1 / 27

Privacy Act: System of Records Notices and Privacy Act Statements

TRICARE Management Activity. HEALTH AFFAIRS. Privacy Act: System of Records Notices and Privacy Act Statements. 2009 Data Protection Seminar TMA Privacy Office. TRICARE Management Activity. HEALTH AFFAIRS. Privacy Act: System of Records Notices and Privacy Act Statements.

odeda
Télécharger la présentation

Privacy Act: System of Records Notices and Privacy Act Statements

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. TRICARE Management Activity HEALTH AFFAIRS Privacy Act: System of Records Notices and Privacy Act Statements 2009 Data Protection Seminar TMA Privacy Office

  2. TRICARE Management Activity HEALTH AFFAIRS Privacy Act: System of Records Notices and Privacy Act Statements

  3. Privacy Act: System of Records Notices and Privacy Act StatementsPurpose The purpose of this presentation is to provide an overview of the Privacy Act and its various implementing regulations that protect the solicitation, collection, and use of individual information and the maintenance of such information in systems of records

  4. Privacy Act: System of Records Notices and Privacy Act Statements Objectives • Upon completion of this presentation, you should be able to: • Explain the scope of the Privacy Act and the rights it protects related to personally identifiable information (PII) • Identify the definition of System of Records Notice (SORN) • Identify the definition of Privacy Act Statement (PAS)

  5. Privacy Act: System of Records Notices and Privacy Act Statements Brief Overview of the Privacy Act of 1974 • Statutory Authority • Codified as 5 U.S.C. § 552(a), as implemented by Office of Management and Budget (OMB) Circular No. A-130 • DoD Regulatory Authority • DoD Directive 5400.11 • DoD 5400.11-R • Office of the Secretary of Defense (OSD) Administrative Instruction (AI) No. 81

  6. Privacy Act: System of Records Notices and Privacy Act Statements Purpose of the Privacy Act • To safeguard information that Federal records contain pertaining to individuals • To provide access to individuals to correct inaccuracies in their information • To balance individual privacy interests with the government’s need to maintain information about them • To provide remedies for wrongful disclosures

  7. Privacy Act: System of Records Notices and Privacy Act StatementsWhat the Privacy Act Protects • Examples of information the Privacy Act protects • Social Security Numbers (SSNs) • Home address • Home telephone • Date of birth (year included) • Personal medical information • Personal/private information (e.g., financial) • A personal identifier is something that identifies, relates, or is unique to an individual

  8. Privacy Act: System of Records Notices and Privacy Act Statements Records Containing Protected Information • Whenever a Federal agency maintains information about individuals and retrieves it using a personal identifier, the record system is a Privacy Act “system of records” • A record is any item, collection, or group of information about an individual that is stored • A system of records is a group of records under the control of a DoD Component where there is retrieval of individuals’ information by some identifying number, symbol, or other identifier assigned to the individual

  9. Privacy Act: System of Records Notices and Privacy Act Statements Disclosures and Exceptions • No agency shall disclose any record contained in a system of records by any means of communication without a written request or prior consent of the individual to whom the record pertains • Ten (10) exceptions exist permitting use/disclosure without individual consent. Examples include: • Routine use “for a purpose compatible to purpose of collection” • Systems of records that do not retrieve records using a personal identifier

  10. TRICARE Management Activity HEALTH AFFAIRS System of Records Notice

  11. Privacy Act: System of Records Notices and Privacy Act Statements System of Records Notices • The Privacy Act requires agencies to identify systems of records that allow for the collection of information retrieved using a personal identifier; and, to publish a SORN in the Federal Register of new or revised systems of record to provide an opportunity for interested persons to comment • This informs the general public of what data is being collected, the purpose and authority for such collection, and the rules agencies must follow in collecting and maintaining individual information

  12. Privacy Act: System of Records Notices and Privacy Act StatementsOn the Road to Compliance SORNs operate like an auto insurance policy by describing what is covered and how much protection is provided; and, just like an auto policy is required to operate a car, a SORN is required to operate a system of records

  13. System name Classification Location Authority for maintenance Purpose Uses and categories of users Policies and practices System manager Notification procedures Record access procedures Contest procedures Record source categories Exemptions claimed Privacy Act: System of Records Notices and Privacy Act StatementsSORN Elements

  14. Privacy Act: System of Records Notices and Privacy Act Statements On the Road to Compliance Just like an auto policy describes the owner’s information, address, coverage, etc., a SORN does much of the same by complying with Privacy Act requirements to provide important information about systems of records

  15. Privacy Act: System of Records Notices and Privacy Act StatementsThe Role of the TMA Privacy Office • Coordinate all SORN submissions for HA and TMA • Serve as the point of contact as for all new, altered, amended, changed, or deleted systems as appropriate (and for submission to OSD and Joint Staff (OSD/JS) for eventual publication as SORNs) • Coordinate with program/system managers to review policies, practices that apply to new or existing systems • Maintain the OSD specific inventory of SORNs for TMA

  16. Privacy Act: System of Records Notices and Privacy Act StatementsThe Role of Program Offices • Perform a risk assessment to analyze threats to and vulnerabilities of a computer system, and the potential impact of the loss of information • http://www.tricare.mil/tmaprivacy/SORWEBSampleRiskAssessment26Mar04.doc • Obtain and complete a system notice format certification document available through the OSD/JS Privacy Office • http://www.dod.mil/pubs/foi/privacy/System_Notice_Certification.xls

  17. Privacy Act: System of Records Notices and Privacy Act StatementsThe Role of Program Offices (continued) • Prepare a new or revised narrative statement • http://www.tricare.mil/tmaprivacy/SORWEBNarStatement.doc • Incorporate the changes and updates from the system format document and those in the narrative statement into a final SORN and submit it to the TMA Privacy Office for review at SORmail@tma.osd.mil • http://www.tricare.mil/tmaprivacy/SORWEB-InstructionsSystemNotice.doc

  18. TRICARE Management Activity HEALTH AFFAIRS Privacy Act Statements

  19. Privacy Act: System of Records Notices and Privacy Act StatementsPrivacy Act Statements • The Privacy Act requires that when an agency solicits information from an individual for a system of records that it must inform the individual in writing of the following: • Authority • Principal purpose • Routine uses • Whether disclosure is mandatory or voluntary

  20. Privacy Act: System of Records Notices and Privacy Act StatementsOn the Road to Compliance On the road to compliance, a Privacy Act Statement is just like the flashing stop sign on the side of a school bus, there are consequences to ignoring either

  21. Privacy Act: System of Records Notices and Privacy Act StatementsPenalties for Non-Compliance • Non-compliance with the Privacy Act carries misdemeanor criminal penalties and fines of up to $5000 for: • Soliciting or collecting individual data under false pretenses • Unauthorized disclosure without written permission or consent • Maintaining or collecting data for a system of records without meeting public notice requirements • There are also substantial civil penalties including awards for actual damages, payment of reasonable attorney fees, and removal from employment

  22. Privacy Act: System of Records Notices and Privacy Act StatementsSocial Security Number Solicitation • When soliciting personal information from an individual for inclusion in a system of records, and especially when an SSN is solicited/collected, a Privacy Act Statement must be provided • Note: The Privacy Act makes it unlawful to deny any benefit, right, or privilege provided by law because the individual refuses to disclose their SSN

  23. Privacy Act: System of Records Notices and Privacy Act Statements Safeguards • Personal information shall be collected, maintained, used, or disclosed, subject to appropriate safeguards • Administrative • Physical • Technical

  24. Privacy Act: System of Records Notices and Privacy Act Statements On the Road to Compliance Visibility matters. A stop sign is universally recognized because of it's shape and color; however it fails to provide its intended protection on the side of a bus if it is not extended, flashing, and otherwise prominently visible. The same is true with Privacy Act Statements; placement and visibility, are just as crucial to Privacy Act Statements as the information they convey

  25. Privacy Act: System of Records Notices and Privacy Act StatementsPlacement of Privacy Act Statements • On forms: At the top of the page immediately under the title • On surveys: At the beginning of the survey in a cover memo or attached directly to the survey • On web pages: Conspicuously placed, at or before the point of collection • For mass collections: In the largest print possible to promote visibility by all

  26. Privacy Act: System of Records Notices and Privacy Act StatementsSummary • You should now be able to: • Explain the scope of the Privacy Act and the rights it protects related to PII • Identify the definition of SORN • Identify the definition of PAS

  27. Privacy Act: System of Records Notices and Privacy Act StatementsResources • The Privacy Act of 1974, as amended (5 U.S.C § 552a) • OMB Circular No. A-130 • OMB Memorandum 99-05, and Attachment B • DoD Directive 5400.11 • DoD Regulation 5400.11-R • OSD Administrative Instruction No. 81 • SORN questions/comments: sormail@tma.osd.mil • Privacy Act questions/comments • DoD Privacy Office: www.defenselink.mil/privacy • TMA Privacy Office: privacymail@tma.osd.mil

More Related