Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Privacy Office U.S. Department of Homeland Security Washington, DC 20528 t: 703-235-0780; f: 703-235-0442 Safeguarding.

Published byHester Dalton Modified over 9 years ago

Similar presentations

Presentation on theme: "The Privacy Office U.S. Department of Homeland Security Washington, DC 20528 t: 703-235-0780; f: 703-235-0442 Safeguarding."— Presentation transcript:

1 The Privacy Office U.S. Department of Homeland Security Washington, DC 20528 t: 703-235-0780; f: 703-235-0442 privacy@dhs.gov; www.dhs.gov/privacy Safeguarding PII

2 The DHS Privacy Office May 14, 2015: slide 2 Agenda Why Privacy is Important Personally Identifiable Information Sensitive PII Handling PII in a DHS System Handling PII Extracted from a DHS System Handling PII Outside of a DHS System Privacy Incident Reporting

3 The DHS Privacy Office May 14, 2015: slide 3 Why is Privacy Important? To earn and keep public trust –If the public no longer trusts DHS to protect their PII, we may find public support for DHS programs will erode. To prevent identity theft –Identity thieves do not discriminate based on a person’s immigration status, and neither does DHS when protecting the PII it collects and maintains. To prevent privacy incidents –Incidents are reported in national news, which erodes the public’s trust in those agencies, and are expensive to mitigate. It’s the law. –Failure to follow these laws may result in civil or criminal penalties for you, your supervisors, and/or colleagues.

4 The DHS Privacy Office May 14, 2015: slide 4 Personally Identifiable Information

5 The DHS Privacy Office May 14, 2015: slide 5 Potential for substantial harm, embarrassment, inconvenience, or unfairness to an individual Single data elements –social security, driver's license, or financial account number Combinations of data –citizenship or immigration status; medical information; ethnic, religious, sexual orientation; in conjunction with the identity of an individual Context of data –a list of names of employees with poor performance ratings. Sensitive PII

6 The DHS Privacy Office May 14, 2015: slide 6 Handling PII in a DHS System Only access what you need-to- know. –Do not browse Only use PII for approved purposes. –Use should be compatible with purpose of the system Protect against “shoulder surfing” and eavesdropping. Only access systems using DHS equipment. –Including teleworkers

7 The DHS Privacy Office May 14, 2015: slide 7 Handling SPII Extracts Obtain approval before extracting PII from a DHS system. Secure portable media containing SPII. Carry on laptops when flying instead of checking and do not leave unattended in hotel room. –Encrypt SPII when transferred outside of DHS, such as to a non-DHS email address. –If extract is not part of system SOP, log and track the extract to ensure it is not lost.

8 The DHS Privacy Office May 14, 2015: slide 8 Handling PII Outside of a System Do not create duplicate, ancillary, “shadow,” or “under the radar” files with PII. Only use DHS-approved forms (paper or electronic) to collect PII from 10 or more individuals. Check with the DHS Privacy Office and I&A counsel. –You may inadvertently create a privacy sensitive system that is out of compliance with law and policy. –Subject to civil, criminal, administrative penalties

9 Privacy Incidents and Your Responsibilities

10 The DHS Privacy Office May 14, 2015: slide 10 TJX Says Customer Data was Stolen TSA Suffers Data Loss; Lawmakers Watch Closely VA Sets Aside $20 Million to Handle Latest Data Breach Cost of Privacy Incident: $90 to $130 Per Record Compromised Think Your SSN is Secure? Think Again…

11 The DHS Privacy Office May 14, 2015: slide 11 Privacy Incidents Report any loss, theft, or unauthorized disclosures of PII to the Program Manager, Privacy POC, or ISSM. –Report as soon as suspected or confirmed. –Report whether intentional or inadvertent. –Report regardless of perceived risk. Do not further compromise the information by forwarding or replying “to all.”

12 What is a Privacy Incident? A suspected or confirmed: –loss of control –compromise –unauthorized disclosure –unauthorized acquisition –unauthorized access –or any other situation where persons other than authorized users and for an unauthorized purpose have access or potential access To PII whether in hard copy or electronic form

13 Privacy Incident Harms Harm to Component/Department Harm to individuals Privacy Act – Ensure the security and confidentiality of records to protect against –Substantial harm –Embarrassment –Inconvenience –Unfairness –Risk of economic harm, identity theft, or fraud –Risk of harm to the security or integrity of the information system –Potential for blackmail, mental pain, or emotional distress –Disclosure of private facts (OMB Memorandum 07-16)

14 Examples of Privacy Incidents Theft of a laptop containing rosters of emergency responders Lost or stolen thumb drive or portable hard drive of PII Shipper loses a package of employee applications Loss of a hard drive with current and former DHS employee SSNs Unauthorized access to personnel files Employee roster posted on agency website, disclosing name, personal cell phone number, and home address Email containing payroll information transmitted from government email account to a personal email account Key logger gains access to a computer and its accounts

15 Your examples ?

16 Obligation to Safeguard Sensitive PII Apply “Need to know” principle before disclosing PII to other personnel Challenge requested need for PII before sharing Limit PII to official use only PII may only be collected for an authorized purpose

17 You Must Report Privacy Incidents Employees and Contractors Must Report all incidents involving PII, both suspected and confirmed, to your DHS Program Manager upon detection If DHS Program Manager is not available, report to DHS Help Desk

18 Why Do Privacy Incidents Occur? Loss of control –PII data is emailed to unauthorized individuals –Physical equipment containing PII is lost or stolen –Paper records are mishandled either in mail or through incorrect disposal methods Unauthorized access to sensitive systems –Hacker gains access to secure data system –Access permission is given to individuals without a “Need to Know” Human Error

19 Possible Consequences Disciplinary action for failure to comply with DHS security and privacy policies Any person who knowingly and willfully discloses protected Privacy Act information in any manner to any person or agency not entitled to receive it, is subject to criminal and civil penalties under the Privacy Act

20

21 The DHS Privacy Office May 14, 2015: slide 21 The Privacy Office U.S. Department of Homeland Security Washington, DC 20528 t: 703-235-0780; f: 703-235-0442 privacy@dhs.gov; www.dhs.gov/privacy

Download ppt "The Privacy Office U.S. Department of Homeland Security Washington, DC 20528 t: 703-235-0780; f: 703-235-0442 Safeguarding."

Similar presentations

HIPAA Health Insurance Portability and Accountability Act of 1996

HIPAA Health Insurance Portability and Accountability Act of 1996
HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.

HITECH ACT Privacy & Security Requirements Cathleen Casagrande Privacy Officer July 23, 2009.
Overview of the Privacy Act

Overview of the Privacy Act
Office of Health, Safety and Security

Office of Health, Safety and Security
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website: www.mc.vanderbilt.edu/HIPAA.

HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:
Confidentiality and HIPAA

Confidentiality and HIPAA
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
June 04, 2013 Robin Thomas, NC III, Presenter. PRIVACY BREACHES A privacy breach is an unauthorized disclosure of PHI/PCI violating either Federal or.

June 04, 2013 Robin Thomas, NC III, Presenter. PRIVACY BREACHES A privacy breach is an unauthorized disclosure of PHI/PCI violating either Federal or.
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.

A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.
PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,

PRIVACY BREACHES A “breach of the security of the system”: –Is the “unauthorized acquisition of computerized data that compromises the security, confidentiality,
1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.

1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.
VIU Workshop: Creating a Culture of Privacy Awareness June 12, 2013 By Justin Hodkinson OIPC Policy Analyst/Investigator Office of the Information & Privacy.

VIU Workshop: Creating a Culture of Privacy Awareness June 12, 2013 By Justin Hodkinson OIPC Policy Analyst/Investigator Office of the Information & Privacy.
PII Breach Management and Risk Assessment

PII Breach Management and Risk Assessment
Protecting the Confidentiality of Social Security Numbers Business Procedures Memorandum 66 Revised November 1, 2006 The University of Texas System.

Protecting the Confidentiality of Social Security Numbers Business Procedures Memorandum 66 Revised November 1, 2006 The University of Texas System.
Critical Data Management Indiana University HR Summit April 24, 2014.

Critical Data Management Indiana University HR Summit April 24, 2014.
SAFEGUARDING DHS CLIENT DATA PART 2 SAFEGUARDING PHI AND HIPAA Safeguards must: Protect PHI from accidental or intentional unauthorized use/disclosure.

SAFEGUARDING DHS CLIENT DATA PART 2 SAFEGUARDING PHI AND HIPAA Safeguards must: Protect PHI from accidental or intentional unauthorized use/disclosure.

Similar presentations

Ads by Google