DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE Privacy Foundations Samuel P. Jenkins Director for Privacy Defense Privacy and Civil Liberties Office Identity Protection and Management Expo Orlando, Florida April 2011
DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE

Privacy Foundations

Samuel P. Jenkins

Director for Privacy

Defense Privacy and Civil Liberties Office

Identity Protection and Management Expo

Orlando, Florida

April 2011

Purpose

The purpose of this presentation is to provide an overview of relevant Federal Privacy laws and DoD regulations.

Objectives

Upon completion of this presentation, you should be able to:

Explain the basic concepts of information privacy.

Describe key elements of foundational privacy laws and regulations.

Explain how privacy laws and regulations interrelate.

The Privacy Act of 1974

5 USC 522a

The Privacy Act

Fair Information Practice Principles (FIPPs)*

Notice/Awareness: There must be no personal data record keeping systems whose very existence is kept secret.

Choice/Consent: There must be a way for an individual to find out what information is in their file and how it is being used.

Access/Participation: There must be a way for an individual to correct information in his or her record.

Integrity/Security: Any organization creating, maintaining, using or disseminating personally identifiable information must ensure the reliability of the data for its intended use and must take precautions to prevent misuse.

Enforcement/Redress: There must be a way for an individual to prevent personal information obtained for one purpose from being used for another purpose without his or her consent.

*NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (NIST SP 800-122, 4/10)

The Privacy Act

A code of fair information practices which mandates how Government agencies shall collect, maintain, use, and disseminate personally identifiable information (PII) about individuals that is maintained in systems of records (SOR).

The Privacy Act (continued)

Applies to: Executive Branch Agencies.

Implemented by:

DoDD 5400.11, “DoD Privacy Program.”

DoD 5400.11-R, “DoD Privacy Program.”

The Privacy Act (continued)

What is PII?

Information which can be used to distinguish or trace an individual’s identity.

○ Including name, social security number, date and place of birth, mother’s maiden name, biometric information.

Any other personal information which is linked or linkable to a specified individual.

The Privacy Act (continued)

What is a Record?

A collection or grouping of information about an individual that is maintained by a DoD Component.

What is a SOR?

A group of records which are under the control of a DoD Component that are retrieved by name, SSN, or other personal identifier.

The Privacy Act (continued)

The DoD’s responsibility is to balance the government’s need to maintain information about individuals with the rights of individuals.

DoD SSN Use Reduction Plan

DoD SSN Use Reduction Plan

Purpose: To eliminate, when feasible, the use of Social Security numbers (SSNs).

Applicability: All uses of SSNs within the DoD, to include DoD data managed or maintained in contractor-owned, -managed, or -operated systems.

DoD SSN Use Reduction Plan (continued)

Implemented by:

Executive Order 9397 (SSN), as amended.

OMB Memorandum M-07-16.

DTM 07-015-USD(P&R).

USD(P&R) Memo, “Updated Plan for the Removal of SSNs from DoD ID Cards.”

DRAFT USD(P&R) DoDI 1000.hh.

DoD SSN Use Reduction Plan (continued)

USD(P&R) Memo, “Updated Plan for the Removal of SSNs from DoD ID Cards”:

DoD ID cards will no longer visibly display SSNs.

As of May 2011, replaced SSN with the DoD ID Number (formerly known as EDI-PI) and, when applicable, the DoD Benefits Number.

Beginning 2012, initiate removal of the SSN from the ID card barcode.

DoD SSN Use Reduction Plan (continued)

DRAFT USD(P&R) DoDI 1000.hh, “Reducing Use of Social Security Numbers (SSNs) Within DoD.”

Each Component is required to review systems and forms which collect SSN to determine if continued use is justified.

Systems or forms that do not fall under one of the approved 'use cases' will be required to develop and institute a plan to eliminate the use of the SSN.

Systems with an approved use case for SSN collection will require a signed memo documenting the requirement for such use.

Health Insurance Portability and Accountability Act (HIPAA)

Public Law 104-91

HIPAA

Purpose: Improve the efficiency and effectiveness of the health care system by standardizing the electronic exchange of administrative and financial data.

Applicability: Covered entities.

HIPAA defines a covered entity as:

A health care provider that conducts certain transactions in electronic form;

A health care clearinghouse; or

A health plan.

HIPAA (continued)

HIPAA Privacy Rule.

Establishes national standards to protect individuals’ medical records and other PHI.

Implemented by:

DoD 6025.18-R, “DoD Health Information Privacy Regulation.”

HIPAA (continued)

HIPAA Security Rule.

Establishes national standards to protect individuals’ electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity.

Implemented by:

DoD 8580.02-R, “DoD Health Information Security Regulation.”

HIPAA (continued)

Protected Health Information (PHI) is:

Individually identifiable health information which is a subset of PII.

Created, received, or maintained by a covered entity.

Transmitted or maintained by electronic or any other form or medium, except as otherwise contained in employment records.

HIPAA (continued)

[Figure: diagram with the labels Joe Q. Public, Hospital, Employer, and Fed Agency]

Freedom of Information Act (FOIA)

5 USC 552

FOIA

Purpose: Inform the public of information while appropriately protecting government interests.

Applicability: Executive branch government agencies.

Implemented by:

DoDD 5400.7, “DoD Freedom of Information Act (FOIA) Program.”

DoD 5400.7-R, “DoD Freedom of Information Act Program.”

FOIA (continued)

Provides individuals with access to many types of records that are exempt from access under the Privacy Act.

Unlike those of the Privacy Act, FOIA procedures are available to non-resident foreign nationals.

E-Government Act of 2002

Public Law 107-347

E-Government Act

Purpose: Improve internet-based technology to make it easier for citizens and businesses to interact with the government.

Applicability: All executive branch departments and Federal agencies.

E-Government Act (continued)

Protects PII agencies collect, use, maintain, or disseminate within information technology systems.

Implemented by:

OMB and DoD Annual FISMA Guidance.

DoD CIO Memorandum, DoD Privacy Impact Assessment (PIA) Guidance.

E-Government Act - FISMA

Federal Information Security Management Act (FISMA) provides a framework for ensuring the effectiveness of information security controls for Federal systems.

Implemented by: DoD Directive 8500.1.

DoD Instruction 8500.2.

DoD Annual FISMA Guidance.

E-Government Act - FISMA (continued)

Applicability:

Federal government agencies’ information systems.

Information systems operated by contractors on behalf of federal agencies.

What it protects: Federal information systems and related resources.

E-Government Act - FISMA (continued)

From Report GAO-07-837 INFORMATION SECURITY, “Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses,” July 2007.

E-Government Act - PIA (continued)

Privacy Impact Assessments (PIA).

An analysis of systems to identify privacy risks associated with the use of PII.

Web-page privacy policy.

Must include a machine-readable privacy policy.

Must be consistent with the Privacy Act.

Implemented by:

DoD Instruction 5400.16.

Paperwork Reduction Act

Public Law 104-13

Paperwork Reduction Act

Purpose:

Reduce the total amount of paperwork handled by the federal government and general public.

Maximize utility of information.

Agencies must ensure disclosure policies will honor any claims of confidentiality on forms.

Paperwork Reduction Act (continued)

What it protects: Information created, collected, maintained, used, disseminated, or disposed.

Implemented by: DoD 8910.1-M.

Records Management

36 CFR, Chapter 12

Records Management

Purpose: Supports the creation, maintenance and use, and disposition of records in order to document federal policies, operations, and transactions appropriately and economically.

Implemented by:

DoD WHS Administrative Instruction 15.

Records Management (continued)

Applicability: Federal agencies and Executive branch of the U.S. Government.

What it protects: All information, related to an agency’s business transaction, that is created, used, maintained, disseminated, or disposed of.

Integrating Different Laws

Integrating Different Laws

The challenge:

Laws with various purposes often govern the same data at different points in the systems development life cycle.

The solution:

Focus on the FIPPs.

Comply with Federal law and DoD Policy.

Consult your Privacy Office at the beginning of the SDLC.

Summary

You should now be able to:

State the purpose of each law, who it applies to, and what it protects.

Recognize that laws create standards and mandate compliance.

Identify how different laws relate to one another.

Discuss the FIPPs as they relate to the Defense Privacy Program.

Resources

Paperwork Reduction Act, Public Law 104-13, May 22, 1995.

DoD 8910.1-M, DoD Procedures for Management of Information Requirements, June 30, 1998.

Freedom of Information Act (FOIA), Public Law 89-554, July 4, 1966.

DoDD 5400.7, DoD Freedom of Information (FOIA) Act Program, October 28, 2005.

DoD 5400.7-R, DoD Freedom of Information Act Program, September 1998.

The Privacy Act of 1974, Public Law 93-579, December 31, 1974.

Resources (continued)

DoDD 5400.11, DoD Privacy Program, May 8, 2007.

DoD 5400.11-R, DoD Privacy Program, May 14, 2007.

Health Insurance Portability and Accountability Act of 1996, Public Law 104-91.

DoD 6025.18-R, DoD Health Information Privacy Regulation, January 2003.

DoD 8580.02-R, DoD Health Information Security Regulation, July 12, 2007.

E-Government Act of 2002, Public Law 107-347.

Federal Information Security Management Act (FISMA) of 2002.

Resources (continued)

DoD and OMB Annual FISMA Guidance.

DoDD 8500.1, Information Assurance, October 24, 2002.

DoDI 8500.2, Information Assurance Implementation, February 6, 2003.

DoD CIO Memorandum, DoD Privacy Impact Assessment (PIA) Guidance, October 28, 2005.

Office of Management and Budget Circular No. A-130, Revised, Management of Federal Information Resources, November 28, 2000.

DoDD 5015.2, DoD Records Management Program, March 6, 2000.
