DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE
Privacy Foundations
Samuel P. Jenkins, Director for Privacy
Defense Privacy and Civil Liberties Office
Identity Protection and Management Expo
Orlando, Florida
April 2011
Purpose
The purpose of this presentation is to provide an overview of relevant Federal Privacy laws and DoD regulations.
Objectives
Upon completion of this presentation, you should be able to:
Explain the basic concepts of information privacy.
Describe key elements of foundational privacy laws and regulations.
Explain how privacy laws and regulations interrelate.
The Privacy Act of 1974
5 USC 522a
Fair Information Practice Principles (FIPPs)*
Notice/Awareness: There must be no personal data record keeping systems whose very existence is kept secret.
Choice/Consent: There must be a way for an individual to find out what information is in their file and how it is being used.
Access/Participation: There must be a way for an individual to correct information in his or her record.
Integrity/Security: Any organization creating, maintaining, using, or disseminating personally identifiable information must ensure the reliability of the data for its intended use and must take precautions to prevent misuse.
Enforcement/Redress: There must be a way for an individual to prevent personal information obtained for one purpose from being used for another purpose without his or her consent.
*NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (NIST SP 800-122, 4/10)
The Privacy Act
A code of fair information practices which mandates how Government agencies shall collect, maintain, use, and disseminate personally identifiable information (PII) about individuals that is maintained in systems of records (SOR).
The Privacy Act (continued)
Applies to: Executive Branch Agencies.
Implemented by:
DoDD 5400.11, “DoD Privacy Program.”
DoD 5400.11-R, “DoD Privacy Program.”
The Privacy Act (continued)
What is PII?
Information which can be used to distinguish or trace an individual’s identity.
○ Including name, social security number, date and place of birth, mother’s maiden name, biometric information.
Any other personal information which is linked or linkable to a specified individual.
The Privacy Act (continued)
What is a Record?
A collection or grouping of information about an individual that is maintained by a DoD Component.
What is a SOR?
A group of records which are under the control of a DoD Component that are retrieved by name, SSN, or other personal identifier.
The Privacy Act (continued)
The DoD’s responsibility is to balance the government’s need to maintain information about individuals with the rights of individuals.
DoD SSN Use Reduction Plan
Purpose: To eliminate, when feasible, the use of Social Security numbers (SSNs).
Applicability: All uses of SSNs within the DoD, to include DoD data managed or maintained in contractor-owned, -managed, or -operated systems.
DoD SSN Use Reduction Plan (continued)
Implemented by:
Executive Order 9397 (SSN), as amended.
OMB Memorandum M-07-16.
DTM 07-015-USD(P&R).
USD(P&R) Memo, “Updated Plan for the Removal of SSNs from DoD ID Cards.”
DRAFT USD(P&R) DoDI 1000.hh.
DoD SSN Use Reduction Plan (continued)
USD(P&R) Memo, “Updated Plan for the Removal of SSNs from DoD ID Cards”:
DoD ID cards will no longer visibly display SSNs.
As of May 2011, replaced SSN with the DoD ID Number (formerly known as EDI-PI) and, when applicable, the DoD Benefits Number.
Beginning 2012, initiate removal of the SSN from the ID card barcode.
DoD SSN Use Reduction Plan (continued)
DRAFT USD(P&R) DoDI 1000.hh, “Reducing Use of Social Security Numbers (SSNs) Within DoD.”
Each Component required to review systems and forms which collect SSN to determine if continued use is justified.
Systems or forms that do not fall under one of the approved 'use cases' will be required to develop and institute a plan to eliminate the use of the SSN.
Systems with an approved use case for SSN collection will require a signed memo documenting the requirement for such use.
Health Insurance Portability and Accountability Act (HIPAA)
Public Law 104-91
HIPAA
Purpose: Improve the efficiency and effectiveness of the health care system by standardizing the electronic exchange of administrative and financial data.
Applicability: Covered entities. HIPAA defines a covered entity as:
A health care provider that conducts certain transactions in electronic form;
A health care clearinghouse; or
A health plan.
HIPAA (continued)
HIPAA Privacy Rule.
Establishes national standards to protect individuals’ medical records and other PHI.
Implemented by:
DoD 6025.18-R, “DoD Health Information Privacy Regulation.”
HIPAA (continued)
HIPAA Security Rule.
Establishes national standards to protect individuals’ electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity.
Implemented by:
DoD 8580.02-R, “DoD Health Information Security Regulation.”
HIPAA (continued)
Protected Health Information (PHI) is:
Individually identifiable health information which is a subset of PII.
Created, received, or maintained by a covered entity.
Transmitted or maintained by electronic or any other form or medium, except as otherwise contained in employment records.
HIPAA (continued)
[Figure: diagram with the labels Joe Q. Public, Hospital, Employer, and Fed Agency]
Freedom of Information Act (FOIA)
5 USC 552
FOIA
Purpose: Inform the public of information while appropriately protecting government interests.
Applicability: Executive branch government agencies.
Implemented by:
DoDD 5400.7, “DoD Freedom of Information Act (FOIA) Program.”
DoD 5400.7-R, “DoD Freedom of Information Act Program.”
FOIA (continued)
Provides individuals with access to many types of records that are exempt from access under the Privacy Act.
Unlike those of the Privacy Act, FOIA procedures are available to non-resident foreign nationals.
E-Government Act of 2002
Public Law 107-347
E-Government Act
Purpose: Improve internet-based technology to make it easier for citizens and businesses to interact with the government.
Applicability: All executive branch departments and Federal agencies.
E-Government Act (continued)
Protects PII agencies collect, use, maintain, or disseminate within information technology systems.
Implemented by:
OMB and DoD Annual FISMA Guidance.
DoD CIO Memorandum, DoD Privacy Impact Assessment (PIA) Guidance.
E-Government Act - FISMA
Federal Information Security Management Act (FISMA) provides a framework for ensuring the effectiveness of information security controls for Federal systems.
Implemented by:
DoD Directive 8500.1.
DoD Instruction 8500.2.
DoD Annual FISMA Guidance.
E-Government Act - FISMA (continued)
Applicability:
Federal government agencies’ information systems.
Information systems operated by contractors on behalf of federal agencies.
What it protects:
Federal information systems and related resources.
E-Government Act - FISMA (continued)
From Report GAO-07-837 INFORMATION SECURITY, “Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses,” July 2007.
E-Government Act - PIA (continued)
Privacy Impact Assessments (PIA).
An analysis of systems to identify privacy risks associated with the use of PII.
Web-page privacy policy.
Must include a machine-readable privacy policy.
Must be consistent with the Privacy Act.
Implemented by:
DoD Instruction 5400.16.
Paperwork Reduction Act
Public Law 104-13
Purpose:
Reduce the total amount of paperwork handled by the federal government and general public.
Maximize utility of information.
Agencies must ensure disclosure policies will honor any claims of confidentiality on forms.
Paperwork Reduction Act (continued)
What it protects: Information created, collected, maintained, used, disseminated, or disposed.
Implemented by: DoD 8910.1-M.
Records Management
36 CFR, Chapter 12
Purpose: Supports the creation, maintenance and use, and disposition of records in order to document federal policies, operations, and transactions appropriately and economically.
Implemented by:
DoD WHS Administrative Instruction 15.
Records Management (continued)
Applicability: Federal agencies and Executive branch of the U.S. Government.
What it protects: All information, related to an agency’s business transaction, that is created, used, maintained, disseminated, or disposed of.
Integrating Different Laws
The challenge:
Laws with various purposes often govern the same data at different points in the systems development life cycle.
The solution:
Focus on the FIPPs.
Comply with Federal law and DoD Policy.
Consult your Privacy Office at the beginning of the SDLC.
Summary
You should now be able to:
State the purpose of each law, who it applies to, and what it protects.
Recognize that laws create standards and mandate compliance.
Identify how different laws relate to one another.
Discuss the FIPPs as they relate to the Defense Privacy Program.
Resources
Paperwork Reduction Act, Public Law 104-13, May 22, 1995.
DoD 8910.1-M, DoD Procedures for Management of Information Requirements, June 30, 1998.
Freedom of Information Act (FOIA), Public Law 89-554, July 4, 1966.
DoDD 5400.7, DoD Freedom of Information (FOIA) Act Program, October 28, 2005.
DoD 5400.7-R, DoD Freedom of Information Act Program, September 1998.
The Privacy Act of 1974, Public Law 93-579, December 31, 1974.
Resources (continued)
DoDD 5400.11, DoD Privacy Program, May 8, 2007.
DoD 5400.11-R, DoD Privacy Program, May 14, 2007.
Health Insurance Portability and Accountability Act of 1996, Public Law 104-91.
DoD 6025.18-R, DoD Health Information Privacy Regulation, January 2003.
DoD 8580.02-R, DoD Health Information Security Regulation, July 12, 2007.
E-Government Act of 2002, Public Law 107-347.
Federal Information Security Management Act (FISMA) of 2002.
Resources (continued)
DoD and OMB Annual FISMA Guidance.
DoDD 8500.1, Information Assurance, October 24, 2002.
DoDI 8500.2, Information Assurance Implementation, February 6, 2003.
DoD CIO Memorandum, DoD Privacy Impact Assessment (PIA) Guidance, October 28, 2005.
Office of Management and Budget Circular No. A-130, Revised, Management of Federal Information Resources, November 28, 2000.
DoDD 5015.2, DoD Records Management Program, March 6, 2000.