Privacy Foundations
Samuel P. Jenkins
Director for Privacy
Defense Privacy and Civil Liberties Office
Identity Protection and Management Expo
Orlando, Florida
April 2011

Purpose
The purpose of this presentation is to provide an overview of relevant Federal Privacy laws and DoD regulations.

Objectives
• Upon completion of this presentation, you should be able to:
  • Explain the basic concepts of information privacy.
  • Describe key elements of foundational privacy laws and regulations.
  • Explain how privacy laws and regulations interrelate.

The Privacy Act of 1974
5 USC 522a

The Privacy Act
*NIST Guide to Protecting the Confidentiality of (PII) (NIST SP 800-122, 4/10)

The Privacy Act
• A code of fair information practices which mandates how Government agencies shall collect, maintain, use, and disseminate personally identifiable information (PII) about individuals that is maintained in systems of records (SOR).

The Privacy Act (continued)
• Applies to: Executive Branch Agencies.
• Implemented by:
  • DoDD 5400.11, “DoD Privacy Program.”
  • DoD 5400.11-R, “DoD Privacy Program.”

The Privacy Act (continued)
• What is PII?
  • Information which can be used to distinguish or trace an individual’s identity.
  • Including name, social security number, date and place of birth, mother’s maiden name, biometric information.
  • Any other personal information which is linked or linkable to a specified individual.

The Privacy Act (continued)
• What is a Record?
  • A collection or grouping of information about an individual that is maintained by a DoD Component.
• What is a SOR?
  • A group of records which are under the control of a DoD Component that are retrieved by name, SSN, or other personal identifier.

The Privacy Act (continued)
• The DoD’s responsibility is to balance the government’s need to maintain information about individuals with the rights of individuals.

DoD SSN Use Reduction Plan
• Purpose: To eliminate, when feasible, the use of Social Security numbers (SSNs).
• Applicability: All uses of SSNs within the DoD, to include DoD data managed or maintained in contractor-owned, -managed, or -operated systems.

DoD SSN Use Reduction Plan (continued)
• Implemented by:
  • Executive Order 9397 (SSN), as amended.
  • OMB Memorandum M-07-16.
  • DTM 07-015-USD(P&R).
  • USD(P&R) Memo, “Updated Plan for the Removal of SSNs from DoD ID Cards.”
  • DRAFT USD(P&R) DoDI 1000.hh.

DoD SSN Use Reduction Plan (continued)
• USD(P&R) Memo, “Updated Plan for the Removal of SSNs from DoD ID Cards”:
  • DoD ID cards will no longer visibly display SSNs.
  • As of May 2011, replaced SSN with the DoD ID Number (formerly known as EDI-PI) and, when applicable, the DoD Benefits Number.
  • Beginning 2012, initiate removal of the SSN from the ID card's barcode.

DoD SSN Use Reduction Plan (continued)
• DRAFT USD(P&R) DoDI 1000.hh, “Reducing Use of Social Security Numbers (SSNs) Within DoD.”
  • Each Component required to review systems and forms which collect SSN to determine if continued use is justified.
  • Systems or forms that do not fall under one of the approved 'use cases' will be required to develop and institute a plan to eliminate the use of the SSN.
  • Systems with an approved use case for SSN collection will require a signed memo documenting the requirement for such use.

Health Insurance Portability and Accountability Act (HIPAA)
Public Law 104-91

HIPAA
• Purpose: Improve the efficiency and effectiveness of the health care system by standardizing the electronic exchange of administrative and financial data.
• Applicability: Covered entities
• HIPAA defines a covered entity as:
  • A health care provider that conducts certain transactions in electronic form;
  • A health care clearinghouse; or
  • A health plan.

HIPAA (continued)
• HIPAA Privacy Rule.
  • Establishes national standards to protect individuals’ medical records and other PHI.
• Implemented by:
  • DoD 6025.18-R, “DoD Health Information Privacy Regulation.”

HIPAA (continued)
• HIPAA Security Rule.
  • Establishes national standards to protect individuals’ electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity.
• Implemented by:
  • DoD 8580.02-R, “DoD Health Information Security Regulation.”

HIPAA (continued)
• Protected Health Information (PHI) is:
  • Individually identifiable health information which is a subset of PII.
  • Created, received, or maintained by a covered entity.
  • Transmitted or maintained by electronic or any other form or medium, except as otherwise contained in employment records.

HIPAA (continued)
[Figure: Protected Information. Labels: Covered Entity, Non-Covered Entity, Employer, Fed Agency, Joe Q. Public, Hospital, Privacy Act & HIPAA, Privacy Act]

Freedom of Information Act (FOIA)
5 USC 552

FOIA
• Purpose: Inform the public of information while appropriately protecting government interests.
• Applicability: Executive branch government agencies.
• Implemented by:
  • DoDD 5400.7, “DoD Freedom of Information Act (FOIA) Program.”
  • DoD 5400.7-R, “DoD Freedom of Information Act Program.”

FOIA (continued)
• Provides individuals with access to many types of records that are exempt from access under the Privacy Act.
• Unlike those of the Privacy Act, FOIA procedures are available to non-resident foreign nationals.

E-Government Act of 2002
Public Law 107-347

E-Government Act
• Purpose: Improve internet-based technology to make it easier for citizens and businesses to interact with the government.
• Applicability: All executive branch departments and Federal agencies.

E-Government Act (continued)
• Protects PII agencies collect, use, maintain, or disseminate within information technology systems.
• Implemented by:
  • OMB and DoD Annual FISMA Guidance.
  • DoD CIO Memorandum, DoD Privacy Impact Assessment (PIA) Guidance.

E-Government Act - FISMA
• Federal Information Security Management Act (FISMA) provides a framework for ensuring the effectiveness of information security controls for Federal systems.
• Implemented by:
  • DoD Directive 8500.1.
  • DoD Instruction 8500.2.
  • DoD Annual FISMA Guidance.

E-Government Act - FISMA (continued)
• Applicability:
  • Federal government agencies’ information systems.
  • Information systems operated by contractors on behalf of federal agencies.
• What it protects:
  • Federal information systems and related resources.

E-Government Act - FISMA (continued)
From Report GAO-07-837 INFORMATION SECURITY, “Despite Reported Progress, Federal Agencies Need to Address Persistent Weaknesses,” July 2007.

E-Government Act - PIA (continued)
• Privacy Impact Assessments (PIA).
  • An analysis of systems to identify privacy risks associated with the use of PII.
• Web-page privacy policy.
  • Must include a machine-readable privacy policy.
  • Must be consistent with the Privacy Act.
• Implemented by:
  • DoD Instruction 5400.16.

Paperwork Reduction Act
Public Law 104-13

Paperwork Reduction Act
• Purpose
• Reduce the total amount of paperwork handled by the federal government and general public.
• Maximize utility of information.
• Agencies must ensure disclosure policies will honor any claims of confidentiality on forms.

Paperwork Reduction Act (continued)
• What it protects: Information created, collected, maintained, used, disseminated, or disposed.
• Implemented by:
  • DoD 8910.1-M.

Records Management
36 CFR, Chapter 12

Records Management
• Purpose: Supports the creation, maintenance and use, and disposition of records in order to document federal policies, operations, and transactions appropriately and economically.
• Implemented by:
  • DoD WHS Administrative Instruction 15.

Records Management (continued)
• Applicability: Federal agencies and Executive branch of the U.S. Government.
• What it protects: All information, related to an agency’s business transaction, that is created, used, maintained, disseminated, or disposed of.

Integrating Different Laws
• The challenge:
  • Laws with various purposes often govern the same data at different points in the systems development life cycle.
• The solution:
  • Focus on the FIPPs.
  • Comply with Federal law and DoD Policy.
  • Consult your Privacy Office at the beginning of the SDLC.

Summary
• You should now be able to:
  • State the purpose of each law, who it applies to, and what it protects.
  • Recognize that laws create standards and mandate compliance.
  • Identify how different laws relate to one another.
  • Discuss the FIPPs as they relate to the Defense Privacy Program.

Resources
• Paperwork Reduction Act, Public Law 104-13, May 22, 1995.
• DoD 8910.1-M, DoD Procedures for Management of Information Requirements, June 30, 1998.
• Freedom of Information Act (FOIA), Public Law 89-554, July 4, 1966.
• DoDD 5400.7, DoD Freedom of Information (FOIA) Act Program, October 28, 2005.
• DoD 5400.7-R, DoD Freedom of Information Act Program, September 1998.
• The Privacy Act of 1974, Public Law 93-579, December 31, 1974.
• DoDD 5400.11, DoD Privacy Program, May 8, 2007.
• DoD 5400.11-R, DoD Privacy Program, May 14, 2007.
• Health Insurance Portability and Accountability Act of 1996, Public Law 104-91.
• DoD 6025.18-R, DoD Health Information Privacy Regulation, January 2003.
• DoD 8580.02-R, DoD Health Information Security Regulation, July 12, 2007.
• E-Government Act of 2002, Public Law 107-347.
• Federal Information Security Management Act (FISMA) of 2002.
• DoD and OMB Annual FISMA Guidance.
• DoDD 8500.1, Information Assurance, October 24, 2002.
• DoDI 8500.2, Information Assurance Implementation, February 6, 2003.
• DoD CIO Memorandum, DoD Privacy Impact Assessment (PIA) Guidance, October 28, 2005.
• Office of Management and Budget Circular No. A-130, Revised, Management of Federal Information Resources, November 28, 2000.
• DoDD 5015.2, DoD Records Management Program, March 6, 2000.