1 / 29

2013 Annual PII Training Certificate

2013 Annual PII Training Certificate. This is to certify that I have received my 2013 annual PII training. I understand that I am responsible for safeguarding PII. I also understand that I may be subject to disciplinary actions for failure to properly protect and safeguard PII data.

yuri
Télécharger la présentation

2013 Annual PII Training Certificate

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 2013 Annual PII Training Certificate This is to certify that I have received my 2013 annual PII training. I understand that I am responsible for safeguarding PII. I also understand that I may be subject to disciplinary actions for failure to properly protect and safeguard PII data. _________________________________ _________________ Name Date

  2. Privacy Act Personally Identifiable Information (PII) Training

  3. Questions this Module Will Answer … • What is Personally-Identifiable Information (PII)? • What are your roles and responsibilities regarding the Privacy Act? • What often causes PII loss or compromise? • What are the potential costs? • How can you prevent losing or compromising PII? • How should you handle, protect and dispose of PII? • What should you do if PII is lost or compromised? PMT | Apr 2013 | v 0.1 | Privacy Act

  4. You Are Responsible for … • Ensuring you complete PII training annually • Abiding by protocols when collecting, maintaining, destroying, or disseminating personal information • Periodically reviewing shared devices for compliance • Practicing Limited Access Principles • Ensuring that contracts include privacy clauses FAR 52-224-1 and 52.224-2 and that contract language addresses how data is to be disposed at the end of the contract • Identifying the Privacy Act System of Records Notice (SORN) and following the rules set in the notice PMT | Apr 2013 | v 0.1 | Privacy Act

  5. What is the Privacy Act? • The Privacy Act of 1974, as amended by 5 U.S.C. 552a, regulates the collection, use, safeguarding, and disposition of personal information in government-wide systems of records PMT | Apr 2013 | v 0.1 | Privacy Act

  6. Personally Identifiable Information (PII) • PII refers to information that can be used to distinguish or trace an individual’s identity • PII needs to be protected and released only on a need-to-know basis • Two Types • Sensitive • Non-Sensitive PMT | Apr 2013 | v 0.1 | Privacy Act

  7. Sensitive PII Sensitive PII is information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual Sensitive PII elements include, but are not limited to: PMT | Apr 2013 | v 0.1 | Privacy Act

  8. Non-Sensitive PII Non-Sensitive PII is information, that could be sensitive to an employee; could also be information that is needed to do the business of the agency Non-Sensitive PII elements include but are not limited to: PMT | Apr 2013 | v 0.1 | Privacy Act

  9. What Is a System of Records Notice? • Before DON can use a system of records to collect and maintain information on an individual it must publish a Privacy Act System of Records Notice (SORN) in the Federal Register • Informs the general public of what data will be collected, its purpose, and on who’s authority • Sets the rules the DON will follow in collecting and maintaining personal data PMT | Apr 2013 | v 0.1 | Privacy Act

  10. What Is a Privacy Act System of Records ? A Privacy Act system of records is "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual” Government-Wide Examples DON Examples Equal Employment Opportunity in the Federal Government Complaint and Appeal Records (EEOC/GOVT) General Personnel Records (OPM/GOVT-1) Organization Management and Locator System (NM05000-2) Time and Attendance Feeder Records (NM07421-1) Employee Relations (NM12771-2) The DON Chief Information Officer lists over 150 DON Privacy Act system of records www.doncio.navy.mil PMT | Apr 2013 | v 0.1 | Privacy Act

  11. Why Protect? • Regulations • To prevent unauthorized uses • To protect against Identity Theft • To avoid compromise • To avoid loss • Protects business practices It’s the right thing to do! PMT | Apr 2013 | v 0.1 | Privacy Act

  12. How to Protect PII? • Question individuals who request PII data • Assure Need-to-Know • Safeguard personal data • Maintain close control of data • Store data out-of-sight • Take steps to properly destroy data • Lock offices • Lock cabinets • Use DD2923 cover sheet PMT | Apr 2013 | v 0.1 | Privacy Act

  13. How to Protect Email? Email • Encrypt all email containing PII and FOUO data • Ensure PKI certificate has been published to the Global Address Listing (GAL)/Microsoft Outlook so email can be encrypted • Use the recommended warning statement in email when sending PII data: FOR OFFICIAL USE ONLY - PRIVACY SENSITIVE - Any misuse or unauthorized disclosure can result in both civil and/or criminal penalties. • Statement should be at the top of email message • FOUO should be present in the subject box of the email • Statement should only be used in email that contain sensitive data • Should not be used as a blanket statement PMT | Apr 2013 | v 0.1 | Privacy Act

  14. How to Protect Muster/Recall Rosters? Muster/Recall Rosters • Access on a need-to-know basis • Shall never contain SSN’s • Only contain names (abbreviated), addresses, and telephone numbers • Use Cover Sheet • FOUO/Privacy Statement • Do NOT hang muster/recall cards around your neck • If lost have a way for someone who finds it to return or destroy PMT | Apr 2013 | v 0.1 | Privacy Act

  15. How to Protect When Faxing? Faxing – Per Department of the Navy GENADMIN message 171625ZFEB2012 • Use of Fax Machines to send SSN’s and other PII by DON Personnel is PROHIBITED except when: • Another more secure means of transmitting is not practical • A process outside of DON control requires faxing such as: • DFAS, • TRICARE, • Defense Manpower Data Center (DMDC) • In cases where operational necessity requires expeditious handling PMT | Apr 2013 | v 0.1 | Privacy Act

  16. Additional Protection Info When Faxing • When sending a fax utilize a Privacy Act Cover Sheet and verify receipt •  External customers such as service veterans, Air Force and Army personnel, dependents, and retirees may continue to fax documents containing PII to DON activities but shall be strongly encourage to use an alternative means such as: • USPS • Scanning and transmit using a secure means PMT | Apr 2013 | v 0.1 | Privacy Act

  17. How to Protect Outlook Calendar/Cell Phone? • Shared Outlook Calendar • Do not post • Type of leave taking • Where you are on travel • Birthdays • Keep personal and work calendar separate • Cell phone • Initials • Last name and first initial • Last name only PMT | Apr 2013 | v 0.1 | Privacy Act

  18. Disposal and Reducing Risk • Cross cut shred documents with PII • Place only shredded PII into recycling • Use caution when copying documents with PII • Posters available on RFCC COI • Faxing • Copying • Shredding https://mynavair.navair.navy.mil/portal/server.pt/community/privacy_act/1176/privacy_act_resources/57552 PMT | Apr 2013 | v 0.1 | Privacy Act

  19. Not Protecting PII • If PII is: • Lost • Stolen • Compromised • You will need to take action! • Does it need to be reported? • Can you define the data and who it belonged to? • Is it a Breach? PMT | Apr 2013 | v 0.1 | Privacy Act

  20. Breach • A PII breach is the loss of control, unauthorized disclosure, or unauthorized access of personal information, or the compromise of privacy-sensitive information. • It could be: • Loss of device which houses PII data (lap top, cell phone, PDA, hard drives, portable storage device, etc.) • IT System being hacked • Email containing PII data sent unencrypted outside of our control • PII data in recycling (not shredded) • PII data left out in open areas (cubes, printers, faxes) PMT | Apr 2013 | v 0.1 | Privacy Act

  21. What Makes A Breach Reportable? • Will the lost or stolen data lead to harm, embarrassment, or identity theft? • Is the likelihood high that PII will be or has been used by unauthorized individuals? • Was the data unprotected? • Could there have been a disclosure of private facts? • Could there be an unwarranted exposure of PII leading to humiliation or loss of self-esteem? • Could there be a potential for blackmail? PMT | Apr 2013 | v 0.1 | Privacy Act

  22. Causes of PII Loss or Compromise Human error Stolen laptops Unprotected PII sent using email or by fax Posting PII on bulletin or check-in/out boards Lost portable storage devices Using inappropriate methods for disposing of documents containing PII Posting PII in public folders, on internal websites (e.g., MyNAVAIR), or on the Internet PMT | Apr 2013 | v 0.1 | Privacy Act

  23. Impact of a Breach Emotionally stressful Embarrassing Facilitates identity theft Compromises business practices Results in disciplinary action against the offender Erodes confidence in the Government’s ability to protect PII information PMT | Apr 2013 | v 0.1 | Privacy Act

  24. Examples of Breaches DON has reported the following types of breaches: • Stolen lap top • Unencrypted emails • Resumes in recycling • Navy copiers erroneously sold before hard drives sanitized • Employee downloaded PII to unencrypted CD • A Sailor and his civilian girlfriend were allegedly attempting to steal the identity of multiple staff members • Missing hard drives PMT | Apr 2013 | v 0.1 | Privacy Act

  25. PII Violations • Violations which may lead to criminal penalties include: • Collecting data without meeting the Federal Register publication requirement (SORN) • Sharing data with unauthorized individuals • Acting under false pretenses or facilitating those acting under false pretenses Penalties for violating the Privacy Act include a misdemeanor charge with jail time of up to one year and fines of up to $5,000 PMT | Apr 2013 | v 0.1 | Privacy Act

  26. What Should You Do If PII Is Breached? • Notify your immediate supervisor and the Site Privacy Act Coordinator • Gather the following information for reporting purposes: • Date of breach • Circumstances • What was lost • Number of employees affected • Mitigation Seek additional assistance from your Site Privacy Act Coordinator as needed PMT | Apr 2013 | v 0.1 | Privacy Act

  27. Summary • Recognize the difference between Sensitive and Non-Sensitive PII • Actively voice and demonstrate your support to protect PII • Protect, DON’T collect! • Collecting PII in a system requires a SORN • Properly handle, protect, and dispose of PII • Take action to report and mitigate situations where PII may have been lost or compromised PMT | Apr 2013 | v 0.1 | Privacy Act

  28. 2013 Annual PII Training Certificate This is to certify that I have received my 2013 annual PII training. I understand that I am responsible for safeguarding PII. I also understand that I may be subject to disciplinary actions for failure to properly protect and safeguard PII data. _________________________________ _________________ Name Date

  29. Privacy Act Personnel Management Training for New Supervisors

More Related