
Data Classification & Privacy Inventory Workshop

Data Classification & Privacy Inventory Workshop. Implementing Security to Protect Privacy, November 2005. Welcome & Introductions: Debra Reiger, State Information Security Officer; Joanne McNabb, California Office of Privacy Protection; Lester Chan, California Office of HIPAA Implementation.


Presentation Transcript


  1. Data Classification & Privacy Inventory Workshop Implementing Security to Protect Privacy November 2005

  2. Welcome & Introductions • Debra Reiger, State Information Security Officer • Joanne McNabb, California Office of Privacy Protection • Lester Chan, California Office of HIPAA Implementation

  3. Workshop Agenda • Welcome & Introductions - Debra Reiger • Information Privacy & Security - Joanne McNabb • Introduction to State Policy on Data Classification - Debra Reiger • Break • Protected Health Information - Lester Chan • Conducting a Privacy Inventory - Joanne McNabb • Workshop Exercise - Lester Chan

  4. Information Privacy & Security • Privacy: Individual’s interest in controlling the handling of his/her personal information • Security: Organization’s interest in protecting information assets from unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use • Information security is essential to privacy protection.

  5. “Personal information is like toxic waste – Managing it requires a high level of skill and training.” -Phil Agre, Technology and Privacy in a New Landscape

  6. Why Protect Personal Information • Law and Policy • Information Practices Act, HIPAA • Data Classification, Encryption (soon) • Risk Reduction • SAM • Security breach notification law (Civil Code § 1798.29) – Cost of notification $1-$25 per notice • Identity Theft • > 9 Million victims and $52.6 Billion in 2004

  7. Protecting Personal Information • Classify data and identify records systems containing personal identifying information. • Locate records needing special protection: • Notice-Triggering Personal Information • Health Information (Protected or Electronic) • Protect with appropriate security measures • Administrative, Technical, Physical

  8. State Policy on Classifying Data Classification of Information

  9. Introduction • State policy requires that we identify and classify our data and protect it appropriately. • See SAM Sections 4840-4845 • Automated files and databases are essential public resources. • We are the protectors of the public’s information. • We must first classify and locate data before we can properly protect it.

  10. Information Protection • Give appropriate protection from unauthorized: • Use • Access • Disclosure • Modification • Loss • Deletion

  11. Information Classifications • Public Information • Confidential Information

  12. Public Information • Information not exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws

  13. Confidential Information • Information exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws

  14. Sensitive & Personal Info • Sensitive and personal information may occur in public and/or confidential records. • Files and databases containing sensitive and/or personal information require special precautions to prevent inappropriate disclosure.

  15. Sensitive Information • Requires special precautions to protect from: • Unauthorized use • Access • Disclosure • Modification • Loss • Deletion

  16. Sensitive Information • May be either • Public, or • Confidential. • Requires a higher than normal assurance of accuracy and completeness. • Key factor is integrity. • Typical records are agency financial transactions and regulatory actions.

  17. Personal Information • Identifies or describes an individual • Must be protected from inappropriate • Access • Use • Disclosure • Must also be accessible to data subjects upon request

  18. Personal Information • Identifies or describes an individual: • Name • Home address • Home phone • etc. • Sub-types of Personal Information: • Notice-Triggering Personal Information • Medical Information • Protected Health Information • Electronic Health Information

  19. Notice-Triggering Personal Info • Name plus specific items of personal information: • Social Security Number • Driver’s license/I.D. card number • Financial Account Number • Requires notifying individuals if it is acquired by an unauthorized person.

  20. Protected Health Information HIPAA Covered Entities

  21. Protected Health Information • Individually identifiable information created, received, or maintained by health care payers, providers, health plans or contractors, in electronic or physical form. • State and federal laws require special precautions to protect from unauthorized use, access, or disclosure.

  22. Electronic Health Information • Individually identifiable health information transmitted by electronic media or maintained in electronic media

  23. Electronic Health Information • Health plans, clearinghouses or providers must ensure the privacy and security of electronic protected health information from unauthorized use, access or disclosure

  24. Current Information • Assess current systems for protected health information in physical (paper) and electronic form. • Include personal information in the data classification portion of risk analysis and risk management • Risk analysis and risk management are required of HIPAA covered entities

  25. Future Data Systems • Be aware of these data classifications as more data is created, maintained or transmitted. • Plan for protecting your data during the system design phase. • Collect data that you have the authority and need to collect.

  26. Conducting a Privacy Inventory Where is your data? Where is your personal data?

  27. Privacy Inventory Process • ISO/PO gets management support. • Each division/program identifies “Privacy Contact.” • ISO/PO explains process to Privacy Contacts. • Privacy Contacts complete Privacy Inventory Worksheet. • ISO/PO/Program implement appropriate safeguards. • ISO/PO conduct ongoing privacy awareness training for users (more on this later).

  28. Overview of Worksheet • Part I: Records System Inventory • Part II: Privacy Practices Inventory

  29. Part I of Inventory Worksheet • Records Systems Containing Personal Information • Start with Records Inventory for Records Retention Schedule • List only Records Systems containing personal information

  30. 1. Records System • Group of records maintained for official purposes • Same as “Records Series” in Records Retention Handbook: Group of related records under a single filing category that deal with particular subject

  31. Personal Information • Information that describes an individual, including name, home address, home phone, etc. – defined in Civil Code 1798.3 • Information on clients, consumers, applicants, licensees, employees, contractors – everyone

  32. 2. Description of Records • Examples • Applications for general contractor’s license • Personnel records of current employees • Case records of recipients of in-home supportive service, past and present • Consumer complaints

  33. 3. Sources of Records • Examples: • Subject supplies information on application form • Schools provide information on transcripts. • DOJ provides information from criminal history records

  34. 4. Owner and Location • Owner: Department/Division/Program that collects and maintains the records • Location: Agency name and address where original records system is located • Contact: Name, title, business contact information of agency official responsible for records system

  35. 5. Authority • Citation of regulation or statute authorizing agency to collect and maintain records system

  36. 6. Media of Records System • Medium of “original” records system: electronic, paper, tape • Additional media on which records are stored or used: • PC • Laptop • Other portable device or medium

  37. 7. Type of Personal Information • Objective: Identify records systems containing personal information needing special protections • Notice-triggering personal information (name plus SSN, DL/State ID number, financial account number) • Health/medical information • Other personal information (Home Address, MMN, DOB, etc.)

  38. 8. Confidential or Sensitive Info • Does the records system contain any confidential or sensitive information (other than personal information)? • Confidential: Exempt from PRA • Sensitive: For example, network configuration, agency bank records

  39. 9. Routine Uses & Disclosures • Purposes for which records were created • Uses and users • Disclosures outside agency that collects and maintains records system

  40. Part II of Inventory Worksheet • Privacy Practices • Checklist of major practices per IPA, Government Code, etc. • Optional – but good way to start to build privacy awareness

  41. 1. Privacy Policy Statement • Is your agency’s privacy policy statement posted in your office(s)? • Is it posted on your Web site(s)? • Government Code 11019.9

  42. 2. Rules of Conduct • Does your program/agency have written rules of conduct for handling records containing personal information? • Civil Code 1798.20 • If so, attach copy to Worksheet.

  43. 3. Access Guidelines • Does your program/agency have regulations or guidelines telling individuals how they can access their own records? • Civil Code 1798.34 – 1798.44 • If so, attach copy to Worksheet.

  44. 4. Notice on Collection • How do you provide notice (of authority, uses, disclosures, access procedures, etc.) when collecting personal information? • Civil Code 1798.17 • Printed on paper forms • On online forms • Other

  45. 5. Public Records Act Disclosures • Do you have written procedures for responding to PRA requests? • How do you protect personal information in public records? • If so, attach copy to Worksheet.

  46. 6. Retention & Destruction • Is this records system listed in your Records Retention Schedule?

  47. 7. Incident Notification Procedures • Does the program/division/department have written procedures for notification of privacy/security incidents? • For example, lost/stolen laptop containing (possibly notice-triggering) personal information: Report as information security incident, not property theft

  48. Privacy Awareness • Privacy Inventory raises awareness of privacy vulnerabilities and protection requirements • Ongoing awareness training for all users is essential • Coming soon from COPP

  49. End of Presentation • Questions • Comments
