Safeguarding PII (PowerPoint download) by tlyaappjdlag


Safeguarding PII

  The Privacy Office
    U.S. Department of Homeland Security
    Washington, DC 20528
    t: 703-235-0780; f: 703-235-0442;
• Why Privacy is Important
• Personally Identifiable Information
• Sensitive PII
• Handling PII in a DHS System
• Handling PII Extracted from a DHS
• Handling PII Outside of a DHS System
• Privacy Incident Reporting

    The DHS Privacy Office
    October 14, 2011: slide 2
 Why is Privacy Important?
• To earn and keep public trust
   –   If the public no longer trusts DHS to protect their PII, we may
       find public support for DHS programs will erode.
• To prevent identity theft
   –   Identity thieves do not discriminate based on a person’s
       immigration status, and neither does DHS when protecting
       the PII it collects and maintains.
• To prevent privacy incidents
   –   Incidents are reported in national news, which erodes the
       public’s trust in those agencies, and are expensive to
• It’s the law.
   –   Failure to follow these laws may result in civil or criminal
       penalties for you, your supervisors, and/or colleagues.

Personally Identifiable Information

Sensitive PII
• Potential for substantial harm,
  embarrassment, inconvenience, or
  unfairness to an individual
• Single data elements
   – social security, driver's license, or financial
     account number
• Combinations of data
   – citizenship or immigration status; medical
     information; ethnic, religious, sexual orientation;
     in conjunction with the identity of an individual
• Context of data
   – a list of names of employees with poor
     performance ratings.

Handling PII in a DHS System
• Only access what you need-to-
   – Do not browse
• Only use PII for approved
   – Use should be compatible with
     purpose of the system
• Protect against “shoulder
  surfing” and eavesdropping.
• Only access systems using DHS
   – Including teleworkers
 Handling SPII Extracts
• Obtain approval before extracting PII from a
  DHS system.
• Secure portable media containing SPII. Carry
  on laptops when flying instead of checking
  them, and do not leave them unattended in a
  hotel room.
   – Encrypt SPII when
     transferred outside of DHS,
     such as to a non-DHS email
   – If extract is not part of
     system SOP, log and track
     the extract to ensure it is
     not lost.
  Handling PII Outside of a System
• Check with the DHS Privacy Office and I&A counsel.
   – You may inadvertently create a privacy sensitive system
     that is out of compliance with law and policy.
      – Subject to civil, criminal, administrative penalties
• Do not create duplicate, ancillary,
  “shadow,” or “under the radar” files
  with PII.
• Only use DHS-approved forms (paper
  or electronic) to collect PII from 10
  or more individuals.

 Privacy Incidents
Your Responsibilities
TJX Says Customer Data was Stolen

TSA Suffers Data Loss; Lawmakers Watch Closely

Privacy Incidents
Report any loss, theft, or unauthorized disclosures of PII
  to the Program Manager, Privacy POC, or ISSM.

   – Report as soon as suspected or confirmed.
   – Report whether intentional or inadvertent.
   – Report regardless of perceived risk.

Do not further compromise the information by forwarding
  or replying “to all.”

What is a Privacy Incident?

A suspected or confirmed:
   –   loss of control
   –   compromise
   –   unauthorized disclosure
   –   unauthorized acquisition
   –   unauthorized access
   –   or any other situation where persons other than authorized
       users and for an unauthorized purpose have access or potential
To PII whether in hard copy or electronic form
Privacy Incident Harms

• Harm to Component/Department
• Harm to individuals
• Privacy Act – Ensure the security and confidentiality
  of records to protect against
   – Substantial harm
   – Embarrassment
   – Inconvenience
   – Unfairness

   – Risk of economic harm, identity theft, or fraud
   – Risk of harm to the security or integrity of the
     information system
   – Potential for blackmail, mental pain, or emotional
     distress
   – Disclosure of private facts
     (OMB Memorandum 07-16)
Examples of Privacy Incidents
•   Theft of a laptop containing rosters of emergency responders
•   Lost or stolen thumb drive or portable hard drive of PII
•   Shipper loses a package of employee applications
•   Loss of a hard drive with current and former DHS employee SSNs
•   Unauthorized access to personnel files
• Employee roster posted on agency website, disclosing name,
  personal cell phone number, and home address
• Email containing payroll information transmitted from government
  email account to a personal email account
• Key logger gains access to a computer and its accounts
Your examples

Obligation to Safeguard Sensitive PII

• Apply “Need to know”
  principle before disclosing PII
  to other personnel
• Challenge requested need for
  PII before sharing

• Limit PII to official use only

• PII may only be collected for
  an authorized purpose
You Must Report Privacy Incidents

Employees and Contractors Must
  • Report all incidents involving PII, both suspected and
    confirmed, to your DHS Program Manager upon

  • If DHS Program Manager is not available, report to
    DHS Help Desk
 Why Do Privacy Incidents Occur?
• Loss of control
   – PII data is emailed to unauthorized individuals
   – Physical equipment containing PII is lost or stolen
   – Paper records are mishandled either in mail or
     through incorrect disposal methods
• Unauthorized access to sensitive systems
   – Hacker gains access to secure data system
   – Access permission is given to individuals without a
     “Need to Know”
• Human Error
Possible Consequences

Disciplinary action for failure to comply with DHS
  security and privacy policies

Any person who knowingly and willfully discloses
  protected Privacy Act information in any
  manner to any person or agency not entitled to
  receive it, is subject to criminal and civil
  penalties under the Privacy Act