DEFENSE PRIVACY & CIVIL LIBERTIES OFFICE

Safeguarding Personally Identifiable Information (PII)

Samuel P. Jenkins
Director for Privacy
Defense Privacy and Civil Liberties Office

Purpose

The purpose of this presentation is to provide a summary of the administrative, physical, and technical safeguards that are applicable to systems that collect, use, maintain, or disseminate personally identifiable information (PII).

Objectives

Upon completion of this presentation, you should be able to:

  • Understand the role of safeguards that should be applied to systems of records (SORs).
  • Explore the physical, technical, and administrative safeguards for protecting PII.
  • Define the role of Privacy Impact Assessments and SORNs in safeguarding PII.

Privacy Act and Safeguards

The Privacy Act of 1974 requires agencies to:

  • Establish Rules of Conduct.
  • Establish Safeguards.
  • Maintain accurate, relevant, timely, and complete information.

Privacy Act and Safeguards

Safeguards are used to protect agencies from “reasonably anticipated threats.”

Threats may cause harm, embarrassment, inconvenience, or unfairness.

Threats to personal information include:

  • Unauthorized access.
  • Unauthorized alteration.
  • Unauthorized disclosure.

Privacy Act and Safeguards

Safeguards should be tailored to the:

  • Size and sensitivity of each system.
  • System-specific vulnerabilities.

Types of Safeguards:

  • Administrative.
  • Physical.
  • Technical.

Physical Safeguards

  • Paper records should be stored in locked cabinets.
  • Records being faxed or mailed should have a coversheet.
  • Facilities handling PII should be access controlled and hardware should be locked up.
  • Never leave files, storage media, or computers unattended or in vehicles.

Physical Safeguards

Records Disposal – Retirement or deletion of a record does not obviate the need for safeguards.

  • Must render discarded info unrecognizable and beyond reconstruction.
  • Destruction should be tailored to the type of media involved.
    ○ Paper – burn, shred.
    ○ Electronic – overwrite, degauss, incinerate.

Technical Safeguards

Security Requirements include:

  • Encryption.
  • Control Remote Access.
  • Time-Out Function.
  • Log and Verify.
  • Ensure Understanding of Responsibilities.

Technical Safeguards

  • Ensure all emails with PII are encrypted and that all recipients have a ‘need to know.’
  • Ensure records are access controlled.
    ○ PII on shared drives should only be accessible to people with a ‘need to know.’
  • Ensure Social Security numbers (including the last 4) are not posted on public facing websites.

Administrative Safeguards

Admin Safeguards - Policies

Agencies must have policies in place for PII handling, specifically defining:

  • Affected Individuals.
  • Affected Actions.
  • Consequences.

Admin Safeguards - Training

Agencies are responsible for ensuring that staff handling PII are adequately trained:

  • Training must be commensurate with an individual’s responsibilities.
  • Training will be a prerequisite before access to DoD systems is permitted.
  • Such training is mandatory for affected DoD personnel and contractors.

Admin Safeguards - Training

Components shall ensure receipt of Privacy Act training, such as:

  • Orientation Training.
  • Specialized Training.
  • Management Training.
  • Privacy Act Systems of Records Training.

Admin Safeguards - Training

Annual Refresher Training.

  • Provided to ensure continued understanding of their responsibilities.
  • All personnel with authorized access to PII shall annually acknowledge their understanding.

Admin Safeguards - Training

DoD Components shall expand their training materials and program to include specific privacy and security awareness segments in their training program(s).

Admin Safeguards – Breach Handling

Existing Requirements:

  • FISMA Requirements.
  • Incident Handling and Response Mechanism.

OMB M-07-16 modified breach reporting rules.

Modified Agency Reporting Requirements:

  • US-CERT Modification.
  • Develop and Publish a Routine Use.
    ○ Effective Response.
    ○ Disclosure of Information.

Admin Safeguards – Breach Handling

Breach Notification: Criteria to Consider:

  • Whether Breach Notification is Required.
  • Timeliness of the Notification.
  • Source of the Notification.
  • Contents of the Notification.
  • Means of Providing Notification.
  • Who Receives Notification: Public Outreach in Response to a Breach.

Admin Safeguards – Review & Report

Under the Federal Information Security Management Act (FISMA) agencies must:

  • Review PII holdings & report to Congress Annually.
  • Review and reduce the volume of PII.
  • Specifically, Agencies Must Reduce the Use of Social Security Numbers.
    ○ Eliminate Unnecessary Use.
    ○ Explore Alternatives.

Admin Safeguards – Review & Report

As part of FISMA privacy reporting, DoD Components are required to:

  • Confirm that they have established, or are in the process of establishing, PII review plans; or
  • Provide a schedule for periodically updating their review of their holdings.

It is DoD policy that:

  • All automated systems containing PII are registered in the Defense Information Technology Portfolio Repository (DITPR).

Admin Safeguards – Review & Report

It is DoD policy that (continued):

  • Updates to OMB be designed so that:
    ○ IT systems with PII are reviewed on the same cycle as the Defense Information Assurance Certification and Accreditation Process (DIACAP).
    ○ PIA/SORNs are reviewed at least once every two years.
  • Components shall report results to DPCLO on FISMA schedule.

Privacy Impact Assessments (PIA) & System of Records Notices (SORN)

Admin Safeguards – PIAs & SORNs

A Privacy Impact Assessment (PIA) is an analysis of how information is handled to:

  • Ensure handling conforms to applicable legal, regulatory, and policy requirements.
  • Determine the risks and effects of collecting, using, maintaining, and disseminating PII in an electronic information system, and
  • Mitigate potential privacy risks.

OMB 03-22 (9/26/2003), EGOV 208(b)

Admin Safeguards – PIAs & SORNs

A PIA is required when PII is collected from:

  • Existing information systems and electronic collections where a PIA has not previously been completed and that collect PII about Federal personnel and contractors.
  • New information systems or electronic collections:
    ○ Prior to developing or purchasing; and
    ○ When converting paper records to electronic systems.

Admin Safeguards – PIAs & SORNs

A PIA is not required when the information system or electronic collection:

  • Does not collect, maintain or disseminate personal identifying information.
  • Is a National Security System (including systems that process classified information).

Admin Safeguards – PIAs & SORNs

What is a SORN?

  • A SORN is a public notice of an agency’s intent to collect & retrieve PII in a SOR.
  • SORNs include:
    ○ The safeguards that will be applied to the system.
    ○ The who, what, why, and where of the system.
    ○ Processes for access and correction of records.
  • A SORN must be published in the Federal Register before a system can begin to collect PII.

PIA/SORN Essential Elements Crosswalk

Privacy Impact Assessment (PIA)/System of Record Notice (SORN) Essential Elements Crosswalk

PIA | SORN
----|-----
What privacy information is collected | Categories of Records in the System
Why the information is collected | Authority/Purpose(s)
What the intended uses are for the information | Purpose(s)
With whom the information is shared | Routine Uses
What opportunities individuals have to decline to provide PII | Privacy Act Statement/Notification procedure
How information is secured | Safeguards
What privacy risks need to be addressed | Narrative Statement/Probable or potential effects on the privacy of individuals.
Whether a System of Records Notice (SORN) exists | (Not applicable)

PIA/SORN Crosswalk

PRIVACY IMPACT ASSESSMENT (PIA)
DoD Information System/Electronic Collection Name:
DoD Component Name:

SECTION 4: REVIEW AND APPROVAL SIGNATURES

Prior to the submission of the PIA for review and approval, the PIA must be coordinated by the Program Manager or designee through the Information Assurance Manager and Privacy Representative at the local level.

  • Program Manager or Other Official Signature (to be used at Component discretion)
  • Component Senior Information Assurance Officer Signature or Designee
  • Component Privacy Officer Signature
  • Component CIO Signature (Reviewing Official)

Source: DD Form 2930

PIA/SORN Crosswalk

Critical Privacy – Security Interface

PRIVACY: Focused on meeting the information requirements of the Agency while ensuring the protection of the rights of the individual in the collection, use and dissemination of PII.

SECURITY: Focused on protecting the information and information systems supporting the operations and assets of an organization.

Privacy’s success is dependent on the establishment of a basic foundation for information security.

NIST Draft Guide to Protecting the Confidentiality of (PII) (1/09)

Summary

You should now be able to:

  • Understand the role of safeguards that should be applied to systems of records (SORs).
  • Explore the physical, technical, and administrative safeguards for protecting PII.
  • Define the role of Privacy Impact Assessments and SORNs in safeguarding PII.

Resources

  • DoD 5400.11-R, Department of Defense Privacy Program, May 14, 2007.
  • OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, May 22, 2007.
  • DoD Implementation: Safeguarding Against and Responding to the Breach of Personally Identifiable Information (PII), June 5, 2009.
  • DD Form 2930, “Privacy Impact Assessment (PIA),” 2008.
  • OSD Memorandum 13798-10, “Social Security Numbers Exposed on Public Facing & Open Government Websites.”

Congratulations!

You have completed your Personally Identifiable Information (PII) Training

PRINT GIVEN NAME (No Nicknames):
SIGNATURE:
COMPLETION DATE:
NAF EMPLOYEE ID NUMBER:

Fill in the required information above and get this certificate to your Department Training Liaison.

By signing and submitting this certificate, I certify that I have read and understand the content in the training presentation.