Data Classification & Privacy Inventory Workshop

Post on 21-Jan-2016

description

Data Classification & Privacy Inventory Workshop. Implementing Security to Protect Privacy, November 2005. Welcome & Introductions: Debra Reiger, State Information Security Officer; Joanne McNabb, California Office of Privacy Protection; Lester Chan, California Office of HIPAA Implementation.

Transcript of Data Classification & Privacy Inventory Workshop

Data Classification & Privacy Inventory Workshop

Implementing Security to Protect Privacy

November 2005

Welcome & Introductions

Debra Reiger, State Information Security Officer

Joanne McNabb, California Office of Privacy Protection

Lester Chan, California Office of HIPAA Implementation

Workshop Agenda

Welcome & Introductions - Debra Reiger

Information Privacy & Security - Joanne McNabb

Introduction to State Policy on Data Classification - Debra Reiger

Break

Protected Health Information - Lester Chan

Conducting a Privacy Inventory - Joanne McNabb

Workshop Exercise - Lester Chan

Information Privacy & Security

Privacy: Individual’s interest in controlling the handling of his/her personal information

Security: Organization’s interest in protecting information assets from unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use

Information security is essential to privacy protection.

“Personal information is like toxic waste – Managing it requires a high level of skill and training.”

-Phil Agre, Technology and Privacy in a New Landscape

Why Protect Personal Information

Law and Policy: Information Practices Act, HIPAA Data Classification, Encryption (soon)

Risk Reduction: SAM Security breach notification law (Civil Code § 1798.29) – Cost of notification $1-$25 per notice

Identity Theft > 9 Million victims and $52.6 Billion in 2004

Protecting Personal Information

1. Classify data and identify records systems containing personal identifying information.

2. Locate records needing special protection: Notice-Triggering Personal Information; Health Information (Protected or Electronic)

3. Protect with appropriate security measures: Administrative, Technical, Physical

State Policy on Classifying Data

Classification of Information

Introduction

State policy requires that we identify and classify our data and protect it appropriately.

See SAM Sections 4840-4845

Automated files and databases are essential public resources.

We are the protectors of the public’s information.

We must first classify and locate data before we can properly protect it.

Information Protection

Give appropriate protection from unauthorized: use, access, disclosure, modification, loss, deletion

Information Classifications

Public Information

Confidential Information

Public Information

Information not exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws

Confidential Information

Information exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws

Sensitive & Personal Info

Sensitive and personal information may occur in public and/or confidential records.

Files and databases containing sensitive and/or personal information require special precautions to prevent inappropriate disclosure.

Sensitive Information

Requires special precautions to protect from: unauthorized use, access, disclosure, modification, loss, deletion

Sensitive Information

May be either Public or Confidential.

Requires a higher than normal assurance of accuracy and completeness.

Key factor is integrity.

Typical records are agency financial transactions and regulatory actions.

Personal Information

Identifies or describes an individual

Must be protected from inappropriate access, use, disclosure

Must also be accessible to data subjects upon request

Personal Information

Identifies or describes an individual: name, home address, home phone, etc.

Sub-types of Personal Information: Notice-Triggering Personal Information; Medical Information

Protected Health Information; Electronic Health Information

Notice-Triggering Personal Info

Name plus specific items of personal information: Social Security Number; Driver’s license/I.D. card number; Financial Account Number

Requires notifying individuals if it is acquired by an unauthorized person.

Protected Health Information

HIPAA Covered Entities

Protected Health Information

Individually identifiable information created, received, or maintained by health care payers, providers, health plans or contractors, in electronic or physical form.

State and federal laws require special precautions to protect from unauthorized use, access, or disclosure.

Electronic Health Information

Individually identifiable health information transmitted by electronic media or maintained in electronic media

Electronic Health Information

Health plans, clearinghouses or providers must ensure the privacy and security of electronic protected health information from unauthorized use, access or disclosure

Current Information

Assess current systems for protected health information in physical (paper) and electronic form.

Include personal information in the data classification portion of risk analysis and risk management.

Risk analysis and risk management are required of HIPAA covered entities.

Future Data Systems

Be aware of these data classifications as more data is created, maintained or transmitted.

Plan for protecting your data during the system design phase.

Collect data that you have the authority and need to collect.

Conducting a Privacy Inventory

Where is your data? Where is your personal data?

Privacy Inventory Process

1. ISO/PO gets management support.

2. Each division/program identifies “Privacy Contact.” ISO/PO explains process to Privacy Contacts.

3. Privacy Contacts complete Privacy Inventory Worksheet.

4. ISO/PO/Program implement appropriate safeguards.

5. ISO/PO conduct ongoing privacy awareness training for users (more on this later).

Overview of Worksheet

Part I: Records System Inventory

Part II: Privacy Practices Inventory

Part I of Inventory Worksheet

Records Systems Containing Personal Information

Start with Records Inventory for Records Retention Schedule

List only Records Systems containing personal information

1. Records System

Group of records maintained for official purposes

Same as “Records Series” in Records Retention Handbook: Group of related records under a single filing category that deal with particular subject

Personal Information

Information that describes an individual, including name, home address, home phone, etc. – defined in Civil Code 1798.3

Information on clients, consumers, applicants, licensees, employees, contractors – everyone

2. Description of Records

Examples:

Applications for general contractor’s license

Personnel records of current employees

Case records of recipients of in-home supportive service, past and present

Consumer complaints

3. Sources of Records

Examples:

Subject supplies information on application form

Schools provide information on transcripts.

DOJ provides information from criminal history records

4. Owner and Location

1. Owner: Department/Division/Program that collects and maintains the records

2. Location: Agency name and address where original records system is located

3. Contact: Name, title, business contact information of agency official responsible for records system

5. Authority

Citation of regulation or statute authorizing agency to collect and maintain records system

6. Media of Records System

1. Medium of “original” records system: electronic, paper, tape

2. Additional media on which records are stored or used: PC, laptop, other portable device or medium

7. Type of Personal Information

Objective: Identify records systems containing personal information needing special protections

Notice-triggering personal information (name plus SSN, DL/State ID number, financial account number)

Health/medical information

Other personal information (Home Address, MMN, DOB, etc.)

8. Confidential or Sensitive Info

Does the records system contain any confidential or sensitive information (other than personal information)?

Confidential: Exempt from PRA

Sensitive: For example, network configuration, agency bank records

9. Routine Uses & Disclosures

Purposes for which records were created

Uses and users

Disclosures outside agency that collects and maintains records system

Part II of Inventory Worksheet

Privacy Practices

Checklist of major practices per IPA, Government Code, etc.

Optional – but good way to start to build privacy awareness

1. Privacy Policy Statement

Is your agency’s privacy policy statement posted in your office(s)?

Is it posted on your Web site(s)?

Government Code 11019.9

2. Rules of Conduct

Does your program/agency have written rules of conduct for handling records containing personal information? Civil Code 1798.20

If so, attach copy to Worksheet.

3. Access Guidelines

Does your program/agency have regulations or guidelines telling individuals how they can access their own records? Civil Code 1798.34 – 1798.44

If so, attach copy to Worksheet.

4. Notice on Collection

How do you provide notice (of authority, uses, disclosures, access procedures, etc.) when collecting personal information? Civil Code 1798.17

Printed on paper forms

On online forms

Other

5. Public Records Act Disclosures

Do you have written procedures for responding to PRA requests?

How do you protect personal information in public records?

If so, attach copy to Worksheet.

6. Retention & Destruction

Is this records system listed in your Records Retention Schedule?

7. Incident Notification Procedures

Does the program/division/department have written procedures for notification of privacy/security incidents?

For example, lost/stolen laptop containing (possibly notice-triggering) personal information: Report as information security incident, not property theft

Privacy Awareness

Privacy Inventory raises awareness of privacy vulnerabilities and protection requirements

Ongoing awareness training for all users is essential

Coming soon from COPP

End of Presentation

Questions

Comments