PERSONALLY IDENTIFIABLE INFORMATION (PII)

PII - REFERENCES
- DOD 5400.11-R, DoD Privacy Act Program, May 07
- OSD Memo, Subj: Safeguarding Against and Responding to the Breach of Personally Identifiable Information, Sep 07
- Fort Benning Policy Memo 25-54-3, dated 29 Sep 10, Subj: Fort Benning Policy for Safeguarding and Reporting Personally Identifiable Information (PII)
- IMCOM PA Website: https://www.us.army.mil/suite/portal/index.jsp;jsessionid=7454c4c5361e50 44B0F81AA68743AA37.appd06_3
- DA PA Website: http://www.rmda.belvoir.army.mil/rmdaxml/rmda/privacyactprog- Guidance.asp

COURSE OBJECTIVE - PII
- Define PII
- Define PII breaches
- Know reporting procedures in case of loss of PII
- Know proper disposal of PII

WHAT IS PERSONALLY IDENTIFIABLE INFORMATION (PII)?
- PII is any information which can be used to distinguish or trace an individual's identity.
- PII is any personal information which is linked or linkable to a specified individual.
- PII can be hard copy or electronic records stored within databases or other applications on computers, laptops, and personal electronic devices such as BlackBerries.

WHAT ARE SOME EXAMPLES OF PII BREACHES?
- Lost or stolen mobile computing devices (laptop, BlackBerry, etc.) that contained PII
- Posting PII on public-facing websites
- Successful network intrusions
- Any time persons gain access to PII without an official need to know:
  - On intra-agency websites
  - Through bulletin boards in common areas
  - By distributing PII in hardcopy or electronic form
  - Improper disposal of PII

OTHER EXAMPLES OF PII WHEN LINKED TO AN INDIVIDUAL
- Security clearance level
- Leave balances; types of leave used
- Addresses and telephone numbers
- Social Security Number
- Drug test results
- Family data
- Performance ratings
- Medical condition and treatment information

WHY DOES THE DEPARTMENT OF THE ARMY (DA) COLLECT PII?
DA collects PII for several reasons:
1. To hire you
2. To pay you
3. To locate you
4. To educate you
5. To provide services to you

WHEN TO PROVIDE A PRIVACY ACT (PA) STATEMENT
- Provide a PA statement, either in writing or orally, to the subject of the record when collecting Personally Identifiable Information (PII) from the individual if the collected information will go into a system of records covered by a system of records notice (SORN).
- A list of SORNs is located at http://privacy.defense.gov/notices/index.shtml
- The PA statement is to be given regardless of how you collect or record the answers.
- A sign may be displayed in areas where people routinely furnish PA/PII information.
- A copy of the PA statement only has to be provided to the person from whom the information is collected if requested.
- Do NOT ask the person to sign the PA statement.

WHAT ARE SOME OF YOUR RESPONSIBILITIES WITH RESPECT TO PII?
- Be able to recognize PII and safeguard it.
  - PII does not have to be from a Privacy Act System of Records.
- Only share PII with authorized personnel.
- Be aware of local physical and technical procedures for safeguarding PII.
- Only acquire and use PII as authorized.

E-MAIL SAFEGUARDS TO PROTECT PII
Email correspondence:
- Subject line will be clearly marked "Privacy Act" or "FOUO".
- Use DoD CAC Automated Information Systems (AIS) encryption and digital signature so that information, if compromised, is unusable by unauthorized individuals.

WHY IS IT IMPORTANT TO SAFEGUARD PII?
- Unauthorized recipients may fraudulently use the information (identity theft).
- Damage to the victim can affect their good name, credit, and job opportunities, and could even result in criminal charges and arrest.
- Resolution is costly and time consuming. See the video on the IMCOM PA website for further information.
- As a Government employee you can personally suffer criminal or civil charges and penalties for failure to protect PII.

COLLECTING PII
- If you collect it, you must protect it!!
- If in doubt, leave it out!!
- Do you really need the entire SSN, or would the last 4 digits do?
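As an added example (not part of the original slides), a pre-send check in Python that applies the e-mail safeguards and the SSN minimization rule from the two slides above: it flags full SSNs in a draft body, reduces them to the last 4 digits, and checks the subject marking and the encryption/signature flags. The Draft record, the sample messages and the SSN pattern are constructed assumptions; the two boolean flags stand in for whatever the mail client reports about CAC encryption and signing.

```python
import re
from dataclasses import dataclass

# Assumed SSN pattern (ddd-dd-dddd); the last group is the 4 digits we may keep.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-(\d{4})\b")
# The minimized form produced by minimize_ssns(); still PII-derived, so marking applies.
MINIMIZED_RE = re.compile(r"\*\*\*-\*\*-\d{4}")
MARKINGS = ("privacy act", "fouo")


@dataclass
class Draft:
    subject: str
    body: str
    encrypted: bool  # DoD CAC / AIS encryption applied to the message (assumed flag)
    signed: bool     # CAC digital signature applied (assumed flag)


def minimize_ssns(text: str) -> str:
    """Replace each full SSN with its last 4 digits only ("if in doubt, leave it out")."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(1), text)


def check_draft(d: Draft) -> list[str]:
    """Pre-send findings for a draft; an empty list means the draft passes."""
    findings = []
    full = SSN_RE.findall(d.body)
    has_pii = bool(full) or bool(MINIMIZED_RE.search(d.body))
    if not has_pii:
        return findings  # no SSN-derived data in the body; nothing to enforce here
    if full:
        findings.append(f"{len(full)} full SSN(s) in body; send last 4 digits only")
    if not any(m in d.subject.lower() for m in MARKINGS):
        findings.append("subject line not marked 'Privacy Act' or 'FOUO'")
    if not d.encrypted:
        findings.append("CAC/AIS encryption not applied")
    if not d.signed:
        findings.append("CAC digital signature not applied")
    return findings


# Constructed sample drafts (fictitious name and SSN).
UNSAFE = Draft("Leave request", "SPC Doe, SSN 123-45-6789, requests leave.", False, False)
SAFE = Draft("FOUO - Privacy Act: leave request", minimize_ssns(UNSAFE.body), True, True)

if __name__ == "__main__":
    for name, draft in (("unsafe", UNSAFE), ("safe", SAFE)):
        print(name, check_draft(draft) or ["passes"])
```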

DOES PA/PII APPLY TO CONTRACTORS?
YES!! Employees of Government contractors working for a Federal agency are subject to the Privacy Act as far as working with Government information is concerned, and must comply with all of its provisions.

WHO IS AUTHORIZED TO RECEIVE PII?
- Congress, FOIA, law enforcement, and DoD employees with an official need to know to perform official Government duties.
- Other disclosures may be permitted depending on the description of the record system.
- If unsure, do not release!

PROPER DISPOSAL OF PII
- Disposal methods may include burning, melting, shredding, chemical decomposition, etc.
- Recycling is acceptable, but only if the documents are properly protected while in the destruction bin, protected in transit, and destroyed by one of the above destruction methods.

PROPER DISPOSAL OF COMPUTER HARD DISK DRIVES
- Directorates, units and staff offices are responsible for ensuring all computer hard drives are purged before reuse in a different environment, with a different classification level of data, or with a different need-to-know authorization of users.
- Computer hard drives are on the following equipment:
  - Copiers
  - FAX machines
  - Peripherals
  - Electronic typewriters
  - Word processing systems
- Contact Network Enterprise Command (NEC) at Benn.doim.ia.team@conus.army.mil for approved methods of destruction of the hard drives.

WHAT IS A BREACH OF PII?
A breach of PII is the actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information to persons other than those with an authorized need-to-know in order to perform official Government duties.

WHAT IMPACT DOES THE LOSS OF PII HAVE FOR DA?
- Can erode confidence in the Government's ability to protect information
- Can impact our business practices
- Can lead to major legal action

WHAT ARE THE MAJOR IMPLICATIONS FOR AFFECTED DA PERSONNEL?
- Can be embarrassing.
- Can cause emotional stress.
- Can lead to identity theft, which can be costly to both the individual and the Government.

WHAT ARE THE MAJOR IMPLICATIONS FOR THE INDIVIDUAL(S) RESPONSIBLE FOR THE LOSS/COMPROMISE?
- Can result in disciplinary actions.
- Can result in civil or criminal actions being taken against the employee.
- Can result in costly fines and imprisonment.

WHAT MUST YOU DO IF A BREACH OF PII OCCURS? (REPORTING PROCEDURES)
Within one hour of discovery, the person discovering the incident will:
- Report incidents, whether suspected or confirmed, to US-CERT.GOV by filling out the report at http://www.us-cert.gov
- Notify the Army leadership and the Fort Benning Privacy Act Office by sending an e-mail containing the information on the next slide to:
  https://www.rmda.army.mil/privacy/foia-incidentreport1.asp
  BENN.DHR.FOIA/ProjectOfficer@conus.army.mil

WHAT MUST YOU DO IF A BREACH OF PII OCCURS? (REPORTING PROCEDURES)
Commander's Critical Information Requirement format for PII reporting:
- Organization in which the PII breach occurred
- Type of incident
- Date/time group of the incident
- Location
- Personnel involved
- Summary of incident
- Remarks
- Publicity
- Official reporting POC

WHAT MUST YOU DO IF A BREACH OF PII OCCURS? (REPORTING PROCEDURES)
- The director or commander of the organization possessing or responsible for safeguarding the PII at the time of the incident must notify the affected individuals as soon as possible, but NLT 10 days after the breach/compromise is discovered.
- Sample notification letters are available at: https://www.rmda.army.mil/privacy/docs/samplenotificationletter.pdf
- A copy of the letter will be e-mailed to: BENN.DHR.FOIA/PROJECTOFFICER@CONUS.ARMY.MIL

PII CONCLUSION - DO
- Only collect PII that is necessary to accomplish an official business function
- Provide a Privacy Act (PA) statement when requesting PA information
- PII not currently being worked with will be secured in a locked cabinet
- Maintain and apply established safeguarding procedures
- Allow individuals to review and obtain records about themselves unless the records are exempt from mandatory disclosure

PII CONCLUSION - DO NOT
- Do not collect PII without proper authorization
- Do not place PII on shared drives, multi-access calendars, or the intranet unless all users have a valid need to know in order to perform official duties
- Do not place PII on Internet public-facing websites

CERTIFICATE OF INITIAL/ANNUAL REFRESHER TRAINING
This is to certify that I have received initial/annual refresher training on my privacy and security responsibilities. I understand that I am responsible for safeguarding personally identifiable information that I may have access to incident to performing official duties. I also understand that I may be subject to disciplinary action for failure to properly safeguard personally identifiable information, for improperly using or disclosing such information, and for failure to report any known or suspected loss or the unauthorized disclosure of such information.

(Signature) (Date)
(Print Name) (DoD Component/Office)