PRIVACY TRAINING 101 CIA-PPI-PII

What you Need to Know about Safeguarding Protected Personal Information and Personally Identifiable Information (PPI/PII) and the Confidentiality, Integrity and Availability (CIA) of Data

Upload: bernard-peck

Post on 31-Dec-2015

DESCRIPTION

PRIVACY TRAINING 101 CIA-PPI-PII. What you Need to Know about Safeguarding Protected Personal Information and Personally Identifiable Information (PPI/PII) and the Confidentiality, Integrity and Availability (CIA) of Data. PowerPoint PPT presentation (39 pages).

TRANSCRIPT

Page 1: PRIVACY TRAINING 101 CIA-PPI-PII

PRIVACY TRAINING 101 CIA-PPI-PII

What you Need to Know about Safeguarding Protected Personal Information and Personally Identifiable Information (PPI/PII) and the Confidentiality, Integrity and Availability (CIA) of Data

Page 2

Purpose of this training:

To focus on the importance of PRIVACY and to ensure all personnel (military, civilian, contractor) are aware of the vital role they must play in ensuring CIA and that PPI/PII is properly protected from unauthorized disclosure.

Page 3

Protection of the Confidentiality, Integrity, and Availability (CIA) of USACC Information

Page 4

Definitions

Confidentiality: Data/information is accessible only to those authorized to have access.

Integrity: Assurance that data and information are consistent and correct, not only at the point of origin but also after transfer to another point.

Availability: Timely and reliable access to data and services for authorized users. Availability ensures that information or resources are available when required, while confidentiality is still protected and the integrity of the data is maintained.

Page 5

DEFINITIONS

"PPI" stands for Protected Personal Information

"PII" stands for Personally Identifiable Information

PPI and PII are interchangeable. PPI/PII is information which can be used to identify a person uniquely and reliably, including but not limited to name, SSN, address, telephone number, e-mail address, and mother's maiden name.

Page 6

Current Issues

1. Ignorance and apathy towards information/data CIA and associated guidance

2. Lack of standard processes to handle sensitive information and not following established processes for handling information

3. Lack of understanding of how the network and electronic filing can protect data and information

4. Lack of training about proper handling of information/data

Page 7

Policies, Regulations, and Memorandums

- OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007
- DoD Memorandum: Safeguarding Against and Responding to Breach of PII, 21 Sep 2007
- DoD 5400.11-R: DoD Privacy Program, 14 May 2007
- DoD Directive 5400.11, DoD Privacy Program, 8 May 2007
- AR 25-55, DA FOIA Program, 1 Nov 1997
- AR 380-5, DA Information Security Program, 29 Sep 2000
- AR 25-2, Information Assurance, 24 Oct 2007
- USACC Policy Memorandum 17, Protection of IT Equipment and Sensitive Data, 15 May 2007

Page 8

Personally Identifiable Information (PII)

PII, as set forth in DoD Directive 5400.11, para E2.e and DoD 5400.11-R, para DL1.14, is defined as follows: "Personal Information. Information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g. a Social Security Number; age; military rank; civilian grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical, and financial information, etc. Such information is also known as personally identifiable information (i.e., information which can be used to distinguish or trace an individual's identity, such as their name, Social Security Number, date and place of birth, mother's maiden name, biometric records, including any other personal information which is linked or linkable to a specified individual)."

Page 9

Why You Need to Know About Privacy:

We are collecting, maintaining, distributing and disposing of information about individuals--YOU!

The law requires you to take precautions when collecting, maintaining, distributing and disposing of PPI/PII.

The Privacy Act of 1974 contains both civil and criminal penalties for non-compliance.

Page 10

The Department of Veterans Affairs Breach

The VA loss of millions of veterans' records was well publicized, costly, and brought PRIVACY to the forefront.

This breach resulted in Presidential and Congressional interest in PRIVACY.

The Office of Management & Budget ("OMB") established working groups to address better protections, notification protocols, costs, and actions to be taken against employees.

Page 11

The Fallout

OMB issued a Memorandum dated May 22, 2006, entitled "Safeguarding Personally Identifiable Information," which directed agencies to provide training to all employees on their responsibilities to safeguard personally identifiable information.

Page 12

The Fallout (Cont'd)

OMB issued another Memorandum dated May 22, 2007, entitled "Safeguarding Against and Responding to the Breach of Personally Identifiable Information."

Both Memoranda require agencies to provide PRIVACY training to all employees.

Page 13

Your Role in PRIVACY

You must understand the importance of ensuring that PPI/PII is properly protected.

You must get involved in identifying best practices for protecting PPI/PII.

You must be aware of the consequences for non-compliance.

Page 14

Privacy Act Requirements

Establish rules of conduct for collecting, maintaining, distributing, and disposing of personal information.

Publish Privacy Act system of records notices in the Federal Register for all approved collections of privacy information.

Ensure that we collect only data that is authorized by law and that we share information only with those who have a need-to-know.

Page 15

Privacy Act Requirements

Establish and apply data safeguards to protect information from unauthorized disclosure.

Allow individuals to review records about themselves for completeness and accuracy and to amend any factual information that is in error.

Keep a record of disclosures made outside of DoD to authorized "routine users" described in the system notice.

Page 16

Examples of Personal Data Requiring Protection

- Financial, credit and medical data
- Security clearance level
- Leave balances; types of leave used
- Home address and telephone numbers, personal e-mail address
- Social Security Number
- Mother's maiden name; other names used

Page 17

Examples of Personal Data Requiring Protection

- Drug test results and fact of participation in a rehabilitation program
- Family data
- Religion, race, national origin
- Performance ratings
- Names of employees who hold government-issued travel cards

Page 18

The Loss of PPI/PII

Can be embarrassing and cause emotional distress.

Can lead to identity theft, which is costly to the individual and to the Government.

Can impact our business practices and result in actions being taken against an employee.

Can erode confidence in the Government's ability to protect information.

Page 19

DepSecDef Memorandum

On June 15, 2005, the DepSecDef issued a Memorandum entitled "Notifying Individuals When Personal Information is Lost, Stolen, or Compromised."

- Requires DoD activities to notify individuals within 10 days after the loss or compromise of protected personal information is discovered

Page 20

DepSecDef Memorandum

Directs that notification advise individuals of:

- what specific data was involved;
- the circumstances surrounding the loss, theft, or compromise;
- what protective steps the individual can take in response

See also 32 C.F.R. § 310.50

Page 21

Additional Breach Notification Procedures

Agencies must report all incidents involving PII to the United States Computer Emergency Readiness Team ("US-CERT") within ONE HOUR of discovery--32 C.F.R. § 310.50(1).

DoD Components must report all incidents involving PII to the Senior Component Official for Privacy within 24 hours of discovering the breach--32 C.F.R. § 310.50.

Page 22

Additional Breach Notification Procedures

The Senior Component Official for Privacy, or a designee, shall notify the Defense Privacy Office of the breach within 48 hours of being notified of the breach--32 C.F.R. § 310.50(2).

Submit a report to the Defense Privacy Office detailing the specifics of the breach--32 C.F.R. § 310.50(2)(i)-(iv).

Page 23

Collecting PPI/PII

If you collect it--you must protect it!

If in doubt, leave it out! Do you really need the entire SSN, or will the last 4 digits serve as a second qualifying identifier?

Moving from a paper process to an electronic process requires you to identify any breach risks.

Page 24

Think PRIVACY When Safeguarding PII

Need to address whether collection and maintenance of all the information that we collect is "relevant and necessary," and whether we can maintain "timely and accurate" information.

The CIO may need to conduct a Privacy Impact Assessment ("PIA") of an electronic system to identify vulnerabilities.

Page 25

Best Practices

Think PRIVACY when considering the PII that you store on your computer, memory stick, PDA, etc.

Think PRIVACY when you send/receive e-mails that contain PII--are these messages properly marked?

"FOR OFFICIAL USE ONLY-PRIVACY SENSITIVE-Any misuse or unauthorized access may result in both civil and criminal penalties."

Page 26

Best Practices

Any e-mail messages that contain PII/PPI must carry the proper markings AND be ENCRYPTED!

Any PII/PPI that is contained or maintained on "mobile" equipment (PDAs, memory sticks, etc.) must be ENCRYPTED!

Page 27

Best Practices

Think PRIVACY when you create documents--do you need to include the entire SSN?

Think PRIVACY when placing documents in public folders in Outlook and on public web sites.

Think PRIVACY when disposing of PII--use cross-cut shredding, if possible.
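The two questions the training keeps returning to on pages 23, 25 and 27 (do you need the entire SSN, and is a message that carries PII properly marked) can be checked mechanically before a message or document leaves your desk. The Python script below is an added example written for this page; it is not a USACC or Army tool. It assumes a nine-digit SSN written with optional dashes or spaces, uses the marking text quoted on page 25 verbatim, and the roster it scans is constructed for the example.

```python
import re

# Marking quoted on page 25; required on any message that carries PII.
PRIVACY_MARKING = (
    "FOR OFFICIAL USE ONLY-PRIVACY SENSITIVE-Any misuse or unauthorized "
    "access may result in both civil and criminal penalties."
)

# Full nine-digit SSN with optional dash/space separators. Area numbers 000,
# 666 and 900-999, group 00 and serial 0000 are never issued (an SSA rule,
# added here as an assumption; the training does not state it). Excluding
# them keeps other nine-digit numbers from being flagged.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d\d)(\d{3})[- ]?(?!00)(\d{2})[- ]?(?!0000)(\d{4})\b"
)
MASKED_RE = re.compile(r"XXX-XX-\d{4}")


def find_full_ssns(text):
    """Return every complete SSN in text, normalised to ddd-dd-dddd."""
    return ["-".join(m.groups()) for m in SSN_RE.finditer(text)]


def mask_ssns(text):
    """Keep only the last four digits of each SSN (XXX-XX-dddd)."""
    return SSN_RE.sub(r"XXX-XX-\3", text)


def check_message(body):
    """Vet an outgoing e-mail body; return (issues, cleaned_body).

    issues:
      "full-ssn"  the body still carries complete SSNs
      "unmarked"  the body carries PII but lacks the privacy marking
    cleaned_body has SSNs reduced to last-four and the marking prepended.
    """
    issues = []
    if find_full_ssns(body):
        issues.append("full-ssn")
    # A last-four SSN next to a name is still PII, so it still needs marking.
    has_pii = bool(SSN_RE.search(body) or MASKED_RE.search(body))
    if has_pii and PRIVACY_MARKING not in body:
        issues.append("unmarked")
    cleaned = mask_ssns(body)
    if has_pii and PRIVACY_MARKING not in cleaned:
        cleaned = PRIVACY_MARKING + "\n\n" + cleaned
    return issues, cleaned


# Constructed sample roster; the names and numbers are invented for this example.
SAMPLE_MESSAGE = """Roster for the Thursday brief:
  Doe, Jane     SSN 123-45-6789   travel card holder
  Roe, Richard  SSN 321 54 9876
Phone 555-123-4567, ticket 20150105 opened."""

if __name__ == "__main__":
    issues, cleaned = check_message(SAMPLE_MESSAGE)
    print("issues:", issues)
    print(cleaned)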

Page 28: PRIVACY TRAINING 101 CIA-PPI-PII

Your ResponsibilitiesYour Responsibilities

Do NOT collect personal data without Do NOT collect personal data without authorization.authorization.

Do NOT distribute or release personal Do NOT distribute or release personal information to other employees unless information to other employees unless they have an official need-to-know.they have an official need-to-know.

Do NOT be afraid to challenge anyone Do NOT be afraid to challenge anyone who asks to see PA information.who asks to see PA information.

Do NOT maintain records longer than Do NOT maintain records longer than permitted.permitted.

Page 29: PRIVACY TRAINING 101 CIA-PPI-PII

Your ResponsibilitiesYour Responsibilities

Do NOT destroy records before Do NOT destroy records before disposal requirements are met.disposal requirements are met.

Do NOT place unauthorized documents Do NOT place unauthorized documents in PA systems of records.in PA systems of records.

Do NOT commingle information about Do NOT commingle information about different individuals in the same file.different individuals in the same file.

Do NOT transmit personal data without Do NOT transmit personal data without ensuring that it is properly marked.ensuring that it is properly marked.

Page 30: PRIVACY TRAINING 101 CIA-PPI-PII

Your ResponsibilitiesYour Responsibilities

Do NOT use interoffice envelopes to Do NOT use interoffice envelopes to mail Privacy data.mail Privacy data.

Do NOT place privacy data on shared Do NOT place privacy data on shared drives, multi-access calendars, the Intra drives, multi-access calendars, the Intra or Internet that can be accessed by or Internet that can be accessed by individuals who do not have an official individuals who do not have an official need-to-know.need-to-know.

Do NOT hesitate to offer Do NOT hesitate to offer recommendations on how to better recommendations on how to better manage Privacy data.manage Privacy data.

Page 31: PRIVACY TRAINING 101 CIA-PPI-PII

Specific USACC Policies and Procedures

Page 32: PRIVACY TRAINING 101 CIA-PPI-PII

Leadership’s Leadership’s Responsibility for DataResponsibility for Data Develop polices, procedures and standards to

protect/safeguard information and data.

Enforce the policies, procedures and standards through training and oversight

Be an active participant in information CIA, e.g. walk the talk, set the example, and identify areas of improvement

Ensure everyone receives initial orientation training and refresher training each year

Page 33: PRIVACY TRAINING 101 CIA-PPI-PII

Individual Responsibility Individual Responsibility for Datafor Data

Carefully consider the information you need to do your job, i.e. do you need SSNs, addresses, birthdates, etc.

Know and understand polices, regulations, and guidance

Page 34: PRIVACY TRAINING 101 CIA-PPI-PII

Individual Responsibility for DataIndividual Responsibility for Data

If you must use sensitive information, determine who needs to see it and protect it accordingly. Set up a folder that allows only those that must

have access to it and the level of access, e.g. Read/Write, or Read only.

If sending sensitive information via email, use the Encryption feature.

When printing sensitive information on shared printers, pick up immediately and protect it.

Delete any files containing sensitive information when they are no longer needed. Hard copies need to be shredded when no longer needed.

Page 35: PRIVACY TRAINING 101 CIA-PPI-PII

Every file has a log that indicates when it was created, when it was modified and the identity of the person.

To ensure your identify is correctly listed, you must do the following:

- Word: Open up a blank document. Go to Tools, then Options. Select the “User Information” tab. Type in your name and initials in the space provided. Hit OK.

- Excel: Open up a blank document. Go to Tools, then Options. Select the “General” tab. Type in your name in the space provided. Hit OK.

- PowerPoint: Open up a blank document. Go to Tools, then Options. Select the “General” tab. Find User Information. Type in your name and initials in the space provided. Hit OK.

Identification of Creator/Modifier of Information

Page 36: PRIVACY TRAINING 101 CIA-PPI-PII

All information provided to any available distribution format must have the Director’s or Deputy’s approval Information containing personal or operational information may be published within the Enterprise Portal only. Within the enterprise portal the following data is prohibited

SSNs Personal Medical Information

Information that may be operationally or contractually sensitive or has a possibility of having a negative impact on the Army, USAAC, or USACC must be reviewed by PAO, Security, and SJA G6 will not accept information for posting to any of the above sites unless it is approved by the Director or Deputy

Information Provided for the Weekly Blast, Public Site, Right Site, and Enterprise Portal

Page 37: PRIVACY TRAINING 101 CIA-PPI-PII

Any information containing personal information (electronic or hard copy) must be: Protected from unauthorized access Deleted when no longer needed Identify the person that created it

Process for protecting from unauthorized access: Use the minimum personal information required Determine who needs to access the

information, if anyone, other than yourself

Files Created and Stored Locally Containing Personal Information

Page 38: PRIVACY TRAINING 101 CIA-PPI-PII

If multiple people need to access (electronically): Create a folder Put in a work order with by name and level of

access Once you receive information the folder has

been created, put a test document in it and test Once the access test ensures the folder does

restrict access, create the file and put it in the restricted folder.

Files Created and Stored Locally Containing Personal Information

Page 39: PRIVACY TRAINING 101 CIA-PPI-PII

Sending any information containing personal informationmust be encrypted and digitally signed by the sender.

The information should contain the minimal amount of Information possible to accomplish the task. If at all possible, stay away from SSNs.

The instructions for BN users to be able to send and receive encrypted emails is being drafted now. Basically it will require the person receiving the file and the person sending it to exchange Digitally signed emails and saving the userid/certificates to their personal contacts.

Sending Files Containing Personal Information to Another Person