
Defense Security Cooperation Agency DSCA








    1. Defense Security Cooperation Agency (DSCA) FY 2012 Privacy Act Training

    2. Training Requirements This training is required by DoD 5400.11, DoD 5400.11-R, DoD Privacy Program, and OSD Administrative Instruction 81. Note, this training has been modified from its original form. All civilian and military personnel employed with DSCA (headquarters), Regional Centers and Field Activities are required to complete this training. Contractor personnel must also complete this training module. In order to receive credit for completion of this training, employees must complete the “Automated Proof of Training” slide provided at the end of the course to ensure the Office of General Counsel receives the self-generating email notification. This training module will take approximately 30 minutes to complete.

    3. What is the Privacy Act of 1974? The Privacy Act of 1974 is a federal statute enacted by Congress to provide individuals, U.S. citizens and lawfully admitted aliens who are permanent residents, with the right to privacy in records that are maintained and used by Federal agencies. The Privacy Act does not apply to deceased persons, but under certain circumstances, may apply to the relatives of the deceased. By establishing the Privacy Act, Congress intended to balance the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from a federal agency’s collection, maintenance, use, and disclosure of personal information about them.

    4. What does the Privacy Act Require of Federal Agencies? Federal agencies must not disclose any “record” which is contained in a “system of records” to any person, except at the written request or prior written consent of the person to whom the record relates. However, there are exceptions for certain disclosures within the Government, including routine disclosures required by law.

    5. What does the Privacy Act Require of Federal Agencies? (continued) The Privacy Act defines a “record” as any item, collection, or grouping of information about an individual that is maintained by an agency, including but not limited to, education, financial transactions, medical history, and criminal or employment history, and that contains the name, or identifying number, symbol, or other identifying particular assigned to the individual (e.g., finger or voice print or a photograph). A “system of records” is defined as a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. Note, because of the retrieval requirement, some systems of records may not be subject to the Privacy Act.

    6. What does the Privacy Act Require of Federal Agencies? (continued) The Privacy Act also requires each federal agency to:
       - Publish a system of records notice (SORN) in the Federal Register explaining the existence, character, and uses of any new or revised system of records;
       - Maintain in its records only information about a person that is relevant and necessary to accomplish a purpose of the agency required by law;
       - Keep information about a person that is accurate, relevant, timely, and complete;
       - Allow the person, upon a written request, to review agency records that are maintained about them; and
       - Permit the person to seek an amendment of agency records upon showing that the record(s) about them are not accurate, relevant, timely, or complete.

    7. What does the Privacy Act Require of Federal Agencies? (continued) Other major provisions of the Privacy Act require federal agencies to:
       - Provide legal remedies, both civil and criminal, for violations of the Privacy Act; and
       - Provide adequate safeguards to protect the records from unauthorized access and disclosure.

    8. What are some examples of data protected by the Privacy Act? Personally identifiable information (PII) is an example of data protected by the Privacy Act. PII data include:
       - Full Names
       - Full Face Photographs
       - Home Address
       - Driver’s License Number
       - Biometric Data (e.g., finger or voice print, iris scan, DNA, etc.)
       - Date of Birth
       DoD 5400.11-R, “Department of Defense Privacy Program,” defines PII as information about an individual that identifies, links, relates or is unique to, or describes him or her (e.g., a Social Security Number, age, military rank, civilian grade, marital status, race, salary, home/office phone numbers, other demographic, biometric, personnel, medical and financial information, etc.) when linked to a record that is maintained in a System of Records.

    9. QUESTION 1 1. Information about an individual that identifies, relates to or is unique to the individual (e.g., Social Security Number (SSN), medical history, biometrics, date of birth, home address/telephone number) is called: Select an answer below.
       a) Individual
       b) Routine Use
       c) Personally Identifiable Information (PII)
       d) Records

    10. QUESTION 1 INCORRECT! Individual defined for purposes of the Privacy Act is a living person who is a citizen of the U.S., or an alien lawfully admitted for permanent residence. CLICK HERE TO TRY AGAIN

    11. QUESTION 1 INCORRECT! Routine Use is the release of information outside the agency for a purpose compatible with the purpose for which the information is collected. CLICK HERE TO TRY AGAIN

    12. QUESTION 1 CORRECT! Personally Identifiable Information is information about an individual that identifies, relates or is unique to, or describes him or her (e.g., SSN, medical history, biometrics, date of birth, home address/telephone number).

    13. QUESTION 1 INCORRECT! Records are any item, collection, or grouping of information, whatever the storage media, about an individual that is maintained by the DoD Component. CLICK HERE TO TRY AGAIN

    14. QUESTION 2 Which of the following is not PII? Select an answer below.
       a) Date and Place of Birth
       b) Criminal History and Biometric Records
       c) SSN and Financial Transactions
       d) Official Office Address

    15. QUESTION 2 INCORRECT! Date and Place of Birth are examples of PII. CLICK HERE TO TRY AGAIN

    16. QUESTION 2 INCORRECT! Criminal History and Biometric Records are examples of PII. CLICK HERE TO TRY AGAIN

    17. QUESTION 2 INCORRECT! SSN and Financial Transactions are examples of PII. CLICK HERE TO TRY AGAIN

    18. QUESTION 2 CORRECT! Official Office Address. An individual’s official office address is not PII. However, there may be security issues independent of the Privacy Act that restrict disclosure of such information.

    19. Can I collect personal information to carry out my duties? As an employee of the federal government or of a federal contractor, you must collect only personal information that is relevant and necessary to accomplish an authorized agency function. Prior to your collection, you should contact your Privacy Act Official, as you may be required to complete the following: 1) System of Records Notice (SORN) A SORN informs the public of what information is being collected, including but not limited to, the purpose and authority for the collection. This advance public notice must be given before a federal agency begins to collect personal information for a new system of records. This is done by publication in the Federal Register to provide an opportunity for interested persons to comment. Note, your collection may be covered under an existing Government-wide, departmental or agency SORN and may not require the publishing of a new SORN.

    20. Can I collect personal information to carry out my duties? (continued) 2) Privacy Act Statement The Privacy Act requires that, when an agency solicits personal information from an individual for a system of records, it must tell the individual in writing:
       a) The statute or executive order of the President that authorizes the agency to solicit the information;
       b) The principal purposes for which the information is intended to be used;
       c) How the information will be used outside of DoD; and
       d) Whether the disclosure of the information is mandatory or voluntary, and the effects, if any, on the individual for not providing the information.

    21. Can I collect personal information to carry out my duties? (continued) Social Security Number (SSN) Solicitation Section 7 of the Privacy Act provides that it shall be unlawful to deny any individual any right, benefit, or privilege provided by law because the individual refuses to disclose his or her SSN. When an agency requests an individual to disclose his or her SSN, a Privacy Act Statement must be provided. Directive-Type Memorandum (DTM) 07-015-USD(P&R), “DoD Social Security Number (SSN) Reduction Plan,” March 28, 2008, establishes DoD policy in the use of the SSN and guidance for reducing its unnecessary use.

    22. QUESTION 3 3. A System of Records Notice (SORN) is: Select an answer below.
       a) a notice received in the mail.
       b) a notice that is published in the Federal Register by a federal agency that informs the public of the types of personal information being collected, including but not limited to the purpose and authority for the collection.
       c) a system where notices are kept in a safe location.
       d) None of the above

    23. QUESTION 3 INCORRECT! A notice received in the mail is not called a System of Records Notice (SORN). CLICK HERE TO TRY AGAIN

    24. QUESTION 3 CORRECT! A notice that is published in the Federal Register by a federal agency that informs the public of the types of personal information being collected, including but not limited to the purpose and authority for the collection.

    25. QUESTION 3 INCORRECT! A system where notices are kept in a safe location is not called a System of Records Notice (SORN). However, a SORN does describe how records will be maintained and safeguarded against improper release. CLICK HERE TO TRY AGAIN

    26. QUESTION 3 INCORRECT! It’s not “none of the above.” CLICK HERE TO TRY AGAIN

    27. What can I do to safeguard PII? PII must always be treated as "FOR OFFICIAL USE ONLY" and must be marked accordingly. This applies not only to conventional records but also to electronic (including email) transmissions and faxes, which must contain the cautionary marking "For Official Use Only – Privacy Sensitive: Any misuse or unauthorized disclosure may result in both civil and criminal penalties.” Do not share PII with staff who do not have a “need-to-know” to carry out their official duties. When emailing any information that includes PII, the email must be encrypted. PII may not be sent to personal email accounts. Records containing PII should be stored in filing cabinets or other containers so as to prevent unauthorized access.

    28. What can I do to safeguard PII? (continued) Storing PII
       During Duty Hours
       - Cover with DD 2923 (Privacy Act Cover Sheet) or place in an out-of-sight location when those who do not have authorized access enter the work space.
       - Use filtering devices on computer screens to blacken the view.
       - Lock computers when leaving – even for brief periods of time.
       After Duty Hours
       - If the building is locked or manned by security, place records in a locked or unlocked drawer or cabinet.
       - Special Categories of Privacy data should be placed in locked receptacles.

    29. QUESTION 4 4. What option below is not an adequate way of storing PII during duty hours? Select an answer below.
       a) Leaving paperwork on the desk
       b) Covering paperwork with DD Form 2923 (Privacy Act Cover Sheet) when those who are not authorized to view enter the area or when leaving the area.
       c) Locking computer when leaving
       d) Using filter devices on computer screens to blacken view

    30. QUESTION 4 CORRECT! Leaving paperwork on the desk does not adequately protect PII.

    31. QUESTION 4 INCORRECT! Covering paperwork with DD 2923 (Privacy Act Cover Sheet) when those who are not authorized to view enter the area or when leaving the area is an adequate protection of PII. CLICK HERE TO TRY AGAIN

    32. QUESTION 4 INCORRECT! Locking computer when leaving adequately protects PII. CLICK HERE TO TRY AGAIN

    33. QUESTION 4 INCORRECT! Using filter devices on computer screens to blacken view adequately protects PII. CLICK HERE TO TRY AGAIN

    34. What can I do to safeguard PII? (continued) Sharing PII
       - Follow the “need-to-know” principle. Share only with those specific DoD employees who need the data to perform their official duties.
       - If the Privacy Act System Manager has granted you authority to make disclosures outside DoD: Share only with those individuals and entities outside DoD that are listed in the “Routine Use” clause located in the SORN.
       - If you have doubts about sharing data, consult with the System Manager or your Privacy Act Official.

    35. QUESTION 5 5. If you have doubts about sharing PII, who should you consult? Select an answer below.
       a) Your cubicle mate
       b) An Attorney
       c) Your Supervisor
       d) Privacy Act Officer or Privacy Act System Manager

    36. QUESTION 5 INCORRECT! While the person sitting next to you is knowledgeable about many things, this is not the best person from whom to seek Privacy Act advice. CLICK HERE TO TRY AGAIN

    37. QUESTION 5 b. NOT QUITE! CLICK HERE TO TRY AGAIN

    38. QUESTION 5 c. NOT QUITE! CLICK HERE TO TRY AGAIN

    39. QUESTION 5 CORRECT! You should consult either the Privacy Act Officer or the Privacy Act System Manager if you have doubts about sharing PII. Your Privacy Act POC information is located at the end of this module.

    40. What can I do to safeguard PII? (continued) Transporting PII
       Using E-mail
       - Use Common Access Card procedures.
       - Announce in the opening line of text that you are relaying FOUO material.
       - Encrypt the e-mail before sending.
       - Do not send PII to a personal, home or commercial email address.
       Hand Carrying
       - Cover with DD 2923 (Privacy Act Cover Sheet) to shield contents. These sheets are available on the internet.
       Using Ground Mail
       - Use kraft or white envelopes. You may double wrap using an inner and outer envelope if you deem it appropriate.
       - Mark the envelope to the attention of an authorized recipient.
       - Never use “holey joes” or messenger-type envelopes.
       - Never indicate on the outer envelope that it contains privacy data.

    41. QUESTION 6 6. When transporting or sending PII, what should you not do? Select an answer below.
       a) Mail – in a white envelope
       b) Encrypt the email
       c) Send PII to a personal email account
       d) Cover with DD 2923 (Privacy Act Cover Sheet), hand carry and give to the recipient

    42. QUESTION 6 INCORRECT! You should mail PII in a white envelope. CLICK HERE TO TRY AGAIN

    43. QUESTION 6 INCORRECT! You should encrypt the email. CLICK HERE TO TRY AGAIN

    44. QUESTION 6 CORRECT! You should never transmit PII to a personal email account. This is a reportable privacy breach.

    45. QUESTION 6 INCORRECT! You should always cover with DD Form 2923 when you hand carry documents to the recipient. CLICK HERE TO TRY AGAIN

    46. What can I do to safeguard PII? (continued) Disposing of PII Use any means that prevents inadvertent compromise. A disposal method is considered adequate if it renders the information unrecognizable or beyond reconstruction. Disposal methods may include:
       - Burning
       - Melting
       - Chemical decomposition
       - Pulping
       - Pulverizing
       - Shredding
       - Mutilation
       - Degaussing
       - Delete/Empty Recycle Bin

    47. QUESTION 7 7. Disposal methods may include all but…? Select an answer below.
       a) Burn bag/shredding when available
       b) Melting
       c) Tear in half and throw in garbage can
       d) Degaussing

    48. QUESTION 7 INCORRECT! Burn Bag/shredding when available is a method of disposing of PII. CLICK HERE TO TRY AGAIN

    49. QUESTION 7 INCORRECT! Melting is a way of disposing PII. CLICK HERE TO TRY AGAIN

    50. QUESTION 7 CORRECT! Tearing in half and throwing in a garbage can is not a way to dispose of PII. This method isn’t shredding or mutilation sufficient to make the PII unrecognizable.

    51. QUESTION 7 INCORRECT! Degaussing is a method of disposing of PII. This refers to erasure of data stored on magnetic media such as hard drives, compact disks and magnetic tapes. CLICK HERE TO TRY AGAIN

    52. What can I do to safeguard PII? (continued) Safeguarding Requirements
       Three Levels of Safeguards are Required:
       - Administrative
       - Physical
       - Technical
       These individuals are responsible for establishing safeguards:
       - Information Technology System Designers
       - System Managers
       - Privacy Act Official
       These individuals are responsible for seeing that safeguards are applied:
       - YOU!

    53. QUESTION 8 8. Which person is responsible for establishing safeguards? Select an answer below.
       a) The President of the United States
       b) You
       c) Information Technology System Designers
       d) Your Supervisor

    54. QUESTION 8 INCORRECT! While the President of the United States is concerned about the Privacy Act, the President does not establish safeguards. CLICK HERE TO TRY AGAIN

    55. QUESTION 8 INCORRECT! You may be responsible for many things, but usually, you are not responsible for establishing safeguards. CLICK HERE TO TRY AGAIN

    56. QUESTION 8 CORRECT! Information Technology System Designers are responsible for establishing safeguards.

    57. QUESTION 8 INCORRECT! Your supervisor is responsible for many things, but establishing safeguards for the protection of PII is not one of them. CLICK HERE TO TRY AGAIN

    58. Are there any penalties for violating the Privacy Act? Yes. The Privacy Act provides for both criminal and civil penalties for noncompliance. Criminal Penalties Any officer or employee of a government agency who knowingly and willfully discloses personally identifiable information is guilty of a misdemeanor and can be fined a maximum of $5,000. Likewise, any agency employee or official who willfully maintains a system of records without disclosing its existence and relevant details as specified above can be fined a maximum of $5,000. The same misdemeanor penalty (and $5,000 maximum fine) can be applied to anyone, including contractor personnel, who knowingly and willfully requests an individual's record from an agency under false pretenses.

    59. Are there any penalties for violating the Privacy Act? (continued) CIVIL PENALTIES If an agency refuses to allow an individual access to his or her records and/or to amend an individual's record upon request, the individual can sue in civil court to have the records produced and/or amended. The court can also make the Government pay the individual reasonable attorney's fees or other litigation costs. If an agency has violated any other section of the Privacy Act, and a court finds that the violation is "intentional or willful," the court can make the Government pay to the individual actual damages suffered as a result of the violation (but in no case shall a person entitled to recovery receive less than the sum of $1,000), along with costs and reasonable attorney's fees.

    60. What is my privacy role and responsibility?
       - Do not collect PII unless you are authorized to do so.
       - Complete annual privacy (YOU ARE ALMOST DONE WITH THIS MODULE!), information protection and data security training, as required.
       - Adhere to privacy, information protection and data security policies and procedures.
       - Limit access to records containing personal data to that which is required to carry out your official duties.
       - Do not distribute or share personal information with individuals who do not have a need for access.
       - Limit the disclosure of PII to that which is necessary and relevant to perform your official duties and for other legally mandated or authorized purposes.
       - Prevent unnecessary disclosure of personal information in information systems, programs, electronic formats such as emails and hardcopy documents by adhering to proper safeguarding measures.

    61. What is my privacy role and responsibility? (continued) Safeguard records and information systems containing PII, and upon becoming aware of the loss, theft, or improper disclosure of personal information, immediately report the incident to:
       - Your Supervisor
       - Your Privacy Act Official(s) at DSCA/OGC
       - US-CERT Incident Reporting System, by completing the questionnaire at https://forms.us-cert.gov/report/. Note, this action should be done within one hour after discovery, so please complete immediately.

    62. Contact Information If you have any questions or concerns, please contact your Privacy Act Officials located within DSCA/OGC at (703) 604-0295 or (703) 604-6588. PLEASE CLICK HERE TO COMPLETE THIS TRAINING
