
Department of Commerce Privacy Awareness

Department of Commerce Privacy Awareness. Privacy protection includes the protection of the personal privacy rights of individuals from the unauthorized collection, maintenance, use, and disclosure of personal information about them.


Presentation Transcript


  1. Department of Commerce Privacy Awareness

  2. Privacy protection includes the protection of the personal privacy rights of individuals from the unauthorized collection, maintenance, use, and disclosure of personal information about them. When DOC does collect personal information, we have a duty and responsibility to protect that information from misuse. Business identifiable information received by DOC must be similarly protected, in accordance with applicable laws. What is privacy protection?

  3. As a Commerce employee, you are responsible and accountable for knowing what constitutes personal information and business identifiable information; handling personal and business identifiable information; protecting personal and business identifiable information; and following all laws, rules, regulations, and Departmental policies regarding personal and business identifiable information. Your responsibilities to protect privacy

  4. The Department of Commerce has adopted the following privacy principles: Data Minimization – Commerce will collect the minimal amount of information necessary from individuals and businesses consistent with the Department’s mission and legal requirements. Transparency – Notice covering the purpose of the collection and use of personally identifiable information will be provided in a clear manner. Information collected will not be used for any other purpose unless authorized or mandated by law. Accuracy – Information collected will be maintained in a sufficiently accurate, timely, and complete manner to ensure that the interests of the individuals and businesses are protected. Security – Adequate physical and IT security measures will be implemented to ensure that the collection, use, and maintenance of personally identifiable information is properly safeguarded and the information is promptly destroyed in accordance with approved records control schedules. DOC privacy principles

  5. Privacy Act of 1974; Freedom of Information Act (FOIA); E-Government Act of 2002. Additional privacy laws regulate other areas, such as government access to bank and other financial records, identity theft, trade secrets, health records, and education records. The Trade Secrets Act (18 USC 1905) provides criminal penalties for the unauthorized disclosure by the government of confidential commercial information. Key privacy laws

  6. Regulates how federal agencies collect, maintain, use, and disclose individuals’ information maintained in a Privacy Act system of records. This includes information pertaining to federal employees as well as the public. Requires federal agencies to publish systems of records notices so that the public is aware of what Privacy Act records are being maintained and under what authority. Requires that information about individuals maintained in a Privacy Act system of records be accurate. Allows individuals to access and seek to amend their Privacy Act records. Privacy Act of 1974

  7. The FOIA allows public access to all agency records not protected from disclosure by a FOIA exemption. As a federal employee, certain government information about your employment may be disclosed, such as your position description, title, series, salary, and monetary award amounts. Freedom of Information Act (FOIA) and privacy

  8. FOIA provides two separate exemptions to protect individuals’ private information contained in agency records. Exemption (b)6 protects from disclosure information about individuals in “personnel and medical files and similar files” when the disclosure of such information “would constitute a clearly unwarranted invasion of personal privacy.” Exemption (b)7(C) provides protection for personal information in law enforcement records. This exemption is the law enforcement counterpart to Exemption (b)6. FOIA personal privacy exemptions

  9. Exemption (b)4 protects from disclosure “trade secrets and commercial and financial information obtained from a person [that is] privileged and confidential”. “Commercial” is not confined to records that reveal “basic commercial operations” but includes any records [or information] in which the submitter has a “commercial interest” and can include information submitted by a nonprofit entity. FOIA exemption for commercial information

  10. Requires that every federal agency conduct a Privacy Impact Assessment on each of its information technology systems under development that will contain personally identifiable information. As a matter of policy, Commerce also requires that a Privacy Impact Assessment be conducted when developing systems that will contain business identifiable information. The purpose of the Privacy Impact Assessment is to ensure that there is no collection, storage, access, use, or dissemination of identifiable information from or about members of the general public and businesses that is not needed or authorized, and that identifiable information that is collected is adequately protected. E-Government Act of 2002

  11. OMB Memorandum M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, September 26, 2003, provides specific guidance to agencies for implementing the Privacy Provisions (Section 208) of the E-Government Act. The Department of Commerce IT Privacy Policy provides guidance for implementing Section 208 and protecting personal information in Commerce, and extends the same protection to business identifiable information. Other guidance

  12. Personal information is “any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.” (Section 208 (d) of the E-Government Act of 2002). Examples include: Lists of the names of visitors to buildings or offices; Pay and personnel records; Photographs of individuals captured on surveillance cameras installed to ensure the security of buildings or locations; A biometric system that uses voice recognition technology to allow individuals access to certain controlled areas. What is personal information?

  13. Entering data into a time and attendance system; Processing a personnel action; Reviewing a performance award nomination file; Building a new database that is being filled with personal information; Searching an existing database for individuals that meet certain criteria; Receiving personal information from another agency; Entering information into an employee medical file. Where will you encounter personal information?

  14. Consider all personal information given to you, whether in writing or verbally, as sensitive. Provide personal information only to those who have a “need to know.” Use personal information ONLY for official purposes. Provide access to an individual’s information only if you have specific authority to do so. Secure personal information with appropriate passwords and locks. How do you protect personal information (1)?

  15. Not all personal information is exempt from disclosure to the public, e.g., name, title, grade, and office phone number of federal employees. Contact your FOIA/PA Officer for guidance on personal information that may be released. When creating a new system or significantly modifying a legacy system that contains personal information, conduct a Privacy Impact Assessment and contact your Operating Unit FOIA/Privacy Act Officer. How do you protect personal information (2)?

  16. Under Commerce policy, business identifiable information consists of information that is defined in the FOIA as “trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential.” This information is exempt from automatic release under FOIA Exemption (b)4. “Commercial” is not confined to records that reveal basic commercial operations but includes any records [or information] in which the submitter has a commercial interest, and may include information submitted by a nonprofit entity. Business identifiable information (1)

  17. Not all business identifiable information is exempt from disclosure under, e.g., annual financial reports of public corporations. Contact your FOIA/PA Officer for guidance. Other terms for business identifiable information that must be protected from disclosure are: “confidential business information”; “confidential commercial information”; “proprietary information”. Business identifiable information (2)

  18. Financial information provided in response to requests for economic census data; Business plans and marketing data provided to participate in trade development events; Commercial and financial information collected as part of export enforcement actions; Proprietary information provided in support of a grant application or related to a federal acquisition action; Financial records collected as part of an investigation. Examples of business identifiable information in Commerce

  19. Violations include: Requesting, obtaining, or using records under false pretenses; Maintaining inaccurate Privacy Act records that result in adverse action; Maintaining a Privacy Act system of records that has not been disclosed in a published notice; Failure to conduct a Privacy Impact Assessment when required; Disclosing business identifiable information, that is protected from disclosure, in violation of the Trade Secrets Act or other laws and regulations. Penalties for violations could include: DOC disciplinary action; Civil action against DOC and/or the employee; Criminal prosecution of the employee. Examples of privacy violations

  20. Your office has been investigating an incident that involves a Commerce employee who is being disciplined. You want to share all the details in the case file with your buddy over lunch. Can you gossip about what’s in the file? ANSWER: No. You need to keep all information provided to you private and only give it to those who “need to know”. Your buddy doesn’t “need to know.” Scenario

  21. A Commerce OIG inspector comes to your office and asks to see the case file of an employee who is being investigated so that he or she may conduct an official progress review of the investigation. Do you hand over these records? ANSWER: Yes, but first ask to see the inspector’s credentials. The inspector “needs to know” the information you have in order to complete his or her official investigation. Scenario

  22. Your office has decided to enter into a contract with a private sector company that maintains databases with personal information to test a new modeling system that can be used to identify violators of export controls. This is a new system. You will be accessing their information and storing the results in your computer system. Do you need a Privacy Impact Assessment and/or a Systems of Records Notice (SORN)? ANSWER: Yes, you need both. Contact your Operating Unit FOIA/Privacy Act Officer to ensure that an SORN has been completed. Privacy Impact Assessments and SORNs should be completed prior to the signing of a contract so that privacy may be fully considered. In fact, potential contractors should address privacy issues in their proposals to DOC. Scenario

  23. In your position as an economist, you receive from corporations proprietary data and other confidential business identifiable information that is provided solely for the purpose of developing national economic and statistical reports that do not include identifiable information. May you use the information received to pick stocks? ANSWER: No. You are responsible for protecting business identifiable information from unauthorized release or misuse. Using the information to further your personal financial interests could result in disciplinary action. Scenario

  24. A citizen calls you at your desk and asks for a copy of “everything DOC has on me.” She says if you don’t give the information to her, she’s going to take this all the way to the Supreme Court. What do you do? ANSWER: Inform the individual that she may send a FOIA or PA request electronically to Efoia@doc.gov or by mail or fax (202-219-8979). More information is at http://www.osec.doc.gov/omo/FOIA/FOIAWEBSITE.htm. Scenario

  25. It is your responsibility to protect personal information and business identifiable information that is exempt from disclosure. Think before you disclose. Consider all personal information given to you as sensitive. Protect business identifiable information in a similar manner as personal information. Rules for protecting personal information and business identifiable information

  26. Brenda Dolan, DOC FOIA/Privacy Act Officer, bdolan1@doc.gov, 202-482-3258. Your operating unit FOIA/PA Officer: see list at http://www.osec.doc.gov/omo/FOIA/docbureaus.htm. For IT privacy, records management, E-Government Act, and Privacy Impact Assessment issues: Dan Rooney, drooney@doc.gov, 202-482-0517. Questions?
