
Executive Branch Privacy Program


Presentation Transcript


  1. Executive Branch Privacy Program Introduction to the West Virginia Executive Branch Privacy Policies Education & the Arts Presented by Heather Butler, Privacy Coordinator, WVDCH May 2009

  2. Welcome to the Privacy Program! • Privacy Program consists of six policies • Notice • Consent • Individual Rights • Minimum Necessary and Limited Use • Security Safeguards • Accountability • These all take effect on August 1, 2009 • Compliance is required for all Executive Branch Agencies, including Education & the Arts

  3. Why Have a Privacy Program? • The Privacy Program demonstrates our commitment to respecting people by protecting their information and using it properly • Our commitment extends to all our employees as well as our citizens, service providers and other business partners • The Privacy Program balances individual privacy with our legitimate needs to collect, use and disclose information for Agency business purposes

  4. Policies Govern “PII” • PII = personally identifiable information • PII is any information that can be used to identify, locate or contact a person • Includes obvious information, such as names and addresses, Social Security numbers • And less obvious information, such as email addresses, driver’s license numbers, credit card numbers • Even regulated information – Protected Health Information (PHI) is part of PII • Includes information about citizens, co-workers, vendors and employers – every person you encounter • Includes information in every format – computerized or paper

  5. Sensitive PII is a Subset of PII • Some PII is classified as “sensitive” • Sensitive PII (or SPII) consists of those elements of PII that require greater protection • All health information and medical records, including (but not limited to) PHI • Social Security numbers, driver’s license numbers • Financial account information, including bank account numbers and payment card information

  6. Privacy Program Summary • Policies regulate our collection, use, transfer and storage of PII • They provide for transparency, using privacy notice, and choice • They require that we respect individual rights of access and correction • They demonstrate our willingness to accommodate individual privacy concerns • They require us to answer questions and respond to complaints

  7. NOTICES • What is a Notice? • Why is it important? • Drafting privacy notice • Notice required for EACH process • Concept of “Layered Notices” • How are notices delivered?

  8. The Consent Policy • Reflects our commitment to giving people choice about how we collect, use and disclose their PII • Recognizes that sometimes choice isn’t possible • What is choice? - the ability to specify whether PII will be collected and/or how it will be used or disclosed • Opt in vs. opt out

  9. Consent Policy – How the Consent Policy Works • Sometimes a person’s consent is required before you can use PII – if this is true, you must obtain consent • For example, our HIPAA Policy requires consent before a person’s PHI can be shared for fundraising • Sometimes you are required to collect PII – if this is true, you may use the PII even if the person objects • For example, our Communicable Diseases Policy mandates that you disclose some PHI for public health purposes • In most cases, consent is not required – if this is true, you may collect the PII, but you offer individuals choice wherever possible

  10. The Individual Rights Policy Demonstrates our commitment to • Collecting PII directly from the individual, where possible • Giving individuals the ability to access, copy and amend their PII • Answering questions about our use and handling of PII • Trying to address individual privacy concerns

  11. Individual Rights Policy – Why is Access Important? • “Access” is the ability of a person to view the PII held by an organization • This ability is usually complemented by an ability to update the information • Access rights help ensure accuracy – this is especially important for PII used for substantive decision-making • They also improve accountability – by viewing the PII held, individuals can confirm that we are complying with the promises in our privacy notices

  12. Individual Rights Policy Respecting Access Rights • We have processes for evaluating access requests and providing access to PII • We also have a process for updating PII, if it’s not accurate • REFER REQUESTS TO PRIVACY COORDINATOR OR PRIVACY OFFICER

  13. The Minimum Necessary and Limited Use Principle • Demonstrates our commitment to only collecting the PII that we really need for Agency business • Requires us to give people choice when we collect PII that isn’t strictly necessary for the process at hand

  14. Minimum Necessary Policy – Why is Minimum Necessary Important? • Demonstrates respect for privacy by addressing one of the most common concerns, “excessive” collection of PII • Forces us to think about the purposes for the processing – and the purposes for each element of PII that we request • Helps ensure we keep our privacy promises by limiting the opportunity for mission creep

  15. Minimum Necessary Policy – Limit Collection of PII • Determine what elements of PII you really need for a process – i.e., the PII you must collect • If you wish to collect additional elements of PII, you MAY do so if: • You have a specific purpose for the PII, related to legitimate Agency business • That purpose is described in the privacy notice, AND • You offer individuals choice, so they can decline to provide the PII • You may not require an individual to provide more than the minimum necessary PII

  16. Minimum Necessary Policy Limit Collection of PII - Example • You run a state campground. To enable camping, you must collect the person’s name and payment information • You may collect an emergency contact, in case something bad happens • You may collect an email address, in case you send happy camper email newsletters • You may collect demographic data or conduct surveys, in case you want to know more about your customers and what they’d like from your campground • You cannot require emergency contacts, email addresses or survey responses – but you may certainly ask • Your privacy notice must address all the elements

  17. Minimum Necessary Policy Limit Disclosure of PII • When disclosing PII to third parties (such as vendors or other agencies), only disclose those elements of PII that are needed by the third party • Extract the required elements of PII, and don’t share anything else

  18. The Security Safeguards Policy • You cannot respect privacy unless you secure the PII • The Security Safeguards Policy requires each Agency to have appropriate controls to protect PII • We protect the PII from (i) anticipated threats or hazards, and (ii) unauthorized access, use or disclosure • We protect ALL PII, with special attention on sensitive PII • We protect PII in all formats – paper or computerized • We collaborate with the Office of Technology (OT) on information security requirements

  19. Security Safeguards Policy Comply with OT Policies • The most important requirement is that you follow all the OT security rules http://www.state.wv.us/ot/PDF/Document_center/SecurityPol0107.pdf • Take a few moments to review these rules and make sure you understand exactly how they apply to your daily activities • Ask questions if you aren’t sure! • Also review the Agency Acceptable Use Policy

  20. Security Safeguards Policy – Security Incidents • A “Security Incident” is any incident that compromises the security, confidentiality, or integrity of PII (with or without SPII) • Unauthorized disclosures of PII are always security incidents • Other examples: • Lost or stolen laptop or device (PDA, cell phone) • Lost or stolen storage media (memory stick, CD-ROM) • Lost or stolen paper records • Lost or compromised password or access card • Presence of viruses, spyware or other malicious code on a computer or device

  21. Security Safeguards Policy Security Incidents • Even the very best organizations have security incidents • Workers in the best organizations watch for incidents and report them immediately • This allows the Privacy Officer and security teams to manage the risks and limit damage • Your job is to report all incidents to your manager, the Privacy Officer or the Helpdesk as soon as you become aware of a problem!

  22. The Accountability Policy • Everyone is responsible for privacy and security • Everyone has access to lots of PII and SPII – about your co-workers, citizens we serve, our business partners • It is your job to understand how the Privacy Policies apply to the PII you have • It is your job to forward questions and complaints to your manager or the Privacy Officer • It is also your job to tell us about any mistakes that might compromise or expose PII

  23. The Accountability Policy – What It Means For You • Read the Policies – be sure you understand how they apply to your day-to-day activities • Ask questions – if you aren’t sure of something, ask your manager or the Privacy Officer • Don’t be afraid to say no – you have the power to question anything that doesn’t seem right! • Call the OT Helpdesk if you have any security questions • Report complaints, violations and mistakes IMMEDIATELY

  24. The Accountability Policy Names & Numbers to Know • OT Helpdesk (304) 558-1257 • Agency Privacy Officer WVDCH Heather Butler: (304) 558-0220 Education and the Arts Tiffany Redman: (304) 558-2440

  25. Questions & Comments
