoD Internal/External Information Collections for assistance with meeting the requirements. The System/Program Manager is responsible for ensuring that all Federal requirements are completed for the electronic or paper collections. OSD/JS Privacy Office
PERSONALLY IDENTIFIABLE INFORMATION (PII) SAFEGUARDING PERSONALLY IDENTIFIABLE INFORMATION (PII)
What can I do to safeguard PII? STORING PII During Duty Hours Cover with DD 2923 (Privacy Act Cover Sheet) or place in an out-of- sight location when those who do not have authorized access enter the work space. Use filtering devices on computer screens to blacken the view. Lock computers when leaving – even for brief periods of time. After Duty Hours If the building is locked or manned by security, place records in locked or unlocked drawer or cabinet. Special categories of Privacy data should be placed in locked receptacles.
What can I do to safeguard PII? (continued) SHARING PII Follow the “need-to-know” principle. Share only with those specific DoD employees who need the data to perform their official duties. If the System Manager has granted you authority to make disclosures outside DoD: Share only with those individuals and entities listed under the DoD blanket routine uses published on DPCLO’s public website. If you have doubts about sharing data, consult with the System Manager or DSCA/OGC Privacy Act Officials.
What can I do to safeguard PII? (continued) TRANSPORTING PII Using E-mail Do not send PII to your personal email account (e.g., Yahoo, gmail, hotmail, or to any other “commercial” email address). Send emails only to recipients with a need-to-know. Ensure emails contain “FOR OFFICIAL USE ONLY – PRIVACY SENSITIVE” in the subject line. Ensure emails contain the warning language, “FOR OFFICIAL USE ONLY – PRIVACY SENSITIVE: Any misuse or unauthorized disclosure of this information may result in both civil and criminal penalties” in the body of the email. Digitally sign and encrypt all emails containing PII. Using Fax Machine Ensure the document is properly marked “FOR OFFICIAL USE ONLY – PRIVACY SENSITIVE.” Ensure you have the correct fax number. Have someone stand-by at the receiving end of the fax.
What can I do to safeguard PII? (continued) TRANSPORTING PII Using Ground Mail Ensure the envelope is addressed to an authorized recipient and properly marked “FOR OFFICIAL USE ONLY – PRIVACY SENSITIVE.” Double wrap by putting the initially sealed envelope in a second sealed, unmarked envelope addressed to the authorized recipient. Hand Carrying Cover with DD 2923 (Privacy Act Cover Sheet) to shield personal content(s). This cover sheet is publicly available on the internet.
What can I do to safeguard PII? (continued) DISPOSING of PII A disposal method is considered adequate if it renders the information unrecognizable or beyond reconstruction. Disposal methods may include the following: Burning Melting Chemical decomposition Pulping Pulverizing Shredding Mutilation Degaussing Delete/Empty Recycle Bin
PRIVACY BREACH
What is a privacy breach? A breach is a loss of control, unauthorized disclosure, or unauthorized access of personal information when individuals other than authorized users gain access to such information an other than authorized purpose.
Should I attempt to contain the breach? Absolutely yes! If you are able to stop or contain the breach, you should immediately take necessary actions to prevent or limit potential harm to the affected individual(s).
What should I do in the event of a privacy breach? Upon becoming aware of the loss, theft, or improper disclosure of personal information (paper or electronic), you must report the incident to: Your Supervisor/Manager immediately; Electronic only: The United States Computer Emergency Readiness Team (US CERT) within one hour of discovery at https://forms.us- cert.gov/report/; and DSCA/OGC Privacy Officials within 24 hours at DSCA-OGC-PII- BreachNotification@dsca.mil. Note, your notice should contain information, in accordance with Chapter 10.6.1.2. of DoD Directive 5400.11-R, “DoD Privacy Program,” May 14, 2007.
PENALTIES
Are there any penalties for violating the Privacy Act? Yes. The Privacy Act provides for both criminal and civil penalties for noncompliance. Criminal Penalties If any officer or employee of a government agency knowingly and willfully discloses personally identifiable information will be found guilty of a misdemeanor and fined a maximum of $5,000. Also, if any agency employee or official willfully maintains a system of records without disclosing its existence and relevant details as specified above can be fined a maximum of $5,000. The same misdemeanor penalty (and $5,000 maximum fine) can be applied to anyone, including contractor personnel, who knowingly and willfully requests an individual's record from an agency under false pretenses.
Are there any penalties for violating the Privacy Act? (continued) CIVIL PENALTIES If an agency refuses to allow an individual access to his or her records and/or to amend an individual's record upon request, the individual can sue in civil court to have the records produced and /or amended. The court can also make the Government pay the individual reasonable attorney's fees or other litigation costs. If an agency has violated any other section of the Privacy Act, and a court finds that the violation is "intentional or willful," the court can make the Government pay to the individual actual damages suffered as a result of the violation (but in no case shall a person entitled to recovery receive less than the sum of $1,000), along with costs and reasonable attorney's fees.
Contact Information Please direct all privacy related matters to your DSCA/OGC Privacy Act Officials at (703) 604-0295.
You have completed the FY 2014 Privacy Act Training Module! To ensure you receive credit for meeting this annual requirement, click the link below to complete the automated email notification as well as obtain a copy of your certificate for your records. (CLICK HERE)