The Privacy Act of 1974: An Introduction
September 2010
For Official Use Only

Lesson 1: Introduction

Slide 3: Welcome
– Course overview
– Trainer introductions

Slide 4: Participant Introductions
Now it's time to introduce ourselves:
– Name
– Number of years with the Department of Defense (DoD)
– Current job, agency, or component
– Responsibilities

Slide 5: Course Goals
– To raise awareness of the need to safeguard the personally identifiable information (PII) held by the Department of Defense
– To raise awareness of the penalties associated with Privacy Act violations

Slide 6: Course Objectives
After completing this course, you will be able to:
– Identify the policy objectives associated with the Privacy Act of 1974
– Identify concepts and definitions associated with personally identifiable information (PII)
– Identify the nondisclosure rule and its 12 exceptions
– Identify safeguards and best practices that help ensure the protection of PII
– Identify the penalties for noncompliance with the Privacy Act of 1974

Slide 7: Course Structure
1. Introduction
2. The Privacy Act of 1974 Policy Objectives
3. Concepts and Definitions Associated With PII
4. Conditions of Disclosure
5. Safeguarding PII
6. Penalties for Noncompliance with the Privacy Act
7. Scenario Exercise: Putting It All Together
8. Course Summary

Lesson 2: The Privacy Act of 1974 Policy Objectives

Slide 9: Lesson Objective
Upon completion of this lesson, you will be able to:
– Identify the policy objectives associated with the Privacy Act of 1974

Slide 10: Code of Fair Information Practice Principles
In 1972, the Advisory Committee on Automated Personal Data Systems explored the impact of computerized record-keeping on individuals and proposed a Code of Fair Information Practice Principles (FIPPs). FIPPs evolved into 8 generally accepted principles. These principles formed the basis for all subsequent codes and laws related to information collection, especially the Privacy Act of 1974.

Slide 11: Fair Information Practice Principles
The 8 generally accepted principles identified in the Code for Automated Personal Data Systems are:
1. Collection limitation
2. Data quality
3. Purpose specification
4. Use limitation
5. Security safeguards
6. Openness
7. Individual participation
8. Accountability

Slide 12: Inception of the Privacy Act of 1974
Congress turned its attention to the issue of data stored in insecure data banks in June 1974. The Senate Judiciary Committee's Subcommittee on Constitutional Rights discovered that billions of records were stored within Federal Government computers. Individuals did not know the information was being collected and had no recourse to review or correct it.

Slide 13: Objectives of the Privacy Act
– To restrict disclosure of personally identifiable records maintained by agencies
– To grant individuals increased rights of access to agency records maintained on themselves
– To grant individuals the right to seek amendment of agency records maintained on themselves upon a showing that the records are not accurate, relevant, timely, or complete
– To establish basic requirements for agencies to comply with standards for collection, use, maintenance, and dissemination of records

Lesson 3: Concepts and Definitions Associated with PII

Slide 15: Lesson Objective
After completing this lesson, you will be able to:
– Identify concepts and definitions associated with personally identifiable information (PII)

Slide 16: Definitions
Personally identifiable information (PII) is information about an individual that identifies, links to, relates to, is unique to, or describes him or her.

Slide 17: Definitions, cont.
Protected Health Information (PHI) is a subset of personally identifiable information. Examples of PHI are a medical diagnosis; lab results; X-rays; and the date, time, and location of medical appointments.

Slide 18: Definitions, cont.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects the privacy of individuals' PHI from inappropriate disclosure.

Slide 19: Definitions, cont.
A single item or collection of items of PII maintained by an agency is called a record. Records are grouped into a collection for a specific purpose by an agency. When a personal identifier is used to retrieve records from such a collection, it is called a system of records (SOR).

Slide 20: Definitions, cont.
A system of records notice (SORN) is a description of the contents of an existing or planned system of records. A SORN states the purpose and authority by which the information in the system of records is collected, and identifies what data the agency intends to collect, how the data will be used and safeguarded, who will have access, and other details.

Slide 21: Definitions, cont.
Routine use is the disclosure of a record outside the DoD for a use that is compatible with the purpose for which the information was collected and maintained by the DoD. The routine use must be included in the published system notice for the system of records involved.

Slide 22: Definitions, cont.
Need-to-know is the authorized, official need to have access to information that is protected under the Privacy Act based on assigned duties and responsibilities. The need-to-know test is satisfied when the requester can establish either of the following:
1. The information is needed for official business
2. The information is required by law

Slide 23: Definitions, cont.
Responsibility to share information was met within DoD on December 28, 2007, through the addition of a "Blanket Routine Use," which allows the sharing of a record consisting of or relating to:
– Terrorism information
– Homeland security information
– Law enforcement information
Responsibility to share information does not circumvent the need-to-know.

Slide 24: Sharing Information Appropriately

Lesson 4: Conditions of Disclosure

Slide 26: Lesson Objective
After completing this lesson, you will be able to:
– Identify the nondisclosure rule
– Identify the 12 exceptions to the nondisclosure rule

Slide 27: General Disclosure Prohibition
"No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains." — 5 U.S.C. § 552a(b)
There are 12 exceptions to this nondisclosure rule.

Slide 28: Exceptions to the Nondisclosure Rule
The following 3 slides list conditions in which it is acceptable to disclose PII from a Privacy Act record to a third party:
1. To employees with a legitimate need-to-know
2. When the FOIA requires release
3. For a "routine use" identified in the system of records notice (SORN) that has been published in the Federal Register

Slide 29: Exceptions to the Nondisclosure Rule, cont.
4. To the Census Bureau for purpose of conducting the census
5. For statistical research and reporting in which individuals will not be identified
6. To the National Archives and Records Administration

Slide 30: Exceptions to the Nondisclosure Rule, cont.
7. To civil or criminal law enforcement under U.S. control
8. For compelling circumstances affecting the health or safety of the individual
9. To either House of Congress

Slide 31: Exceptions to the Nondisclosure Rule, cont.
10. To the Comptroller General
11. Pursuant to a court order (a subpoena signed by a judge)
12. To a consumer reporting agency in accordance with the Debt Collection Act

Lesson 5: Safeguarding PII

Slide 33: Lesson Objective
After completing this lesson, you will be able to:
– Identify safeguards and best practices that help ensure the protection of PII

Slide 34: Administrative Safeguards
1. Verify that e-mail distribution lists are only for those with a need-to-know.
2. Validate the use of the information against the purpose of collection in the SORN.
3. Ensure that the component privacy officer reviews/updates the SORN.

Slide 35: Administrative Safeguards, cont.
4. Beware of the surrounding environment when engaging in conversation involving PII.
5. Ensure that telephone conversations are private.
6. Check that information containing PII is necessary for the task. As a policy under the Privacy Act, ask whether a task can be completed without the PII.

Slide 36: Administrative Safeguards, cont.
7. Do not take PII out of the office unless required by your official duties and approved by an appropriate authority.
8. Mark hard copies of PII using prescribed markings such as "Sensitive" and cover with a coversheet or folder.
9. Consult the component privacy officer before the creation of a System of Record (SOR) or information collection. The privacy officer will determine whether a SORN needs to be created to notify the public.

Slide 37: Technical Safeguards
1. Use encryption for e-mails that include PII.
2. Use only DoD-approved software.
3. Use cover sheets, confirm fax numbers, and obtain transmission confirmation when faxing.
4. Do not use flash ("thumb") drives.

Slide 38: Physical Safeguards
1. Use locks to secure PII/PHI when stored.
2. Dispose of records according to established standards in the SORN or procedures established by the National Archives and Records Administration.
3. Establish physical safeguards that protect information against reasonably identifiable threats that could result in unauthorized access or alteration.
4. Test safeguards to ensure that they perform as intended.

Slide 39: Best Practices
– Do not use information that was previously collected for a new use without informing the public by altering an existing SORN or creating a new one.
– Do not use a subset of existing data for a new purpose.
– Do not maintain data collections in secret.
– Do not use data from websites such as Wikipedia instead of authoritative Government sources.
– Do not keep PII in an unapproved spreadsheet.

Slide 40: Best Practices, cont.
– Collect information directly from the individual to the greatest extent practical.
– Verify that data retrieved are accurate, complete, relevant, and timely (up-to-date).
– Ensure that information is from the authorized official source.

Lesson 6: Penalties for Noncompliance with the Privacy Act

Slide 42: Lesson Objective
After completing this lesson, you will be able to:
– Identify the penalties for noncompliance with the Privacy Act of 1974

Slide 43: Noncompliance with the Privacy Act
Individuals may be criminally liable if they knowingly and willfully:
– Disclose privacy data to any person not entitled to access
– Maintain a system of records without meeting public notice requirements
– Obtain or request records under false pretenses

Slide 44: Noncompliance with the Privacy Act, cont.
Courts may award civil penalties against the Agency for:
– Improperly/unlawfully refusing to amend a record
– Improperly/unlawfully refusing to grant access to a record
– Failure to maintain accurate, relevant, timely, and complete information
– Failure to comply with any Privacy Act provision or agency rule that results in an adverse effect on the subject of the record

Slide 45: Penalties for Noncompliance
Criminal penalties (applies to the individual employee):
– A misdemeanor charge
– Maximum fine of $5,000

Slide 46: Penalties for Noncompliance, cont.
Civil penalties (applies to the agency, not the employee):
– The cost of actual damages suffered ($1,000 minimum)
– Costs and reasonable attorney's fees

Lesson 7: Scenario Exercise: Putting It All Together

Slide 48: Lesson Objective
After completing this lesson, you will be able to:
– Identify errors in handling PII and demonstrate awareness of the appropriate action to take in managing PII

Slide 49: Scenario
The scenario that you are about to read is based in part on a real situation. You will read the scenario and answer questions about the appropriate actions to take.

Slide 50: Scenario Questions
– Does this e-mail contain personally identifiable information?
– Is this information protected under the Privacy Act?
– Does Judy have a need-to-know this information?
– Have the appropriate technical safeguards been applied in the transmittal of this e-mail?
– Is this a breach? If so, who should Judy report it to?

Lesson 8: Course Summary

Slide 52: Key Points from the Course
Agency responsibilities: The Privacy Act of 1974 sets forth objectives for Federal agencies that maintain records with personally identifiable information. Summarized, these are:
– Agencies must restrict disclosure of personally identifiable records
– Individuals have rights of access to agency records about themselves
– Individuals can seek amendment of agency records about themselves

Slide 53: Key Points from the Course, cont.
Agencies should abide by a Code of Fair Information Practice Principles that requires agencies to comply with standards for collection, maintenance, and dissemination of records.
Safeguards: DoD employees and contractors must practice administrative, physical, and technical safeguards to protect PII from misuse or use without permission.

Slide 54: Course Objectives Reviewed
You should now be able to:
– Identify the policy objectives associated with the Privacy Act of 1974
– Identify concepts and definitions associated with personally identifiable information (PII)
– Identify the nondisclosure rule and its 12 exceptions
– Identify safeguards and best practices that help ensure the protection of PII
– Identify the penalties for noncompliance with the Privacy Act of 1974

Slide 55: Additional Resources
You may also consult one of the following resources on privacy found at http://dpclo.defense.gov:
– DoDD 5400.11, "DoD Privacy Program," May 8, 2007
– DoD 5400.11-R, "Department of Defense Privacy Program," May 14, 2007
