PRIVACY TRAINING 101
CIA-PPI-PII
What you Need to Know about Safeguarding Protected Personal Information and Personally Identifiable Information (PPI/PII) and the Confidentiality, Integrity and Availability (CIA) of Data
Purpose of this training:

To focus on the importance of PRIVACY and to ensure all personnel (military, civilian, contractor) are aware of the vital role that they must play in ensuring CIA and that PPI/PII is properly protected from unauthorized disclosure.
Protection of the Confidentiality, Integrity, and Availability (CIA) of USACC Information

Definitions
Confidentiality: Data/information is accessible only to those authorized to have access.
Integrity: Assurance that data and information are consistent and correct, not only at the origination point, but also when transferred to another point.
Availability: The timely and reliable access to data services for authorized users. Availability ensures that information or resources are available when required, while confidentiality is protected and the integrity of the data is maintained.
DEFINITIONS
 “PPI” stands for Protected Personal Information
 “PII” stands for Personally Identifiable Information
 PPI and PII are interchangeable
 PPI/PII is: Information which can be used to identify a person uniquely and reliably, including but not limited to name, SSN, address, telephone #, e-mail address, mother’s maiden name
Current Issues
1. Ignorance and apathy towards information/data CIA and associated guidance
2. Lack of standard processes to handle sensitive information and not following established processes for handling information
3. Lack of understanding of how the network and electronic filing can protect data and information
4. Lack of training about proper handling of information/data
Policies, Regulations, and Memorandums
- OMB Memorandum M-07-16, Safeguarding Against and Responding to Breach of Personally Identifiable Information, May 22, 2007
- DoD Memorandum: Safeguarding Against and Responding to Breach of PII, 21 Sep 2007
- DoD 5400.11-R: DoD Privacy Program, 14 May 2007
- DoD Directive 5400.11, DoD Privacy Program, 8 May 2007
- AR 25-55, DA FOIA Program, 1 Nov 1997
- AR 380-5, DA Information Security Program, 29 Sep 2000
- AR 25-2, Information Assurance, 24 Oct 2007
- USACC Policy Memorandum 17, Protection of IT Equipment and Sensitive Data, 15 May 2007
Personally Identifiable Information (PII)
PII, as set forth in DoD Directive 5400.11, para E2.e and DoD 5400.11-R, para DL1.14, is defined as follows:
“Personal Information. Information that identifies, links, relates, or is unique to, or describes him or her, e.g. a Social Security Number; age; military rank; civilian grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical, and financial information, etc. Such information is also known as personally identifiable information (i.e., information which can be used to distinguish or trace an individual’s identity, such as their name, Social Security Number, date and place of birth, mother’s maiden name, biometric records, including any other personal information which is linked or linkable to a specified individual).”
Why You Need to Know About Privacy:
 We are collecting, maintaining, distributing and disposing of information about individuals--YOU!
 The law requires you to take precautions when collecting, maintaining, distributing and disposing of PPI/PII
 The Privacy Act of 1974 contains both civil and criminal penalties for non-compliance.
The Department of Veterans Affairs Breach
 The VA loss of thousands of veterans’ records was well publicized, costly and brought PRIVACY to the forefront.
 This breach resulted in Presidential and Congressional interest in PRIVACY
 Office of Management & Budget (“OMB”) established working groups to address better protections, notification protocols, costs, and actions to be taken against employees
The Fallout
 OMB issued a Memorandum dated May 22, 2006, entitled “Safeguarding Personally Identifiable Information,” which directed agencies to provide training to all employees on their responsibilities to safeguard personally identifying information
The Fallout (Cont’d)
 OMB issued another Memorandum dated May 22, 2007, entitled “Safeguarding Against and Responding to the Breach of Personally Identifying Information”
 Both Memoranda require agencies to provide PRIVACY training to all employees
Your Role in PRIVACY
 You must understand the importance of ensuring that PPI/PII is properly protected
 You must get involved in identifying best practices for protecting PPI/PII
 You must be aware of the consequences for non-compliance
Privacy Act Requirements
 Establish rules of conduct for collecting, maintaining, distributing, and disposing of personal information
 Publish Privacy Act system of records notices in the Federal Register for all approved collections of privacy information
 Ensure that we collect only data that is authorized by law & that we share information only with those who have a need-to-know
Privacy Act Requirements
 Establish and apply data safeguards to protect information from unauthorized disclosure
 Allow individuals to review records about themselves for completeness and accuracy & to amend any factual information that is in error
 Keep record of disclosures made outside of DoD to authorized “routine users” described in the system notice
Examples of Personal Data Requiring Protection
 Financial, credit and medical data
 Security clearance level
 Leave balances; types of leave used
 Home address & telephone numbers, personal e-mail address
 Social Security Number
 Mother’s maiden name; other names used
Examples of Personal Data Requiring Protection
 Drug test results & fact of participation in rehabilitation program
 Family data
 Religion, race, national origin
 Performance ratings
 Names of employees who hold government-issued travel cards
The Loss of PPI/PII
 Can be embarrassing & cause emotional distress.
 Can lead to identity theft, which is costly to the individual and to the Government
 Can impact our business practices & result in actions being taken against an employee
 Can erode confidence in the Government’s ability to protect information
DepSecDef Memorandum
 On June 15, 2005, the DepSecDef issued a Memorandum entitled, “Notifying Individuals When Personal Information is Lost, Stolen, or Compromised.”
– Requires DoD activities to notify individuals within 10 days after the loss or compromise of protected personal information is discovered
DepSecDef Memorandum
 Directs that notification advise individuals of:
– what specific data was involved;
– the circumstances surrounding the loss, theft, or compromise;
– what protective steps the individual can take in response
 See also 32 C.F.R. § 310.50
Additional Breach Notification Procedures
 Agencies must report all incidents involving PII to the U.S. Computer Emergency Response Team (“US-CERT”) within ONE HOUR of discovery--32 C.F.R. § 310.50(1).
 DoD Components must report all incidents involving PII to the Senior Component Official for Privacy within 24 hours of discovering the breach--32 C.F.R. § 310.50.
Additional Breach Notification Procedures
 Senior Component Official for Privacy, or a designee, shall notify the Defense Privacy Office of the breach within 48 hours upon being notified of the breach--32 C.F.R. § 310.50(2).
 Submit report to the Defense Privacy Office detailing the specifics of the breach--32 C.F.R. § 310.50(2)(i) - (iv).
Collecting PPI/PII
 If you collect it--you must protect it!
 If in doubt, leave it out! Do you really need the entire SSN or will the last 4 digits serve as a second qualifying identifier?
 Moving from a paper process to an electronic process requires you to identify any breach risks
Think PRIVACY When Safeguarding PII
 Need to address whether collection & maintenance of all the information that we collect is “relevant and necessary,” and whether we can maintain “timely and accurate” information.
 The CIO may need to conduct a Privacy Impact Assessment (“PIA”) of electronic systems to identify vulnerabilities.
Best Practices
 Think PRIVACY when considering the PII that you store on your computer, memory stick, PDA, etc.
 Think PRIVACY when you send/receive emails that contain PII--are these messages properly marked?
“FOR OFFICIAL USE ONLY-PRIVACY SENSITIVE-Any misuse or unauthorized access may result in both civil and criminal penalties.”
Best Practices
 Any email messages that contain PII/PPI must contain the proper markings AND be ENCRYPTED!
 Any PII/PPI that is contained or maintained on “mobile” equipment (PDAs, memory sticks etc.) must be ENCRYPTED!
Best Practices
 Think PRIVACY when you create documents--do you need to include the entire SSN?
 Think PRIVACY when placing documents in public folders in Outlook and on public web sites.
 Think PRIVACY when disposing of PII--use cross-cut shredding, if possible
Your Responsibilities
 Do NOT collect personal data without authorization.
 Do NOT distribute or release personal information to other employees unless they have an official need-to-know.
 Do NOT be afraid to challenge anyone who asks to see PA information.
 Do NOT maintain records longer than permitted.
Your Responsibilities
 Do NOT destroy records before disposal requirements are met.
 Do NOT place unauthorized documents in PA systems of records.
 Do NOT commingle information about different individuals in the same file.
 Do NOT transmit personal data without ensuring that it is properly marked.
Your Responsibilities
 Do NOT use interoffice envelopes to mail Privacy data.
 Do NOT place privacy data on shared drives, multi-access calendars, the Intranet or Internet that can be accessed by individuals who do not have an official need-to-know.
 Do NOT hesitate to offer recommendations on how to better manage Privacy data.
Specific USACC Policies and Procedures
Leadership’s Responsibility for Data
 Develop policies, procedures and standards to protect/safeguard information and data.
 Enforce the policies, procedures and standards through training and oversight
 Be an active participant in information CIA, e.g. walk the talk, set the example, and identify areas of improvement
 Ensure everyone receives initial orientation training and refresher training each year
Individual Responsibility for Data
 Carefully consider the information you need to do your job, i.e. do you need SSNs, addresses, birthdates, etc.
 Know and understand policies, regulations, and guidance
Individual Responsibility for Data
 If you must use sensitive information, determine who needs to see it and protect it accordingly.
 Set up a folder that allows only those that must have access to it and the level of access, e.g. Read/Write, or Read only.
 If sending sensitive information via email, use the Encryption feature.
 When printing sensitive information on shared printers, pick up immediately and protect it.
 Delete any files containing sensitive information when they are no longer needed. Hard copies need to be shredded when no longer needed.
Identification of Creator/Modifier of Information
 Every file has a log that indicates when it was created, when it was modified and the identity of the person.
 To ensure your identity is correctly listed, you must do the following:
- Word: Open up a blank document. Go to Tools, then Options. Select the “User Information” tab. Type in your name and initials in the space provided. Hit OK.
- Excel: Open up a blank document. Go to Tools, then Options. Select the “General” tab. Type in your name in the space provided. Hit OK.
- PowerPoint: Open up a blank document. Go to Tools, then Options. Select the “General” tab. Find User Information. Type in your name and initials in the space provided. Hit OK.
Information Provided for the Weekly Blast, Public Site, Right Site, and Enterprise Portal
 All information provided to any available distribution format must have the Director’s or Deputy’s approval
 Information containing personal or operational information may be published within the Enterprise Portal only.
 Within the Enterprise Portal the following data is prohibited:
 SSNs
 Personal Medical Information
 Information that may be operationally or contractually sensitive or has a possibility of having a negative impact on the Army, USAAC, or USACC must be reviewed by PAO, Security, and SJA
 G6 will not accept information for posting to any of the above sites unless it is approved by the Director or Deputy
Files Created and Stored Locally Containing Personal Information
 Any information containing personal information (electronic or hard copy) must be:
 Protected from unauthorized access
 Deleted when no longer needed
 Identify the person that created it
 Process for protecting from unauthorized access:
 Use the minimum personal information required
 Determine who needs to access the information, if anyone, other than yourself
Files Created and Stored Locally Containing Personal Information
 If multiple people need to access (electronically):
 Create a folder
 Put in a work order listing, by name, who needs access and at what level
 Once you receive notification that the folder has been created, put a test document in it and test the access
 Once the access test confirms the folder does restrict access, create the file and put it in the restricted folder.
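As an added illustration (not part of the USACC training or its G6 procedures), the following PowerShell shows how a restricted folder with the Read-only and Read/Write levels described above can be set up on a Windows file system and then checked the way the access test step asks for. The folder path and the two group names are assumptions.

```powershell
# Added example: restricted folder for personal information.
# Path and group names below are hypothetical placeholders.
$Folder    = 'D:\Restricted\PersonnelRoster'   # hypothetical folder
$ReadOnly  = 'DOMAIN\Roster-Readers'           # hypothetical "Read only" group
$ReadWrite = 'DOMAIN\Roster-Editors'           # hypothetical "Read/Write" group
$Admins    = 'BUILTIN\Administrators'

New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$acl = Get-Acl -Path $Folder

# Stop inheriting from the parent share so broad entries such as
# "Everyone" or "Users" are not carried into the restricted folder.
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

# Rules apply to the folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

function New-FolderRule([string]$Identity, [string]$Rights) {
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $inherit, $propagate, 'Allow')
}

$acl.AddAccessRule((New-FolderRule $ReadOnly  'ReadAndExecute'))  # Read only
$acl.AddAccessRule((New-FolderRule $ReadWrite 'Modify'))          # Read/Write
$acl.AddAccessRule((New-FolderRule $Admins    'FullControl'))     # administration
Set-Acl -Path $Folder -AclObject $acl

# The access test from the slide: report any principal that still has an
# entry on the folder but is not on the approved list.
function Test-RestrictedFolder {
    param([string]$Path, [string[]]$Allowed)
    $unexpected = (Get-Acl -Path $Path).Access |
        Where-Object { $Allowed -notcontains $_.IdentityReference.Value }
    if ($unexpected) {
        Write-Warning "Unexpected access entries on $Path"
        $unexpected | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
        return $false
    }
    return $true
}

Test-RestrictedFolder -Path $Folder -Allowed @($ReadOnly, $ReadWrite, $Admins)
```

Run the check again after the test document has been placed in the folder, and only create the real file once it returns True.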
Sending Files Containing Personal Information to Another Person
 Any information containing personal information that is sent must be encrypted and digitally signed by the sender.
 The information should contain the minimal amount of information possible to accomplish the task. If at all possible, stay away from SSNs.
 The instructions for BN users to be able to send and receive encrypted emails are being drafted now. Basically it will require the person receiving the file and the person sending it to exchange digitally signed emails and save the userid/certificates to their personal contacts.