Introduction to the West Virginia Executive Branch Privacy Policies Executive Branch Privacy Program Education & the Arts Presented by Heather Butler,

Presentation transcript:

Introduction to the West Virginia Executive Branch Privacy Policies
Executive Branch Privacy Program
Education & the Arts
Presented by Heather Butler, Privacy Coordinator, WVDCH
May 2009

Welcome to the Privacy Program!
- The Privacy Program consists of six policies:
  - Notice
  - Consent
  - Individual Rights
  - Minimum Necessary and Limited Use
  - Security Safeguards
  - Accountability
- These all take effect on August 1, 2009
- Compliance is required for all Executive Branch Agencies, including Education & the Arts

Why Have a Privacy Program?
- The Privacy Program demonstrates our commitment to respecting people by protecting their information and using it properly
- Our commitment extends to all our employees as well as our citizens, service providers and other business partners
- The Privacy Program balances individual privacy with our legitimate needs to collect, use and disclose information for Agency business purposes

Policies Govern "PII"
- PII = personally identifiable information
- PII is any information that can be used to identify, locate or contact a person
- Includes obvious information, such as names and addresses, Social Security numbers
- And less obvious information, such as addresses, driver's license numbers, credit card numbers
- Even regulated information, such as Protected Health Information (PHI), is part of PII
- Includes information about citizens, co-workers, vendors and employers: every person you encounter
- Includes information in every format, computerized or paper

Sensitive PII is a Subset of PII
- Some PII is classified as "sensitive"
- Sensitive PII (or SPII) consists of those elements of PII that require greater protection:
  - All health information and medical records, including (but not limited to) PHI
  - Social Security numbers, driver's license numbers
  - Financial account information, including bank account numbers and payment card information

Privacy Program Summary
- Policies regulate our collection, use, transfer and storage of PII
- They provide for transparency, using privacy notice, and choice
- They require that we respect individual rights of access and correction
- They demonstrate our willingness to accommodate individual privacy concerns
- They require us to answer questions and respond to complaints

Notices
- What is a Notice? Why is it important?
- Drafting a privacy notice
- Notice is required for EACH process
- Concept of "Layered Notices"
- How are notices delivered?

The Consent Policy
- Reflects our commitment to giving people choice about how we collect, use and disclose their PII
- Recognizes that sometimes choice isn't possible
- What is choice? The ability to specify whether PII will be collected and/or how it will be used or disclosed
- Opt in vs. opt out

Consent Policy: How the Consent Policy Works
- Sometimes a person's consent is required before you can use PII; if this is true, you must obtain consent
  - For example, our HIPAA Policy requires consent before a person's PHI can be shared for fundraising
- Sometimes you are required to collect PII; if this is true, you may use the PII even if the person objects
  - For example, our Communicable Diseases Policy mandates that you disclose some PHI for public health purposes
- In most cases, consent is not required; if this is true, you may collect the PII, but you offer individuals choice wherever possible

The Individual Rights Policy
- Demonstrates our commitment to:
  - Collecting PII directly from the individual, where possible
  - Giving individuals the ability to access, copy and amend their PII
  - Answering questions about our use and handling of PII
  - Trying to address individual privacy concerns

Individual Rights Policy: Why is Access Important?
- "Access" is the ability of a person to view the PII held by an organization
- This ability is usually complemented by an ability to update the information
- Access rights help ensure accuracy; this is especially important for PII used for substantive decision-making
- They also improve accountability: by viewing the PII held, individuals can confirm that we are complying with the promises in our privacy notices

Individual Rights Policy: Respecting Access Rights
- We have processes for evaluating access requests and providing access to PII
- We also have a process for updating PII, if it's not accurate
- REFER REQUESTS TO THE PRIVACY COORDINATOR OR PRIVACY OFFICER

The Minimum Necessary and Limited Use Principle
- Demonstrates our commitment to only collecting the PII that we really need for Agency business
- Requires us to give people choice when we collect PII that isn't strictly necessary for the process at hand

Minimum Necessary Policy: Why is Minimum Necessary Important?
- Demonstrates respect for privacy by addressing one of the most common concerns, "excessive" collection of PII
- Forces us to think about the purposes for the processing, and the purposes for each element of PII that we request
- Helps ensure we keep our privacy promises by limiting the opportunity for mission creep

Minimum Necessary Policy: Limit Collection of PII
- Determine what elements of PII you really need for a process, i.e., the PII you must collect
- If you wish to collect additional elements of PII, you MAY do so if:
  - You have a specific purpose for the PII, related to legitimate Agency business
  - That purpose is described in the privacy notice, AND
  - You offer individuals choice, so they can decline to provide the PII
- You may not require an individual to provide more than the minimum necessary PII

Minimum Necessary Policy: Limit Collection of PII, Example
- You run a state campground
- To enable camping, you must collect the person's name and payment information
- You may collect an emergency contact, in case something bad happens
- You may collect an address, in case you send happy camper newsletters
- You may collect demographic data or conduct surveys, in case you want to know more about your customers and what they'd like from your campground
- You cannot require emergency contacts, addresses or survey responses, but you may certainly ask
- Your privacy notice must address all the elements

Minimum Necessary Policy: Limit Disclosure of PII
- When disclosing PII to third parties (such as vendors or other agencies), only disclose those elements of PII that are needed by the third party
- Extract the required elements of PII, and don't share anything else
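As an added example (not code from the presentation), the collection and disclosure rules of the Minimum Necessary Policy applied to the campground scenario from the previous slide: required elements must be present, an optional element is accepted only if the notice states a purpose for it and the person chose to give it, and each third party receives only the elements it needs. The element names, the NOTICE purposes and the recipients in DISCLOSURE_ALLOWLIST are assumptions.

```python
# Added example, not from the presentation: the Minimum Necessary rules of the
# campground scenario encoded as checks. Element names, the recipient list and
# the sample form are constructed for illustration.

REQUIRED = {"name", "payment"}            # must be collected to enable camping
NOTICE = {                                 # optional elements and the purpose
    "emergency_contact": "reach someone if something bad happens",  # the notice states
    "address": "send happy camper newsletters",
    "survey": "learn what customers want from the campground",
}
# Elements each third party needs (assumed recipients, not from the slides).
DISCLOSURE_ALLOWLIST = {
    "payment_processor": {"name", "payment"},
    "newsletter_vendor": {"name", "address"},
}


def validate_collection(form, choices):
    """Return (ok, problems) for a submitted registration form.

    form: element -> value; choices: element -> True if the person chose to
    provide that optional element. Declining an optional element is never an
    error; collecting one without a notice purpose or without choice is."""
    problems = [f"missing required element: {e}" for e in sorted(REQUIRED)
                if not form.get(e)]
    for element, value in form.items():
        if element in REQUIRED or value in (None, ""):
            continue
        if element not in NOTICE:
            problems.append(f"'{element}' collected without a notice purpose")
        elif not choices.get(element):
            problems.append(f"'{element}' collected without the person's choice")
    return not problems, problems


def disclose(form, recipient):
    """Extract only the elements the recipient needs and share nothing else."""
    if recipient not in DISCLOSURE_ALLOWLIST:
        raise ValueError(f"no disclosure allowlist for {recipient!r}")
    return {k: v for k, v in form.items() if k in DISCLOSURE_ALLOWLIST[recipient]}


if __name__ == "__main__":
    # Constructed sample: camper gave an address by choice, declined the survey,
    # and a staff member typed in a date of birth that no notice covers.
    form = {"name": "A. Camper", "payment": "card-token-123",
            "address": "1 River Rd", "survey": "", "date_of_birth": "1980-01-01"}
    print(validate_collection(form, {"address": True}))
    print(disclose(form, "newsletter_vendor"))
```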

The Security Safeguards Policy
- You cannot respect privacy unless you secure the PII
- The Security Safeguards Policy requires each Agency to have appropriate controls to protect PII
- We protect the PII from (i) anticipated threats or hazards, and (ii) unauthorized access, use or disclosure
- We protect ALL PII, with special attention on sensitive PII
- We protect PII in all formats, paper or computerized
- We collaborate with the Office of Technology (OT) on information security requirements

Security Safeguards Policy: Comply with OT Policies
- The most important requirement is that you follow all the OT security rules
- Take a few moments to review these rules and make sure you understand exactly how they apply to your daily activities
- Ask questions if you aren't sure!
- Also review the Agency Acceptable Use Policy

Security Safeguards Policy: Security Incidents
- A "Security Incident" is any incident that compromises the security, confidentiality, or integrity of PII (with or without SPII)
- Unauthorized disclosures of PII are always security incidents
- Other examples:
  - Lost or stolen laptop or device (PDA, cell phone)
  - Lost or stolen storage media (memory stick, CD-ROM)
  - Lost or stolen paper records
  - Lost or compromised password or access card
  - Presence of viruses, spyware or other malicious code on a computer or device

Security Safeguards Policy: Security Incidents
- Even the very best organizations have security incidents
- Workers in the best organizations watch for incidents and report them immediately
- This allows the Privacy Officer and security teams to manage the risks and limit damage
- Your job is to report all incidents to your manager, the Privacy Officer or the Helpdesk as soon as you become aware of a problem!

The Accountability Policy
- Everyone is responsible for privacy and security
- Everyone has access to lots of PII and SPII: about your co-workers, the citizens we serve, our business partners
- It is your job to understand how the Privacy Policies apply to the PII you have
- It is your job to forward questions and complaints to your manager or the Privacy Officer
- It is also your job to tell us about any mistakes that might compromise or expose PII

The Accountability Policy: What It Means For You
- Read the Policies; be sure you understand how they apply to your day-to-day activities
- Ask questions; if you aren't sure of something, ask your manager or the Privacy Officer
- Don't be afraid to say no; you have the power to question anything that doesn't seem right!
- Call the OT Helpdesk if you have any security questions
- Report complaints, violations and mistakes IMMEDIATELY

The Accountability Policy: Names & Numbers to Know
- OT Helpdesk: (304)
- Agency Privacy Officer, WVDCH: Heather Butler, (304)
- Education and the Arts: Tiffany Redman, (304)

Questions & Comments