
Privacy Impact Assessment (PIA) Training
Presented by: Steve Muck, Office of the DON CIO
May 2012

Presentation transcript:

Slide 1: Privacy Impact Assessment (PIA) Training (title slide). Presented by Steve Muck, Office of the DON CIO, May 2012.

Slide 2: PIA Requirements
Federal Agency PIA Requirements
- Section 208 of the E-Government Act of 2002 requires all agencies to conduct PIAs for all new or substantially changed information systems that collect, maintain, or disseminate PII on the public.
- OMB Memo M-10-23 of June 25, 2010 requires PIAs for third-party websites that engage the public.
DoD PIA Requirements
- DoD Instruction 5400.16 expands coverage to include Federal personnel, contractors and foreign nationals employed at U.S. military facilities internationally.

Slide 3: SSN Reduction Plan
- Phase I: Navy and Marine Corps Forms Review (results)
- Phase II: IT System Review and DITPR-DON Program Changes (results)
- Phase III: Substitution of the Electronic Data Interchange Personal Identifier (EDIPI/DoD ID Number) for the SSN where possible (status/milestones)

Slide 4: SSN Reduction Phase 1 and 2 Results (as of 21 Nov 2011)
Phase 1 (forms):
  Number of official forms in DON: ~26,000
  Number of forms with SSNs: 8,886
  Number of forms cancelled: 1,790
  Number of forms that eliminated or substituted the SSN: 2,106
  Percent of forms that reduced the use of the SSN: 44%
Phase 2 (IT systems):
  Total number of IT systems in DITPR DON: 1,572
  Number of IT systems with SSNs: 205
  Number of corrections to the DITPR DON database: 264
  Number of IT systems that can eliminate or substitute the SSN: 52
  Percent of IT systems that can reduce the use of the SSN: 25%

Slide 5: What is a PIA?
"Privacy Impact Assessment (PIA) is an analysis of how information is handled:
(i) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy;
(ii) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system;
(iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks."
OMB 03-22 (9/26/2003); see EGOV 208(b).

Slide 6: Essential Elements of the PIA
- What privacy information is collected
- Why the information is collected
- What the intended uses are for the information
- With whom the information is shared
- What opportunities individuals have to decline to provide PII
- How information is secured
- Whether a System of Records Notice (SORN) exists or is required
- What privacy risks need to be addressed

Slide 7: When is a PIA* Required for DoD?
When PII is collected, a PIA is required for:
- Existing DoD information systems and electronic collections where a PIA has not previously been completed, including systems that collect PII about Federal personnel and contractors
- New DoD information systems or electronic collections:
  - prior to developing or purchasing
  - when converting paper-based records to electronic systems
- Contractor-owned systems that collect PII on "Federal personnel, contractors and foreign nationals employed at U.S. military facilities internationally"
- Third-party websites that engage the public
* Note: When DoD refers to PIAs, they are only talking about "full-blown" PIAs for systems that "collect, maintain, use... PII."

Slide 8: Highlights of OMB Guidance M-10-23
This Memorandum requires Federal agencies to take specific steps to protect individual privacy whenever they use third-party websites and applications to engage with the public.
Scope: This Memorandum applies to any Federal agency use of third-party websites or applications to engage with the public for the purpose of implementing the principles of the Open Government Directive. The guidance also applies when an agency relies on a contractor (or other non-Federal entity) to operate a third-party website or application to engage with the public on the agency's behalf.

Slide 9: Highlights of M-10-23 – Social Media
- A PIA is required if the agency's use of a third-party website or application makes PII available to the agency.
- Make PII available: when any agency action causes PII to become available or accessible to the agency, whether or not the agency solicits or collects it. This can include activities commonly referred to as "friending," "following," "liking," joining a "group," becoming a "fan" and comparable functions.
- A PIA can cover multiple websites or applications that are functionally comparable and whose practices are substantially similar.
- If an agency's use of a website or application raises distinct privacy risks, the agency should prepare a PIA that is exclusive to that website or application.

Slide 10: Adapted PIA Questions
- What is the specific purpose of the component's use of the third-party website or application?
- List any PII that is likely to become available to the component through public use of the third-party website or application.
- What is the component's intended or expected use of PII?
- With whom will the component share PII?
- Describe if and how the component will maintain PII, and for how long.
- Describe how the component will secure PII that it uses or maintains.
- Describe what other privacy risks exist and how the component will mitigate those risks.
- Describe whether the component's activities will create or modify a "system of records" under the Privacy Act.

Slide 11: When is a PIA not Required?
When the DoD information system or electronic collection:
- Does not collect, maintain, use, and/or disseminate sensitive PII
- Is a National Security System (including systems that process classified information)
However...

Slide 12: DON "Abbreviated" PIAs
When the DoD information system or electronic collection:
- Does not collect, maintain, use, and/or disseminate sensitive PII: provide the front page of the template and check "NO"; obtain signature(s) in Section 4. Ensure the DITPR-DON responses indicate that the system does not collect PII or SSNs.
- Collects only Internal Government Operations/Business Related PII (i.e., non-sensitive PII): provide the front page and check "who"; in Section 3 (PII table) check Name and Other and list the PII elements in the text box; obtain signature(s) in Section 4. Ensure the DITPR-DON responses indicate that the system does collect PII, does not collect SSNs, that a PIA is not required, and that the reason given in the text box is: "A PIA is not required per DON CIO since the PII collected is Internal Government Operations (i.e., business related) or non-sensitive PII and the risk of harm to the individual or identity theft is considered extremely unlikely."
Note: DON CIO does not sign the abbreviated PIAs. Their purpose is for Echelon II to review the system and verify what information is in fact collected. NETWARCOM will accept these abbreviated PIAs for the C&A process.

Slide 13: Sensitive and Non-Sensitive PII
"Sensitive" PII, which may cause harm to an individual if lost or compromised:
- Financial information: bank account #, credit card #, bank routing #
- Medical data: diagnoses, treatment, medical history
- Full Social Security Number (use of a truncated SSN is better, but still a risk)
- National Security Personnel System (NSPS): personnel ratings and pay pool information
- Place and date of birth
- Mother's maiden name
- Passport #
- Numerous low-risk PII elements aggregated and linked to a name
"Non-sensitive" PII (Internal Government Operations/Business related PII), all releasable under FOIA or authorized for use under DON policy:
- Badge number
- Job title
- Pay grade
- Office phone number
- Office address
- Office email address*
- Lineal numbers
- Full name*
* Cautionary note: growing problem with email phishing.

Slide 14: PIA Template (DD Form 2930)
- Provides a more comprehensive tool than previous templates
- Detailed risk analysis questions
- In-depth PII table for selection of sensitive PII elements
- Technical, administrative and physical control list provided
- Interactive form with check boxes, radio buttons, and tables
- Digital signatures (PDF version)
- MS Word version also available (always use the PDF version if at all possible)

Slide 15: DON CIO Website PIA Resources

Slide 16: DON CIO Inventory of Approved PIAs

Slide 17: "The Gouge"
"The Gouge" (Navy slang): the inside scoop, the skinny, the low down. The only information you need to know in a given situation, with nothing else to waste your time.
We've taken a blank PIA Template and provided amplifying information to select questions and provided suggested responses based on what we've learned over the past several years. Following the Gouge as you complete your PIA will ensure that your PIA is as close to "review ready" as possible.
The current Gouge is being updated and will be available on the DON CIO website at http://www.doncio.navy.mil/privacy under "PIA Resources".
For Navy, identify and submit through your Echelon II/Headquarters PIA POC. For Marine Corps, submit through HQ C4.

Slide 18: "The Gouge"
Things to consider as you complete your PIA:
- Ensure consistency between the DITPR-DON and your PIA responses (e.g., ATO, DITPR ID #, Public/Federal collection, PII/SSN collected, etc.). Always ensure that all of the PIA/PA/Privacy questions in the DITPR DON are answered and accurate.
- In the DITPR DON and in the PIA Template, "Component" and "Component CIO" mean "DON" and "DON CIO" respectively.
- Ensure consistency between the SORN and your PIA responses (e.g., purpose, PII elements, authorities, etc.).

Slide 19: "The Gouge"
- Your "Authorities to Collect Information" in the PIA should not only match those in the SORN (which tend to be very broad), but should also include at least one additional authority that specifically "authorizes", "establishes", "cites", etc. the IT System, specifically authorizing it to collect information. This could be a statute, instruction, directive, manual, memo, etc.
- When responding to questions in the template, remember that you're concerned with protecting the PII that is collected, used, maintained and/or disseminated by this IT System. Don't confuse your response with other information outside of the system unless it is necessary to the understanding of the purpose/operation of the system.
- If the source of the PII for your system isn't the individual, many questions can simply be answered "PII is not collected from the individual".

Slide 20: "The Gouge"
- The PII elements listed in Section 3 of the template, when linked to a name, have the potential to cause harm to an individual or increase the risk of identity theft.
- If the PII elements are work or business related, known as "Internal Government Operations" PII, list these elements in the text box provided and check "Other" in Section 3.
- Use Section 3 and the list of PII elements collected as an opportunity to question the System Owner about whether their collection is necessary.
- The first four signature blocks are for use by the command/echelon completing and submitting the PIA. The last two signature blocks are used by OPNAV DNS-36 (Privacy Act Program Branch) and DON CIO. Use the "Title" text box to provide your exact title if the preprinted information isn't correct. The PIA template is a DoD Form used by the Services and other DoD agencies.

Slide 21: "The Gouge"
If you have any questions, don't hesitate to consult the PIA Resources on the DON CIO website, call your headquarters privacy rep, or call the DON CIO Privacy Team. Be prompt with comment resolution!

Slide 22: Two New Changes
Unique Project Identifier (UPI)
- The UPI has recently changed to the Unique Investment Identifier (UII).
- Instead of looking up the UPI in a table using the BIN, the UII is simply 007-00000XXXX where "XXXX" is the BIN.
OMB Control Number
- An OMB Control Number is required when a system collects PII on ten or more members of the public in a 12-month period.
- Before a SORN or a change to a SORN will be accepted by DoD for review and approval, the system must either have an OMB Control Number or you must provide the date when the OMB Control Number was requested.
- Before your PIA can be approved by DON CIO, you must have a SORN or provide the date when the SORN was sent to the DPCLO.
- BLUF: the OMB Control Number controls approval of the SORN, which in turn controls approval of the PIA.

Slide 23: Additional Things to Consider
- PIAs on NETWORKS, SERVERS, SWITCHES, LABORATORIES, BUILDINGS, etc. are not required. PIAs are required for the IT Systems that ride on a NETWORK, usually those registered in DITPR DON and/or DADMS.
- We do not require PIAs on spreadsheets, shared drives, "unstructured" data, etc. However, the PII collected must still be protected (i.e., marked properly, access restricted to only those with an official need to know, etc.).
- Focus on the IT System's purpose: if the purpose of the system is not to collect PII, then a "full-blown" PIA is not required.
- When it's possible to enter PII into a system whose purpose does not include the collection of PII (e.g., text boxes that allow entry of any form of data), a best practice would be to post a warning not to enter PII into the system. The warning could be in the form of a banner, a pop-up window, etc.

Slide 24: Last thoughts...
- Privacy and protection of PII are extremely important.
- High visibility with OMB, NAVAUDIT and GAO, especially for public collections.
- DoD Instruction 5400.16, "DoD Privacy Impact Assessment (PIA) Guidance," located at: http://www.doncio.navy.mil/PolicyView.aspx?ID=892
- DoD PIA Template FORM 2930, located at: http://www.doncio.navy.mil/ContentView.aspx?ID=810
- New PIA Addendum: will provide justification for the collection of SSNs when applicable.
- Investment Review Board: DITPR-DON accuracy. New questions have been added to the DITPR DON related to SSN reduction. Ensure all questions are answered and, if the continued collection of the SSN is required, that a justification memo signed by a Flag/SES or an individual given by-direction signature authority is provided/uploaded.

Slide 25: System of Records Notices

Slide 26: SORN Policy
Privacy Act Requirements: The Privacy Act of 1974, as amended, 5 U.S.C. 552a, Public Law 93-579, requires all agencies to publish a "system of records notice" (SORN) in the Federal Register for any agency-maintained information technology (IT) system or paper file system that contains information on individuals and retrieves the information by a personal identifier.

Slide 27: Legal Authority for SORNs
- Federal: OMB Memorandum 03-22, "Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002"
- DoD: DoD Directive 5400.11-R. The Defense Privacy and Civil Liberties Office (DPCLO) implements the DoD Privacy Program.
- DON: SECNAVINST 5211.5E. The Navy Privacy Act Program Office (DNS-36) implements the Navy Privacy Program.

Slide 28: Definition of a SORN
5 USC 552(a)(5): "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual."

Slide 29: Example Navy SORNs

Slide 30: Retrieval Practices
SECNAVINST 5211.5E, section 19.b: In order to trigger the SORN requirements of the Privacy Act, records must actually be retrieved by a personal identifier (name, SSN, date of birth, etc.). Accordingly, a record that contains information about an individual but IS NOT RETRIEVED by a personal identifier does not qualify as a system of records under the provisions of the Privacy Act.
Mere collection of PII is not enough to trigger the SORN requirements of the Privacy Act, although it may be enough to trigger a privacy impact assessment (PIA).

Slide 31: SORN Content
1. System identifier
2. System name
3. System location
4. Categories of individuals covered by the system
5. Categories of records in the system
6. Authority for maintenance of the system
7. Purpose(s)
8. Routine uses
9. Storage
10. Retrievability
11. Safeguards
12. Retention and disposal
13. System manager(s) and address
14. Notification procedures
15. Record access procedures
16. Contesting record procedures
17. Record source categories
18. Exemptions claimed for the system

Slide 32: SORN Narrative Statement
1. System identifier and name
2. Responsible official
3. Purpose of establishing the system
4. Authority for maintenance of the system
5. Probable or potential effects on the privacy of individuals
6. Is the system, in whole or in part, being maintained by a contractor?
7. Steps taken to minimize risk of unauthorized access
8. Routine use compatibility
9. OMB information collection requirements
10. Supporting documentation
11. Name of IT system

Slide 33: Navy SORN Approval Process
Step 1. The system manager/owner drafts the SORN and an accompanying narrative statement for review/approval by the command's Privacy Program Manager.
Step 2. Once the command's Privacy Program Manager approves the SORN package, it is routed to DNS-36. (If the proponent is an echelon III command, the documents are first sent to the echelon II command's Privacy Program Manager.)
Step 3. Once DNS-36 reviews the package for duplicates of existing SORNs and conflicts with DON policy, it recommends approval to DPCLO.
Step 4. Once DPCLO reviews and approves the package, it is routed to Congress and the Federal Register for publication.

Slide 34: Distinction between SORN and PIA Requirements
- A SORN is not a PIA. In most cases, a SORN and a PIA will both be required, since IT systems that collect PII (requiring a PIA) can usually also retrieve by personal identifier (requiring a SORN); however, in some cases only a PIA will be required.
- The PIA should be initiated at the beginning of system development and issued alongside the SORN. The PIA informs the drafting of the SORN.
- If an existing collection of information with a completed PIA and SORN updates or changes its technology, the PIA must be updated to analyze the new privacy impacts of the technology. The SORN covering the system must also be reviewed to ensure its continuing completeness and accuracy.

Slide 35: "The Gouge"
- The DoD PIA template (DD Form 2930) is a tool that asks a series of basic questions, including whether additional privacy analysis and documentation are required, such as a SORN.
- DD Form 2930 Section 2.d: Does the system or electronic collection have an existing SORN? PIA and SORN information should be consistent.
- DD Form 2930 Section 2.f: When a PIA is updated and one or more (usually more system-specific) authorities are added, make sure these additional authorities are added to the SORN the next time it is updated.

Slide 36: DON Privacy POCs
- Steve Muck, DON CIO, DON Privacy Team Lead. Phone: (703) 695-1297. Email: steven.muck@navy.mil
- Steve Daughety, DON CIO. Phone: (703) 602-6393. Email: steve.daughety1.ctr@navy.mil
- Robin Patterson, OPNAV DNS-36, DON Privacy Act Program Manager. Phone: (202) 685-6545. Email: robin.patterson@navy.mil
- Deborah Contaoi, OPNAV DNS-36. Phone: (202) 685-6546. Email: teri.contaoi.ctr@navy.mil
- Vacant, HQMC C4 Cyber Security Division, PII/PIA Analyst. Phone: (571) 256-8876. Email: XXX.XXX@hqmc.mil
- Barbara Figueroa, DON Forms Manager (DNS 51). Phone: (202) 433-2835. Email: barbara.figueroa@navy.mil
- Laurie Somers, HQMC. Phone: (703) 6614-2951. Email: laurie.somers@hqmc.mil
www.doncio.navy.mil/privacy

Slide 37: QUESTIONS?

