Date posted: 19-Jan-2016
2013 Annual PII Training Certificate
This is to certify that I have received my 2013 annual PII training. I understand that I am responsible for safeguarding PII. I also understand that I may be subject to disciplinary actions for failure to properly protect and safeguard PII data.
Name: _________________________________ Date: _________________
Privacy Act
Personally Identifiable Information (PII) Training
PMT | Apr 2013 | v 0.1 | Privacy Act 3
Questions this Module Will Answer …
• What is Personally Identifiable Information (PII)?
• What are your roles and responsibilities regarding the Privacy Act?
• What often causes PII loss or compromise?
• What are the potential costs?
• How can you prevent losing or compromising PII?
• How should you handle, protect and dispose of PII?
• What should you do if PII is lost or compromised?
You Are Responsible for …
• Ensuring you complete PII training annually
• Abiding by protocols when collecting, maintaining, destroying, or disseminating personal information
• Periodically reviewing shared devices for compliance
• Practicing Limited Access Principles
• Ensuring that contracts include privacy clauses FAR 52.224-1 and 52.224-2 and that contract language addresses how data is to be disposed of at the end of the contract
• Identifying the Privacy Act System of Records Notice (SORN) and following the rules set in the notice
What Is the Privacy Act?
• The Privacy Act of 1974, as amended (5 U.S.C. 552a), regulates the collection, use, safeguarding, and disposition of personal information in government-wide systems of records
Personally Identifiable Information (PII)
• PII refers to information that can be used to distinguish or trace an individual's identity
• PII needs to be protected and released only on a need-to-know basis
• Two types:
– Sensitive
– Non-Sensitive
Sensitive PII
Sensitive PII is information which, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
Sensitive PII elements include, but are not limited to:
• Name or other names used
• Social security number, in any form
• Driver's license/numbers
• Citizenship, legal status, gender, race/ethnicity
• Date of birth/place of birth
• Personal email, mailing and home address
• Security clearance
• Spouse/child information; marital status
• Emergency contact information
• Financial information
• Medical/disability information
• Military records
• Biometric data
Non-Sensitive PII
Non-Sensitive PII is information that could still be sensitive to an employee, but may also be information that is needed to do the business of the agency.
Non-Sensitive PII elements include, but are not limited to:
• Pay grade and/or salary
• Performance ratings
• Leave being used (LA/LS/LWOP)
• Business-related data
• Business card
• Phone directory of agency
• Office location
• Business telephone number
• Business email address
• Badge number
• Other information that is not releasable to the public
What Is a System of Records Notice?
• Before DON can use a system of records to collect and maintain information on an individual, it must publish a Privacy Act System of Records Notice (SORN) in the Federal Register
– Informs the general public of what data will be collected, its purpose, and on whose authority
– Sets the rules the DON will follow in collecting and maintaining personal data
What Is a Privacy Act System of Records?
A Privacy Act system of records is "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual."
The DON Chief Information Officer lists over 150 DON Privacy Act systems of records at www.doncio.navy.mil
Government-Wide Examples
• Equal Employment Opportunity in the Federal Government Complaint and Appeal Records (EEOC/GOVT)
• General Personnel Records (OPM/GOVT-1)
DON Examples
• Organization Management and Locator System (NM05000-2)
• Time and Attendance Feeder Records (NM07421-1)
• Employee Relations (NM12771-2)
Why Protect?
• Regulations
• To prevent unauthorized uses
• To protect against identity theft
• To avoid compromise
• To avoid loss
• Protects business practices
It's the right thing to do!
How to Protect PII?
• Question individuals who request PII data
• Assure need-to-know
• Safeguard personal data
• Maintain close control of data
• Store data out of sight
• Take steps to properly destroy data
• Lock offices
• Lock cabinets
• Use DD2923 cover sheet
How to Protect Email?
Email
• Encrypt all email containing PII and FOUO data
• Ensure your PKI certificate has been published to the Global Address Listing (GAL)/Microsoft Outlook so email can be encrypted
• Use the recommended warning statement in email when sending PII data: FOR OFFICIAL USE ONLY - PRIVACY SENSITIVE - Any misuse or unauthorized disclosure can result in both civil and/or criminal penalties.
– Statement should be at the top of the email message
– FOUO should be present in the subject box of the email
– Statement should only be used in emails that contain sensitive data
– Should not be used as a blanket statement
How to Protect Muster/Recall Rosters?
Muster/Recall Rosters
– Access on a need-to-know basis
– Shall never contain SSNs
– Only contain names (abbreviated), addresses, and telephone numbers
– Use cover sheet
– FOUO/Privacy statement
– Do NOT hang muster/recall cards around your neck
– If lost, have a way for someone who finds it to return or destroy it
How to Protect When Faxing?
Faxing – Per Department of the Navy GENADMIN message 171625ZFEB2012
• Use of fax machines to send SSNs and other PII by DON personnel is PROHIBITED except when:
– Another more secure means of transmitting is not practical
– A process outside of DON control requires faxing, such as:
• DFAS
• TRICARE
• Defense Manpower Data Center (DMDC)
– In cases where operational necessity requires expeditious handling
Additional Protection Info When Faxing
• When sending a fax, utilize a Privacy Act Cover Sheet and verify receipt
• External customers such as service veterans, Air Force and Army personnel, dependents, and retirees may continue to fax documents containing PII to DON activities but shall be strongly encouraged to use an alternative means such as:
– USPS
– Scanning and transmitting using a secure means
How to Protect Outlook Calendar/Cell Phone?
• Shared Outlook Calendar
– Do not post:
• Type of leave taken
• Where you are on travel
• Birthdays
– Keep personal and work calendars separate
• Cell phone
– Initials
– Last name and first initial
– Last name only
Disposal and Reducing Risk
• Cross-cut shred documents with PII
• Place only shredded PII into recycling
• Use caution when copying documents with PII
• Posters available on RFCC COI:
– Faxing
– Copying
– Shredding
https://mynavair.navair.navy.mil/portal/server.pt/community/privacy_act/1176/privacy_act_resources/57552
Not Protecting PII
• If PII is:
– Lost
– Stolen
– Compromised
• You will need to take action!
– Does it need to be reported?
– Can you define the data and who it belonged to?
– Is it a breach?
Breach
• A PII breach is the loss of control, unauthorized disclosure, or unauthorized access of personal information, or the compromise of privacy-sensitive information.
• It could be:
– Loss of a device which houses PII data (laptop, cell phone, PDA, hard drives, portable storage device, etc.)
– IT system being hacked
– Email containing PII data sent unencrypted outside of our control
– PII data in recycling (not shredded)
– PII data left out in open areas (cubes, printers, faxes)
What Makes a Breach Reportable?
• Will the lost or stolen data lead to harm, embarrassment, or identity theft?
• Is the likelihood high that PII will be or has been used by unauthorized individuals?
• Was the data unprotected?
• Could there have been a disclosure of private facts?
• Could there be an unwarranted exposure of PII leading to humiliation or loss of self-esteem?
• Could there be a potential for blackmail?
Causes of PII Loss or Compromise
• Human error
• Unprotected PII sent using email or by fax
• Lost portable storage devices
• Stolen laptops
• Posting PII on bulletin or check-in/out boards
• Using inappropriate methods for disposing of documents containing PII
• Posting PII in public folders, on internal websites (e.g., MyNAVAIR), or on the Internet
Impact of a Breach
• Embarrassing
• Facilitates identity theft
• Compromises business practices
• Erodes confidence in the Government's ability to protect PII
• Results in disciplinary action against the offender
• Emotionally stressful
Examples of Breaches
DON has reported the following types of breaches:
– Stolen laptop
– Unencrypted emails
– Resumes in recycling
– Navy copiers erroneously sold before hard drives were sanitized
– Employee downloaded PII to an unencrypted CD
– A Sailor and his civilian girlfriend were allegedly attempting to steal the identity of multiple staff members
– Missing hard drives
PII Violations
• Violations which may lead to criminal penalties include:
– Collecting data without meeting the Federal Register publication requirement (SORN)
– Sharing data with unauthorized individuals
– Acting under false pretenses or facilitating those acting under false pretenses
Penalties for violating the Privacy Act include a misdemeanor charge with jail time of up to one year and fines of up to $5,000.
What Should You Do If PII Is Breached?
• Notify your immediate supervisor and the Site Privacy Act Coordinator
• Gather the following information for reporting purposes:
– Date of breach
– Circumstances
– What was lost
– Number of employees affected
– Mitigation
Seek additional assistance from your Site Privacy Act Coordinator as needed.
Summary
• Recognize the difference between Sensitive and Non-Sensitive PII
• Actively voice and demonstrate your support to protect PII
• Protect, DON'T collect!
• Collecting PII in a system requires a SORN
• Properly handle, protect, and dispose of PII
• Take action to report and mitigate situations where PII may have been lost or compromised
Privacy Act
Personnel Management Training for New Supervisors