February 2009
Presentation Transcript


  1. Privacy Act Awareness: Safeguarding of Personally Identifying Information, a.k.a. Privacy Act Data. It is Your Duty! February 2009. Ms. Carolyn Bolen, 50 SCS/SCOK, (719) 567-7406, DSN 560-7406

  2. Overview
  • What is Personally Identifiable Information (PII)?
  • Who is responsible for protecting PII?
  • Sending PII over electronic mail
  • Placing PII on shared drives
  • Privacy and the Web
  • Tips for Avoiding Privacy Breaches
  • Reporting a PII Breach
  • Highly encouraged PII on-line training
  • Base Privacy Act Manager

  3. Personally Identifiable Information
  • Personally Identifiable Information (PII), as set forth in DoD Directive 5400.11, para E2.e, and DoD 5400.11-R, para DL1.14, is defined as follows:
  • Information about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a Social Security Number; age; military rank; civilian grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical, and financial information, etc. Such information is also known as personally identifiable information (i.e., information which can be used to distinguish or trace an individual's identity, such as their name, Social Security Number, date and place of birth, mother's maiden name, and biometric records, including any other personal information which is linked or linkable to a specified individual).

  4. Who is responsible for protecting PII? • Maintaining information privacy is the responsibility of every federal employee, military member, and contractor who comes into contact with information in identifiable form. Protect information according to its sensitivity level. Consider the personal sensitivity of the information and the risk of disclosure, loss or alteration.

  5. Sending PII over electronic mail
  • Per AFI33-332 AFSPC Supplement, Privacy Act Program, para 7.3.
  • Exercise caution before transmitting personal information over e-mail to ensure it is adequately safeguarded. Some information may be so sensitive and personal that e-mail may not be the proper way to transmit it. When sending personal information over e-mail within DOD, ensure:
  (1) there is an official need;
  (2) all addressee(s) (including "cc" addressees) are authorized to receive it under the Privacy Act; and
  (3) it is protected from unauthorized disclosure, loss, or alteration.

  6. Sending PII over electronic mail (cont'd)
  • Protection methods may include encryption or password-protecting the information in a separate attached Word document. If a password is used, pass it to the recipient by a separate channel (e.g., by phone); a password placed in the same e-mail as the attachment protects nothing.
  • When transmitting personal information over e-mail, add "FOUO" to the beginning of the subject line, followed by the subject, and apply the following statement at the beginning of the e-mail: "This e-mail contains FOR OFFICIAL USE ONLY (FOUO) information which must be protected under the Privacy Act and AFI 33-332."
  • Do not indiscriminately apply this statement to e-mails. Use it only in situations when you are actually transmitting personal information.
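The e-mail convention in slides 5 and 6 can be turned into an outbound screening check. The script below is an added example for this page, not part of the briefing and not an Air Force tool. It assumes the "FOUO" subject prefix and the Privacy Act statement exactly as quoted above, detects personal information with two constructed patterns (SSN-like numbers that pass the basic SSA structural rules, and a "DOB" keyword followed by a date), and runs over constructed sample messages. The subject-line test is an addition to the slide: Subject headers are not covered by body encryption such as S/MIME and show up in previews, so a Social Security Number belongs in the protected body or attachment, never in the subject.

```python
"""Screen outbound e-mail for Privacy Act data against the FOUO marking rule.

Added example, not the briefing's own tool. Patterns, messages and the
subject-line check are assumptions made for illustration.
"""
import re
from email import message_from_string

# Statement quoted in slide 6; the body must begin with it when PII is sent.
FOUO_BANNER = ("This e-mail contains FOR OFFICIAL USE ONLY (FOUO) information "
               "which must be protected under the Privacy Act and AFI 33-332.")

# Constructed detectors: SSN in 3-2-4 form, and "DOB"/"date of birth" + date.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\b\s*[:\-]?\s*(\d{1,2}/\d{1,2}/\d{2,4})",
                    re.IGNORECASE)


def is_plausible_ssn(area, group, serial):
    """Reject structurally impossible SSNs to cut false positives."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:   # never-issued area numbers
        return False
    return g != 0 and s != 0             # group and serial are never all zero


def find_pii(text):
    """Return [(kind, value)] for every PII hit in the text."""
    hits = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]
    hits += [("dob", m.group(1)) for m in DOB_RE.finditer(text)]
    return hits


def body_text(msg):
    """Concatenate all text/plain parts (handles multipart messages)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def check_message(raw):
    """Apply the slide-6 rules and return the findings as a dict."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    body = body_text(msg)
    pii = find_pii(subject + "\n" + body)
    subject_marked = subject.lstrip().upper().startswith("FOUO")
    banner_present = body.lstrip().startswith(FOUO_BANNER)

    violations = []
    if pii:
        if not subject_marked:
            violations.append("subject lacks FOUO prefix")
        if not banner_present:
            violations.append("body lacks Privacy Act statement")
        if find_pii(subject):   # added check: headers are not protected by body encryption
            violations.append("personal information in the subject line")
    elif subject_marked or banner_present:
        # Slide 6: do not apply the statement indiscriminately.
        violations.append("FOUO marking applied to a message with no personal information")
    return {"pii": pii, "violations": violations, "compliant": not violations}


# Constructed sample messages (no real persons or numbers).
SAMPLES = {
    "compliant": "From: a@example.mil\nTo: b@example.mil\n"
                 "Subject: FOUO Recall roster update\n\n" + FOUO_BANNER + "\n\n"
                 "SSgt Doe, SSN 123-45-6789, DOB 01/02/1980, home phone on file.\n",
    "unmarked": "From: a@example.mil\nTo: b@example.mil\nSubject: Roster update\n\n"
                "Doe, John, 123-45-6789, please add to the roster.\n",
    "over_marked": "From: a@example.mil\nTo: all@example.mil\nSubject: FOUO Lunch menu\n\n"
                   + FOUO_BANNER + "\n\nPizza on Friday.\n",
    "pii_in_subject": "From: a@example.mil\nTo: b@example.mil\n"
                      "Subject: FOUO 123-45-6789 pay correction\n\n" + FOUO_BANNER + "\n\n"
                      "Please correct the record.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = check_message(raw)
        print(f"{name:15s} compliant={result['compliant']} "
              f"pii={len(result['pii'])} violations={result['violations']}")
```

The check deliberately treats over-marking as a finding, since the slide's point is that the statement loses its meaning when stapled to every message. Extending the detectors (dates of birth in other formats, maiden-name fields, DoD ID numbers) is a matter of adding patterns to `find_pii`.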

  7. Placing PII on shared drives
  • Per AFI33-332 AFSPC Supplement, Privacy Act Program, para 12.1.2.
  • Personal information should never be placed on shared drives for access by groups of individuals unless each person has an official need to know the information to perform their job. Add appropriate access controls to ensure access by only authorized individuals.
  • Recall rosters are FOUO because they contain personal information and should be shared with small groups at the lowest levels for official purposes, to reduce the number of people with access to such personal information.
  • Commanders and supervisors should give consideration to those individuals with unlisted phone numbers who do not want their number included on the office recall roster. In those instances, disclosure to the Commander or immediate supervisor, or deputy, should normally be sufficient.

  8. Privacy and the Web
  • Per AFI33-332 AFSPC Supplement, Privacy Act Program, para 12.8.
  • Do not post personal information on publicly accessible DOD web sites unless clearly authorized by law and implementing regulation and policy.
  • Additionally, do not post personal information on .mil private web sites unless authorized by the local commander, for official purposes, and an appropriate risk assessment is performed. See AFI33-129, Transmission of Information Via the Internet.

  9. Tips for Avoiding Privacy Breaches
  • Take privacy protection seriously
  • Respect the privacy of others
  • Report to your supervisor or other management official when you see personal data left unattended
  • Know the Privacy Act requirements. Refer to the following governing publications for additional guidance: AFI33-332 AFSPC Supplement, Privacy Act Program, which implements DoDD 5400.11, DoD Privacy Program; and DoD 5400.11-R, DoD Privacy Program

  10. Reporting a PII Breach
  • Individual discovering the incident:
  – Notifies the Base Privacy Act Manager immediately.
  – Reports the incident to US-CERT within one hour of discovery. Go to http://www.us-cert.gov; on the lower right side of the web page, under "Reporting", click "Report an Incident". Complete the questionnaire and record the US-CERT tracking number (needed for the PII Incident Report).
  – Immediately after the incident is reported to US-CERT, provides a preliminary incident report to the Base Commander and Base Privacy Act Manager.
  • Base Privacy Act Manager requests that the Base Commander appoint an investigating official to conduct the PII investigation.
  • Within 24 hours, the Base Commander appoints an independent third party to conduct the PII investigation.

  11. Reporting a PII Breach (cont'd)
  • Investigator will:
  – Complete the investigation within 72 hours of appointment, prepare the PII incident report, and provide a copy to the Base Commander and Base Privacy Act Manager.
  • Base or Group Commander will:
  – Complete a formal letter to the individual(s) whose information has been breached within 10 days of the incident.

  12. Highly Recommended PII On-line Training
  • DISA has created a great PII training tool located at: http://iase.disa.mil/eta/online-catalog.html (scroll down the page; it's about the sixth course down)
  • This web-based training identifies what Personally Identifiable Information (PII) is and why it is important to protect PII. This training reviews a Department of Defense (DoD) organization's responsibilities for safeguarding PII and explains individual responsibilities for PII recognition and protection. Major legal, Federal, and DoD requirements for protecting PII are presented, to include the Privacy Act of 1974, the E-Government Act of 2002, and the Federal Information Security Management Act (FISMA).

  13. Base Privacy Act Manager
  • Your Base Privacy Act Manager is: Ms. Carolyn Bolen, 50 SCS/SCOK, (719) 567-7406, DSN 560-7406, Schriever.FOIA@schriever.af.mil