Download presentation
Presentation is loading. Please wait.
Published byAugusta Paul Modified over 9 years ago
1
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Privacy Foundations Samuel P. Jenkins Director for Privacy Defense Privacy and Civil Liberties Office Identity Protection and Management Expo Orlando, Florida April 2011
2
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Purpose The purpose of this presentation is to provide an overview of relevant Federal Privacy laws and DoD regulations. 2
3
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Objectives Upon completion of this presentation, you should be able to: Explain the basic concepts of information privacy. Describe key elements of foundational privacy laws and regulations. Explain how privacy laws and regulations interrelate. 3
4
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE The Privacy Act of 1974 5 USC 522a 4
5
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Fair Information Practice Principles (FIPPs)* Notice/Awareness There must be no personal data record keeping systems whose very existence is kept secret. Choice/Consent There must be a way for an individual to find out what information is in their file and how it is being used. Access/Participation There must be a way for an individual to correct information in his or her record. Integrity/Security Any organization creating, maintaining, using or dissemination personally identifiable information must ensure the reliability of the data for its intended use and must take precautions to prevent misuse. Enforcement/Redress There must be a way for an individual to prevent personal information obtained for one purpose from being used for another purpose without his or her consent. *NIST Guide to Protecting the Confidentiality of (PII) (NIST SP 800-122, 4/10) The Privacy Act 5
6
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE The Privacy Act A code of fair information practices which mandates how Government agencies shall collect, maintain, use, and disseminate personally identifiable information (PII) about individuals that is maintained in systems of records (SOR). 6
7
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE The Privacy Act (continued) Applies to: Executive Branch Agencies. Implemented by: DoDD 5400.11, “DoD Privacy Program.” DoD 5400.11-R, “DoD Privacy Program.” 7
8
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE The Privacy Act (continued) What is PII? Information which can be used to distinguish or trace an individual’s identity. ○ Including name, social security number, date and place of birth, mother’s maiden name, biometric information. Any other personal information which is linked or linkable to a specified individual. 8
9
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE The Privacy Act (continued) What is a Record? A collection or grouping of information about an individual that is maintained by a DoD Component. What is a SOR? A group of records which are under the control of a DoD Component that are retrieved by name, SSN, or other personal identifier 9
10
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE The Privacy Act (continued) The DoD’s responsibility is to balance the government’s need to maintain information about individuals with the rights of individuals. 10
11
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE DoD SSN Use Reduction Plan 11
12
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE DoD SSN Use Reduction Plan Purpose: To eliminate, when feasible, the use of Social Security numbers (SSNs). Applicability: All uses of SSNs within the DoD, to include DoD data managed or maintained in contactor-owned, - managed, or -operated systems. 12
13
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Implemented by: Executive Order 9397 (SSN), as amended. OMB Memorandum M-07-16. DTM 07-015-USD(P&R). USD(P&R) Memo, “Updated Plan for the Removal of SSNs from DoD ID Cards.” DRAFT USD(P&R) DoDI 1000.hh. DoD SSN Use Reduction Plan (continued) 13
14
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE USD(P&R) Memo, “Updated Plan for the Removal of SSNs from DoD ID Cards”: DoD ID cards will no longer visibly display SSNs. As of May 2011, replaced SSN with the DoD ID Number (formerly known as EDI-PI) and, when applicable, the DoD Benefits Number. Beginning 2012, initiate removal of the SSN from the ID cards barcode. DoD SSN Use Reduction Plan (continued) 14
15
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE DRAFT USD(P&R) DoDI 1000.hh, “Reducing Use of Social Security Numbers (SSNs) Within DoD.” Each Component required to review systems and forms which collect SSN to determine if continued use is justified. Systems or forms that do not fall under one of the approved 'use cases' will be required to develop and institute a plan to eliminate the use of the SSN. Systems with an approved use case for SSN collection will require a signed memo documenting the requirement for such use. DoD SSN Use Reduction Plan (continued) 15
16
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Health Insurance Portability and Accountability Act (HIPAA) Public Law 104-91 16
17
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE HIPAA Purpose: Improve the efficiency and effectiveness of the health care system by standardizing the electronic exchange of administrative and financial data. Applicability: Covered entities HIPAA defines a covered entity as: A health care provider that conducts certain transactions in electronic form; A health care clearinghouse; or A health plan. 17
18
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE HIPAA (continued) HIPAA Privacy Rule. Establishes national standards to protect individuals’ medical records and other PHI. Implemented by: DoD 6025.18-R, “DoD Health Information Privacy Regulation.” 18
19
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE HIPAA (continued) HIPAA Security Rule. Establishes national standards to protect individuals’ electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity. Implemented by: DoD 8580.02-R, “DoD Health Information Security Regulation.” 19
20
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE HIPAA (continued) Protected Health Information (PHI) is: Individually identifiable health information which is a subset of PII. Created, received, or maintained by a covered entity. Transmitted or maintained by electronic or any other form or medium, except as otherwise contained in employment records. 20
21
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE HIPAA (continued) Joe Q. Public Hospital Employer Fed Agency 21
22
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Freedom of Information Act (FOIA) 5 USC 552 22
23
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE FOIA Purpose: Inform the public of information while appropriately protecting government interests. Applicability: Executive branch government agencies. Implemented by: DoDD 5400.7, “DoD Freedom of Information Act (FOIA) Program.” DoD 5400.7-R, “DoD Freedom of Information Act Program.” 23
24
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE FOIA (continued) Provides individuals with access to many types of records that are exempt from access under the Privacy Act. Unlike those of the Privacy Act, FOIA procedures are available to non-resident foreign nationals. 24
25
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE E-Government Act of 2002 Public Law 107-347 25
26
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE E-Government Act Purpose: Improve internet-based technology to make it easier for citizens and businesses to interact with the government. Applicability: All executive branch departments and Federal agencies. 26
27
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE E-Government Act (continued) Protects PII agencies collect, use, maintain, or disseminate within information technology systems. Implemented by: OMB and DoD Annual FISMA Guidance. DoD CIO Memorandum, DoD Privacy Impact Assessment (PIA) Guidance. 27
28
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE E-Government Act - FISMA Federal Information Security Management Act (FISMA) provides a framework to ensuring effectiveness of information security controls for Federal systems. Implemented by: DoD Directive 8500.1. DoD Instruction 8500.2. DoD Annual FISMA Guidance. 28
29
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE E-Government Act - FISMA (continued) Applicability: Federal government agencies’ information systems. Information systems operated by contractors on behalf of federal agencies. What it protects: Federal information systems and related resources. 29
30
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE E-Government Act - FISMA (continued) From Report GAO-07-837 INFORMATION SECURITY, “Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses,“ July 2007. 30
31
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE E-Government Act - PIA (continued) Privacy Impact Assessments (PIA). An analysis of systems to identify privacy risks associated with the use of PII. Web-page privacy policy. Must include a machine-readable privacy policy. Must be consistent with the Privacy Act. Implemented by: DoD Instruction 5400.16. 31
32
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Paperwork Reduction Act Public Law 104-13 32
33
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Paperwork Reduction Act Purpose Reduce the total amount of paperwork handled by the federal government and general public Maximize utility of information Agencies must ensure disclosure policies will honor any claims of confidentiality on forms 33
34
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Paperwork Reduction Act (continued) What it protects: Information created, collected, maintained, used, disseminated, or disposed. Implemented by: DoD 8910.1-M. 34
35
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Records Management 36 CFR, Chapter 12 35
36
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Records Management Purpose: Supports the creation, maintenance and use, and disposition of records in order to document federal policies, operations, and transactions appropriately and economically. Implemented by: DoD WHS Administrative Instruction 15. 36
37
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Records Management (continued) Applicability: Federal agencies and Executive branch of the U.S. Government. What it protects: All information, related to an agency’s business transaction, that is created, used, maintained, disseminated, or disposed of. 37
38
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Integrating Different Laws 38
39
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Integrating Different Laws The challenge: Laws with various purposes often govern the same data at different points in the systems development life cycle. The solution: Focus on the FIPPs. Comply with Federal law and DoD Policy. Consult your Privacy Office at the beginning of the SDLC. 39
40
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Summary You should now be able to: State the purpose of each law, who it applies to, and what it protects. Recognize that laws create standards and mandate compliance. Identify how different laws relate to one another. Discuss the FIPPs as it relates to the Defense Privacy Program. 40
41
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Resources Paperwork Reduction Act, Public Law 104-13, May 22, 1995. DoD 8910.1-M, DoD Procedures for Management of Information Requirements, June 30, 1998. Freedom of Information Act (FOIA), Public Law 89-554, July 4, 1966. DoDD 5400.7, DoD Freedom of Information (FOIA) Act Program, October 28, 2005. DoD 5400.7-R, DoD Freedom of Information Act Program, September 1998. The Privacy Act of 1974, Public Law 93-579, December 31, 1974. 41
42
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Resources (continued) DoDD 5400.11, DoD Privacy Program, May 8, 2007. DoD 5400.11-R, DoD Privacy Program, May 14, 2007. Health Insurance Portability and Accountability Act of 1996, Public Law 104-91. DoD 6025.18-R, DoD Health Information Privacy Regulation, January 2003. DoD 8580.02-R, DoD Health Information Security Regulation, July 12, 2007. E-Government Act of 2002, Public Law 107-347. Federal Information Security Management Act (FISMA) of 2002. 42
43
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Resources (continued) DoD and OMB Annual FISMA Guidance. DoDD 8500.1, Information Assurance, October 24, 2002. DoDI 8500.2, Information Assurance Implementation, February 6, 2003. DoD CIO Memorandum, DoD Privacy Impact Assessment (PIA) Guidance, October 28, 2005. Office of Management and Budget Circular No. A-130, Revised, Management of Federal Information Resources, November 28, 2000. DoDD 5015.2, DoD Records Management Program, March 6, 2000. 43
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.