safeguarding pii n.
Skip this Video
Loading SlideShow in 5 Seconds..
Safeguarding PII PowerPoint Presentation
Download Presentation
Safeguarding PII

Loading in 2 Seconds...

play fullscreen
1 / 21

Safeguarding PII - PowerPoint PPT Presentation

  • Uploaded on

Safeguarding PII . Agenda. Why Privacy is Important Personally Identifiable Information Sensitive PII Handling PII in a DHS System Handling PII Extracted from a DHS System Handling PII Outside of a DHS System Privacy Incident Reporting. Why is Privacy Important?.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Safeguarding PII' - wyoming-mendoza

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
  • Why Privacy is Important
  • Personally Identifiable Information
  • Sensitive PII
  • Handling PII in a DHS System
  • Handling PII Extracted from a DHS System
  • Handling PII Outside of a DHS System
  • Privacy Incident Reporting

The DHS Privacy OfficeNovember 16, 2014: slide 2

why is privacy important
Why is Privacy Important?
  • To earn and keep public trust
    • If the public no longer trusts DHS to protect their PII, we may find public support for DHS programs will erode.
  • To prevent identity theft
    • Identity thieves do not discriminate based on a person’s immigration status, and neither does DHS when protecting the PII it collects and maintains.
  • To prevent privacy incidents
    • Incidents are reported in national news, which erodes the public’s trust in those agencies, and are expensive to mitigate.
  • It’s the law.
    • Failure to follow these laws may result in civil or criminal penalties for you, your supervisors, and/or colleagues.

The DHS Privacy OfficeNovember 16, 2014: slide 3

personally identifiable information
Personally Identifiable Information

The DHS Privacy OfficeNovember 16, 2014: slide 4

sensitive pii
Sensitive PII
  • Potential for substantial harm, embarrassment, inconvenience, or unfairness to an individual
  • Single data elements
    • social security, driver's license, or financial account number
  • Combinations of data
    • citizenship or immigration status; medical information; ethnic, religious, sexual orientation; in conjunction with the identity of an individual
  • Context of data
    • a list of names of employees with poor performance ratings.

The DHS Privacy OfficeNovember 16, 2014: slide 5

handling pii in a dhs system
Handling PII in a DHS System
  • Only access what you need-to-know.
    • Do not browse
  • Only use PII for approved purposes.
    • Use should be compatible with purpose of the system
  • Protect against “shoulder surfing” and eavesdropping.
  • Only access systems using DHS equipment.
    • Including teleworkers

The DHS Privacy OfficeNovember 16, 2014: slide 6

handling spii extracts
Handling SPII Extracts
  • Obtain approval before extracting PII from a DHS system.
  • Secure portable media containing SPII. Carry on laptops when flying instead of checking and do not leave unattended in hotel room.
  • Encrypt SPII when transferred outside of DHS, such as to a non-DHS email address.
  • If extract is not part of system SOP, log and track the extract to ensure it is not lost.

The DHS Privacy OfficeNovember 16, 2014: slide 7

handling pii outside of a system
Handling PII Outside of a System
  • Check with the DHS Privacy Office and I&A counsel.
    • You may inadvertently create a privacy sensitive system that is out of compliance with law and policy.
      • Subject to civil, criminal, administrative penalties
  • Do not create duplicate, ancillary, “shadow,” or “under the radar” files with PII.
  • Only use DHS-approved forms (paper or electronic) to collect PII from 10 or more individuals.

The DHS Privacy OfficeNovember 16, 2014: slide 8

Privacy Incidents


Your Responsibilities


TJX Says Customer Data was Stolen

TSA Suffers Data Loss; Lawmakers Watch Closely

Think Your SSN is Secure? Think Again…

VA Sets Aside $20 Million to Handle Latest Data Breach

Cost of Privacy Incident: $90 to $130 Per Record Compromised

The DHS Privacy OfficeNovember 16, 2014: slide 10

privacy incidents
Privacy Incidents

Report any loss, theft, or unauthorized disclosures of PII to the Program Manager, Privacy POC, or ISSM.

  • Report as soon as suspected or confirmed.
  • Report whether intentional or inadvertent.
  • Report regardless of perceived risk.

Do not further compromise the information by forwarding or replying “to all.”

The DHS Privacy OfficeNovember 16, 2014: slide 11

what is a privacy incident
What is a Privacy Incident?

A suspected or confirmed:

  • loss of control
  • compromise
  • unauthorized disclosure
  • unauthorized acquisition
  • unauthorized access
  • or any other situation where persons other than authorized users and for an unauthorized purpose have access or potential access

To PII whether in hard copy or electronic form

privacy incident harms
Harm to Component/Department

Harm to individuals

Privacy Act – Ensure the security and confidentiality of records to protect against

Substantial harm




Risk of economic harm, identity theft, or fraud

Risk of harm to the security or integrity of the information system

Potential for blackmail, mental pain, or emotional distress

Disclosure of private facts

(OMB Memorandum 07-16)

Privacy Incident Harms
examples of privacy incidents
Examples of Privacy Incidents
  • Theft of a laptop containing rosters of emergency responders
  • Lost or stolen thumb drive or portable hard drive of PII
  • Shipper loses a package of employee applications
  • Loss of a hard drive with current and former DHS employee SSNs
  • Unauthorized access to personnel files
  • Employee roster posted on agency website, disclosing name, personal cell phone number, and home address
  • Email containing payroll information transmitted from government email account to a personal email account
  • Key logger gains access to a computer and its accounts
obligation to safeguard sensitive pii
Obligation to Safeguard Sensitive PII
  • Apply “Need to know” principle before disclosing PII to other personnel
  • Challenge requested need for PII before sharing
  • Limit PII to official use only
  • PII may only be collected for an authorized purpose
you must report privacy incidents
You Must Report Privacy Incidents

Employees and Contractors Must

  • Report all incidents involving PII, both suspected and confirmed, to your DHS Program Manager upon detection
  • If DHS Program Manager is not available, report to DHS Help Desk
why do privacy incidents occur
Why Do Privacy Incidents Occur?
  • Loss of control
    • PII data is emailed to unauthorized individuals
    • Physical equipment containing PII is lost or stolen
    • Paper records are mishandled either in mail or through incorrect disposal methods
  • Unauthorized access to sensitive systems
    • Hacker gains access to secure data system
    • Access permission is given to individuals without a “Need to Know”
  • Human Error
possible consequences
Possible Consequences

Disciplinary action for failure to comply with DHS security and privacy policies

Any person who knowingly and willfully discloses protected Privacy Act information in any manner to any person or agency not entitled to receive it, is subject to criminal and civil penalties under the Privacy Act

The Privacy Office

U.S. Department of Homeland SecurityWashington, DC 20528t: 703-235-0780; f:;

The DHS Privacy OfficeNovember 16, 2014: slide 21