6740.Privacy Act Brief
advertisement
DPCLO ABOUT THE OFFICE: The mission of the Defense Privacy and Civil Liberties Office (DPCLO) is to implement the Department of Defense’s Privacy and Civil Liberties programs through advice, monitoring, official reporting, and training. PACOM Conference 1 DPCLO STRUCTURE Michael L. Rhodes Senior Agency Official for Privacy Civil Liberties Officer Director A&M Michael E. Reheuser Director, DPCLO Deputy Civil Liberties Officer Samuel P. Jenkins Director for Privacy PACOM Conference 2 DPCLO The Program is based on the Privacy Act of 1974, as amended (5 U.S.C. 552a), as implemented by Office of Management and Budget (OMB) (OMB Circular A-130) and DoD regulatory authority (DoD Directive 5400.11 and DoD 5400.11-R), and is intended to provide a comprehensive framework regulating how and when the Department collects, maintains, uses, or disseminates personal information on individuals. The purpose of the Program is to balance the information requirements and needs of the Department against the privacy interests and concerns of the individual. PACOM Conference 3 DPCLO Civil Liberties Program seeks to ensure the protection of Civil Liberties of DoD personnel. Public Law 110-53, “Implementing Recommendations of the 9/11 Commission Act of 2007” Civil Liberties defined: The right of individuals to exercise constitutionally guaranteed freedoms without government interference. They declare what the government cannot do. Examples of civil liberties: Freedom of speech, religion, press, assembly Right to a speedy and impartial jury trial Right to due process and equal protection under the law Freedom from unreasonable search and seizure Freedom to petition the government PACOM Conference 4 DPCLO PACOM Conference 5 PRIVACY ACT OVERVIEW The Basic Concepts of the Act Privacy Act Training presented by Samuel P. Jenkins, Director for Privacy Defense Privacy and Civil Liberties Office 11 January 2011 Presentation Outline • • History of the Privacy Act Overview of the Privacy Act o Policy Objectives o Safeguards o Applicability o Definitions Privacy Act 101 • Privacy Act Provisions o o o o o 7 Conditions of Disclosure Accounting of Disclosures Individual’s Rights of Access and Amendment Agency Requirements Civil and Criminal Penalties History of the Privacy Act Intent • The Privacy Act of 1974, Public Law 93-579, was created in response to concerns about how the use of computerized databases impacts individuals’ privacy rights. • The Act, which became effective 27 September 1975, and has been called a code of fair information practices, attempts to strike a balance between the Governments right to maintain information on individuals and the individuals right to have his or her privacy protected against unwarranted intrusions. Privacy Act 101 8 History of the Privacy Act Code of Fair Information Practice • Code of fair information practice for automated personal data systems o o o o o Privacy Act 101 Collection limitation. There must be no personal data record keeping systems whose very existence is secret. Disclosure. There must be a way for an individual to find out what information about him is in a record and how it is used. Secondary usage. There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent. Record correction. There must be a way for an individual to correct or amend a record of identifiable information about him. Security. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data. 9 The Privacy Act of 1974 Policy Objectives • • • • To restrict disclosure of personally identifiable records maintained by agencies. To grant individuals increased rights of access to agency records maintained on themselves. To grant individuals the right to seek amendment of agency records maintained on themselves upon a showing that the records are not accurate, relevant, timely, or complete. To establish a code of "fair information practices" which requires agencies to comply with statutory norms for collection, maintenance, and dissemination of records. Privacy Act 101 10 The Privacy Act of 1974 Safeguards • Requires government agencies to show an individual any records kept on him or her • Requires agencies to follow “fair information practices” • Places restrictions on how agencies can share an individual’s data • Allows individuals to sue the government for violations of the Act Privacy Act 101 11 The Privacy Act of 1974 Applicability • U.S. citizens and aliens admitted for permanent residence. • Executive departments, military departments, independent regulatory agencies, and governmentcontrolled corporations • Systems of records, i.e., any group of records where information is retrieved by the name of the individual or by an individual identifier. Privacy Act 101 12 Definitions (1 of 7) • Personally Identifiable Information. Information which can be used to identify a person uniquely and reliably, including but not limited to name, date of birth, social security number, address, telephone number, e-mail address, mother’s maiden name, etc. Privacy Act 101 13 Definitions (2 of 7) • Agency. An agency that promulgates rules in accordance with notice and comment rulemaking. Privacy Act 101 14 Definitions (3 of 7) • Individual. A citizen of the United States or an alien lawfully admitted for permanent residence. Privacy Act 101 15 Definitions (4 of 7) • Maintain. Includes maintain, collect, use or disseminate. Privacy Act 101 16 Definitions (5 of 7) • Record. Any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual , such as a finger or voice print or photograph. Privacy Act 101 17 Definitions (6 of 7) • System of Records. A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. 5 U.S.C. § 552a(a)(5). Privacy Act 101 18 Definitions (7 of 7) • Routine Use. With respect to the disclosure of a record, the use of each record for a purpose which is compatible with the purpose for which it was collected. 5 U.S.C. §552a (a)(7) Privacy Act 101 19 Exceptions to the No Disclosure to Third Parties Without Consent Rule 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. Need To Know Disclosure Required By The Freedom Of Information Act (FOIA) Routine Use Disclosure To Census Disclosure To An Individual Who Has Provided Adequate Written Assurance That The Record Will Be Used Solely For Statistical Research Disclosure To The National Archives And Records Administration Disclosure To Another Agency For Civil Or Criminal Law Enforcement Activity Disclosure Under Emergency Circumstances Disclosure To Either House Of Congress Disclosure To The General Accounting Office Disclosure Mandated By Court Order Of Competent Jurisdiction Disclosure To A Consumer Reporting Agency In Accordance With The Debt Collection Act Privacy Act 101 20 Consent Defined as: 1. To permit, approve, or agree; comply or yield. 2. Permission, approval, or agreement; compliance; acquiescence. 3. Agreement in sentiment, opinion, a course of action, etc. Privacy Act 101 21 Conditions of Disclosure (1 of 4) • General Disclosure Prohibition: o “No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” Privacy Act 101 22 Conditions of Disclosure (2 of 4) • “Need to Know” Within Agency o This exception permits disclosure absent consent of the individual who is the subject of the record for: − The disclosure to officers and employees of the agency which maintains the record who have a need to know in the performance of their duties. 552a(b)(1) PACOM Conference 23 Conditions of Disclosure (3 of 4) Disclosures made under the Freedom of Information Act. o If information must be released under FOIA, it must also be released under the Privacy Act. No discretionary disclosures are allowed. Discretionary FOIA releases may not be made without an individual's consent, unless there is another applicable exception, such as "routine use." Information that is protected under the Privacy Act is generally protected under FOIA. FOIA cannot be used to deny an individual information about him/herself. The agency must be in receipt of an actual FOIA request for the information. Only information that is not subject to a FOIA exemption (usually (b)(6) or (b)(7)(C)) will be required to be released. o o o o PACOM Conference 24 Conditions of Disclosure (4 of 4) • Disclosure for a “Routine Use.” o Disclosure is authorized pursuant to routine use published in the Federal Register, compatible with the purpose for which it is collected. Routine use must be published in the Federal Register and include categories of users and the purpose of the use and must be compatible with the purpose for which the information was collected. o Agencies may always disclose records indicating a possible violation of law to law enforcement agencies for investigation/prosecution, regardless of the purpose for collection. o Agencies cannot include responses to subpoenas as routine use, since there is an exception for court orders which has been interpreted to exclude subpoenas. Privacy Act 101 25 Accounting of Disclosures (1 of 2) • An agency must keep accurate accounts of when and to whom it has disclosed personal records, including o Name and address of the person or agency to whom the disclosure is made, and o Date, nature and purpose of each disclosure. • An accounting is not required for intra-agency (need-to-know) or FOIA disclosures. • The accounting of disclosures must be kept for five years or the life of the record, whichever is longer. Privacy Act 101 26 Accounting of Disclosures (2 of 2) • Unless the records were shared for law enforcement purposes, the accounts of the disclosure should be available to the data subject upon request. • If an agency makes corrections or notations of dispute to any record, the agency must inform any person or agency to whom it has disclosed the original information, if an accounting of disclosures was made. Privacy Act 101 27 Individual’s Right of Access (1 of 2) • The Privacy Act permits only an "individual" to seek access to only his own "record," and only if that record is maintained by the agency within a "system of records • Upon request an individual may allow a person of his own choosing to accompany him, to review the record and have a copy made of all or any portion, except that the agency may require the individual to furnish a written statement authorizing discussion of that individual's record in the accompanying person's presence. Privacy Act 101 28 Individual’s Right of Access (2 of 2) • An individual's access request for his own record maintained in a system of records should be processed under both the Privacy Act and the FOIA, regardless of the statute(s) cited in the request. • The accounting of disclosures must be kept for five years or the life of the record, whichever is longer. • Unless the records were shared for law enforcement purposes, the accounts of the disclosure should be available to the data subject upon request. PACOM Conference 29 Individual’s Right of Amendment (1 of 2) • • An individual has the right to request amendment to his record. The agency must acknowledge receipt in writing, and promptly, i.e., within 10 working days of receipt of the amendment request o o Privacy Act 101 Make the requested correction, or Inform the individual of refusal of the request and provide a reason for the refusal, the agency’s procedure for a review of the refusal by the head of the agency and the name and business address of that official 30 Individual’s Right of Amendment (2 of 2) • The agency must permit an individual who disagrees with its refusal to amend his record to request review of such refusal, and not later than 30 working days from the date the individual requests such review, the agency must complete it. • If the reviewing official also refuses to make the amendment, the individual must be permitted to file with the agency a concise statement setting forth the reasons for disagreement with the agency. The individual's statement of disagreement must be included with any subsequent disclosure of the record. Privacy Act 101 31 Agency Requirements (1 of 10) • Maintain only information about an individual that is relevant and necessary to accomplish a legal purpose of the agency. • Collect information to the greatest extent practicable directly from the subject individual if that information may have an adverse effect upon that individual. Privacy Act 101 32 Agency Requirements (2 of 10) • When collecting information from the individual, include the following on the collection form or on a separate form that can be retained by the individual (popularly referred to as the Privacy Act Statement) o o o o o Privacy Act 101 The authority which authorizes the solicitation of the information Whether disclosure of such information is mandatory or voluntary The principal purpose or purposes for which the information is intended to be used The routine uses which may be made of the information, and The effects on the individual, if any, of not providing all or any part of the requested information. 33 Agency Requirements (3 of 10) • Publish in the Federal Register upon establishment or revision a notice of the existence and character of the system of records. The system of records notice shall include 1. 2. 3. 4. 5. Privacy Act 101 The name and location of the system The categories of individuals on whom records are maintained in the system The categories of records maintained in the system Each routine use of the records contained in the system, including the categories of users and the purpose of such use The policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal of the records 34 Agency Requirements (4 of 10) 6. The title and business address of the agency official who is responsible for the system of records 7. The agency procedures whereby an individual can be notified at his request if the system of records contains a record pertaining to him 8. The agency procedures whereby an individual can be notified at his request how he can gain access to any record pertaining to him contained in the system of records, and how he can contest its contents; and 9. The categories of sources of records in the system. Privacy Act 101 35 Agency Requirements (5 of 10) • Maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination. • Except in the case of FOIA releases, make reasonable efforts to assure that records are accurate, complete, timely, and relevant for agency purposes prior to disseminating any record about an individual to any person other than an agency. Privacy Act 101 36 Agency Requirements (6 of 10) • Maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity. • Make reasonable efforts to serve notice on an individual when any record on such individual is made available to any person under compulsory legal process when such process becomes a matter of public record. Privacy Act 101 37 Agency Requirements (7 of 10) • Establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record, and instruct each such person with respect to such rules and the requirements of this section, including any other rules and procedures adopted pursuant to this section and the penalties for noncompliance. • Establish appropriate administrative, technical and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. Privacy Act 101 38 Agency Requirements (8 of 10) • At least 30 days prior to publication of information under a routine use(s) from a system of records, publish in the Federal Register notice of any new use or intended use of the information in the system, and provide an opportunity for interested persons to submit written data, views, or arguments to the agency. Privacy Act 101 39 Agency Requirements (9 of 10) • An agency that maintains a system of records "shall promulgate rules, in accordance with notice and comment rulemaking. 1. 2. 3. Privacy Act 101 Establish procedures whereby an individual can be notified in response to his request if any system of records named by the individual contains a record pertaining to him. Define reasonable times, places, and requirements for identifying an individual who requests his record or information pertaining to him before the agency shall make the record or information available to the individual. Establish procedures for the disclosure to an individual upon his request of his record or information pertaining to him, including special procedures, if deemed necessary, for the disclosure to an individual of medical records, including psychological records pertaining to him. 40 Agency Requirements (10 of 10) 4. Establish procedures for reviewing a request from an individual concerning the amendment of any record or information pertaining to the individual, for making a determination on the request, for an appeal within the agency of an initial adverse agency determination, and for whatever additional means may be necessary for each individual to be able to exercise fully his rights under the Act. 5. Establish fees to be charged, if any, to any individual for making copies of his record, excluding the cost of any search for and review of the record. Privacy Act 101 41 Penalties for Non-compliance • Civil Remedies o o • The cost of actual damages suffered ($1000 minimum) Costs and reasonable attorney’s fees. Criminal Penalties o Charge of a misdemeanor o Maximum fine of $5,000 Privacy Act 101 42 Resources Privacy Act of 1974 Federal Register July 9, 1975 Privacy Act Implementation-Guidelines and Responsibilities DOJ Overview of the Privacy Act of 1974, 2010 edition OMB Circular A-130 Various OMB Memoranda Section 208 – E-Gov Act Federal Acquisition Regulations Privacy Act 101 43 Questions Privacy Act 101 44 Safeguarding PII United States Pacific Command (USPACOM) FOIA & Privacy Act Conference Samuel P. Jenkins, Director for Privacy Defense Privacy and Civil Liberties Office January 11-13, 2011 Safeguarding PII Agenda: DoD 5400.11-R Appendix 1 OMB M-07-16 Requirements Privacy Impact Assessments (PIA) Safeguarding PII 46 Safeguarding PII DoD 5400.11-R Appendix 1 Safeguarding PII 47 DoD 5400.11-R Appendix 1 – Safeguarding PII Risk Management and Safeguarding Standards • • • • The sensitivity of the data being processed, stored and accessed. The installation environment. The risk of exposure. The cost of the safeguard under consideration. Safeguarding PII 48 DoD 5400.11-R Appendix 1 – Safeguarding PII (cont’d.) Minimum Administrative Safeguards • • • • Label or designate media products. Mark and protect all computer products containing classified data. Mark and protect all computer products containing “For Official Use Only” material. Ensure that safeguards for protected information stored at secondary sites are appropriate. Safeguarding PII 49 DoD 5400.11-R Appendix 1 – Safeguarding PII (cont’d.) Physical Safeguards • For all unclassified facilities, areas, and devices that process information subject to this Regulation • Develop access procedures • Safeguard on-line devices • Dispose of paper records Safeguarding PII 50 DoD 5400.11-R Appendix 1 – Safeguarding PII (cont’d) Technical Safeguards • Components are to ensure that all PII not explicitly cleared for public release is protected according to Confidentially Level Sensitive, as established in DoD Instruction 8500.2. • Encrypt unclassified personal information in accordance with current Information Assurance (IA) policies and procedures, as issued. • Ensure that personal information is not inadvertently disclosed as residue when transferring magnetic media between activities. Safeguarding PII 51 DoD 5400.11-R Appendix 1 – Safeguarding PII (cont’d) Special Procedures • Prepare and submit for publication all system notices and amendments and alterations thereto. • Identify required controls and individuals authorized access to PII and maintain updates to the access authorizations. • When required, ensure Privacy Impact Assessments are prepared consistent with the requirements of Section 3501 of title 44, U.S.C. Safeguarding PII 52 DoD 5400.11-R Appendix 1 – Safeguarding PII (cont’d) Record Disposal • Dispose of records subject to this Regulation so as to prevent compromise. • Magnetic tapes or other magnetic medium may be cleared by degaussing, overwriting, or erasing. • Do not use respliced waste computer products containing personal data. Safeguarding PII 53 Safeguarding PII OMB M-07-16 Requirements Safeguarding PII 54 Safeguarding PII OMB M-07-16 OMB M-07-16 implemented new PII safeguarding requirements. These requirements were implemented throughout DoD in the June 5, 2009 Memorandum “Safeguarding Against and Responding to the Breach of Personally Identifiable Information (PII)”. Safeguarding PII 55 OMB M-07-16 Requirements Attachment 1. Safeguarding PII A. Current Requirements 1. Privacy Requirements a. Establish Rules of Conduct b. Establish Safeguards c. Maintain accurate, relevant, timely, and complete information Safeguarding PII 56 OMB M-07-16 Requirements Attachment 1. Safeguarding PII (cont’d.) 2. Security Requirements a. Assign an impact level to all information and information systems b. Implement minimum security requirements and controls c. Certify and accredit information systems d. Train employees Safeguarding PII 57 OMB M-07-16 Requirements Attachment 1. Safeguarding PII (cont’d.) B. Privacy Requirements 1. Review and Reduce the Volume of Personally Identifiable Information a. Review Current Holdings 2. Reduce the Use of Social Security Numbers a. Eliminate Unnecessary Use b. Explore Alternatives Safeguarding PII 58 OMB M-07-16 Requirements Attachment 1. Safeguarding PII (cont’d.) C. Security Requirements Encryption Control Remote Access Time-Out Function Log and Verify Ensure Understanding of Responsibilities Safeguarding PII 59 Safeguarding PII Privacy Impact Assessments (PIA) Safeguarding PII 60 Safeguarding PII Privacy Threshold Assessment (PTA) DHS uses Privacy Threshold Assessments (PTA) to determine if a PIA is necessary. DoD practice is to perform a PIA. Safeguarding PII 61 Safeguarding PII What is a PIA? A “Privacy Impact Assessment (PIA)--is an analysis of how information is handled: to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy, to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system, and to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks.” OMB 03-22 (9/26/2003), EGOV 208(b) Safeguarding PII 62 Safeguarding PII When is a PIA Required? When PII is collected, a PIA is required for: Existing information systems and electronic collections where a PIA has not previously been completed to include systems that collect PII about Federal personnel and contractors. New information systems or electronic collections: Prior to developing or purchasing, and when converting paper-based records to electronic systems. Safeguarding PII 63 Safeguarding PII When is a PIA not Required? When the information system or electronic collection: Does not collect, maintain or disseminate personal identifying information Is a National Security System (including systems that process classified information) Safeguarding PII 64 Safeguarding PII PIA/SORN Essential Elements Crosswalk Safeguarding PII 65 Safeguarding PII Privacy Impact Assessment (PIA)/ System of Record Notice (SORN) Essential Elements Crosswalk PIA SORN What privacy information is collected Categories of Records in the System Why the information is collected Authority/Purpose(s) What the intended uses are for the information Purposes(s) With whom the information is shared Routine Uses What opportunities individuals have to decline to provide PII Privacy Act Statement/Notification procedure How information is secured Safeguards What privacy risks need to be addressed Narrative Statement/Probable or potential effects on the privacy of individuals. Whether a System of Records Notice (SORN) exists (Not applicable) Safeguarding PII 66 Safeguarding PII PRIVACY IMPACT ASSESSMENT (PIA) DoD Information System/Electronic Collection Name: DoD Component Name: SECTION 4: REVIEW AND APPROVAL SIGNATURES Prior to the submission of the PIA for review and approval, the PIA must be coordinated by the Program Manager or designee through the Information Assurance Manager and Privacy Representative at the local level. Program Manager or Other Official Signature (to be used at Component discretion) Component Senior Information Assurance Officer Signature or Designee Component Privacy Officer Signature Component CIO Signature (Reviewing Official) Source: DD Form 2930 Safeguarding PII 67 Safeguarding PII Critical Privacy – Security Interface PRIVACY Focused on meeting the information requirements of the Agency while ensuring the protection of the rights of the individual in the collection, use and dissemination of PII. SECURITY Privacy’s success is dependent on establishment of basic foundation for information security. Focused on protecting the information and information systems supporting the operations and assets of an organization. NIST Draft Guide to Protecting the Confidentiality of (PII) (1/09) Safeguarding PII 68 Resources DoD 5400.11-R, Department of Defense Privacy Program, May 14, 2007. OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007. DoD Implementation: Safeguarding Against and Responding to the Breach of Personally Identifiable Information (PII), June 5, 2009. DD Form 2930, “Privacy Impact Assessment (PIA),” 2008. Safeguarding PII 69 FISMA Privacy Reporting Requirements United States Pacific Command (USPACOM) FOIA & Privacy Act Conference Presented by Samuel P. Jenkins, Director for Privacy, Defense Privacy & Civil Liberties Office January 2011 FISMA and Privacy Reporting Requirements Agenda: Federal Information Security Management Act (FISMA) – Division of Responsibilities FISMA Purpose The Reporting Requirements as found in the OMB A-130, Appendix I The eleven questions that report on annual Agency Privacy Program Oversight FISMA Annual Report to Congress PACOM Conference 71 FISMA and Privacy Reporting Requirements Federal Information Security Management Act (FISMA) – Division of Responsibilities PACOM Conference 72 FISMA and Privacy Reporting Requirements From Report GAO-07-837 INFORMATION SECURITY, “Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses ,“ July 2007. PACOM Conference 73 FISMA and Privacy Reporting Requirements Federal Information Security Management Act - Purpose PACOM Conference 74 FISMA and Privacy Reporting Requirements Origin of FISMA: The E-Government Act (Public Law 107-347) passed by the 107th Congress and signed into law by the President in December 2002. Recognized the importance of information security to the economic and national security interests of the United States. PACOM Conference 75 FISMA and Privacy Reporting Requirements Title III of the E-Government Act, entitled the Federal Information Security Management Act of 2002 (FISMA) requires: Each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (ClingerCohen Act), explicitly emphasizes a risk-based policy for costeffective security. PACOM Conference 76 FISMA and Privacy Reporting Requirements In support of and reinforcing this legislation, the Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires executive agencies within the federal government to: Plan for security Ensure that appropriate officials are assigned security responsibility Periodically review the security controls in their information systems Authorize system processing prior to operations and, periodically, thereafter PACOM Conference 77 FISMA and Privacy Reporting Requirements In June 2005, OMB issued memo M-05-15, “FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management” which: Initiated a number of questions regarding agency’s privacy program (Section D of the report) Senior Agency Official for Privacy. These questions related, in part, to agency implementation of the privacy provisions of the EGovernment Act of 2002. PACOM Conference 78 FISMA and Privacy Reporting Requirements In April 2010, OMB issued memo M-10-15 “FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management ” which formed a comprehensive context for security and privacy of Federal information across government to include: The number of each type of privacy reviews conducted during the last fiscal year; Information about the advice-formal written policies, procedures, guidance, or interpretations of privacy requirements. PACOM Conference 79 FISMA and Privacy Reporting Requirements OMB memo M-10-15 “FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management” (Continued) The number of written complaints for each type of privacy issue allegation received to include: Process and procedural issues (consent, collection, and appropriate notice); Redress issues (non-Privacy Act inquiries seeking resolution of difficulties or concerns about privacy matters); or Operational issues (inquiries regarding Privacy Act matters not including Privacy Act requests for access and/or corrections); For each type of privacy issue received for alleged privacy violations, the number of complaints the agency referred to another agency with jurisdiction. PACOM Conference 80 FISMA and Privacy Reporting Requirements OMB and Annual FISMA Reporting: Senior Agency Official for Privacy (SAOP) Questions PACOM Conference 81 FISMA and Privacy Reporting Requirements Assignment of Responsibilities. OMB Circular No. A-130, “Management of Federal Information Resources,” November 28, 2000, Appendix 1.3.a. states: All Federal Agencies. In addition…the head of each agency shall ensure that the reviews are conducted as often as specified in the accompanying chart. (next slide) Prepare to report to the Director, OMB, the results of such reviews and the corrective action taken to resolve problems uncovered. PACOM Conference 82 FISMA and Privacy Reporting Requirements OMB Circular No. A-130 Appendix 1. , Privacy Reviews Requirement Periodicity 1. Matching Programs Review annually 2. Recordkeeping Practices. Biennially 3. Privacy Act Training Biennially 4. Violations Biennially 5. Systems of Records Notices. Biennially 6. Section (m) Contracts. Every two years a random sample of agency contracts. 7. Routine Use Disclosures Every four years 8. Exemption of Systems of Records Every four years PACOM Conference 83 FISMA and Privacy Reporting Requirements Question 1: Information Security Systems Identify the number of agency and contractors systems that contain Federal information in identifiable form The number of agency and contractor systems for which a Privacy Impact Assessment (PIA) is required under the E-Gov Act and; Identify the number of agency and contractor systems covered by an existing PIA. Identify the number of systems for which a system of records notice (SORN) is required under the Privacy Act and; Identify the number of systems for which a current SORN has been published in the Federal Register. PACOM Conference 84 FISMA and Privacy Reporting Requirements Question 2: Links to PIAs and SORNS Provide the URL of the centrally located page on the agency web site listing working links to agency PIAs. Provide the URL of the centrally located page on the agency web site listing working links to the published SORNs. PACOM Conference 85 FISMA and Privacy Reporting Requirements Question 3: Senior Agency Official for Privacy (SAOP) Responsibilities Can your agency demonstrate through documentation that the privacy official: (Yes or No) Participates in all agency information privacy compliance activities (i.e., privacy policy as well as IT information policy); Participates in evaluating the privacy implications of legislative, regulatory, and other policy proposals, as well as testimony and comments under OMB Circular A-19; Participates in assessing the impact of the agency’s use of technology on privacy and the protection of personal information? PACOM Conference 86 FISMA and Privacy Reporting Requirements Question 4: Information Privacy Training and Awareness Does your agency have: A policy to ensure that all personnel (employees, contractors, etc.) with access to Federal data are generally familiar with information privacy laws, regulations and policies, and understand the ramifications of inappropriate access and disclosure? A program for job-specific and comprehensive information privacy training for all personnel (employees, contractors, etc.) directly involved in the administration of personal information or information technology systems, or with significant information security responsibilities? PACOM Conference 87 FISMA and Privacy Reporting Requirements Question 5: Does the agency have a written policy or process for each of the following? PIA Practices: Determining whether a PIA is needed Conducting a PIA Evaluating changes in technology or business practices that are identified during the PIA process Ensuring systems owners, privacy officials, and IT experts participate in conducting the PIA Making PIAs available to the public as required by law and OMB policy Monitoring the agency’s systems and practices to determine when and how PIAs should be updated Assessing the quality and thoroughness of each PIA and performing reviews to ensure that appropriate standards for PIA are maintained PACOM Conference 88 FISMA and Privacy Reporting Requirements Question 5: Does the agency have a written policy or process for each of the following? Web Privacy Practices: Determining circumstances where the agency’s webbased activities warrant additional consideration of privacy implications Making appropriate updates and ensuring continued compliance with stated web privacy policies Requiring machine-readability of public-facing agency web sites (i.e. use of P3P) PACOM Conference 89 FISMA and Privacy Reporting Requirements Question 6: Reviews Mandated by Privacy Act of 1974, the E-Government Act of 2002, and the Federal Agency Data Mining Reporting Act of 2007. Indicate which reviews were conducted in the last year for the following: Requires a Check Mark Requires a Number Section M Contracts Exemptions Records Practices Matching Programs Routine Uses System of Records Training Privacy Act, (e)(3) Statements Violations: Civil Action and Remedial Action Privacy Impact Assessments and Updates Data Mining Impact Assessment PACOM Conference 90 FISMA and Privacy Reporting Requirements Question 7: Written Privacy Complaints Indicate the number of written complaints for each type of privacy issue received by the SAOP or others at the agency Process and Procedural -- consent, collection, and appropriate notice Redress -- non-Privacy Act inquiries seeking resolution of difficulties or concerns about privacy matters Operational -- inquiries regarding Privacy Act matters not including Privacy Act requests for access and/or correction Referrals – complaints referred to another agency with jurisdiction PACOM Conference 91 FISMA and Privacy Reporting Requirements Question 8: Policy Compliance Review Does the agency have current documentation demonstrating review of compliance with information privacy laws, regulations, and policies? Can the agency provide documentation of planned, in progress, or completed corrective actions necessary to remedy deficiencies identified in compliance reviews? PACOM Conference 92 FISMA and Privacy Reporting Requirements Question 8: Policy Compliance Review (Continued) Does the agency: Use technologies that enable continuous auditing of compliance with stated privacy policies and practices? Coordinate with the agency's Inspector General on privacy program oversight? PACOM Conference 93 FISMA and Privacy Reporting Requirements Question 9: Information About Advice Provided by the SAOP (Yes or No) Indicate if the SAOP has provided formal written advice or guidance in each of the listed categories, and briefly describe the advice or guidance if applicable. The categories are: Agency policies, orders, directives, or guidance governing agency handling of personally identifiable information’ Written Agreements (either Interagency or with NonFederal Entities) pertaining to information sharing, computer matching, and similar issues PACOM Conference 94 FISMA and Privacy Reporting Requirements Question 9: Information About Advice Provided by the SAOP (Yes or No) (Continued ) Categories continued: The agency’s practices for conducting, preparing, and releasing SORNs and PIAs Reviews or feedback outside of the SORN and PIA process (e.g. formal written advice in the context of budgetary or programmatic activities or planning) Privacy Training (either stand-alone or included with training on related issues) Provide the number of employees (or contractors) who participated in the training. PACOM Conference 95 FISMA and Privacy Reporting Requirements Question 10: Agency Use of Persistent Tracking Technology Indicate Yes or No for each item below: Does the agency use web management and customization technologies on any web site or application? Does the agency annually review the use of web management and customization technologies to ensure compliance with all laws, regulations, and OMB guidance? Can the agency demonstrate, with documentation, the continued justification for, and approval to use, web management and customization technologies? Can the agency provide the notice language or citation for the web privacy policy that informs visitors about the use of web management and customization technologies? PACOM Conference 96 FISMA and Privacy Reporting Requirements Question 11: Privacy Points of Contact Information Please provide the names, phone numbers, and e-mail addresses of the following officials: Agency Head Chief Privacy Officer Chief Information Officer Privacy Advocate Agency Inspector General Privacy Act Officer Chief Information Security Officer Reviewing Official for PIAs Senior Agency Official for Privacy POC for URL links provided in question #2 PACOM Conference 97 FISMA and Privacy Reporting Requirements Federal Information Security Management Act (FISMA) Privacy Reporting at the Agency Level PACOM Conference 98 FISMA and Privacy Reporting Requirements Conclusion: Our Agency Annual FISMA Reporting to OMB. From Report GAO-07-837 INFORMATION SECURITY, “Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses ,“ July 2007. PACOM Conference 99 Resources OMB Memorandum M-10-15, of April 21, 2010 “FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management.” Office of Management and Budget Circular No. A-130, November 28, 2000 “Management of Federal Information Resources” Federal Information Security Management Act of 2002 (Pub. L. 107347). OMB Memorandum M-07-16, of May 22, 2007 “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.” FY 2008 Report to Congress on Implementation of The Federal Information Security Management Act of 2002. GAO Report 07-837: INFORMATION SECURITY, Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses, July 2007. PACOM Conference 100 Questions? PACOM Conference 101 SSN Reduction United States Pacific Command (USPACOM) FOIA & Privacy Act Conference Samuel P. Jenkins, Director for Privacy Defense Privacy and Civil Liberties Office January 11-13, 2011 SSN Reduction SSNs are ubiquitous, used in all aspects of an individual’s personal and professional life. SSNs are often collected unnecessarily, Its pervasiveness makes it dangerous if lost, stolen, or compromised The SSN is an ‘easy’ identifier System Managers often want to collect the SSN ‘in case it’s needed’ Systems sometimes collect the SSN in order to retrieve records from other systems which use the SSN. It’s Not All About Social Security Numbers (SSNs) SSNs are high profile, but not the only concerns. Have to think about all Personally Identifiable Information and collect only what is REALLY needed! This is about protecting ourselves, the organization and reducing the liability for both. SSN Reduction 103 Authorities Authorities: OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007, Reduction of the Use of Social Security Numbers. Directive-Type Memorandum (DTM) 07-015-USD(P&R), March 28, 2008 - DoD Social Security Number (SSN) Reduction Plan; DoD Instruction is in development Purpose: It is DoD’s goal to reduce or eliminate the use of SSN wherever possible. SSN Reduction 104 Questions SSN Reduction 105 Compliance Reporting - FISMA - Section 803 - Component Quarterly Reports Compliance Reporting Purpose: To periodically review agency’s implementation procedures, policies, and guidelines relating to efforts to protect the Nation against terrorism. Due Date: Quarterly - To DPO by the 15th of the month following the end of quarter. If the 15th falls on a weekend, submit by COB the next work day. PACOM Conference 107 Compliance Reporting The “Section 803 Report” Report shall include information on the discharge of each of the functions of the officer concerned, including: - Information on the number and types of reviews undertaken; - The type of advice provided and the response given to such advice; - The number and nature of the complaints received by the department, agency, or element concerned for alleged violations; and - A summary of the disposition of such complaints, the reviews and inquiries conducted, and the impact of the activities of such officer. PACOM Conference 108 Compliance Reporting PACOM Conference 109 Where Does It All Go FISMA Report – DoD CIO, IG and DPO inputs are drafted into one DoD Report submitted to Congress. Section 803 Report – To eight different committees of Congress. Public posting. Breach Report – Information provided to DoD Senior Privacy Official weekly. May share breach report with the Secretary of Defense. PACOM Conference 110 Resources Authority: National Security Intelligence Reform Act (Public Law 110-53, Section 803) PACOM Conference 111 Questions? PACOM Conference 112 Breach Management United States Pacific Command (USPACOM) FOIA & Privacy Act Conference Presented by Samuel P. Jenkins, Director for Privacy, Defense Privacy & Civil Liberties Office January 2011 Breach Reporting Use DPO Lost, Stolen, or Compromised Personally Identifiable Information Breach report form Timeline: 1 hour to the United States Computer Emergency Readiness Team (US-CERT) 24 hours to Senior Component Privacy Official 48 hours to Defense Privacy & Civil Liberties Office (DPCLO) 10 working days for individual notification If individual notification is delayed, the Deputy Secretary of Defense is informed by DPCLO . PACOM Conference 114 Breach Reporting What happens when a Breach Report is submitted to DPCLO? DPCLO compiles all reports and submits summary to SAOP Component Privacy Official submits breach report (initial and/or follow-up) DPCLO enters report information into database to find root causes and problem areas PACOM Conference 115 OMB M-07-16 Requirements Attachment 2. Incident Reporting Existing Requirements A. 1. FISMA Requirements 2. Incident Handling and Response Mechanism Modified Agency Reporting Requirements B. 1. US-CERT Modification 2. Develop and Publish a Routine Use a. Effective Response b. Disclosure of Information Safeguarding PII 116 OMB M-07-16 Requirements Attachment 3. External Breach Notification Background A. 1. Harm 2. Requirement 3. Threshold Questions 4. Chilling Effects of Notices Safeguarding PII 117 OMB M-07-16 Requirements Attachment 3. External Breach Notification (cont’d.) New Requirement B. 1. Whether Breach Notification is Required 2. Timeliness of the Notification 3. Source of the Notification 4. Contents of the Notification Safeguarding PII 118 OMB M-07-16 Requirements Attachment 3. External Breach Notification (cont’d.) New Requirement (cont’d.) B. 5. Means of Providing Notification 6. Who Receives Notification: Public Outreach in Response to a Breach Safeguarding PII 119 OMB M-07-16 Requirements Attachment 4. Rules and Consequences New Requirement: Rules and Consequences Policy A. 1. Affected Individuals 2. Affected Actions 3. Consequences Safeguarding PII 120 DoD Implementation Of OMB Requirements Part III. Review of PII Holdings As part of this year's instructions for FISMA privacy reporting, DoD Components will be required to: Confirm that they have established, or are in the process of establishing, PII review plans; Provide a schedule by which they will periodically update their review of their holdings following the initial review. Safeguarding PII 121 DoD Implementation Of OMB Requirements Part III. Review of PII Holdings (cont’d) It shall be DoD policy that: A. DITPR identifies all Components' automated systems containing PlI. B. Updates to OMB designed so that: 1) IT systems with PII reviewed on same cycle as DIACAP. 2) PIA SORNs reviewed at least once every two years. C. Components shall report results to DPO on FISMA schedule. Safeguarding PII 122 DoD Implementation Of OMB Requirements Part IV. Incident Reporting and Handling Requirements A. Agency Reporting Requirements B. External Breach Notification Requirements C. Timeliness of the Notification Safeguarding PII 123 DoD Implementation Of OMB Requirements Part IV. Incident Reporting and Handling Requirements (cont’d.) D. Source of the Notification E. Contents of the Notification F. Means of Providing Notification G. Who Receives Notification Safeguarding PII 124 Breach Management - Laptops Physical security Car break-ins Leaving laptops unattended in public locations Thefts at personal residences or offices Technical safeguards Encryption CAC-enabled Password protection PACOM Conference 125 Breach Management – Personal Equipment Breaches have involved the use of personal hard drives, laptops and thumb drives. Only the use of DoD authorized equipment is permitted. DoD issued equipment. Contractor furnished equipment where it has been certified that technical requirements have been met. Specific language must be in contract. Authorized for official business purposes only. PACOM Conference 126 Breach Management – Media Sanitation Ensure paper records containing PII are removed from file cabinets prior to disposal or warehousing. Work with your IT POC to ensure all computers and other devices (e.g., blackberries, copiers and printers) that may contain PII are routinely wiped prior to disposal. To understand more about media sanitization read NIST SP 800-88. PACOM Conference 127 Where Does It All Go Breach Report – Information provided to DoD Senior Privacy Official weekly. May share breach report with the Secretary of Defense. FISMA Report – DoD CIO, IG and DPO inputs are drafted into one DoD Report submitted to Congress. SSN Reduction Report –Input into the annual FISMA Report submitted to Congress. SORNs/Training Report – To OMB Director (DoD IG Interest item). Section 803 Report – To eight different committees of Congress. Public posting. PACOM Conference 128 Resources Authorities: OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 2, 2007; Parts I and IV, of the DoD Memorandum, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, June 5, 2009 DoD 5400.11, DoD Privacy Program, May 8, 2007; DoD 5400.11-R Chapter 10, Department of Defense Privacy Program, May 14, 2007 and; DA&M Memorandum, Safeguarding Personally Identifiable Information, June 15, 2006 Purpose: To alert the appropriate authorities when a loss, theft, or compromise of information occurs in the Department Due Date: IAW the 1-24-48 (10) timeline… PACOM Conference 129 Questions? PACOM Conference 130 SYSTEMS OF RECORDS NOTICES (SORNS) Privacy Act Training presented by Samuel P. Jenkins, Director for Privacy Defense Privacy and Civil Liberties Office 11 January 2011 Agenda Definitions Responsibilities: Privacy Officials Privacy Offices Types of SORNS Guidelines Questions Handouts System of Records Notices 132 Definitions PERSONALLY IDENTIFIABLE INFORMATION (PII) PII refers to information which can be used to distinguish or trace an individual’s identity, such as their name, Social Security Number (SSN), biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. System of Records Notices 133 Definitions SYSTEM OF RECORDS: Record Group of Records Under the control of an Agency Retrieved by name, SSN, or other personal identifier. SYSTEM OF RECORDS NOTICE (SORN): Serves to notify the public (i.e. individuals): Is published in the Federal Register Authorizes the collection and use of PII System of Records Notices 134 Responsibilities PRIVACY OFFICIALS: Execute the organization’s Privacy Program Ensure: Ensure that Privacy Act records are properly described Undeclared systems of records are identified Provide Privacy Act Statements Biennial SORN reviews and updates are completed Submit new SORNs and updates to the Defense Privacy and Civil Liberties Office System of Records Notices 135 Responsibilities (con’t) Privacy Offices: Work in collaboration with System Managers Ensure: Component SORNs are submitted to Component Privacy Officials Implement appropriate procedures and safeguards for all systems maintained under their purview All personnel with access to each system are aware of their responsibilities under the Privacy Act. Coordination of biennial reviews on SORNs with system managers within their purview System of Records Notices 136 Types of SORNS Addition New system of records Alteration Significant changes to an existing system of records Amendment Minor/administrative changes to a system of records Deletion may be due to decommissioned system or covered under another notice System of Records Notices 137 SORN Categories 1. 2. 3. 4. 5. 6. 7. 8. 9. System identifier System name System location Categories of individuals covered by the system Categories of records in the system Authority for maintenance of the system Purpose(s) Routine uses Storage 10. 11. 12. 13. 14. 15. 16. 17. 18. Retrievability Safeguards Retention and disposal System manager(s) and address Notification procedures Record access procedures Contesting record procedures Record source categories Exemptions claimed for the system System of Records Notices 138 Privacy Act System of Records Notice System Identifier: “DHA 04” The Component Privacy Office will assign the notice number. 1. 2. Example: “DHA” - The letters “DHA” indicate “Defense Human Resource Activity,” records under the Office of the Secretary of Defense; The number “04” represents the publication series number related to the subject matter; and System Name: If changes are needed please ensure that it identifies the system‘s general purpose. This field is limited to 55 characters. System of Records Notices 139 System of Records Notice (con’t) 3. System Location: The complete mailing address of each location where the record system is maintained must appear in this caption. Spell out office names. For geographically or organizationally decentralized system locations, “indicate that the official mailing addresses are published as an appendix to the Component's compilation of system of records notices”. Do not use office symbols, web links, or Post Office boxes. i.e., Office of the Secretary of Defense, Director of Readiness, Programming and Assessment, 4000 Defense Pentagon, Washington, DC 20301-4000. System of Records Notices 140 System of Records Notice (con’t) Categories of Individuals Covered by the System: Identify in clear, non-technical terms, individual’s records being maintained. 4. living person who is a citizen of the U.S. alien lawfully admitted for permanent residence. Avoid using broad descriptions like “all DoD personnel” unless that is truly accurate. Corporations, partnerships, sole proprietorships, professional groups, businesses, and other commercial entities are not “individuals”. Example: “Department of Defense civilian employees; contractors; Active Duty services personnel; and civilian employees from other federal agencies.” System of Records Notices 141 System of Records Notice (con’t) 5. Categories of Records in the System: Describe in clear plain language, all categories of records and items of PII in the system. Do not identify source documents used to collect data. Provide the public with detailed information about the PII contained in the SORN. If your system of records notice covers a database, print out the data elements to verify the PII and records maintained. Do not use overly broad terms or identify forms unless accompanied by a brief explanation. System of Records Notices 142 System of Records Notice (con’t) 6. Authority for Maintenance of the System: A Federal law or Executive Order of the President that must authorize the collection and maintenance of a system of records. Cite the specific law or Executive Order that authorizes the maintenance of the system. Cite the DoD directive/instruction or Departmental Regulation(s) that authorizes the Privacy Act system of records. This is especially Important when using general statutory grants of authority statute (“internal housekeeping”) as the primary authority. Always include titles with the citations. System of Records Notices 143 System of Records Notice (con’t) 7. Purpose(s): List the specific purposes for establishing and maintaining the system of records by your activity. For example: The purpose of the system of records is to provide a single central facility within the Department of Defense to assess manpower trends, support personnel and readiness functions, to perform longitudinal statistical analyses, identify current and former DoD civilian and military personnel for purposes of detecting fraud and abuse of pay and benefit programs. Also used as a management tool for statistical analysis, tracking, reporting, evaluating program effectiveness and conducting research. System of Records Notices 144 System of Records Notice (con’t) 8. Routine Use(s): Routine uses shall be written as follows: "To the user and what they do with the information (purpose/objective)”. List all non-DoD agencies and entities including private sector entities that will routinely provide access to the data or be given the data upon request. List the specific activity or element within the agency/entity which the Record may be disclosed. For example: “To the Veterans Administration” or “To State and local health agencies”. For each routine use identified, include a statement as to the purpose or purposes for which the record is to be released. Do not use general statements, such as “To other federal agencies as required” or “To any other appropriate federal agency”. For example: To the Department of Veterans Affairs for the purpose of using the information in benefit determinations. System of Records Notices 145 System of Records Notice (con’t) 9. Storage: State the medium in which the records are maintained. Example: “Maintained in paper files and on electronic storage media”. 10. Retrievability: State how the agency retrieves the records Example: Name, Social Security Number (SSN), or by fingerprints. System of Records Notices 146 System of Records Notice (con’t) Safeguards: 11. Identify the system safeguards. Describe safeguards fully without compromising system security. Describe the facility/building safeguards, then the room, then the computer/file cabinet. Indicate the personnel getting access to the information. Example: “Records are maintained in a controlled facility. Physical entry is restricted by the use of locks, guards, and is accessible only to authorized personnel. Access to records is limited to person(s) with an official “need-to-know” who are responsible for servicing the record in performance of their official duties. Persons are properly screened and cleared for access. Access to computerized data is role-based and further restricted by passwords, which are changed periodically”. System of Records Notices 147 System of Records Notice (con’t) Retention and Disposal: 12. Use the National Archives and Records Administration (NARA) approved disposition. If records are eventually to be destroyed, state the method of destruction (e.g., shredding, burning, pulping, etc.,). If, and only if, your activity has sent for NARA approval of the disposition scheduled, the following can be used until the Agency receives an approved disposition: “Disposition pending (treat records as permanent until the National Archives and Records Administration has approved the retention and disposition schedule.“ - http://www.archives.gov/ System of Records Notices 148 System of Records Notice (con’t) 13. System Manager(s) and Address: List the position title and duty address of the system manager. Please do not Include names or phone numbers. Example: “Policy Official, Commander, Military Service Base, 1234 Virginia Ave, Virginia Beach, VA XXXXX-XXXX.” 14. Notification Procedures: The entry should read as follows: “Individuals seeking to determine whether this system of records contains information about themselves should address written inquiries to the Director, Office of Personnel,1234 Virginia Ave, Virginia Beach, VA XXXXX-XXXX. Specify the information the requester must submit. Example: Written request must include full name, military status, Social Security Number (SSN), and date of birth. System of Records Notices 149 System of Records Notice (con’t) 15. Records Access Procedures: The entry should read as follows "Individuals seeking access to information about themselves contained in this system should address written inquiries to the Freedom of Information Act Office, Defense Component Agency, XXX MacDill Lane, Washington DC XXXXX-XXXX.” Individuals should provide their full name, current address, telephone number and Social Security Number (SSN). 16. Contesting Records Procedures: The standard language to use is “The DoD Component Name rules for accessing records, and for contesting contents and appealing initial agency determinations are contained in DoD Component Regulation ; XX CFR part 222; or may be obtained from the system manager.” System of Records Notices 150 System of Records Notice (con’t) 17. Record Source Categories: Show categories of individuals or other information sources for the system. Describe where the information maintained in the system is obtained from (source documents and other agencies). Describe the record sources in general terms. Example: “From individual’s, DoD records, law enforcement agencies, etc.” System of Records Notices 151 System of Records Notice (con’t) 18. Exemptions Claimed for the System Types of Exemptions: Access (subsection 552a(d)(5) General (subsection 552a(j)) Specific exemptions (subsection552(k)) Exemptions: If no exemption has been established for the system indicate "None". System of Records Notices 152 Guidelines Remember the audience Correct simple errors Write in a manner the public understands Spell check Explain Acronyms Spell out acronyms the first time Cite Legal Authorities Statutes, DoD Regulations, E.O. 9397 (SSN), as amended System of Records Notices 153 Resources Privacy Act of 1974 DoDD 5400.11, DoD Privacy Program DoD 5400.11-R, DoD Privacy Program Various OMB Memoranda Section 208- E-Gov Act Federal Acquisition Regulations System of Records Notices 154 Questions System of Records Notices 155 Privacy Act Implementation Challenges Social Security Number Use Reduction (2 of 2) Review existing and new forms Submit annual report with FISMA report Crosscheck system inventories and systems of records notices Reporting and Notification 156 Privacy Act Implementation Challenges Web 2.0 "Web 2.0 is fundamentally social, treating the individual at the center of the universe as opposed to groups or organizations, and then basing communication and information paths on social relationships between individuals.” Roundtable Topics Stowe Boyd, DoD Web 2.0 Guidance Forum 157 Privacy Act Implementation Challenges Web 2.0 Concerns Roundtable Topics Favorite target of hackers Posting inappropriate content Offensive language PII (posting own or someone else’s) National security Personnel must ensure information posted to official social networking site is approved for public use Continuous monitoring is imperative 158 Privacy Act Implementation Challenges Identity Theft Constant threat to our organization Enforce awareness among personnel Report all breaches to DPO Conduct risk analysis to determine next steps in individual notification FTC Identity Theft Site http://www.ftc.gov/bcp/edu/microsites/idtheft/ Roundtable Topics 159 Privacy Act Implementation Challenges Contractor Oversight (1 of 2) When an agency provides by contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of Section (m) to apply to such system, and Any such contractor and any employee of such contractor shall be considered to be employees of an agency. Roundtable Topics 160 Privacy Act Implementation Challenges Contractor Oversight (2 of 2) FAR 52.224-1 Privacy Act Notification http://www.defenselink.mil/privacy/files/sites_of_interest/FAR _52_224_1.pdf FAR 52.224-2 Privacy Act http://www.defenselink.mil/privacy/files/sites_of_interest/FAR _52_224_2.pdf DFAR Part 224 - Protection of Privacy and Freedom of Information http://farsite.hill.af.mil/reghtml/regs/far2afmcfars/fardfars/dfars /dfars224.htm Roundtable Topics 161 Resources Privacy Act of 1974 Federal Register July 9, 1975 Privacy Act Implementation-Guidelines and Responsibilities DOJ Overview of the Privacy Act of 1974, 2010 edition OMB Circular A-130 Various OMB Memoranda Section 208 – E-Gov Act Federal Acquisition Regulations Roundtable Topics 162 Questions Roundtable Topics 163
