Presentation transcript: "Department of Commerce Privacy Awareness"
1 Department of Commerce Privacy Awareness

Welcome to Privacy Awareness Training. I am Dan Rooney, the Commerce Records and Forms Management Officer, and I will be briefing you. This module should take approximately 20 minutes.
2 What is privacy protection?

Privacy protection includes the protection of the personal privacy rights of individuals from the unauthorized collection, maintenance, use, and disclosure of personal information about them.
When DOC does collect personal information, we have a duty and responsibility to protect that information from misuse.
Business identifiable information received by DOC must be similarly protected, in accordance with applicable laws.

Rapid advancements in computer technology make it possible to store and retrieve vast amounts of data of all kinds quickly and efficiently. These advancements have raised concerns about the impact of information technology, or IT, systems on the privacy of individuals and businesses. The Department of Commerce is committed to protecting identifiable information collected from individuals and businesses to the extent permitted by law. Privacy protection includes ensuring that personal information is not collected, maintained, used, or disclosed without proper authority. If personal information is collected, Commerce has an affirmative responsibility to ensure that it is not misused. As a matter of policy, Commerce has also determined that business identifiable information should be protected in a similar manner.
3 Your responsibilities to protect privacy

As a Commerce employee, you are responsible and accountable for:
knowing what constitutes personal information and business identifiable information;
handling personal and business identifiable information;
protecting personal and business identifiable information; and
following all laws, rules, regulations, and Departmental policies regarding personal and business identifiable information.

The Department of Commerce must rely on its employees to ensure that personal and business identifiable information received and maintained by Commerce is protected. The purpose of this training is to ensure that you are able to identify identifiable information that must be protected and have the knowledge and understanding of the applicable laws, rules, regulations, and policies so that you can follow them in your daily work.
4 DOC privacy principles

The Department of Commerce has adopted the following privacy principles:
Data Minimization – Commerce will collect the minimal amount of information necessary from individuals and businesses consistent with the Department’s mission and legal requirements.
Transparency – Notice covering the purpose of the collection and use of personally identifiable information will be provided in a clear manner. Information collected will not be used for any other purpose unless authorized or mandated by law.
Accuracy – Information collected will be maintained in a sufficiently accurate, timely, and complete manner to ensure that the interests of the individuals and businesses are protected.
Security – Adequate physical and IT security measures will be implemented to ensure that the collection, use, and maintenance of personally identifiable information is properly safeguarded and the information is promptly destroyed in accordance with approved records control schedules.

The Department has adopted four privacy principles to serve as guides for the collection, maintenance, use, and disclosure of identifiable information. These principles reflect the Department’s stewardship responsibility for the information entrusted to it.
5 Key privacy laws

Privacy Act of 1974
Freedom of Information Act (FOIA)
E-Government Act of 2002
Additional privacy laws regulate other areas, such as government access to bank and other financial records, identity theft, trade secrets, health records, and education records.
The Trade Secrets Act (18 USC 1905) provides criminal penalties for the unauthorized disclosure by the government of confidential commercial information.

Among the federal laws and guidance that relate to the protection of privacy for individuals and businesses, the key privacy laws are the Privacy Act of 1974, the Freedom of Information Act, and Section 208 of the E-Government Act. Other laws protect the privacy or confidentiality of health records, trade secrets, education records, and other personal and business identifiable information.
6 Privacy Act of 1974

Regulates how federal agencies collect, maintain, use, and disclose individuals’ information maintained in a Privacy Act system of records. This includes information pertaining to federal employees as well as the public.
Requires federal agencies to publish systems of records notices so that the public is aware of what Privacy Act records are being maintained and under what authority.
Requires that information about individuals maintained in a Privacy Act system of records be accurate.
Allows individuals to access and seek to amend their Privacy Act records.

The Privacy Act of 1974 regulates the Federal Government’s collection, use, maintenance, and dissemination of information about individuals. It provides broad protection to individuals by requiring that federal agencies publish system of records notices so that the public is aware of what Privacy Act records are being maintained and under what authority; requires that the information be accurate; and allows individuals to access their personal information and seek to amend or correct it.
7 Freedom of Information Act (FOIA) and privacy

The FOIA allows public access to all agency records not protected from disclosure by a FOIA exemption.
As a federal employee, certain government information about your employment may be disclosed, such as your position description, title, series, salary, and monetary award amounts.

The Freedom of Information Act, or FOIA, allows public access to all agency records not protected from disclosure by one of the exemptions specified in the Act. Although the FOIA protects personal information, certain government information about federal employees, such as position description and salary, may be disclosed because it has been determined that the public has a right to this information.
8 FOIA personal privacy exemptions

FOIA provides two separate exemptions to protect individuals’ private information contained in agency records.
Exemption (b)(6) protects from disclosure information about individuals in "personnel and medical files and similar files" when the disclosure of such information "would constitute a clearly unwarranted invasion of personal privacy."
Exemption (b)(7)(C) provides protection for personal information in law enforcement records. This exemption is the law enforcement counterpart to Exemption (b)(6).

In conformity with the Privacy Act, FOIA includes two exemptions that protect personal information. The first is very broad and exempts from disclosure any personal information that “would constitute a clearly unwarranted invasion of personal privacy”. The second exemption has the same effect as the first except that it applies specifically to law enforcement records.
9 FOIA exemption for commercial information

Exemption (b)(4) protects from disclosure “trade secrets and commercial and financial information obtained from a person [that is] privileged and confidential”.
“Commercial” is not confined to records that reveal “basic commercial operations” but includes any records [or information] in which the submitter has a “commercial interest” and can include information submitted by a nonprofit entity.

In conformity with the Trade Secrets Act, FOIA protects from disclosure trade secrets and commercial and financial information obtained from a person that is privileged and confidential. The term “commercial” is broadly defined, and a person may be a corporation, sole proprietor, or nonprofit entity.
10 E-Government Act of 2002

Requires that every federal agency conduct a Privacy Impact Assessment on each of its information technology systems under development that will contain personally identifiable information.
As a matter of policy, Commerce also requires that a Privacy Impact Assessment be conducted when developing systems that will contain business identifiable information.
The purpose of the Privacy Impact Assessment is to ensure that there is no collection, storage, access, use, or dissemination of identifiable information from or about members of the general public and businesses that is not needed or authorized, and that identifiable information that is collected is adequately protected.

Section 208, Privacy Provisions, of the E-Government Act establishes procedures to ensure the privacy of personal information in electronic records. It requires that every federal agency conduct a Privacy Impact Assessment, or PIA, on each of its IT systems under development that will contain personally identifiable information. As a matter of policy, Commerce requires that a PIA also be conducted for IT systems under development that will contain business identifiable information. In both cases, the requirement applies to new systems or systems that are being substantially modified, not to existing or “legacy” systems. The PIA provides a systemic process and evidence that privacy concerns were addressed and that adequate privacy protections were incorporated into the system development.
12 What is personal information?

Personal information is “any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.” (Section 208(d) of the E-Government Act of 2002). Examples include:
Lists of the names of visitors to buildings or offices;
Pay and personnel records;
Photographs of individuals captured on surveillance cameras installed to ensure the security of buildings or locations;
A biometric system that uses voice recognition technology to allow individuals access to certain controlled areas.

Personal information is “any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.” The examples shown are only a few of the kinds of records that contain personal information. Employees should be constantly aware of the nature of the information they are working with on a daily basis to ensure that they take effective steps to protect it from anyone, including other employees, who does not have a need to know the information.
13 Where will you encounter personal information?

Entering data into a time and attendance system;
Processing a personnel action;
Reviewing a performance award nomination file;
Building a new database that is being filled with personal information;
Searching an existing database for individuals that meet certain criteria;
Receiving personal information from another agency;
Entering information into an employee medical file.

You may encounter personal information in many different circumstances and settings. Remain conscious and aware of the fact that you are working with personal information and take steps to ensure that it is adequately protected.
14 How do you protect personal information (1)?

Consider all personal information given to you, either written or verbal, as sensitive.
Provide personal information only to those who have a “need to know.”
Use personal information ONLY for official purposes.
Provide access to an individual’s information only if you have specific authority to do so.
Secure personal information with appropriate passwords and locks.

This and the following slide indicate steps that you can take to protect personal information. However, before you can take these steps, you must first sensitize yourself to automatically identify personal information when you encounter it and to become conscious that it requires specialized handling. For example, do not dispose of documents with personal information in the trash can or recycling bin. These records must be disposed of in a “burn bag” or by shredding.
15 How do you protect personal information (2)?

Not all personal information is exempt from disclosure to the public, e.g., name, title, grade, and office phone number of federal employees.
Contact your FOIA/PA Officer for guidance on personal information that may be released.
When creating a new system or significantly modifying a legacy system that contains personal information, conduct a Privacy Impact Assessment and contact your Operating Unit FOIA/Privacy Act Officer.

If you have any questions about which records require privacy protection, ask your supervisor or a senior person in your office or contact your operating unit FOIA/Privacy Act Officer.
17 Business identifiable information (2)

Not all business identifiable information is exempt from disclosure, e.g., annual financial reports of public corporations. Contact your FOIA/PA Officer for guidance.
Other terms for business identifiable information that must be protected from disclosure are:
“confidential business information”
“confidential commercial information”
“proprietary information”

Not all business identifiable information is exempt from disclosure. Examples include annual financial reports of public corporations and similar public documents. Your FOIA/Privacy Act Office can provide additional guidance. Other terms for business identifiable information that must be protected from disclosure are confidential business information, confidential commercial information, and proprietary information.
18 Examples of business identifiable information in Commerce

Financial information provided in response to requests for economic census data;
Business plans and marketing data provided to participate in trade development events;
Commercial and financial information collected as part of export enforcement actions;
Proprietary information provided in support of a grant application or related to a federal acquisition action;
Financial records collected as part of an investigation.

The Department of Commerce collects and maintains a vast amount of business identifiable information that is provided with the condition that it not be released in an identifiable form. This slide identifies examples of business identifiable information in Commerce. The Census Bureau, Bureau of Industry and Security, Bureau of Economic Analysis, and the U.S. Patent and Trademark Office are among the Commerce operating units that collect and maintain business identifiable information.
19 Examples of privacy violations

Violations include:
Requesting, obtaining, or using records under false pretenses
Maintaining inaccurate Privacy Act records that result in adverse action
Maintaining a Privacy Act system of records that has not been disclosed in a published notice
Failure to conduct a Privacy Impact Assessment when required
Disclosing business identifiable information that is protected from disclosure, in violation of the Trade Secrets Act or other laws and regulations
Penalties for violations could include:
DOC disciplinary action
Civil action against DOC and/or the employee
Criminal prosecution of the employee

Failure to protect the personal privacy rights of individuals could have a serious adverse impact on the individual citizen and expose the Federal Government and the offending employee to legal liability. An individual injured by the public release of personal information may sue the federal agency and the employee personally for damages. In addition, the agency may take disciplinary action against an employee for a privacy violation, including those that do not involve the release of personal information but are administrative in nature.
20 Scenario

Your office has been investigating an incident that involves a Commerce employee who is being disciplined. You want to share all the details in the case file with your buddy over lunch.
Can you gossip about what’s in the file?
ANSWER: No. You need to keep all information provided to you private and only give it to those who “need to know”. Your buddy doesn’t “need to know.”

This and the following few slides present some common situations where privacy awareness and good judgment are necessary. This first scenario involves a very common human foible, the desire to gossip. In this case, the information comes from an official case file and you learned about the incident as part of your official duties. It is a privacy violation to share the information with your buddy, even if you are not sharing the underlying case file. Additionally, this is not “harmless” gossip: sharing it could harm the employee’s standing in the office and be very hurtful if he or she were to learn that others were aware of the disciplinary action.
21 Scenario

A Commerce OIG inspector comes to your office and asks to see the case file of an employee who is being investigated so that he or she may conduct an official progress review of the investigation.
Do you hand over these records?
ANSWER: Yes, but first ask to see the inspector’s credentials. The inspector “needs to know” the information you have in order to complete his or her official investigation.

In this case, there is an official request, and the inspector has a need to know. You have an obligation to provide the records.
22 Scenario

Your office has decided to enter into a contract with a private sector company that maintains databases with personal information to test a new modeling system that can be used to identify violators of export controls. This is a new system. You will be accessing their information and storing the results in your computer system.
Do you need a Privacy Impact Assessment and/or a System of Records Notice (SORN)?
ANSWER: Yes, you need both. Contact your Operating Unit FOIA/Privacy Act Officer to ensure that a SORN has been completed. Privacy Impact Assessments and SORNs should be completed prior to the signing of a contract so that privacy may be fully considered. In fact, potential contractors should address privacy issues in their proposals to DOC.

The requirement for a System of Records Notice is rooted in the Privacy Act of 1974 and is long standing. The requirement for a Privacy Impact Assessment, or PIA, is more recent, resulting from the E-Government Act. In Commerce, PIAs must be developed for new or substantially modified IT systems that contain personal information or business identifiable information.
23 Scenario

In your position as an economist, you receive from corporations proprietary data and other confidential business identifiable information that is provided solely for the purpose of developing national economic and statistical reports that do not include identifiable information.
May you use the information received to pick stocks?
ANSWER: No. You are responsible for protecting business identifiable information from unauthorized release or misuse. Using the information to further your personal financial interests could result in disciplinary action.

You may not use confidential business information that you receive in your official capacity to pick stocks or for any personal financial gain. You are responsible for ensuring that the information is not misused by you, family members, or anyone else. To act otherwise could result in disciplinary action.
24 Scenario

A citizen calls you at your desk and asks for a copy of “everything DOC has on me.” She says if you don’t give the information to her, she’s going to take this all the way to the Supreme Court.
What do you do?
ANSWER: Inform the individual that she may send a FOIA or PA request electronically to or by mail or fax ( ). More information is at

Any request for records should be directed to your operating unit FOIA/Privacy Act Officer or the Commerce FOIA/Privacy Act Officer, especially one as broad as the example on this slide. Requests sent to will be logged and transmitted to the appropriate operating unit FOIA/Privacy Act Officer for processing.
25 Rules for protecting personal information and business identifiable information

It is your responsibility to protect personal information and business identifiable information that is exempt from disclosure.
Think before you disclose.
Consider all personal information given to you as sensitive.
Protect business identifiable information in a similar manner as personal information.

Remember these simple rules: First, you are responsible for protecting personal and business identifiable information that has been entrusted to your care. Second, always be aware of what is personal or business identifiable information so that you do not disclose it inadvertently. Third, consider all personal information as sensitive, regardless of how innocuous or unimportant it may seem. What you think of as unimportant may be sensitive to the individual concerned. Fourth, protect business identifiable information as though it were personal information.
26 Questions?

Brenda Dolan, DOC FOIA/Privacy Act Officer,
Your operating unit FOIA/PA Officer. See list at
For IT privacy, records management, E-Government Act, and Privacy Impact Assessment issues: Dan Rooney,

If you have any questions about this training, please contact me. My contact information is on the slide. Also on the slide is contact information for the Commerce and operating unit FOIA/Privacy Act Officers. They can provide information and respond to questions about the FOIA and Privacy Act. Thank you for your attention. I hope that you have found this training useful and informative.